Meanwhile I'm still no step closer to any solution. I enabled Windows Remote Management Analytics and Debug logging. But absolutely nothing is logged in there when the aforementioned delegation is performed. Also the Windows audit logging shows no trace of any failed login.. How should I proceed in debugging this?
Thanks Op woensdag 27 november 2019 16:20:23 UTC+1 schreef Robin Roevens: > > Hi all > > I try to delegate a few tasks to another server during my playbook run > which is executed on a Windows server, and the delegated tasks are also > executed on (another) windows server. > In AWX I have set up machine credentials, which are passed on to the > playbook, and those credentials should be used on both those windows > servers. And it seems like ansible indeed tries to do so, but fails..? > > When I run (another) simpler playbook on both those Windows servers, it > succeeds on both without problems using the same credentials set. > But when I run this playbook that delegates a few tasks to the other > server, it fails the delegation with error 401: kerberos: the specified > credentials were rejected by the server. While those exact same credentials > are accepted when that host is the "main" host for the playbook. > > This is what I see in the logging: > > TASK [tsm-client-win : Check if Client is registered to TSM] > ******************* > task path: > /tmp/awx_609_b2y0mq2m/requirements_roles/tsm-client-win/tasks/register-client.yml:3 > Using module file > /var/lib/awx/custom-venv/windows/lib/python3.6/site-packages/ansible/modules/windows/win_command.ps1 > Pipelining is enabled. > <winhost2> ESTABLISH WINRM CONNECTION FOR USER: user@DOMAIN on PORT 5985 > TO winhost2 > creating Kerberos CC at /tmp/tmpkcp5yccl > calling kinit with subprocess for principal user@DOMAIN > kinit succeeded for principal user@DOMAIN > <winhost2> WINRM CONNECT: transport=kerberos endpoint= > http://winhost2:5985/wsman > <winhost2> WINRM CONNECTION ERROR: the specified credentials were rejected > by the server > Traceback (most recent call last): > File > "/var/lib/awx/custom-venv/windows/lib/python3.6/site-packages/winrm/transport.py", > > line 262, in _send_message_request > response.raise_for_status() > File > "/var/lib/awx/custom-venv/windows/lib/python3.6/site-packages/requests/models.py", > > line 940, in raise_for_status > raise HTTPError(http_error_msg, response=self) > requests.exceptions.HTTPError: 401 Client Error: for url: > http://winhost2:5985/wsman > > During handling of the above exception, another exception occurred: > > Traceback (most recent call last): > File > "/var/lib/awx/custom-venv/windows/lib/python3.6/site-packages/ansible/plugins/connection/winrm.py", > > line 400, in _winrm_connect > self.shell_id = protocol.open_shell(codepage=65001) # UTF-8 > File > "/var/lib/awx/custom-venv/windows/lib/python3.6/site-packages/winrm/protocol.py", > > line 157, in open_shell > res = self.send_message(xmltodict.unparse(req)) > File > "/var/lib/awx/custom-venv/windows/lib/python3.6/site-packages/winrm/protocol.py", > > line 234, in send_message > resp = self.transport.send_message(message) > File > "/var/lib/awx/custom-venv/windows/lib/python3.6/site-packages/winrm/transport.py", > > line 243, in send_message > self.build_session() > File > "/var/lib/awx/custom-venv/windows/lib/python3.6/site-packages/winrm/transport.py", > > line 232, in build_session > self.setup_encryption() > File > "/var/lib/awx/custom-venv/windows/lib/python3.6/site-packages/winrm/transport.py", > > line 238, in setup_encryption > self._send_message_request(prepared_request, '') > File > "/var/lib/awx/custom-venv/windows/lib/python3.6/site-packages/winrm/transport.py", > > line 266, in _send_message_request > raise InvalidCredentialsError("the specified credentials were rejected > by the server") > winrm.exceptions.InvalidCredentialsError: the specified credentials were > rejected by the server > > Can anyone shed some light onto this ? As I don't see why authentication > fails on this host when it is addressed using delegate_to and succeeds when > the host is the main target of the playbook. What am I missing? > > Thanks > > Robin > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/165a8e3f-df0d-4b89-95ca-04edacd3f690%40googlegroups.com.
