Hey.
How do I check the SPN? I've already applied that pull to pywinrm...
Thanks.
Michael

-------- Original message --------
From: Matt Davis <[email protected]>
Date: 30/03/2017 18:08 (GMT+00:00)
To: Ansible Project <[email protected]>
Subject: Re: [ansible-project] Kerberos Auth - the specified credentials were rejected by the server
Is the target host's HTTP SPN assigned to a user (instead of the computer 
account) in AD? Pywinrm isn't currently patching the service override through 
to the kerb layer (see https://github.com/diyan/pywinrm/pull/144), so if you're 
in that situation, you'll have to wait for the next pywinrm release that 
includes that bugfix.
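The question of how to check which account holds the target's HTTP SPN is left open in the thread. The script below is an added example, not something posted by anyone in this thread or shipped with pywinrm or Ansible. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module, and it takes the target host name from the log in this thread; the parameter name, the candidate SPN list and the output wording are my own choices.

```powershell
# Added example (not from the thread): find which AD object holds the HTTP SPN
# for a WinRM target and report its object class, so you can tell whether the
# SPN sits on the computer account or on a user account.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined Windows host.
# $TargetHost defaults to the host from the thread; adjust it for your own estate.
param(
    [string]$TargetHost = 'appt-001-iom.IOM.DOMAIN.COM'
)

Import-Module ActiveDirectory

# WinRM over Kerberos asks the KDC for a ticket to HTTP/<name as typed in the inventory>.
# Check both the FQDN and the short name: a ticket request for a name that has no
# principal at all in the realm is what produces "Server not found in Kerberos database".
$shortName     = ($TargetHost -split '\.')[0]
$spnCandidates = @("HTTP/$TargetHost", "HTTP/$shortName")

foreach ($spn in $spnCandidates) {
    # Search every object (user or computer) that carries this exact SPN.
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
        -Properties servicePrincipalName, objectClass, sAMAccountName

    if (-not $holders) {
        Write-Output "$spn : not registered on any account"
        continue
    }

    foreach ($obj in $holders) {
        $kind = if ($obj.objectClass -eq 'computer') { 'computer account' } else { $obj.objectClass }
        Write-Output "$spn : held by $($obj.sAMAccountName) ($kind, DN=$($obj.DistinguishedName))"
    }

    # A duplicate SPN also breaks Kerberos: the KDC cannot choose a key unambiguously.
    if (@($holders).Count -gt 1) {
        Write-Warning "$spn is registered on more than one object; remove the duplicates."
    }
}

# For comparison, list the computer account's own HTTP/ and WSMAN/ SPNs
# (the same information 'setspn -L <computer>' prints).
Get-ADComputer -Identity $shortName -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName |
    Where-Object { $_ -like 'HTTP/*' -or $_ -like 'WSMAN/*' } |
    ForEach-Object { Write-Output "$shortName computer account SPN: $_" }
```

Two things to keep in mind when reading the output. "Not registered on any account" for HTTP/ is the normal case when the computer account itself serves WinRM, because the KDC maps HTTP/ onto the computer's HOST/ SPN; an HTTP/ SPN held by a user object is the situation Matt describes above, where the client has to name that service principal explicitly. A "Server not found in Kerberos database" error, on the other hand, usually means the name the client asked for (for example a CNAME alias, or a host in a different realm) has no principal in that realm at all, which is why the inventory host name and the registered SPN have to match exactly.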

On Thursday, March 30, 2017 at 9:36:50 AM UTC-7, Michael Eaton wrote:

Thanks,

That allowed me to get a bit further:


TASK [Gathering Facts] *******************************************************************************************
Using module file /root/ansible/lib/ansible/modules/windows/setup.ps1
<appt-001-iom.IOM.DOMAIN.COM> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO appt-001-iom.IOM.DOMAIN.COM
creating Kerberos CC at /tmp/tmppm3JWz
calling kinit for principal [email protected]
kinit succeeded for principal [email protected]
<appt-001-iom.IOM.DOMAIN.COM> WINRM CONNECT: transport=kerberos endpoint=https://appt-001-iom.IOM.DOMAIN.COM:5986/wsman
<appt-001-iom.IOM.DOMAIN.COM> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
Traceback (most recent call last):
  File "/root/ansible/lib/ansible/plugins/connection/winrm.py", line 211, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
    prepared_request = self.session.prepare_request(request)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 407, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 306, in prepare
    self.prepare_auth(auth, url)
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 543, in prepare_auth
    r = auth(self)
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 308, in __call__
    auth_header = self.generate_request_header(None, host, is_preemptive=True)
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
    raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
KerberosExchangeError: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))

fatal: [appt-001-iom.IOM.DOMAIN.COM]: UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true
}
        to retry, use: --limit @/root/ansible-iom/windows.retry


As you can see the ticket request succeeds but I still get the error about the server not being found. DNS looks good - I can resolve both ways. WinRM config:


Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 2147483647
        MaxShellsPerUser = 2147483647

Let me know if you need anything further - any ideas?

Best Regards,

Michael Eaton | DevOps Engineer
T: +44 (0) 203 4688271 | M: +44 (0) 7624 267 407
E: [email protected]
W: www.iforium.com

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jordan Borean
Sent: 29 March 2017 21:56
To: Ansible Project <[email protected]>
Subject: [ansible-project] Kerberos Auth - the specified credentials were rejected by the server


Are you able to set ansible_winrm_transport to Kerberos and see if that works out? I also believe in 2.4 there was a change made where Ansible will get the Kerberos ticket for you, removing the need for getting it manually beforehand. Another thing that would be good to know is the output of 'winrm get winrm/config' when running on your Windows server.


--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/ORVozS2Nwqk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/3a2fe4e4-91ff-4080-b328-795a1b3cb53c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
