Time is definitely good. I run ntpdate in my vagrant provisioning script just to be sure.
On Tue, Apr 4, 2017 at 2:20 PM, cupcake <[email protected]> wrote:
> Sanity check; is time in sync? Windows AD/Kerberos won't auth if the skew is
> more than 5 or 10 minutes off. I also saw some weirdness like this recently,
> and a reboot and then kinit again made it work, but I think due to another
> config reason on my part.
>
> On Tuesday, April 4, 2017 at 9:09:27 AM UTC-4, William McKenzie wrote:
>> I think that's what I'm doing.
>>
>> I've tried doing the kinit from the console, doing the kinit in a cron
>> job, doing the kinit manually in a playbook before running the winrm
>> playbook, and doing it as a local_action in the winrm playbook itself.
>>
>> In all cases (except the last one), the kinit succeeds; I can use klist
>> to see the tickets (logged in as the awx user). I can see the credential
>> cache with the correct owner and attributes in the /tmp directory. I've
>> also tried using the KEYRING instead of the FILE cache. For whatever
>> reason, the winrm job is unable to see the credentials in the cache.
>>
>> When I run this playbook, it fails:
>>
>> ---
>> - name: WinPing
>>   hosts: all
>>
>>   tasks:
>>     - name: kinit
>>       # 'shell' rather than 'command': the pipe is only interpreted by a shell
>>       local_action: shell echo "xxxxxxx" | kinit -l 7d -r 7d -pf [email protected]
>>
>>     - name: ping
>>       win_ping:
>>
>> Produces this output. It seems to be running task setup before running my
>> local action, and setup fails.
>>
>> TASK [setup] *******************************************************************
>> Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/windows/setup.ps1
>> <louis.home.cartewright.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO louis.home.cartewright.com
>> <louis.home.cartewright.com> WINRM CONNECT: transport=kerberos endpoint=https://louis.home.cartewright.com:5986/wsman
>> <louis.home.cartewright.com> WINRM CONNECTION ERROR: authGSSClientInit() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
>> Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>>     self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>>     res = self.send_message(xmltodict.unparse(req))
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>>     return self.transport.send_message(message)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
>>     prepared_request = self.session.prepare_request(request)
>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packag…
>>
>> On Monday, April 3, 2017 at 4:37:12 PM UTC-5, Matt Davis wrote:
>>> Ansible doesn't manage the tickets for you until Ansible Core 2.3 (still
>>> in release candidate). Anything earlier, you'll have to do the kinit on the
>>> controller yourself (either via a cron job or as part of your playbook with
>>> a local action).
>>>
>>> On Monday, April 3, 2017 at 7:27:21 AM UTC-7, William McKenzie wrote:
>>>> Here's my setup:
>>>>
>>>> Ansible Tower 3.1.1, Basic License, using the vagrant box, with some
>>>> post-provisioning steps to set up krb5 and join the box to my domain.
>>>>
>>>> Kerberos configuration is good. I can kinit, klist, etc. etc. from the
>>>> command line.
>>>>
>>>> python winrm is good:
>>>>
>>>> [vagrant@ansible-tower ~]$ sudo su - awx
>>>> Last login: Sat Apr 1 23:12:18 JST 2017 on pts/1
>>>>
>>>> *Welcome to Ansible Tower!*
>>>>
>>>> Log into the web interface here: etc...
>>>>
>>>> -bash-4.2$ cat test.py
>>>> import sys
>>>> from winrm.protocol import Protocol
>>>>
>>>> HYPERV_SERVER = 'https://louis.home.cartewright.com:5986/wsman'
>>>>
>>>> class RM():
>>>>     def __init__(self):
>>>>         # Kerberos transport using the TGT already in the credential cache;
>>>>         # 'ignore' disables TLS certificate checking on the WinRM endpoint.
>>>>         self.win_connect = Protocol(endpoint=HYPERV_SERVER, transport='kerberos', server_cert_validation='ignore')
>>>>
>>>>     def test(self):
>>>>         shell_id = self.win_connect.open_shell()
>>>>         cmd = "dir"
>>>>         command_id = self.win_connect.run_command(shell_id, cmd)
>>>>         output, error_value, exit_status = self.win_connect.get_command_output(shell_id, command_id)
>>>>         self.win_connect.cleanup_command(shell_id, command_id)
>>>>         self.win_connect.close_shell(shell_id)
>>>>         print output
>>>>
>>>> def main():
>>>>     rm = RM()
>>>>     rm.test()
>>>>
>>>> if __name__ == '__main__':
>>>>     main()
>>>>     sys.exit()
>>>>
>>>> -bash-4.2$ python test.py
>>>>  Volume in drive C is SAMSUNG 512GB SSD
>>>>  Volume Serial Number is 2C8F-7BFA
>>>>
>>>>  Directory of C:\Users\ansible
>>>>
>>>> 03/31/2017  11:04 AM    <DIR>          .
>>>> 03/31/2017  11:04 AM    <DIR>          ..
>>>> 07/16/2016  06:47 AM    <DIR>          Desktop
>>>> 03/31/2017  11:04 AM    <DIR>          Documents
>>>> 07/16/2016  06:47 AM    <DIR>          Downloads
>>>> 07/16/2016  06:47 AM    <DIR>          Favorites
>>>> 07/16/2016  06:47 AM    <DIR>          Links
>>>> 07/16/2016  06:47 AM    <DIR>          Music
>>>> 07/16/2016  06:47 AM    <DIR>          Pictures
>>>> 07/16/2016  06:47 AM    <DIR>          Saved Games
>>>> 07/16/2016  06:47 AM    <DIR>          Videos
>>>>                0 File(s)              0 bytes
>>>>               11 Dir(s)  291,787,771,904 bytes free
>>>>
>>>> -bash-4.2$
>>>>
>>>> So now, I manually create some inventory in the default
>>>> directories/files for ansible (not Tower). Works perfectly:
>>>>
>>>> -bash-4.2$ cat /etc/ansible/group_vars/windows.yml
>>>> ansible_connection: winrm
>>>> ansible_user: [email protected]
>>>> ansible_password: R1pflash
>>>> ansible_winrm_server_cert_validation: ignore
>>>>
>>>> -bash-4.2$ ansible windows -m win_ping -v
>>>> Using /etc/ansible/ansible.cfg as config file
>>>> louis.home.cartewright.com | SUCCESS => {
>>>>     "changed": false,
>>>>     "ping": "pong"
>>>> }
>>>>
>>>> Now, I create the exact same inventory in Tower, exact same credentials
>>>> ([email protected]), and no matter how I tweak it, always
>>>> the same thing:
>>>>
>>>> Using /etc/ansible/ansible.cfg as config file
>>>> SSH password:
>>>> Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/windows/win_ping.ps1
>>>> <louis.home.cartewright.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO louis.home.cartewright.com
>>>> <louis.home.cartewright.com> WINRM CONNECT: transport=kerberos endpoint=https://louis.home.cartewright.com:5986/wsman
>>>> <louis.home.cartewright.com> WINRM CONNECTION ERROR: authGSSClientInit() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
>>>> Traceback (most recent call last):
>>>>   File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>>>>     self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>>>>     res = self.send_message(xmltodict.unparse(req))
>>>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>>>>     return self.transport.send_message(message)
>>>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
>>>>     prepared_request = self.session.prepare_request(request)
>>>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", line 394, in prepare_request
>>>>     hooks=merge_hooks(request.hooks, self.hooks),
>>>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 298, in prepare
>>>>     self.prepare_auth(auth, url)
>>>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", line 500, in prepare_auth
>>>>     r = auth(self)
>>>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 308, in __call__
>>>>     auth_header = self.generate_request_header(None, host, is_preemptive=True)
>>>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
>>>>     raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
>>>> KerberosExchangeError: authGSSClientInit() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ("Can't find client principal [email protected] in cache collection", -1765328243))
>>>> <louis.home.cartewright.com> WINRM CONNECT: transport=ssl endpoint=https://louis.home.cartewright.com:5986/wsman
>>>> <louis.home.cartewright.com> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
>>>> Traceback (most recent call last):
>>>>   File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
>>>>     self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
>>>>     res = self.send_message(xmltodict.unparse(req))
>>>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
>>>>     return self.transport.send_message(message)
>>>>   File "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", line 190, in send_message
>>>>     raise InvalidCredentialsError("the specified credentials were rejected by the server")
>>>> InvalidCredentialsError: the specified credentials were rejected by the server
>>>> louis.home.cartewright.com | UNREACHABLE! => {
>>>>     "changed": false,
>>>>     "msg": "kerberos: authGSSClientInit() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), (\"Can't find client principal [email protected] in cache collection\", -1765328243)), ssl: the specified credentials were rejected by the server",
>>>>     "unreachable": true
>>>> }
>>>>
>>>> Just completely unable to find the credentials in the cache, no matter
>>>> how I do it. I've put the password in the Tower credentials, in the
>>>> inventory, using ASK; no matter what I do, it cannot find credentials.
>>>>
>>>> What am I missing?
>>>>
>>>> ~Bill
>>>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Ansible Project" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/ansible-project/-7e0do1u8dk/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/5ca67b34-4b01-4c10-bb3a-5956d24c24ad%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAC7g-J39tf9M4PdEVJ%3D6OUWckfXiWHisoH3NBdVp0OqnrnVq_g%40mail.gmail.com.
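The error in the thread above comes from the GSSAPI layer (python-kerberos under requests_kerberos under pywinrm) asking for a credential for the principal given as ansible_user and not finding it in the credential cache that the job process opens. Before tuning Tower it is worth confirming, for the uid and environment the job actually runs with, that three things line up: which cache the library will open (KRB5CCNAME if set, otherwise MIT's stock default FILE:/tmp/krb5cc_<uid>), that the default principal stored there is exactly the ansible_user string (principal names are compared case-sensitively, so a lower-case realm in ansible_user will not match the upper-case realm kinit stored), and that the TGT has not expired. The script below is an added example written for this page, not code from the thread, from Ansible or from pywinrm. It parses MIT klist output and reports every mismatch; the embedded sample output is constructed (the principal ansible@EXAMPLE.COM, uid 1000 and the timestamps are invented). It assumes default_ccache_name was not changed in krb5.conf and models only a FILE cache; a KEYRING or DIR collection can hold several principals and is not modelled.

```python
#!/usr/bin/env python
"""Check that a Kerberos credential cache matches what Ansible's winrm
connection will ask for.

python-kerberos (via requests_kerberos) acquires a credential for the
principal in ansible_user. That only succeeds if the cache the *job process*
opens already holds a TGT for exactly that principal. This script models the
lookup for a FILE cache and lists every reason it would fail.
Added example; not code from the mailing-list thread, Ansible or pywinrm.
"""
import os
import re
import subprocess
import sys
from datetime import datetime

# Lines of MIT klist output we care about (format as seen on RHEL 7).
_CACHE_RE = re.compile(r"^Ticket cache:\s*(\S+)", re.M)
_PRINCIPAL_RE = re.compile(r"^Default principal:\s*(\S+)", re.M)
_TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)", re.M)
_TIME_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample klist output; principal, uid and times are invented.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ansible@EXAMPLE.COM

Valid starting       Expires              Service principal
04/04/2017 07:30:00  04/04/2017 17:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/11/2017 07:30:00
"""


def parse_time(text):
    """Parse a klist timestamp such as '04/04/2017 07:30:00'."""
    return datetime.strptime(text, _TIME_FMT)


def default_ccache(env, uid):
    """Cache the GSSAPI library opens: $KRB5CCNAME if set, otherwise the stock
    MIT default FILE:/tmp/krb5cc_<uid> (assumes default_ccache_name is unset)."""
    return env.get("KRB5CCNAME") or "FILE:/tmp/krb5cc_%d" % uid


def parse_klist(text):
    """Return (cache name, default principal, [(start, expiry, service)])."""
    cache = _CACHE_RE.search(text)
    principal = _PRINCIPAL_RE.search(text)
    tickets = [(parse_time(s), parse_time(e), svc)
               for s, e, svc in _TICKET_RE.findall(text)]
    return (cache.group(1) if cache else None,
            principal.group(1) if principal else None, tickets)


def diagnose(klist_output, ansible_user, env, uid, now):
    """Findings explaining why acquiring a credential for ansible_user would
    fail against this cache; an empty list means it should succeed."""
    findings = []
    cache, principal, tickets = parse_klist(klist_output)
    if cache is None or principal is None:
        return ["no credential cache: run kinit as the uid the job runs under"]

    expected = default_ccache(env, uid)
    if cache != expected:
        findings.append("job process opens %s but kinit filled %s (different "
                        "uid, or KRB5CCNAME set only in the interactive shell)"
                        % (expected, cache))

    if principal != ansible_user:
        user, _, realm = ansible_user.rpartition("@")
        cuser, _, crealm = principal.rpartition("@")
        if user == cuser and realm.upper() == crealm.upper():
            findings.append("realm case mismatch: ansible_user %r vs cached %r; "
                            "principal names are compared case-sensitively"
                            % (ansible_user, principal))
        else:
            findings.append("cache holds %r, not %r" % (principal, ansible_user))

    crealm = principal.rpartition("@")[2]
    tgt = [t for t in tickets if t[2] == "krbtgt/%s@%s" % (crealm, crealm)]
    if not tgt:
        findings.append("no TGT (krbtgt/%s) in cache" % crealm)
    elif tgt[0][1] <= now:
        findings.append("TGT expired at %s; kinit (or kinit -R) again"
                        % tgt[0][1].strftime(_TIME_FMT))
    return findings


def main():
    # Use the real cache when klist is available, else the constructed sample.
    try:
        out = subprocess.check_output(["klist"]).decode("utf-8", "replace")
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_KLIST
    user = sys.argv[1] if len(sys.argv) > 1 else "ansible@EXAMPLE.COM"
    for line in diagnose(out, user, os.environ, os.getuid(), datetime.now()) or ["OK"]:
        print(line)


if __name__ == "__main__":
    main()
```

Run it as the job's user (for example under sudo -u awx) and with the environment the job inherits, not from an interactive login shell, since a login shell can carry a KRB5CCNAME that the job never sees. Note also that in a play the implicit setup task (fact gathering) opens the WinRM connection before the first entry in tasks runs, so a kinit placed there is already too late; to obtain the ticket inside the play, set gather_facts: no, run the kinit first, and call the setup module explicitly afterwards if facts are needed.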
