Here's my setup:

Ansible Tower 3.1.1, Basic License, using the vagrant box, with some 
post-provisioning steps to set up krb5 and join the box to my domain.

Kerberos configuration is good. I can kinit, klist, etc. etc. from command 
line.

python winrm is good:

[vagrant@ansible-tower ~]$ sudo su - awx
Last login: Sat Apr  1 23:12:18 JST 2017 on pts/1

*Welcome to Ansible Tower!*

Log into the web interface here: etc...

-bash-4.2$ cat test.py
import sys

from winrm.protocol import Protocol

HYPERV_SERVER = 'https://louis.home.cartewright.com:5986/wsman'


class RM():

    def __init__(self):
        self.win_connect = Protocol(endpoint=HYPERV_SERVER, transport='kerberos',
                                    server_cert_validation='ignore')

    def test(self):
        shell_id = self.win_connect.open_shell()
        cmd = "dir"
        command_id = self.win_connect.run_command(shell_id, cmd)
        output, error_value, exit_status = self.win_connect.get_command_output(
            shell_id, command_id)
        self.win_connect.cleanup_command(shell_id, command_id)
        self.win_connect.close_shell(shell_id)
        print(output)


def main():
    rm = RM()
    rm.test()


if __name__ == '__main__':
    main()
    sys.exit()

-bash-4.2$ python test.py
Volume in drive C is SAMSUNG 512GB SSD
Volume Serial Number is 2C8F-7BFA

Directory of C:\Users\ansible

03/31/2017  11:04 AM    <DIR>          .
03/31/2017  11:04 AM    <DIR>          ..
07/16/2016  06:47 AM    <DIR>          Desktop
03/31/2017  11:04 AM    <DIR>          Documents
07/16/2016  06:47 AM    <DIR>          Downloads
07/16/2016  06:47 AM    <DIR>          Favorites
07/16/2016  06:47 AM    <DIR>          Links
07/16/2016  06:47 AM    <DIR>          Music
07/16/2016  06:47 AM    <DIR>          Pictures
07/16/2016  06:47 AM    <DIR>          Saved Games
07/16/2016  06:47 AM    <DIR>          Videos
              0 File(s)              0 bytes
             11 Dir(s)  291,787,771,904 bytes free

-bash-4.2$

So now, I manually create some inventory in the default directories/files 
for ansible (not Tower). Works perfectly:

-bash-4.2$ cat /etc/ansible/group_vars/windows.yml
ansible_connection: winrm
ansible_user: [email protected]
ansible_password: R1pflash
ansible_winrm_server_cert_validation: ignore

-bash-4.2$
-bash-4.2$ ansible windows -m win_ping -v
Using /etc/ansible/ansible.cfg as config file
louis.home.cartewright.com | SUCCESS => {
    "changed": false,
    "ping": "pong"
}


Now, I create the exact same inventory in Tower, exact same credentials 
([email protected]) and no matter how I tweak it, always the 
same thing:

Using /etc/ansible/ansible.cfg as config file
SSH password:
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/windows/win_ping.ps1
<louis.home.cartewright.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO louis.home.cartewright.com
<louis.home.cartewright.com> WINRM CONNECT: transport=kerberos endpoint=https://louis.home.cartewright.com:5986/wsman
<louis.home.cartewright.com> WINRM CONNECTION ERROR: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
    prepared_request = self.session.prepare_request(request)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 394, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 298, in prepare
    self.prepare_auth(auth, url)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 500, in prepare_auth
    r = auth(self)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 308, in __call__
    auth_header = self.generate_request_header(None, host, is_preemptive=True)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
    raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
KerberosExchangeError: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
<louis.home.cartewright.com> WINRM CONNECT: transport=ssl endpoint=https://louis.home.cartewright.com:5986/wsman
<louis.home.cartewright.com> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 190, in send_message
    raise InvalidCredentialsError("the specified credentials were rejected by the server")
InvalidCredentialsError: the specified credentials were rejected by the server
louis.home.cartewright.com | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), (\"Can't find client principal [email protected] in cache collection\", -1765328243)), ssl: the specified credentials were rejected by the server",
    "unreachable": true
}


Just completely unable to find the credentials in the cache, no matter how 
I do it. I've put the password in the tower credentials, in the inventory, 
using ASK, no matter what I do, it cannot find credentials.

What am I missing?

~Bill 
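
Added example, not part of the original message: a small parser that splits job output like the above into one record per WinRM transport attempt and extracts the GSS major/minor codes and the principal named in the Kerberos error, so the two failures (Kerberos raised while preparing the request, then the ssl fallback rejected by the server) can be triaged separately. The sample log is constructed, with a placeholder host and principal and one event per line.

```python
import ast
import re

# Constructed sample modelled on the job output in the post; the host and
# principal are placeholders, not values from the original message.
SAMPLE_LOG = """\
<win1.example.test> WINRM CONNECT: transport=kerberos endpoint=https://win1.example.test:5986/wsman
<win1.example.test> WINRM CONNECTION ERROR: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Can't find client principal svc@EXAMPLE.TEST in cache collection", -1765328243))
Traceback (most recent call last):
<win1.example.test> WINRM CONNECT: transport=ssl endpoint=https://win1.example.test:5986/wsman
<win1.example.test> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
"""

CONNECT = re.compile(r"^<([^>]+)> WINRM CONNECT: transport=(\S+) endpoint=(\S+)")
ERROR = re.compile(r"^<[^>]+> WINRM CONNECTION ERROR: (.*)$")
GSS = re.compile(r"^(\w+)\(\) failed: (\(.*\))\s*$")
PRINCIPAL = re.compile(r"client principal (\S+) in cache collection")


def parse_attempts(log):
    """Return one dict per WINRM CONNECT line, with the error that followed it."""
    attempts = []
    for line in log.splitlines():
        m = CONNECT.match(line)
        if m:
            host, transport, endpoint = m.groups()
            attempts.append({"host": host, "transport": transport,
                             "endpoint": endpoint, "error": None, "gss": None})
            continue
        m = ERROR.match(line)
        if not (m and attempts):
            continue  # traceback lines and other noise
        attempt = attempts[-1]
        attempt["error"] = m.group(1)
        g = GSS.match(m.group(1))
        if g:
            # The GSS error args are printed as a Python tuple literal:
            # ((major_text, major_code), (minor_text, minor_code)).
            (_, major), (minor_text, minor) = ast.literal_eval(g.group(2))
            p = PRINCIPAL.search(minor_text)
            attempt["gss"] = {"stage": g.group(1), "major": major, "minor": minor,
                              "principal": p.group(1) if p else None}
    return attempts


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        where = "local credential cache" if a["gss"] else "remote server"
        print("%s via %s: failed at %s: %s" % (a["host"], a["transport"], where, a["error"]))
```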
