Here is some more troubleshooting information.  Also, as a side note, I am 
running a partner NFR self-support only version of AAP and have zero 
support from Red Hat on this.  It also doesn't seem to matter if I run the 
job through command line ansible or through AAP.  The error is the same.  

My Group Vars

---
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

Host Inventory

---
ansible_hostname: mikes-wintest.DOMAIN.CA

My WinRM settings after running the ConfigureAnsibleRemoting.ps1 script

PS C:\Users\ubermike\Desktop> winrm configSDDL default
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GAGR;;;S-1-5-21-809043649-619790271-106372718-1977)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = true
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true

My Ansible Host Kerb ticket

[uberm...@domain.ca@ansible ~]$ klist -c
Ticket cache: KCM:1944601976:978
Default principal: uberm...@domain.ca

Valid starting       Expires              Service principal
2022-06-12 08:10:56  2022-06-12 18:10:56  krbtgt/domain...@domain.ca
    renew until 2022-06-19 08:10:56

Latest Error Output from the job

{
  "unreachable": true,
  "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. 
 Minor code may provide more information', 851968), ('Server not found in 
Kerberos database', -1765328377)), ssl: 
HTTPSConnectionPool(host='inventory_hostname', port=5986): *Max retries 
exceeded with url: /wsman (Caused by 
NewConnectionError('<urllib3.connection.HTTPSConnection object at 
0x7f3ca1fd2430>: Failed to establish a new connection: [Errno -2] Name or 
service not known'))*",
  "changed": false
}


On Saturday, June 11, 2022 at 6:55:15 PM UTC-7 Michael Kennedy wrote:

> I am having a problem running WinRM connections with both basic and 
> Kerberos auth.  
>
> My Ansible is deployed with Red Hat AAP 4.2.0 on RHEL 9.  
>
> I set up a test Windows 2019 machine and ran the 
> ConfigureRemotingForAnsible.ps1 script against the host.  Rebooted the host 
> for good measure.  Tested from the Ansible server that I can telnet to 5985 
> and 5986 (confirmed) but I cannot run a Windows test playbook against the 
> host.
>
> Skipping callback 'oneline', as we already have a stdout callback.
>
> PLAYBOOK: test.yml *************************************************************
> 2 plays in windows/test.yml
>
> PLAY [test raw module] *********************************************************18:47:21
>
> TASK [Gathering Facts] *********************************************************18:47:21
> *task path: /runner/project/windows/test.yml:2*
> *[WARNING]: The "winrm" connection plugin has an improperly configured remote*
> *target value, forcing "inventory_hostname" templated value instead of the*
> *string*
> redirecting (type: modules) ansible.builtin.setup to ansible.windows.setup
> Using module file /usr/share/ansible/collections/ansible_collections/ansible/windows/plugins/modules/setup.ps1
> Pipelining is enabled.
> <inventory_hostname> ESTABLISH WINRM CONNECTION FOR USER: administrator on PORT 5986 TO inventory_hostname
> *fatal: [192.168.12.52]: UNREACHABLE! => {*
> * "changed": false,*
> * "msg": "ssl: HTTPSConnectionPool(host='inventory_hostname', port=5986): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fa35f010f10>: Failed to establish a new connection: [Errno -2] Name or service not known'))",*
> * "unreachable": true*
> *}*
>
> *Running a Windows test against a domain joined machine produces a 
> different error that I also cannot resolve.  *
>
> PLAY [Ping] ********************************************************************18:53:19
>
> TASK [Gathering Facts] *********************************************************18:53:19
> *[WARNING]: The "winrm" connection plugin has an improperly configured remote*
> *target value, forcing "inventory_hostname" templated value instead of the*
> *string*
> *fatal: [srvrds04]: UNREACHABLE! => {"changed": false, "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))", "unreachable": true}*
>
> *I am getting this error despite me confirming the SPN is fine. 
>  Confirming I can connect to the host with WinRM from a different domain 
> joined host.  Confirmed my Kerb ticket with kinit and list.  *
>
>
>
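
A small triage helper for the UNREACHABLE messages shown in this thread, added here as an example (it is not part of the original post and not Ansible's or pywinrm's own code): it extracts the connection target, port, errno and Kerberos minor code from the message and flags a target that is a literal variable name rather than a host. The function name, the tag strings and the placeholder list are assumptions made for the example.

```python
import re

# Error text from the job output in this thread, mail line wraps rejoined.
MSG = (
    "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. "
    "Minor code may provide more information', 851968), ('Server not found in "
    "Kerberos database', -1765328377)), ssl: "
    "HTTPSConnectionPool(host='inventory_hostname', port=5986): Max retries "
    "exceeded with url: /wsman (Caused by NewConnectionError("
    "'<urllib3.connection.HTTPSConnection object at 0x7f3ca1fd2430>: Failed to "
    "establish a new connection: [Errno -2] Name or service not known'))"
)

# Assumption: these strings are Ansible variable names, never real hosts, so
# seeing one as the connection target means the value was not templated.
PLACEHOLDERS = {"inventory_hostname", "ansible_host", "ansible_hostname"}
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377  # "Server not found in Kerberos database"
EAI_NONAME = -2                                # "Name or service not known" (glibc)


def triage(msg):
    """Extract target host, port, errno and Kerberos minor code; tag findings."""
    out = {"host": None, "port": None, "errno": None,
           "krb_minor": None, "findings": []}
    m = re.search(r"HTTPS?ConnectionPool\(host='([^']*)', port=(\d+)\)", msg)
    if m:
        out["host"], out["port"] = m.group(1), int(m.group(2))
    m = re.search(r"\[Errno (-?\d+)\]", msg)
    if m:
        out["errno"] = int(m.group(1))
    # GSS errors are (text, code) tuples; the minor code is the negative one.
    m = re.search(r"\('[^']*', (-\d+)\)", msg)
    if m:
        out["krb_minor"] = int(m.group(1))
    if out["host"] in PLACEHOLDERS:
        out["findings"].append("placeholder_target")
    if out["errno"] == EAI_NONAME:
        out["findings"].append("dns_failure")
    if out["krb_minor"] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
        out["findings"].append("spn_unknown")
    return out


if __name__ == "__main__":
    for key, value in triage(MSG).items():
        print(f"{key}: {value}")
```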
