I hope I got all:


(venv_ansible)[userid@ansiblehost ~/ansible_test]$ pip list
ansible (2.4.3.0)
asn1crypto (0.24.0)
bcrypt (3.1.4)
certifi (2018.1.18)
cffi (1.11.5)
chardet (3.0.4)
cryptography (2.1.4)
enum34 (1.1.6)
idna (2.6)
ipaddress (1.0.19)
Jinja2 (2.10)
MarkupSafe (1.0)
ntlm-auth (1.0.6)
paramiko (2.4.0)
pip (9.0.1)
pyasn1 (0.4.2)
pycparser (2.18)
pycrypto (2.6.1)
pykerberos (1.2.1)
PyNaCl (1.2.1)
pywinrm (0.3.0)
PyYAML (3.12)
requests (2.18.4)
requests-kerberos (0.12.0)
requests-ntlm (1.1.0)
setuptools (38.5.1)
six (1.11.0)
urllib3 (1.22)
xmltodict (0.11.0)





(venv_ansible)[userid@ansiblehost ~/ansible_test]$ cat hosts

[windows]
server2016.domain.local      #windows 2016
server2012r2.domain.local    #windows 2012 r2

[all:vars]
ansible_port=5985
ansible_user=userid@DOMAIN.LOCAL
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_winrm_transport=kerberos
ansible_winrm_operation_timeout_sec=60
ansible_winrm_read_timeout_sec=70


(venv_ansible)[userid@ansiblehost ~/ansible_test]$ ansible -m win_ping -i hosts windows -vvvvvv
ansible 2.4.3.0
  config file = None
  configured module search path = [u'/home/userid/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/userid/venv_ansible/local/lib/python2.7/site-packages/ansible
  executable location = /home/userid/venv_ansible/bin/ansible
  python version = 2.7.9 (default, Jun 29 2016, 13:08:31) [GCC 4.9.2]
No config file found; using defaults
setting up inventory plugins
Parsed /home/userid/ansible_test/hosts inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from /home/userid/venv_ansible/local/lib/python2.7/site-packages/ansible/plugins/callback/minimal.pyc
META: ran handlers
Using module file /home/userid/venv_ansible/local/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1
Using module file /home/userid/venv_ansible/local/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1
<server2016.domain.local> ESTABLISH WINRM CONNECTION FOR USER: userid@DOMAIN.LOCAL on PORT 5985 TO server2016.domain.local
checking if winrm_host server2016.domain.local is an IPv6 address
<server2012r2.domain.local> ESTABLISH WINRM CONNECTION FOR USER: userid@DOMAIN.LOCAL on PORT 5985 TO server2012r2.domain.local
<server2016.domain.local> WINRM CONNECT: transport=kerberos endpoint=http://server2016.domain.local:5985/wsman
checking if winrm_host server2012r2.domain.local is an IPv6 address
<server2012r2.domain.local> WINRM CONNECT: transport=kerberos endpoint=http://server2012r2.domain.local:5985/wsman
<server2016.domain.local> WINRM CONNECTION ERROR: Bad HTTP response returned from server. Code 400
Traceback (most recent call last):
  File "/home/userid/venv_ansible/local/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 240, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8
  File "/home/userid/venv_ansible/local/lib/python2.7/site-packages/winrm/protocol.py", line 157, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/home/userid/venv_ansible/local/lib/python2.7/site-packages/winrm/protocol.py", line 242, in send_message
    raise ex
WinRMTransportError: Bad HTTP response returned from server. Code 400

server2016.domain.local | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: Bad HTTP response returned from server. Code 400",
    "unreachable": true
}
<server2012r2.domain.local> WINRM CONNECTION ERROR: Bad HTTP response returned from server. Code 400
Traceback (most recent call last):
  File "/home/userid/venv_ansible/local/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 240, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8
  File "/home/userid/venv_ansible/local/lib/python2.7/site-packages/winrm/protocol.py", line 157, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/home/userid/venv_ansible/local/lib/python2.7/site-packages/winrm/protocol.py", line 242, in send_message
    raise ex
WinRMTransportError: Bad HTTP response returned from server. Code 400

server2012r2.domain.local | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: Bad HTTP response returned from server. Code 400",
    "unreachable": true
}







(venv_ansible)[userid@ansiblehost ~/ansible_test]$ krb5-config --version
Kerberos 5 release 1.12.1



(venv_ansible)[userid@ansiblehost ~/ansible_test]$ cat /etc/debian_version
8.9


(venv_ansible)[userid@ansiblehost ~/ansible_test]$ cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MANAGEMENT.LOCAL
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
 allow_weak_crypto = true
 udp_preference_limit = 1
 kdc_timeout = 1000
 forwardable = true

[realms]
  MANAGEMENT.LOCAL = {
   default_domain = MANAGEMENT.LOCAL
  }

[domain_realm]
 .management.local = MANAGEMENT.LOCAL
 management.local = MANAGEMENT.LOCAL


[appdefaults]
 pam = {
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
 }

 
(venv_ansible)[userid@ansiblehost ~/ansible_test]$ klist -e

Ticket cache: FILE:/tmp/krb5cc_1000019852
Default principal: userid@DOMAIN.LOCAL

Valid starting       Expires              Service principal
03/02/2018 09:00:41  03/02/2018 19:00:41  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 03/03/2018 09:00:39, Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
03/02/2018 09:00:53  03/02/2018 19:00:41  HTTP/server2016.domain.local@
        renew until 03/03/2018 09:00:39, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
03/02/2018 09:00:53  03/02/2018 19:00:41  HTTP/server2016.domain.local@DOMAIN.LOCAL
        renew until 03/03/2018 09:00:39, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
03/02/2018 09:00:53  03/02/2018 19:00:41  HTTP/server2012r2.domain.local@
        renew until 03/03/2018 09:00:39, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
03/02/2018 09:00:53  03/02/2018 19:00:41  HTTP/server2012r2.domain.local@DOMAIN.LOCAL
        renew until 03/03/2018 09:00:39, Etype (skey, tkt): arcfour-hmac, arcfour-hmac


Yes, the Ansible controller is a member of a different domain than the Windows servers. This wasn't a problem and also shouldn't be in this case.

jn
