Glad to hear it.
On Friday, October 4, 2019 at 8:39:22 AM UTC+1, Piyush Bansal wrote:
>
> Hello J Hawkesworth,
>
> I would like to thank you very much for the suggestion.
> Issue got resolved now.
> Thanks for your help :)
>
> Thanks,
> Piyush
>
>
> On Thu, Oct 3, 2019 at 12:46 PM 'J Hawkesworth' via Ansible Project <
> ansible...@googlegroups.com <javascript:>> wrote:
>
>> I suspect the issue is to do with resolving the hostname, so potentially
>> an issue with DNS.
>> Although you are using hostnames in your ansible inventory, it appears
>> from the trace output that you are actually connecting via an IP address -
>> 192.168.169.131
>> Kerberos requires DNS to be fully working. So you need to be able to
>> nslookup and get the ip from the hostname _and_ also be able to resolve the
>> hostname from the ip address, otherwise it won't work.
>> Kerberos, like https, deals in hostnames, not IPs, so its not surprising
>> that it can't find the server by name when it is receiving an ip address.
>> I hope this helps,
>> Jon
>>
>> On Thursday, October 3, 2019 at 7:57:30 AM UTC+1, Piyush Bansal wrote:
>>>
>>> Hello Nandha,
>>>
>>> Thanks for writing me but we have to use kerberos authentication due to
>>> security reasons.
>>> So, need some help to troubleshoot this issue
>>>
>>>
>>> On Wed, Oct 2, 2019 at 5:47 PM nandha kumar <nandhu...@gmail.com> wrote:
>>>
>>>> Ansible winrm transport parameter try to use ntlm...not kerboroes..it
>>>> might work
>>>>
>>>> On Wed, Oct 2, 2019, 5:37 PM Piyush Bansal <bansalpiy...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I am trying to use Windows-2008-R2 AD domain authentication for my
>>>>> windows infrastructure playbooks however its failing with following error:
>>>>> Also tried just for win_ping and ping but still everything fails.
>>>>>
>>>>> ERROR:
>>>>> ---------------------------
>>>>> "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure.
>>>>> Minor code may provide more information', 851968), ('Server not found in
>>>>> Kerberos database', -1765328377))", [0m
>>>>> ---------------------------
>>>>>
>>>>> WinRM is configured correctly and working fine from other windows
>>>>> server.
>>>>> Ansible server is pinging DNS/AD server fine.
>>>>> Kerberos Ticket is successfully getting generated with "kinit"
>>>>> commands on Ansible control node
>>>>> DNS resolution is tested with hostname from Ansible controller node
>>>>> and working fine. /etc/hosts and resolv.conf files updated appropriately.
>>>>>
>>>>> Verbose output, inventory file, library version, krb5.conf all these
>>>>> outputs and files are mentioned in below sections of this email.
>>>>>
>>>>> Pre-requisite libraries, and configuration files are all configured
>>>>> fine as per following link:
>>>>> https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html
>>>>>
>>>>> Here is the version details:
>>>>> Ansible: 2.8.5 (also tried with 2.7.13 ansible version in LAB but
>>>>> still no success)
>>>>> Python: 3.6.6
>>>>> requests-kerberos 0.12.0
>>>>> pykerberos 1.2.1
>>>>> pywinrm 0.3.0
>>>>> kerberos 1.3.0
>>>>>
>>>>> Inventory File:
>>>>> -------------------
>>>>> [win_infra]
>>>>> win2k121.MYLAB.COM
>>>>>
>>>>> [win_infra:vars]
>>>>> ansible_connection=winrm
>>>>> ansible_winrm_transport=kerberos
>>>>> ansible_user=ans...@mylab.com
>>>>> ansible_password=xxxxxxxx
>>>>> ansible_port=5986
>>>>> -------------------
>>>>>
>>>>> krb5.conf file:
>>>>> --------------------------
>>>>> # Configuration snippets may be placed in this directory as well
>>>>> includedir /etc/krb5.conf.d/
>>>>>
>>>>> [logging]
>>>>> default = FILE:/var/log/krb5libs.log
>>>>> kdc = FILE:/var/log/krb5kdc.log
>>>>> admin_server = FILE:/var/log/kadmind.log
>>>>>
>>>>> [libdefaults]
>>>>> dns_lookup_realm = false
>>>>> ticket_lifetime = 8h
>>>>> renew_lifetime = 7d
>>>>> forwardable = true
>>>>> rdns = false
>>>>> pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
>>>>> default_realm = MYLAB.COM
>>>>> default_ccache_name = KEYRING:persistent:%{uid}
>>>>>
>>>>> [realms]
>>>>> MYLAB.COM = {
>>>>> kdc = win2k8r2.mylab.com
>>>>> admin_server = win2k8r2.mylab.com
>>>>> }
>>>>>
>>>>> [domain_realm]
>>>>> .mylab.com = MYLAB.COM
>>>>> mylab.com = MYLAB.com
>>>>> --------------------------
>>>>>
>>>>>
>>>>> VERBOSE OUTPUT:
>>>>> -------------------------
>>>>> [root@ansible_centos ~]# ansible win_infra -m ping -vvvvvv
>>>>> ansible 2.8.5
>>>>> config file = /etc/ansible/ansible.cfg
>>>>> configured module search path = ['/root/.ansible/plugins/modules',
>>>>> '/usr/share/ansible/plugins/modules']
>>>>> ansible python module location =
>>>>> /usr/local/lib/python3.6/site-packages/ansible
>>>>> executable location = /usr/local/bin/ansible
>>>>> python version = 3.6.6 (default, Aug 13 2018, 18:24:23) [GCC 4.8.5
>>>>> 20150623 (Red Hat 4.8.5-28)]
>>>>> Using /etc/ansible/ansible.cfg as config file
>>>>> setting up inventory plugins
>>>>> host_list declined parsing /etc/ansible/hosts as it did not pass it's
>>>>> verify_file() method
>>>>> script declined parsing /etc/ansible/hosts as it did not pass it's
>>>>> verify_file() method
>>>>> auto declined parsing /etc/ansible/hosts as it did not pass it's
>>>>> verify_file() method
>>>>> Parsed /etc/ansible/hosts inventory source with ini plugin
>>>>> Loading callback plugin minimal of type stdout, v2.0 from
>>>>> /usr/local/lib/python3.6/site-packages/ansible/plugins/callback/minimal.py
>>>>> META: ran handlers
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/basic.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/common/process.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/common/text/__init__.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/pycompat24.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/common/_utils.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/common/_json_compat.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/common/_collections_compat.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/common/text/formatters.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/parsing/__init__.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/common/__init__.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/six/__init__.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/common/file.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/_text.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/common/text/converters.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/parsing/convert_bool.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/common/validation.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/common/parameters.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/common/sys_info.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/common/collections.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/distro/__init__.py
>>>>> Using module_utils file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/module_utils/distro/_distro.py
>>>>> <win2k121> Attempting python interpreter discovery
>>>>> <192.168.169.131> ESTABLISH WINRM CONNECTION FOR USER:
>>>>> ans...@mylab.com on PORT 5986 TO 192.168.169.131
>>>>> creating Kerberos CC at /tmp/tmpjzmms99z
>>>>> calling kinit with subprocess for principal ans...@mylab.com
>>>>> kinit succeeded for principal ans...@mylab.com
>>>>> <192.168.169.131> WINRM CONNECT: transport=kerberos endpoint=
>>>>> https://192.168.169.131:5986/wsman
>>>>> <192.168.169.131> WINRM CONNECTION ERROR: authGSSClientStep() failed:
>>>>> (('Unspecified GSS failure. Minor code may provide more information',
>>>>> 851968), ('Server not found in Kerberos database', -1765328377))
>>>>> Traceback (most recent call last):
>>>>> File
>>>>> "/usr/local/lib/python3.6/site-packages/ansible/plugins/action/__init__.py",
>>>>>
>>>>> line 203, in _configure_module
>>>>> environment=final_environment)
>>>>> File
>>>>> "/usr/local/lib/python3.6/site-packages/ansible/executor/module_common.py",
>>>>>
>>>>> line 1023, in modify_module
>>>>> environment=environment)
>>>>> File
>>>>> "/usr/local/lib/python3.6/site-packages/ansible/executor/module_common.py",
>>>>>
>>>>> line 894, in _find_module_utils
>>>>> shebang, interpreter = _get_shebang(u'/usr/bin/python', task_vars,
>>>>> templar)
>>>>> File
>>>>> "/usr/local/lib/python3.6/site-packages/ansible/executor/module_common.py",
>>>>>
>>>>> line 527, in _get_shebang
>>>>> discovery_mode=interpreter_out)
>>>>> ansible.executor.interpreter_discovery.InterpreterDiscoveryRequiredError:
>>>>> <unprintable InterpreterDiscoveryRequiredError object>
>>>>>
>>>>> During handling of the above exception, another exception occurred:
>>>>>
>>>>> Traceback (most recent call last):
>>>>> File
>>>>> "/usr/local/lib/python3.6/site-packages/requests_kerberos/kerberos_.py",
>>>>> line 229, in generate_request_header
>>>>> negotiate_resp_value)
>>>>> kerberos.GSSError: (('Unspecified GSS failure. Minor code may provide
>>>>> more information', 851968), ('Server not found in Kerberos database',
>>>>> -1765328377))
>>>>>
>>>>> During handling of the above exception, another exception occurred:
>>>>>
>>>>> Traceback (most recent call last):
>>>>> File
>>>>> "/usr/local/lib/python3.6/site-packages/ansible/plugins/connection/winrm.py",
>>>>>
>>>>> line 400, in _winrm_connect
>>>>> self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>>>> File "/usr/local/lib/python3.6/site-packages/winrm/protocol.py",
>>>>> line 157, in open_shell
>>>>> res = self.send_message(xmltodict.unparse(req))
>>>>> File "/usr/local/lib/python3.6/site-packages/winrm/protocol.py",
>>>>> line 234, in send_message
>>>>> resp = self.transport.send_message(message)
>>>>> File "/usr/local/lib/python3.6/site-packages/winrm/transport.py",
>>>>> line 254, in send_message
>>>>> prepared_request = self.session.prepare_request(request)
>>>>> File "/usr/local/lib/python3.6/site-packages/requests/sessions.py",
>>>>> line 462, in prepare_request
>>>>> hooks=merge_hooks(request.hooks, self.hooks),
>>>>> File "/usr/local/lib/python3.6/site-packages/requests/models.py",
>>>>> line 317, in prepare
>>>>> self.prepare_auth(auth, url)
>>>>> File "/usr/local/lib/python3.6/site-packages/requests/models.py",
>>>>> line 548, in prepare_auth
>>>>> r = auth(self)
>>>>> File
>>>>> "/usr/local/lib/python3.6/site-packages/requests_kerberos/kerberos_.py",
>>>>> line 438, in __call__
>>>>> auth_header = self.generate_request_header(None, host,
>>>>> is_preemptive=True)
>>>>> File
>>>>> "/usr/local/lib/python3.6/site-packages/requests_kerberos/kerberos_.py",
>>>>> line 245, in generate_request_header
>>>>> raise KerberosExchangeError("%s failed: %s" % (kerb_stage,
>>>>> str(error.args)))
>>>>> requests_kerberos.exceptions.KerberosExchangeError:
>>>>> authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may
>>>>> provide more information', 851968), ('Server not found in Kerberos
>>>>> database', -1765328377))
>>>>>
>>>>> [WARNING]: Unhandled error in Python interpreter discovery for host
>>>>> win2k121: kerberos: authGSSClientStep() failed: (('Unspecified GSS
>>>>> failure. Minor code may
>>>>> provide more information', 851968), ('Server not found in Kerberos
>>>>> database', -1765328377))
>>>>>
>>>>> Using module file
>>>>> /usr/local/lib/python3.6/site-packages/ansible/modules/system/ping.py
>>>>> Pipelining is enabled.
>>>>> <192.168.169.131> ESTABLISH WINRM CONNECTION FOR USER:
>>>>> ans...@mylab.com on PORT 5986 TO 192.168.169.131
>>>>> creating Kerberos CC at /tmp/tmpro863qha
>>>>> calling kinit with subprocess for principal ans...@mylab.com
>>>>> kinit succeeded for principal ans...@mylab.com
>>>>> <192.168.169.131> WINRM CONNECT: transport=kerberos endpoint=
>>>>> https://192.168.169.131:5986/wsman
>>>>> self context is ::::::::: {'192.168.169.131': <capsule object NULL at
>>>>> 0x7fdd6598a4e0>}
>>>>> <192.168.169.131> WINRM CONNECTION ERROR: authGSSClientStep() failed:
>>>>> (('Unspecified GSS failure. Minor code may provide more information',
>>>>> 851968), ('Server not found in Kerberos database', -1765328377))
>>>>> Traceback (most recent call last):
>>>>> File
>>>>> "/usr/local/lib/python3.6/site-packages/requests_kerberos/kerberos_.py",
>>>>> line 229, in generate_request_header
>>>>> negotiate_resp_value)
>>>>> kerberos.GSSError: (('Unspecified GSS failure. Minor code may provide
>>>>> more information', 851968), ('Server not found in Kerberos database',
>>>>> -1765328377))
>>>>>
>>>>> During handling of the above exception, another exception occurred:
>>>>>
>>>>> Traceback (most recent call last):
>>>>> File
>>>>> "/usr/local/lib/python3.6/site-packages/ansible/plugins/connection/winrm.py",
>>>>>
>>>>> line 400, in _winrm_connect
>>>>> self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>>>>> File "/usr/local/lib/python3.6/site-packages/winrm/protocol.py",
>>>>> line 157, in open_shell
>>>>> res = self.send_message(xmltodict.unparse(req))
>>>>> File "/usr/local/lib/python3.6/site-packages/winrm/protocol.py",
>>>>> line 234, in send_message
>>>>> resp = self.transport.send_message(message)
>>>>> File "/usr/local/lib/python3.6/site-packages/winrm/transport.py",
>>>>> line 254, in send_message
>>>>> prepared_request = self.session.prepare_request(request)
>>>>> File "/usr/local/lib/python3.6/site-packages/requests/sessions.py",
>>>>> line 462, in prepare_request
>>>>> hooks=merge_hooks(request.hooks, self.hooks),
>>>>> File "/usr/local/lib/python3.6/site-packages/requests/models.py",
>>>>> line 317, in prepare
>>>>> self.prepare_auth(auth, url)
>>>>> File "/usr/local/lib/python3.6/site-packages/requests/models.py",
>>>>> line 548, in prepare_auth
>>>>> r = auth(self)
>>>>> File
>>>>> "/usr/local/lib/python3.6/site-packages/requests_kerberos/kerberos_.py",
>>>>> line 438, in __call__
>>>>> auth_header = self.generate_request_header(None, host,
>>>>> is_preemptive=True)
>>>>> File
>>>>> "/usr/local/lib/python3.6/site-packages/requests_kerberos/kerberos_.py",
>>>>> line 245, in generate_request_header
>>>>> raise KerberosExchangeError("%s failed: %s" % (kerb_stage,
>>>>> str(error.args)))
>>>>> requests_kerberos.exceptions.KerberosExchangeError:
>>>>> authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may
>>>>> provide more information', 851968), ('Server not found in Kerberos
>>>>> database', -1765328377))
>>>>>
>>>>> win2k121 | UNREACHABLE! => {
>>>>> "changed": false,
>>>>> "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS
>>>>> failure. Minor code may provide more information', 851968), ('Server not
>>>>> found in Kerberos database', -1765328377))",
>>>>> "unreachable": true
>>>>> }
>>>>> [root@ansible_centos ~]#
>>>>> [root@ansible_centos ~]#
>>>>> [root@ansible_centos ~]#
>>>>> [root@ansible_centos ~]#
>>>>> -------------------------
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Piyush
>>>>> bansalpiy...@gmail.com
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Ansible Project" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to ansible...@googlegroups.com.
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/ansible-project/CA%2BLLie4Ak5KHmod%2B2AhpGzOot-5eL2GdVJUaUgbeA8nhVNW-4Q%40mail.gmail.com
>>>>>
>>>>> <https://groups.google.com/d/msgid/ansible-project/CA%2BLLie4Ak5KHmod%2B2AhpGzOot-5eL2GdVJUaUgbeA8nhVNW-4Q%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Ansible Project" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to ansible...@googlegroups.com.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/ansible-project/CAJJxXGj6p93S%3DEiLktb9AJJihrbtONvx9JGgN%2Bcrvz6ERnh-sw%40mail.gmail.com
>>>>
>>>> <https://groups.google.com/d/msgid/ansible-project/CAJJxXGj6p93S%3DEiLktb9AJJihrbtONvx9JGgN%2Bcrvz6ERnh-sw%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ansible...@googlegroups.com <javascript:>.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/42e6bd5e-7bd0-434b-acc2-6ccd94edc539%40googlegroups.com
>>
>> <https://groups.google.com/d/msgid/ansible-project/42e6bd5e-7bd0-434b-acc2-6ccd94edc539%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/bfc7835c-1022-462f-9b74-69428db88f2d%40googlegroups.com.
