Here is some more troubleshooting information. Also, as a side note, I am
running a partner NFR self-support-only version of AAP and have zero
support from Red Hat on this. It also doesn't seem to matter if I run the
job through command-line ansible or through AAP. The error is the same.

My Group Vars:

    ---
    ansible_connection: winrm
    ansible_winrm_server_cert_validation: ignore

Host Inventory:

    ---
    ansible_hostname: mikes-wintest.DOMAIN.CA

My WinRM settings after running the ConfigureAnsibleRemoting.ps1 script:

    PS C:\Users\ubermike\Desktop> winrm configSDDL default
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GAGR;;;S-1-5-21-809043649-619790271-106372718-1977)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true

My Ansible Host Kerb ticket:

    [[email protected]@ansible ~]$ klist -c
    Ticket cache: KCM:1944601976:978
    Default principal: [email protected]

    Valid starting       Expires              Service principal
    2022-06-12 08:10:56  2022-06-12 18:10:56  krbtgt/[email protected]
            renew until 2022-06-19 08:10:56

Latest Error Output from the job:

    {
        "unreachable": true,
        "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), ssl: HTTPSConnectionPool(host='inventory_hostname', port=5986): *Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f3ca1fd2430>: Failed to establish a new connection: [Errno -2] Name or service not known'))*",
        "changed": false
    }

On Saturday, June 11, 2022 at 6:55:15 PM UTC-7 Michael Kennedy wrote:
> I am having a problem running WinRM connections with both basic and
> kerberos auth.
>
> My Ansible is deployed with RedHat AAP 4.2.0 on RHEL 9.
>
> I set up a test Windows 2019 machine and ran the
> ConfigureRemotingForAnsible.ps1 script against the host. Rebooted the host
> for good measure. Tested from the Ansible server that I can telnet to 5985
> and 5986 (confirmed) but I cannot run a Windows test playbook against the
> host.
>
> Skipping callback 'oneline', as we already have a stdout callback.
>
> PLAYBOOK: test.yml *************************************************************
> 2 plays in windows/test.yml
>
> PLAY [test raw module] ********************************************************* 18:47:21
>
> TASK [Gathering Facts] ********************************************************* 18:47:21
> *task path: /runner/project/windows/test.yml:2*
> *[WARNING]: The "winrm" connection plugin has an improperly configured remote target value, forcing "inventory_hostname" templated value instead of the string*
> redirecting (type: modules) ansible.builtin.setup to ansible.windows.setup
> Using module file /usr/share/ansible/collections/ansible_collections/ansible/windows/plugins/modules/setup.ps1
> Pipelining is enabled.
> <inventory_hostname> ESTABLISH WINRM CONNECTION FOR USER: administrator on PORT 5986 TO inventory_hostname
> *fatal: [192.168.12.52]: UNREACHABLE! => {*
> *    "changed": false,*
> *    "msg": "ssl: HTTPSConnectionPool(host='inventory_hostname', port=5986): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fa35f010f10>: Failed to establish a new connection: [Errno -2] Name or service not known'))",*
> *    "unreachable": true*
> *}*
>
> *Running a Windows test against a domain joined machine produces a
> different error that I also cannot resolve.*
>
> PLAY [Ping] ******************************************************************** 18:53:19
>
> TASK [Gathering Facts] ********************************************************* 18:53:19
> *[WARNING]: The "winrm" connection plugin has an improperly configured remote target value, forcing "inventory_hostname" templated value instead of the string*
> *fatal: [srvrds04]: UNREACHABLE! => {"changed": false, "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))", "unreachable": true}*
>
> *I am getting this error despite me confirming the SPN is fine.
> Confirming I can connect to the host with WinRM from a different domain
> joined host. Confirmed my Kerb ticket with kinit and list.*
>
>
>
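
The "msg" string in the error output above bundles a Kerberos failure and a name-resolution failure in one line. As an added example (not part of the original post, and not code from Ansible or pywinrm), this Python sketch splits such a message into separate findings; the function name `triage` and the lookup tables are assumptions of this example.

```python
import re

# Numeric codes that appear in the thread's error text and what they mean.
KRB5_CODES = {-1765328377: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: the KDC has no "
                           "service principal for the requested target name"}
EAI_CODES = {-2: "EAI_NONAME: the target name did not resolve"}
# Ansible variable name that must never show up as the literal target host.
UNRENDERED = {"inventory_hostname"}

POOL_RE = re.compile(r"HTTPS?ConnectionPool\(host='([^']+)', port=(\d+)\)")
KRB5_RE = re.compile(r"\('[^']*', (-17653\d{5})\)")
ERRNO_RE = re.compile(r"\[Errno (-?\d+)\]")


def triage(msg: str) -> dict:
    """Split one Ansible UNREACHABLE 'msg' string into separate findings."""
    report = {"target": None, "port": None, "findings": []}
    pool = POOL_RE.search(msg)
    if pool:
        report["target"], report["port"] = pool.group(1), int(pool.group(2))
        if report["target"] in UNRENDERED:
            report["findings"].append(
                f"target is the literal string {report['target']!r}, "
                "not a host name or address")
    for code in map(int, KRB5_RE.findall(msg)):
        report["findings"].append(KRB5_CODES.get(code, f"krb5 code {code}"))
    for code in map(int, ERRNO_RE.findall(msg)):
        report["findings"].append(EAI_CODES.get(code, f"errno {code}"))
    return report


# "msg" value from the post's latest error output, re-joined onto one line
# with the e-mail emphasis asterisks dropped.
SAMPLE_MSG = (
    "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. "
    "Minor code may provide more information', 851968), ('Server not found "
    "in Kerberos database', -1765328377)), ssl: "
    "HTTPSConnectionPool(host='inventory_hostname', port=5986): Max retries "
    "exceeded with url: /wsman (Caused by NewConnectionError("
    "'<urllib3.connection.HTTPSConnection object at 0x7f3ca1fd2430>: Failed "
    "to establish a new connection: [Errno -2] Name or service not known'))"
)

if __name__ == "__main__":
    result = triage(SAMPLE_MSG)
    print(result["target"], result["port"])
    for finding in result["findings"]:
        print("-", finding)
```
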