Looks like you are on the right track where you can get a valid Kerberos 
ticket using kinit but your Ansible config needs a few more settings so it 
runs through Kerberos. Looking at the error message it is still trying to 
authenticate using Basic auth "plaintext" and not Kerberos. Also 
ansible_ssh_user has been deprecated in favour of ansible_user which is 
probably why it doesn't detect to use Kerberos.

Try setting the following vars in your inventory

ansible_user=ans...@uat.intra.com
ansible_password=password here
ansible_port=5985
ansible_connection=winrm
ansible_winrm_transport=kerberos

3 things to say though when looking at your settings:

* If you upgrade to Ansible 2.3 you don't have to manually get a ticket 
beforehand using kinit, Ansible will do this for you which is a massive 
plus around automating this all
* You can also use NTLM and CredSSP auth with domain accounts but Kerberos 
is definitely the most secure out of the 3
* You should be using HTTPS instead of HTTP as your messages and headers 
are in plaintext with HTTP which is a big no-no in security.

The ConfigureRemotingForAnsible.ps1 script will set up a HTTPS listener 
with a self-signed cert for testing. You should use a proper cert if 
running this in production, my workplace's environment uses ADCS to set up a 
host certificate on each Windows box making it quite easy for us.

Thanks

Jordan

On Friday, April 21, 2017 at 9:13:45 AM UTC+10, Siva-Ansile wrote:
>
> Hi Team,
>
> I have a new requirement to install an agent in 1500 windows machines, all 
> these machines are Domain managed VMs. When I try to connect using local 
> user, I am able to connect the windows box, But when I use AD credentials 
> it's not working. Let me share my current Setup here. Please help.
>
> Windows VM settings:-
>
>
>    1. Enabled WINRM
>    2. Ran the script in the remote Windows VM:
>       ConfigureRemotingForAnsible.ps1
>       <https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1>
>
> Ansible Host:(Linux RHEL 7.2)
> Installed packages:
>
>    1.  Ansible 2.2.1.0
>    2.  Python 2.7.5
>    3.  krb5-workstation-1.14.1-27.el7_3.x86_64
>    4.  krb5-devel-1.14.1-27.el7_3.x86_64
>    5.  krb5-libs-1.14.1-27.el7_3.x86_64
>    6. kerberos
>
> Krb5.conf entry as below:
>
>  [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [realms]
>  UAT.INTRA.COM = {
>  kdc = winad23987.uat.intra.com
>  admin_server = winad23987.uat.intra.com
>  }
>
> [domain_realm]
>  .uat.intra.com = UAT.INTRA.COM
>
> ==============
> Kinit and Klist as below:-
>
>
> [root@liuatasans01 ~]# kinit ans...@uat.intra.com
> Password for ans...@uat.intra.com:
>
> [root@liuatasans01 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ans...@uat.intra.com
>
> Valid starting       Expires              Service principal
> 04/20/2017 18:31:59  04/21/2017 04:31:59  krbtgt/uat.in...@uat.intra.com
>         renew until 04/21/2017 18:31:55
> [root@liuatasans01 ~]#
>
> ============================
> Inventory file as below:-
>
> /etc/ansible/hosts
>
> [windows]
> 172.45.17.182
>
> [windows:vars]
>
>   ansible_ssh_user=ans...@uat.intra.com
>   ansible_password="P@$$wo6d"
>   ansible_port=5985
>   ansible_connection=winrm
>
> =====================================
> Error as below:-(while trying to connect the AD user)
>
>   [root@liuatasans01 ~]# ansible windows -m win_ping
> 172.45.17.182 | UNREACHABLE! => {
>     "changed": false,
>     "msg": "kerberos: __init__() got an unexpected keyword argument 
> 'hostname_override', plaintext: auth method plaintext requires a password",
>     "unreachable": true
> }
>
> ====================================
>
> Working when connecting as windows local user:-
>
> [root@liuatasans01 ~]# ansible windows -m win_ping
>
> 172.45.17.182 | SUCCESS => {
>     "changed": false,
>     "ping": "pong"
> }
>
> =================================
>
>
> Please help to fix the issue:
>
> While connecting as AD user, getting the below error in the windows Audit 
> log
>
>
> The computer attempted to validate the credentials for an account.
>
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon Account: ans...@uat.intra.com
> Source Workstation: winvmuatiis7202
> Error Code: 0xC0000064 
> ================================
>
> Appreciate your help on this
>
>
>
>
>
>
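
The three points raised in the reply (deprecated `ansible_ssh_user`, no Kerberos transport, HTTP listener on 5985) can be checked mechanically before a run. The following is an added example, not code from the thread or from Ansible; the function name, finding codes and the placeholder account and password are assumptions made for illustration.

```python
import configparser

# Constructed sample modelled on the inventory in the question; the account
# name and password are placeholders, not values from the thread.
QUESTION_INVENTORY = """\
[windows]
172.45.17.182

[windows:vars]
ansible_ssh_user=svc_example@uat.intra.com
ansible_password=placeholder
ansible_port=5985
ansible_connection=winrm
"""

def audit_winrm_inventory(text):
    """Return sorted (group, finding_code) pairs for each [group:vars] block using winrm."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",), strict=False)
    cp.optionxform = str  # keep variable names case-sensitive
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.endswith(":vars"):
            continue  # host lists are not inspected, only group variables
        v = {k: (val or "").strip().strip("\"'") for k, val in cp[section].items()}
        if v.get("ansible_connection") != "winrm":
            continue
        group = section[:-len(":vars")]
        # Old variable name only: the reply suggests ansible_user instead.
        if "ansible_ssh_user" in v and "ansible_user" not in v:
            findings.append((group, "deprecated-ansible_ssh_user"))
        # No transport set, or one other than the Kerberos the reply recommends.
        transport = v.get("ansible_winrm_transport", "")
        if not transport:
            findings.append((group, "transport-not-set"))
        elif transport != "kerberos":
            findings.append((group, "transport-not-kerberos"))
        # Port 5985 is the WinRM HTTP listener: messages and headers are unencrypted.
        if v.get("ansible_port") == "5985" or v.get("ansible_winrm_scheme") == "http":
            findings.append((group, "http-listener-plaintext"))
    return sorted(findings)

if __name__ == "__main__":
    for group, code in audit_winrm_inventory(QUESTION_INVENTORY):
        print(f"[{group}] {code}")
```

Applied to the variables suggested in the reply, only the HTTP listener finding remains, which matches the reply's third point.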
