That's because you are telling it to run on windows_server but have defined the username in the windows group. Based on your inventory 'windows_server' is not part of the 'windows' group so has no username/password defined. The reason why it may have worked before is if you've gotten the Kerberos ticket manually outside of Ansible with kinit.
I've said this before just recently to you in https://groups.google.com/g/ansible-project/c/V3904K8n7eo/m/lP4b05yZBwAJ but to repeat for the final time

- The host you are running on is not in the 'windows' group so it will not inherit those variables defined there. The windows group is not a magic group that applies to all Windows hosts but an arbitrarily named one that should match how your inventory is set up
- ansible_winrm_read_timeout_sec shouldn't be set by you. There is little reason for someone to change this option and even so 30 seconds is the default so just remove that altogether
- ignore_unreachable, gather_facts, validate_certs don't make sense as vars unless you are using it down in your playbook somewhere but based on your example it isn't so just remove it altogether
- If you did want to use ignore_unreachable and gather_facts, they are either play or task directives so putting them in vars is wrong. They should be indented to the same level as hosts in your play and ignore_unreachable can be set per task as well

You seem to be just building your playbook on various different components and trying variables left right and center. Start small and define your connection details in your host file like so

    [windows_server]
    test.domain.com ansible_user=****** ansible_password=******

    [windows_server:vars]
    ansible_connection = winrm
    ansible_port = 5986
    ansible_winrm_transport = kerberos
    ansible_winrm_server_cert_validation = ignore

Here is what I've changed from your inventory

- Added the credentials to the actual host entry itself, typically these are per host but feel free to move them back to the group if multiple hosts have the same credentials
- Changed the windows group to windows_servers as that matches what's in your playbook. Now the vars you've defined will be set on the hosts in the windows_servers group
- Changed ansible_ssh_port to ansible_port
- Removed validate_certs as it wasn't doing anything and would lead to confusion with ansible_winrm_server_cert_validation

You should also remove all those connection vars in your playbook as it should be completely agnostic to how to connect to a host. All the playbook should be doing is define what hosts to use and the tasks to run, how to connect is what the inventory is for

    - name: example playbook
      hosts: windows_server
      tasks:
      - name: first task to run
        win_ping:

On Wednesday, July 29, 2020 at 2:01:35 AM UTC+10 [email protected] wrote:

> Oh! Here is the reported error:
>
> fatal: [test.domain.com]: UNREACHABLE! => {"changed": false, "msg":
> "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor
> code may provide more information', 851968), ('No Kerberos credentials
> available (default cache: FILE:/tmp/krb5cc_0)', -1765328243))",
> "unreachable": true}
>
> hmmm.. I believe credentials should be read from host file! I am not sure
> why it's not reading.
>
> Thanks,
> Work Hard
>
>
> On Monday, July 27, 2020 at 8:53:48 PM UTC-7, [email protected] wrote:
>>
>> You need to share the error you are getting back, right now we cannot
>> tell what is going wrong.
>>
>> On Tuesday, July 28, 2020 at 8:32:50 AM UTC+10 [email protected]
>> wrote:
>>
>>> Hello,
>>> Kerberos authentication is failing on some servers even after providing
>>> credentials in host file.
>>>
>>> *Host File*
>>> [windows_server]
>>> test.domain.com
>>>
>>> [windows:vars]
>>> ansible_user=*****
>>> ansible_password=******
>>> ansible_connection = winrm
>>> ansible_ssh_port = 5986
>>> ansible_winrm_transport = kerberos
>>> ansible_winrm_server_cert_validation = ignore
>>> validate_certs = false
>>>
>>> *Playbook:*
>>>
>>> hosts: windows_server
>>> vars:
>>>   ansible_connection: winrm
>>>   ansible_ssh_port: 5986
>>>   ansible_winrm_transport: kerberos
>>>   ansible_winrm_server_cert_validation: ignore
>>>   validate_certs: false
>>>   ansible_winrm_scheme: https
>>>   ansible_winrm_read_timeout_sec: 30
>>>   ignore_unreachable: true
>>>   gather_facts: false
>>>
>>>
>>> Note - If I provide kinit [email protected] (credentials) the playbook
>>> works for some servers and windows machines but not for others. Weird!
>>>
>>>
>>> Thanks,
>>>
>>
-- 
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/d30cccd5-7672-461a-81c9-111c4a27cd99n%40googlegroups.com.
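The mismatch discussed in this thread (credentials set on a 'windows' group while the host sits only in 'windows_server') can be caught before a run. The Python check below is an added example, not part of the original thread or of Ansible: parse_inventory and audit are hypothetical helpers that understand only a simplified INI inventory (no :children sections, no host ranges), and the two sample inventories are constructed from the ones quoted above.

```python
import re
import shlex

# Constructed samples (secrets masked): the question's inventory, then the reply's fix.
BROKEN = """[windows_server]
test.domain.com
[windows:vars]
ansible_user=*****
ansible_password=******
"""
FIXED = """[windows_server]
test.domain.com ansible_user=****** ansible_password=******
[windows_server:vars]
ansible_winrm_transport = kerberos
"""

def parse_inventory(text):
    """Simplified INI parse: returns (group members, group vars, host vars)."""
    members, group_vars, host_vars = {}, {}, {}
    group, in_vars = "ungrouped", False
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^:\]]+)(?::(\w+))?\]", line)
        if header:
            group, in_vars = header.group(1), header.group(2) == "vars"
            members.setdefault(group, [])
        elif in_vars:
            key, _, value = line.partition("=")
            group_vars.setdefault(group, {})[key.strip()] = value.strip()
        else:
            name, *pairs = shlex.split(line)  # host name, then key=value host vars
            members.setdefault(group, []).append(name)
            host_vars.setdefault(name, {}).update(p.split("=", 1) for p in pairs)
    return members, group_vars, host_vars

def audit(text, required=("ansible_user", "ansible_password")):
    """Return (hosts missing required vars, groups that have vars but no hosts)."""
    members, group_vars, host_vars = parse_inventory(text)
    missing = {}
    for host, own in host_vars.items():
        effective = dict(group_vars.get("all", {}))  # 'all' applies to every host
        for group, hosts in members.items():
            effective.update(group_vars.get(group, {}) if host in hosts else {})
        effective.update(own)  # host-line vars win over group vars
        absent = [k for k in required if k not in effective]
        if absent:
            missing[host] = absent
    return missing, sorted(g for g in group_vars if g != "all" and not members.get(g))
```

Ansible's own view of the same question is available from ansible-inventory -i <inventory file> --host test.domain.com, which prints the variables that host actually receives.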
