Also worth checking your /etc/krb5.conf to make sure that the domain 
controllers you are pointing at are aware of management.company.corp domain?



On Friday, March 10, 2017 at 7:10:33 PM UTC, cupcake wrote:
>
> Is the second domain "setup" either in AD as an alternate UPN suffix or 
> via a trust relationship with the forest? If it was, it would likely work. 
>
> Also, what auth are you using; local acct, domain acct; ntlm, kerberos, 
> etc.
>
> -cupcake
>
> On Thursday, March 9, 2017 at 3:01:10 AM UTC-5, MKPhil wrote:
>>
>> Hi,
>> I posted a similar question over on Stack Overflow but without any 
>> helpful replies so I thought I'd try this group too...  I don't think it is 
>> an Ansible question per se but has arisen from our use of Ansible.
>>
>> We have Windows servers with two NICs, two separate IPs and two FQDNs in 
>> DNS, e.g.
>>
>>> SERVER01.ADdomain.company.corp [10.0.0.1]
>>> SERVER01.management.company.corp [192.168.0.1]
>>
>>
>> Both are configured in Windows and I can RDP, Telnet, HTTP or whatever to 
>> both names and both IPs (assuming firewalls & routing are configured 
>> correctly and there is something listening on the relevant ports).  This 
>> set-up is primarily to enable our management traffic (e.g. Backups) to 
>> communicate over an alternative NIC to the primary traffic.
>>
>> WinRM has been configured (using the ConfigureRemotingForAnsible.ps1 
>> script) and I can prove that it works if I use Ansible or PowerShell on the 
>> AD name:
>>
>>> $ ansible -m win_ping SERVER01.ADdomain.company.corp
>>> SERVER01.ADdomain.company.corp | SUCCESS => {
>>>     "changed": false,
>>>     "ping": "pong"
>>> }
>>
>>
>>> PS> Invoke-Command -scriptblock{hostname} -ComputerName SERVER01.ADdomain.company.corp
>>> SERVER01
>>
>>  
>>
>>  My problems come when I try to use the other FQDN.  Ansible returns:
>>
>>> SERVER01.management.company.corp | UNREACHABLE! => {
>>>     "changed": false,
>>>     "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS 
>>> failure.  Minor code may provide more information', 851968), ('Server not 
>>> found in Kerberos database', -1765328377)), ssl: the specified credentials 
>>> were rejected by the server",
>>>     "unreachable": true
>>> }
>>
>>  
>> And PowerShell sayeth:
>>
>>> [SERVER01.management.company.corp] Connecting to remote server 
>>> SERVER01.management.company.corp failed with the following error message : 
>>> WinRM cannot process the request. The following error occurred while using 
>>> Kerberos authentication: Cannot find the computer 
>>> SERVER01.management.company.corp. Verify that the computer exists on the 
>>> network and that the name provided is spelled correctly. For more 
>>> information, see the about_Remote_Troubleshooting
>>> Help topic.
>>>     + CategoryInfo          : OpenError: 
>>> (SERVER01.management.company.corp:String) [], PSRemotingTransportException
>>>     + FullyQualifiedErrorId : NetworkPathNotFound,PSSessionStateBroken
>>
>>
>>
>> From reading about this I think it is because the Kerberos Authentication 
>> that WinRM uses only works on the AD name but my question is this: Is there 
>> any way to get the Ansible/WinRM/PowerShell working using the second FQDN? 
>> If not, why not? Any documents (particularly from Ansible and/or Microsoft) 
>> to back this up would be appreciated.
>>
>> Cheers
>> Phil
>>
>>
>>
>>
>>  
>>
>
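
An added illustration of the /etc/krb5.conf check suggested at the top of this thread (not code from any poster or from Ansible): it parses the [domain_realm] section of a constructed sample krb5.conf and reports which realm each of the two FQDNs from the thread maps to. The realm name ADDOMAIN.COMPANY.CORP, the KDC name and the lookup order (a simplification of MIT krb5's behaviour) are assumptions.

```python
import re

# Constructed sample krb5.conf for illustration; realm and KDC names are assumptions.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = ADDOMAIN.COMPANY.CORP

[realms]
    ADDOMAIN.COMPANY.CORP = {
        kdc = dc01.addomain.company.corp
    }

[domain_realm]
    .addomain.company.corp = ADDOMAIN.COMPANY.CORP
    addomain.company.corp = ADDOMAIN.COMPANY.CORP
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {lowercased tag: realm}."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            tag, realm = (part.strip() for part in line.split("=", 1))
            mappings[tag.lower()] = realm
    return mappings

def realm_for_host(fqdn, mappings):
    """Map a host to a realm: exact host entry first, then each parent
    domain, trying the '.domain' form before the bare form.
    Returns (realm, explicit). explicit is False when nothing matched and
    only the uppercased domain portion of the name is left as a fallback."""
    host = fqdn.lower().rstrip(".")
    if host in mappings:
        return mappings[host], True
    labels = host.split(".")
    for i in range(1, len(labels)):
        rest = ".".join(labels[i:])
        for candidate in ("." + rest, rest):
            if candidate in mappings:
                return mappings[candidate], True
    return ".".join(labels[1:]).upper(), False
```

A result with explicit set to False means the file has no mapping for that name, so the ticket request depends on a KDC referral or on the uppercased domain portion being a real realm.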
