Hi guys,

On my CentOS 7 Ansible control server I'm trying to connect to a Windows host using a domain account. I've configured Kerberos and installed everything (pip install pywinrm[kerberos]) and I have a ticket:

    [meaton@MDE-001-IOM ansible-iom]# klist
    Ticket cache: KEYRING:persistent:0:krb_ccache_g4NS8oC
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    29/03/17 17:16:35  30/03/17 03:16:35  krbtgt/[email protected]
            renew until 05/04/17 17:16:32

However, trying to use these details it still says invalid credentials. Am I missing something?

Group Vars:

    ansible_user = [email protected]
    ansible_password = password
    ansible_port = 5986
    ansible_connection = winrm
    ansible_winrm_server_cert_validation = ignore
    ansible_winrm_realm = IOM.DOMAIN.COM
    ansible_winrm_service = HOST

(I've tried with and without this, following various "solutions" - none of which have worked)

I used the PowerShell script to configure WinRM. I can run my playbook with no issues if I use a local account rather than a domain account. DNS is configured, realms etc. all configured.

cat /etc/krb5.conf

    [libdefaults]
     dns_lookup_realm = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     default_realm = IOM.DOMAIN.COM
     default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
     IOM.DOMAIN.COM = {
      kdc = dc-01-iom.iom.domain.com
     }

    [domain_realm]
     .iom.domain.com = IOM.DOMAIN.COM
    # example.com = EXAMPLE.COM

Error from Playbook run:

    TASK [Gathering Facts] ******************************************************
    Using module file /root/ansible/lib/ansible/modules/windows/setup.ps1
    <appt-001-iom> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO appt-001-iom
    <appt-001-iom> WINRM CONNECT: transport=ssl endpoint=https://appt-001-iom:5986/wsman
    <appt-001-iom> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
    Traceback (most recent call last):
      File "/root/ansible/lib/ansible/plugins/connection/winrm.py", line 211, in _winrm_connect
        self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8
      File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
        res = self.send_message(xmltodict.unparse(req))
      File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
        return self.transport.send_message(message)
      File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 190, in send_message
        raise InvalidCredentialsError("the specified credentials were rejected by the server")
    InvalidCredentialsError: the specified credentials were rejected by the server

    fatal: [appt-001-iom]: UNREACHABLE! => {
        "changed": false,
        "msg": "ssl: the specified credentials were rejected by the server",
        "unreachable": true
    }

Ansible Version:

    ansible 2.4.0 (devel e084e8809e) last updated 2017/03/24 11:58:45 (GMT +100)
      config file =
      configured module search path = Default w/o overrides
      python version = 2.7.5 (default, Nov 6 2016, 00:28:07) [GCC 4.8.5 20150623 (Red Hat 4.8.5-11)]

Thanks,
Michael
