Is the target host's HTTP SPN assigned to a user (instead of the computer account) in AD? Pywinrm isn't currently patching the service override through to the kerb layer (see https://github.com/diyan/pywinrm/pull/144), so if you're in that situation, you'll have to wait for the next pywinrm release that includes that bugfix.
On Thursday, March 30, 2017 at 9:36:50 AM UTC-7, Michael Eaton wrote:
>
> Thanks,
>
> That allowed me to get a bit further:
>
> TASK [Gathering Facts] *****************************************************
>
> Using module file /root/ansible/lib/ansible/modules/windows/setup.ps1
> <appt-001-iom.IOM.DOMAIN.COM> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO appt-001-iom.IOM.DOMAIN.COM
> creating Kerberos CC at /tmp/tmppm3JWz
> calling kinit for principal [email protected]
> kinit succeeded for principal [email protected]
> <appt-001-iom.IOM.DOMAIN.COM> WINRM CONNECT: transport=kerberos endpoint=https://appt-001-iom.IOM.DOMAIN.COM:5986/wsman
> <appt-001-iom.IOM.DOMAIN.COM> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
> Traceback (most recent call last):
>   File "/root/ansible/lib/ansible/plugins/connection/winrm.py", line 211, in _winrm_connect
>     self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>     res = self.send_message(xmltodict.unparse(req))
>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>     return self.transport.send_message(message)
>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
>     prepared_request = self.session.prepare_request(request)
>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 407, in prepare_request
>     hooks=merge_hooks(request.hooks, self.hooks),
>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 306, in prepare
>     self.prepare_auth(auth, url)
>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 543, in prepare_auth
>     r = auth(self)
>   File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 308, in __call__
>     auth_header = self.generate_request_header(None, host, is_preemptive=True)
>   File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
>     raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
> KerberosExchangeError: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
>
> fatal: [appt-001-iom.IOM.DOMAIN.COM]: UNREACHABLE! => {
>     "changed": false,
>     "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
>     "unreachable": true
> }
>         to retry, use: --limit @/root/ansible-iom/windows.retry
>
> As you can see the ticket request succeeds but I still get the error about the server not being found. DNS looks good - I can resolve both ways. WinRM config...
>
> Config
>     MaxEnvelopeSizekb = 500
>     MaxTimeoutms = 60000
>     MaxBatchItems = 32000
>     MaxProviderRequests = 4294967295
>     Client
>         NetworkDelayms = 5000
>         URLPrefix = wsman
>         AllowUnencrypted = false
>         Auth
>             Basic = true
>             Digest = true
>             Kerberos = true
>             Negotiate = true
>             Certificate = true
>             CredSSP = false
>         DefaultPorts
>             HTTP = 5985
>             HTTPS = 5986
>         TrustedHosts
>     Service
>         RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
>         MaxConcurrentOperations = 4294967295
>         MaxConcurrentOperationsPerUser = 1500
>         EnumerationTimeoutms = 240000
>         MaxConnections = 300
>         MaxPacketRetrievalTimeSeconds = 120
>         AllowUnencrypted = true
>         Auth
>             Basic = true
>             Kerberos = true
>             Negotiate = true
>             Certificate = false
>             CredSSP = false
>             CbtHardeningLevel = Relaxed
>         DefaultPorts
>             HTTP = 5985
>             HTTPS = 5986
>         IPv4Filter = *
>         IPv6Filter = *
>         EnableCompatibilityHttpListener = false
>         EnableCompatibilityHttpsListener = false
>         CertificateThumbprint
>         AllowRemoteAccess = true
>     Winrs
>         AllowRemoteShellAccess = true
>         IdleTimeout = 7200000
>         MaxConcurrentUsers = 2147483647
>         MaxShellRunTime = 2147483647
>         MaxProcessesPerShell = 2147483647
>         MaxMemoryPerShellMB = 2147483647
>         MaxShellsPerUser = 2147483647
>
> Let me know if you need anything further - any ideas?
>
> Best Regards,
>
> Michael Eaton | DevOps Engineer
>
> T: +44 (0) 203 4688271 | M: +44 (0) 7624 267 407
> E: [email protected]
> W: www.iforium.com
>
> Twitter | Facebook | Linkedin
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Jordan Borean
> Sent: 29 March 2017 21:56
> To: Ansible Project <[email protected]>
> Subject: [ansible-project] Kerberos Auth - the specified credentials were rejected by the server
>
> Are you able to set ansible_winrm_transport to Kerberos and see if that works out. I also believe in 2.4 there was a change made where ansible will get the Kerberos ticket for you removing the need for getting it manually beforehand. Another thing that would be good to know is the output of 'winrm get winrm/config' when running on your windows server.
>
> --
> You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/ORVozS2Nwqk/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/3a2fe4e4-91ff-4080-b328-795a1b3cb53c%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
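The check the reply above asks about, written up as an added PowerShell diagnostic (not code from the thread, from pywinrm or from Ansible): it reports which AD object holds the HTTP/ and HOST/ SPNs a Kerberos WinRM client will request for the target, and confirms forward and reverse DNS agree on the name. It assumes the RSAT ActiveDirectory module is installed and uses the host name from the thread as its default.

```powershell
# Added diagnostic, not code from the thread: which AD object holds the SPNs a
# Kerberos WinRM client asks for, and does DNS agree on the name in the SPN.
# Assumes the RSAT ActiveDirectory module; run as a domain user who can read AD.
param(
    [string]$TargetFqdn = 'appt-001-iom.IOM.DOMAIN.COM'   # host named in the thread
)
Import-Module ActiveDirectory

$shortName = $TargetFqdn.Split('.')[0]
# requests_kerberos (used by pywinrm) asks the KDC for HTTP@<fqdn>. With no explicit
# HTTP SPN, the KDC maps it onto HOST/<fqdn> of the computer account (default
# sPNMappings); an HTTP SPN registered on a user account is used instead of that.
$spns = @("HTTP/$TargetFqdn", "HTTP/$shortName", "HOST/$TargetFqdn", "HOST/$shortName")

foreach ($spn in $spns) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                    -Properties sAMAccountName)
    if ($holders.Count -eq 0) {
        Write-Output "$spn : not registered (HOST/ fallback applies for HTTP)"
        continue
    }
    foreach ($obj in $holders) {
        Write-Output "$spn : held by $($obj.ObjectClass) '$($obj.sAMAccountName)' ($($obj.DistinguishedName))"
        if ($obj.ObjectClass -ne 'computer') {
            Write-Warning "$spn is on a non-computer object; the client must target that account's service name"
        }
    }
    if ($holders.Count -gt 1) {
        Write-Warning "$spn is registered on $($holders.Count) objects; duplicate SPNs break Kerberos for it"
    }
}

# DNS check: the name the client connects with is the name it puts in the SPN,
# so forward and reverse lookups should agree on the FQDN.
$a = Resolve-DnsName -Name $TargetFqdn -Type A -ErrorAction SilentlyContinue
if (-not $a) { Write-Warning "No A record for $TargetFqdn"; return }
foreach ($ip in ($a | Where-Object QueryType -eq 'A' | Select-Object -ExpandProperty IPAddress)) {
    $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
    $back = if ($ptr) { $ptr.NameHost } else { '' }
    if ($back -and ($back -ieq $TargetFqdn)) {
        Write-Output "$ip reverse-resolves to $back (consistent)"
    } else {
        Write-Warning "$ip reverse-resolves to '$back', not $TargetFqdn"
    }
}
```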
