Sanity check: is time in sync? Windows AD/Kerberos won't auth if the skew is more than 5 or 10 minutes off. I also saw some weirdness like this recently, and a reboot and then kinit again made it work, but I think that was due to another config reason on my part.
On Tuesday, April 4, 2017 at 9:09:27 AM UTC-4, William McKenzie wrote:
>
> I think that's what I'm doing.
>
> I've tried doing the kinit from the console, doing the kinit in a cron job, doing the kinit manually in a playbook before running the winrm playbook, and doing it as a local_action in the winrm playbook itself.
>
> In all cases (except the last one), the kinit succeeds; I can use klist to see the tickets (logged in as the awx user). I can see the credential cache with the correct owner and attributes in the /tmp directory. I've also tried using the KEYRING instead of the FILE cache. For whatever reason, the winrm job is unable to see the credentials in the cache.
>
> When I run this playbook, it fails:
>
>     ---
>     - name: WinPing
>       hosts: all
>
>       tasks:
>         - name: kinit
>           # the pipe needs the shell module; `command` does not go through a shell
>           local_action: shell echo "xxxxxxx" | kinit -l 7d -r 7d -pf [email protected]
>
>         - name: ping
>           win_ping:
>
> Produces this output. It seems to be running task setup before running my local action, and setup fails.
>
>     TASK [setup] *******************************************************************
>     Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/windows/setup.ps1
>     <louis.home.cartewright.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO louis.home.cartewright.com
>     <louis.home.cartewright.com> WINRM CONNECT: transport=kerberos endpoint=https://louis.home.cartewright.com:5986/wsman
>     <louis.home.cartewright.com> WINRM CONNECTION ERROR: authGSSClientInit() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
>     Traceback (most recent call last):
>       File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>         self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>         res = self.send_message(xmltodict.unparse(req))
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>         return self.transport.send_message(message)
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
>         prepared_request = self.session.prepare_request(request)
>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packag…
>
> On Monday, April 3, 2017 at 4:37:12 PM UTC-5, Matt Davis wrote:
>>
>> Ansible doesn't manage the tickets for you until Ansible Core 2.3 (still in release candidate). Anything earlier, you'll have to do the kinit on the controller yourself (either via a cron job or as part of your playbook with a local action).
>>
>> On Monday, April 3, 2017 at 7:27:21 AM UTC-7, William McKenzie wrote:
>>>
>>> Here's my setup:
>>>
>>> Ansible Tower 3.1.1, Basic License, using the vagrant box, with some post-provisioning steps to set up krb5 and join the box to my domain.
>>>
>>> Kerberos configuration is good. I can kinit, klist, etc. etc. from the command line.
>>>
>>> python winrm is good:
>>>
>>>     vagrant@ansible-tower ~]$ sudo su - awx
>>>     Last login: Sat Apr 1 23:12:18 JST 2017 on pts/1
>>>
>>>     Welcome to Ansible Tower!
>>>
>>>     Log into the web interface here: etc...
>>>
>>>     -bash-4.2$ cat test.py
>>>     import sys
>>>
>>>     from winrm.protocol import Protocol
>>>
>>>     HYPERV_SERVER = 'https://louis.home.cartewright.com:5986/wsman'
>>>
>>>     class RM():
>>>
>>>         def __init__(self):
>>>             # Kerberos transport: pywinrm picks up the TGT from the credential cache
>>>             self.win_connect = Protocol(endpoint=HYPERV_SERVER, transport='kerberos',
>>>                                         server_cert_validation='ignore')
>>>
>>>         def test(self):
>>>             shell_id = self.win_connect.open_shell()
>>>             cmd = "dir"
>>>             command_id = self.win_connect.run_command(shell_id, cmd)
>>>             output, error_value, exit_status = self.win_connect.get_command_output(shell_id, command_id)
>>>             self.win_connect.cleanup_command(shell_id, command_id)
>>>             self.win_connect.close_shell(shell_id)
>>>             print output
>>>
>>>     def main():
>>>         rm = RM()
>>>         rm.test()
>>>
>>>     if __name__ == '__main__':
>>>         main()
>>>         sys.exit()
>>>
>>>     -bash-4.2$ python test.py
>>>      Volume in drive C is SAMSUNG 512GB SSD
>>>      Volume Serial Number is 2C8F-7BFA
>>>
>>>      Directory of C:\Users\ansible
>>>
>>>     03/31/2017  11:04 AM    <DIR>          .
>>>     03/31/2017  11:04 AM    <DIR>          ..
>>>     07/16/2016  06:47 AM    <DIR>          Desktop
>>>     03/31/2017  11:04 AM    <DIR>          Documents
>>>     07/16/2016  06:47 AM    <DIR>          Downloads
>>>     07/16/2016  06:47 AM    <DIR>          Favorites
>>>     07/16/2016  06:47 AM    <DIR>          Links
>>>     07/16/2016  06:47 AM    <DIR>          Music
>>>     07/16/2016  06:47 AM    <DIR>          Pictures
>>>     07/16/2016  06:47 AM    <DIR>          Saved Games
>>>     07/16/2016  06:47 AM    <DIR>          Videos
>>>                    0 File(s)              0 bytes
>>>                   11 Dir(s)  291,787,771,904 bytes free
>>>
>>>     -bash-4.2$
>>>
>>> So now, I manually create some inventory in the default directories/files for ansible (not Tower). Works perfectly:
>>>
>>>     -bash-4.2$ cat /etc/ansible/group_vars/windows.yml
>>>     ansible_connection: winrm
>>>     ansible_user: [email protected]
>>>     ansible_password: R1pflash
>>>     ansible_winrm_server_cert_validation: ignore
>>>
>>>     -bash-4.2$
>>>     -bash-4.2$ ansible windows -m win_ping -v
>>>     Using /etc/ansible/ansible.cfg as config file
>>>     louis.home.cartewright.com | SUCCESS => {
>>>         "changed": false,
>>>         "ping": "pong"
>>>     }
>>>
>>> Now, I create the exact same inventory in Tower, exact same credentials ([email protected]), and no matter how I tweak it, always the same thing:
>>>
>>>     Using /etc/ansible/ansible.cfg as config file
>>>     SSH password:
>>>     Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/windows/win_ping.ps1
>>>     <louis.home.cartewright.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO louis.home.cartewright.com
>>>     <louis.home.cartewright.com> WINRM CONNECT: transport=kerberos endpoint=https://louis.home.cartewright.com:5986/wsman
>>>     <louis.home.cartewright.com> WINRM CONNECTION ERROR: authGSSClientInit() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
>>>     Traceback (most recent call last):
>>>       File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>>>         self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>>>         res = self.send_message(xmltodict.unparse(req))
>>>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>>>         return self.transport.send_message(message)
>>>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
>>>         prepared_request = self.session.prepare_request(request)
>>>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 394, in prepare_request
>>>         hooks=merge_hooks(request.hooks, self.hooks),
>>>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 298, in prepare
>>>         self.prepare_auth(auth, url)
>>>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 500, in prepare_auth
>>>         r = auth(self)
>>>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 308, in __call__
>>>         auth_header = self.generate_request_header(None, host, is_preemptive=True)
>>>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
>>>         raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
>>>     KerberosExchangeError: authGSSClientInit() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
>>>     <louis.home.cartewright.com> WINRM CONNECT: transport=ssl endpoint=https://louis.home.cartewright.com:5986/wsman
>>>     <louis.home.cartewright.com> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
>>>     Traceback (most recent call last):
>>>       File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>>>         self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>>>         res = self.send_message(xmltodict.unparse(req))
>>>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>>>         return self.transport.send_message(message)
>>>       File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 190, in send_message
>>>         raise InvalidCredentialsError("the specified credentials were rejected by the server")
>>>     InvalidCredentialsError: the specified credentials were rejected by the server
>>>     louis.home.cartewright.com | UNREACHABLE! => {
>>>         "changed": false,
>>>         "msg": "kerberos: authGSSClientInit() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), (\"Can't find client principal [email protected] in cache collection\", -1765328243)), ssl: the specified credentials were rejected by the server",
>>>         "unreachable": true
>>>     }
>>>
>>> Just completely unable to find the credentials in the cache, no matter how I do it. I've put the password in the Tower credentials, in the inventory, using ASK; no matter what I do, it cannot find credentials.
>>>
>>> What am I missing?
>>>
>>> ~Bill
>>>
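The two things this thread keeps circling back to, a credential cache that does not hold the principal the winrm connection plugin will ask GSSAPI for, and clock skew beyond what the KDC tolerates, are both checkable on the controller before a job is ever queued. The script below is an added example and is not code from the thread or from Ansible/pywinrm. The `klist` output it parses is constructed, and the principal `ansible@EXAMPLE.COM`, the cache path, the 5 minute skew limit (the Windows MaxClockSkew default) and the use of `ntpdate -q` in the live check are assumptions, not values from the posts.

```python
"""Pre-flight checks for Kerberos-backed WinRM from an Ansible controller.

Added example, not from the thread. Parses MIT krb5 `klist` output to
decide whether authGSSClientInit() would find a usable TGT for the
principal given as ansible_user, and checks clock skew against the KDC.
"""
import re
import subprocess
from datetime import datetime, timedelta

# Assumption: Windows AD default tolerance (MaxClockSkew) of 5 minutes.
MAX_SKEW = timedelta(minutes=5)

# Constructed sample of `klist` output; principal/realm/path are made up.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: ansible@EXAMPLE.COM

Valid starting       Expires              Service principal
04/04/2017 07:30:00  04/04/2017 17:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/11/2017 07:30:00
"""

# Fixed "now" values so the results below are reproducible.
NOW = datetime(2017, 4, 4, 9, 0, 0)
LATER = NOW + timedelta(days=1)          # TGT above has expired by then
SKEW_OK = NOW + timedelta(minutes=4)     # inside MaxClockSkew
SKEW_BAD = NOW + timedelta(minutes=6)    # outside MaxClockSkew

KLIST_TIME = "%m/%d/%Y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)$",
    re.M,
)


def parse_klist(text):
    """Return (default_principal_or_None, [(start, expires, service), ...])."""
    m = re.search(r"^Default principal:\s*(\S+)$", text, re.M)
    principal = m.group(1) if m else None
    tickets = [
        (datetime.strptime(start, KLIST_TIME), datetime.strptime(end, KLIST_TIME), svc)
        for start, end, svc in TICKET_RE.findall(text)
    ]
    return principal, tickets


def check_ccache(klist_text, expected_principal, now):
    """List reasons GSSAPI would fail to find a usable TGT; empty list means OK."""
    problems = []
    principal, tickets = parse_klist(klist_text)
    if principal is None:
        problems.append("no credential cache / no default principal")
        return problems
    # GSSAPI matches the full principal name, realm included, case-sensitively.
    if principal != expected_principal:
        problems.append("cache principal %s != ansible_user %s" % (principal, expected_principal))
    tgts = [t for t in tickets if t[2].startswith("krbtgt/")]
    if not tgts:
        problems.append("no krbtgt ticket in cache (run kinit)")
    elif all(end <= now for _, end, _ in tgts):
        problems.append("TGT expired at %s (kinit again or renew)" % tgts[0][1])
    return problems


def check_skew(local_time, kdc_time, max_skew=MAX_SKEW):
    """True when |local - kdc| is within the KDC's tolerance (else KRB_AP_ERR_SKEW)."""
    return abs(local_time - kdc_time) <= max_skew


def live_checks(expected_principal, kdc_host):
    """Run the same checks on a real controller; run as the job user (e.g. awx)."""
    klist = subprocess.run(["klist"], capture_output=True, text=True).stdout
    problems = check_ccache(klist, expected_principal, datetime.now())
    # Assumption: `ntpdate -q` is installed; it prints "offset <seconds>" per server.
    out = subprocess.run(["ntpdate", "-q", kdc_host], capture_output=True, text=True).stdout
    m = re.search(r"offset ([-+]?\d+\.\d+)", out)
    if m and abs(float(m.group(1))) > MAX_SKEW.total_seconds():
        problems.append("clock skew %.1fs vs %s exceeds %s" % (float(m.group(1)), kdc_host, MAX_SKEW))
    return problems


if __name__ == "__main__":
    print(check_ccache(SAMPLE_KLIST, "ansible@EXAMPLE.COM", NOW))    # []
    print(check_ccache(SAMPLE_KLIST, "ansible@example.com", NOW))    # realm case mismatch
    print(check_ccache(SAMPLE_KLIST, "ansible@EXAMPLE.COM", LATER))  # expired TGT
    print(check_skew(NOW, SKEW_OK), check_skew(NOW, SKEW_BAD))       # True False
```

Run `live_checks()` under the same account and environment the job actually executes in (for Tower that is the awx user, with whatever KRB5CCNAME the job sees, not the interactive shell you did the kinit from); a cache that `klist` shows in your login shell but this reports missing from the job's environment is exactly the symptom in the traceback above.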
