I think that's what I'm doing.

I've tried doing the kinit from the console, doing the kinit in a cron job, 
doing the kinit manually in a playbook before running the winrm playbook, 
and doing it as a local_action in the winrm playbook itself.

In all cases (except the last one), the kinit succeeds; I can use klist to 
see the tickets (logged in as awx user). I can see the credential cache 
with the correct owner and attributes in the /tmp directory. I've also 
tried using the KEYRING instead of the FILE cache. For whatever reason, the 
winrm job is unable to see the credentials in the cache. 

When I run this playbook, it fails:
---
- name: WinPing
  hosts: all
    
  tasks:
  - name: knit
    local_action: command echo "xxxxxxx" | kinit -l 7d -r 7d -pf [email protected]
  
  - name: ping
    win_ping:




Produces this output. It seems to be running task setup before running my 
local action, and setup fails.


TASK [setup] ******************************************************************* 07:39:32
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/windows/setup.ps1
<louis.home.cartewright.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO louis.home.cartewright.com
<louis.home.cartewright.com> WINRM CONNECT: transport=kerberos endpoint=https://louis.home.cartewright.com:5986/wsman
<louis.home.cartewright.com> WINRM CONNECTION ERROR: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
    prepared_request = self.session.prepare_request(request)
  File "/var/lib/awx/venv/ansible/lib/python2.7/site-packag…




On Monday, April 3, 2017 at 4:37:12 PM UTC-5, Matt Davis wrote:
>
> Ansible doesn't manage the tickets for you until Ansible Core 2.3 (still 
> in release candidate). Anything earlier, you'll have to do the kinit on the 
> controller yourself (either via a cron job or as part of your playbook with 
> a local action). 
>
> On Monday, April 3, 2017 at 7:27:21 AM UTC-7, William McKenzie wrote:
>>
>> Here's my setup:
>>
>> Ansible Tower 3.1.1, Basic License, using the vagrant box, with some 
>> post-provisioning steps to set up krb5 and join the box to my domain.
>>
>> Kerberos configuration is good. I can kinit, klist, etc. etc. from 
>> command line.
>>
>> python winrm is good:
>>
>> vagrant@ansible-tower ~]$ sudo su - awx
>>
>> Last login: Sat Apr  1 23:12:18 JST 2017 on pts/1
>>
>>
>> *Welcome to Ansible Tower!*
>>
>> Log into the web interface here: etc...
>>
>> -bash-4.2$ cat test.py
>>
>> import sys
>> from winrm.protocol import Protocol
>>
>> HYPERV_SERVER = 'https://louis.home.cartewright.com:5986/wsman'
>>
>> class RM():
>>
>>     def __init__(self):
>>         self.win_connect = Protocol(endpoint=HYPERV_SERVER, transport='kerberos', server_cert_validation='ignore')
>>
>>     def test(self):
>>         shell_id = self.win_connect.open_shell()
>>         cmd = "dir"
>>         command_id = self.win_connect.run_command(shell_id, cmd)
>>         output,error_value,exit_status = self.win_connect.get_command_output(shell_id, command_id)
>>         self.win_connect.cleanup_command(shell_id, command_id)
>>         self.win_connect.close_shell(shell_id)
>>         print output
>>
>> def main():
>>     rm = RM()
>>     rm.test()
>>
>> if __name__ == '__main__':
>>     main()
>>     sys.exit()
>>
>> -bash-4.2$ python test.py
>>
>> Volume in drive C is SAMSUNG 512GB SSD
>> Volume Serial Number is 2C8F-7BFA
>>
>> Directory of C:\Users\ansible
>>
>> 03/31/2017  11:04 AM    <DIR>          .
>> 03/31/2017  11:04 AM    <DIR>          ..
>> 07/16/2016  06:47 AM    <DIR>          Desktop
>> 03/31/2017  11:04 AM    <DIR>          Documents
>> 07/16/2016  06:47 AM    <DIR>          Downloads
>> 07/16/2016  06:47 AM    <DIR>          Favorites
>> 07/16/2016  06:47 AM    <DIR>          Links
>> 07/16/2016  06:47 AM    <DIR>          Music
>> 07/16/2016  06:47 AM    <DIR>          Pictures
>> 07/16/2016  06:47 AM    <DIR>          Saved Games
>> 07/16/2016  06:47 AM    <DIR>          Videos
>>               0 File(s)              0 bytes
>>              11 Dir(s)  291,787,771,904 bytes free
>>
>>
>> -bash-4.2$ 
>>
>> So now, I manually create some inventory in the default directories/files 
>> for ansible (not Tower). Works perfectly:
>>
>> -bash-4.2$ cat /etc/ansible/group_vars/windows.yml 
>>
>> ansible_connection: winrm
>> ansible_user: [email protected]
>> ansible_password: R1pflash
>> ansible_winrm_server_cert_validation: ignore
>>
>>
>> -bash-4.2$ 
>>
>> -bash-4.2$ ansible windows -m win_ping -v
>> Using /etc/ansible/ansible.cfg as config file
>> louis.home.cartewright.com | SUCCESS => {
>>     "changed": false, 
>>     "ping": "pong"
>> }
>>
>>
>> Now, I create the exact same inventory in tower, exact same credentials 
>> ([email protected]) and no matter how I tweak 
>> it, always the same thing:
>>
>> Using /etc/ansible/ansible.cfg as config file
>> SSH password:
>> Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/windows/win_ping.ps1
>> <louis.home.cartewright.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO louis.home.cartewright.com
>> <louis.home.cartewright.com> WINRM CONNECT: transport=kerberos endpoint=https://louis.home.cartewright.com:5986/wsman
>> <louis.home.cartewright.com> WINRM CONNECTION ERROR: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>>     self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>>     res = self.send_message(xmltodict.unparse(req))
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>>     return self.transport.send_message(message)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
>>     prepared_request = self.session.prepare_request(request)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 394, in prepare_request
>>     hooks=merge_hooks(request.hooks, self.hooks),
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 298, in prepare
>>     self.prepare_auth(auth, url)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 500, in prepare_auth
>>     r = auth(self)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 308, in __call__
>>     auth_header = self.generate_request_header(None, host, is_preemptive=True)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
>>     raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
>> KerberosExchangeError: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
>> <louis.home.cartewright.com> WINRM CONNECT: transport=ssl endpoint=https://louis.home.cartewright.com:5986/wsman
>> <louis.home.cartewright.com> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>>     self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>>     res = self.send_message(xmltodict.unparse(req))
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>>     return self.transport.send_message(message)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 190, in send_message
>>     raise InvalidCredentialsError("the specified credentials were rejected by the server")
>> InvalidCredentialsError: the specified credentials were rejected by the server
>> louis.home.cartewright.com | UNREACHABLE! => { "changed": false, "msg": "kerberos: authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), (\"Can't find client principal [email protected] in cache collection\", -1765328243)), ssl: the specified credentials were rejected by the server", "unreachable": true }
>>
>>
>> Just completely unable to find the credentials in the cache, no matter 
>> how I do it. I've put the password in the tower credentials, in the 
>> inventory, using ASK, no matter what I do, it cannot find credentials.
>>
>> What am I missing?
>>
>> ~Bill 
>>
>
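
A diagnostic playbook for the symptom in this thread, added here as an example and not written by anyone in the thread: it turns off fact gathering (the output above shows `setup` running over WinRM before any task), prints which user and credential cache the job process itself sees, and runs kinit in that same environment before `win_ping`. The principal value is a placeholder, and `krb_principal`, `krb_password` and `KRB_PW` are hypothetical names.

```yaml
---
# Added example. Placeholders: krb_principal value; krb_password is a
# hypothetical variable supplied from a vault or a Tower extra var.
- name: Inspect the Kerberos view of the job process, then get a ticket
  hosts: localhost
  connection: local
  gather_facts: no
  vars:
    krb_principal: "USER@EXAMPLE.REALM"   # placeholder principal
  tasks:
    - name: Record who the job runs as and which cache it will search
      shell: |
        id
        echo "KRB5CCNAME=${KRB5CCNAME:-<unset, library default>}"
        klist -l || true
      register: before
      changed_when: false

    - debug:
        var: before.stdout_lines

    # shell, not command: the command module does not interpret the pipe.
    # The password arrives via the environment, not the command line, and
    # no_log keeps it out of the job output.
    - name: kinit in the same environment the WinRM connection will use
      shell: printf '%s\n' "$KRB_PW" | kinit -l 7d -r 7d -pf "{{ krb_principal }}"
      environment:
        KRB_PW: "{{ krb_password }}"
      no_log: true

    - name: Confirm the principal is now in the cache collection
      command: klist -l
      register: after
      changed_when: false

    - debug:
        var: after.stdout_lines

- name: WinPing
  hosts: all
  gather_facts: no   # otherwise setup runs over WinRM before any task
  tasks:
    - name: ping
      win_ping:
```

Comparing the `before` output with `id` and `klist -l` from an interactive awx shell shows whether the job and the shell resolve the same credential cache.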
