[root@ansible ~]# ping mikes-wintest
PING mikes-wintest.domain.ca (192.168.12.52) 56(84) bytes of data.
64 bytes from Mikes-WinTest.domain.ca (192.168.12.52): icmp_seq=1 ttl=123 time=14.1 ms
^C
--- mikes-wintest.domain.ca ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 14.127/14.127/14.127/0.000 ms
[root@ansible ~]# nslookup mikes-wintest
Server: 192.168.8.11
Address: 192.168.8.11#53

Name: mikes-wintest.domain.ca
Address: 192.168.12.52

[root@ansible ~]# nslookup domain.ca
Server: 192.168.8.11
Address: 192.168.8.11#53

Name: domain.ca
Address: 192.168.15.202
Name: domain.ca
Address: 192.168.12.153
Name: domain.ca
Address: 192.168.12.20
Name: domain.ca
Address: 192.168.8.11
Name: domain.ca
Address: 192.168.15.201
Name: domain.ca
Address: 192.168.8.44
Name: domain.ca
Address: 192.168.8.21
Name: domain.ca
Address: 192.168.12.201
Name: domain.ca
Address: 192.168.9.150

[root@ansible ~]#

On Monday, June 13, 2022 at 3:27:20 AM UTC-7 urs...@gmail.com wrote:

> Hi Michael,
>
> A stab in the dark: winrm or Kerberos specifically depend on a fully
> working DNS.
> Is your tower cluster properly looking up the windows domain DCs?
> I had tried a kludge myself with hard coded names in Hosts files but that
> gave me the same error you are getting.
> Oddly the kinit and list cmd works fine, but the actual ansible
> connections trying to use winrm or kerberos transport failed.
> And as soon as I had added my local or internal dns zone to the cluster
> dns things started working for me.
>
> HTH
>
> --
> Urs Rau
>
> On Sunday, 12 June 2022 at 17:17:51 UTC+2 indiem...@gmail.com wrote:
>
>> Here is some more troubleshooting information. Also as a side note, I
>> am running a partner NFR self-support only version of AAP and have zero
>> support from RedHat on this. It also doesn't seem to matter if I run the
>> job through command line ansible or through AAP. The error is the same.
>>
>> My Group Vars
>>
>> ---
>> ansible_connection: winrm
>> ansible_winrm_server_cert_validation: ignore
>>
>> Host Inventory
>>
>> ---
>> ansible_hostname: mikes-wintest.DOMAIN.CA
>>
>> my WinRM settings after running the ConfigureAnsibleRemoting.ps1 script
>>
>> PS C:\Users\ubermike\Desktop> winrm configSDDL default
>> Service
>>     RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GAGR;;;S-1-5-21-809043649-619790271-106372718-1977)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
>>     MaxConcurrentOperations = 4294967295
>>     MaxConcurrentOperationsPerUser = 1500
>>     EnumerationTimeoutms = 240000
>>     MaxConnections = 300
>>     MaxPacketRetrievalTimeSeconds = 120
>>     AllowUnencrypted = true
>>     Auth
>>         Basic = true
>>         Kerberos = true
>>         Negotiate = true
>>         Certificate = false
>>         CredSSP = true
>>         CbtHardeningLevel = Relaxed
>>     DefaultPorts
>>         HTTP = 5985
>>         HTTPS = 5986
>>     IPv4Filter = *
>>     IPv6Filter = *
>>     EnableCompatibilityHttpListener = false
>>     EnableCompatibilityHttpsListener = false
>>     CertificateThumbprint
>>     AllowRemoteAccess = true
>>
>> My Ansible Host Kerb ticket
>>
>> [uber...@domain.ca@ansible ~]$ klist -c
>> Ticket cache: KCM:1944601976:978
>> Default principal: uber...@domain.ca
>>
>> Valid starting       Expires              Service principal
>> 2022-06-12 08:10:56  2022-06-12 18:10:56  krbtgt/doma...@domain.ca
>>         renew until 2022-06-19 08:10:56
>>
>> Latest Error Output from the job
>>
>> {
>>     "unreachable": true,
>>     "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), ssl: HTTPSConnectionPool(host='inventory_hostname', port=5986): *Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f3ca1fd2430>: Failed to establish a new connection: [Errno -2] Name or service not known'))*",
>>     "changed": false
>> }
>>
>>
>> On Saturday, June 11, 2022 at 6:55:15 PM UTC-7 Michael Kennedy wrote:
>>
>>> I am having a problem running WinRM connections with both basic and
>>> kerberos auth.
>>>
>>> My Ansible is deployed with RedHat AAP 4.2.0 on RHEL 9.
>>>
>>> I set up a test Windows 2019 machine and ran the
>>> ConfigureRemotingForAnsible.ps1 script against the host. Rebooted the host
>>> for good measure. Tested from the Ansible server that I can telnet to 5985
>>> and 5986 (confirmed) but I cannot run a Windows test playbook against the
>>> host.
>>>
>>> Skipping callback 'oneline', as we already have a stdout callback.
>>>
>>> PLAYBOOK: test.yml *************************************************************
>>> 2 plays in windows/test.yml
>>>
>>> PLAY [test raw module] *********************************************************18:47:21
>>>
>>> TASK [Gathering Facts] *********************************************************18:47:21
>>> *task path: /runner/project/windows/test.yml:2*
>>> *[WARNING]: The "winrm" connection plugin has an improperly configured remote target value, forcing "inventory_hostname" templated value instead of the string*
>>> redirecting (type: modules) ansible.builtin.setup to ansible.windows.setup
>>> Using module file /usr/share/ansible/collections/ansible_collections/ansible/windows/plugins/modules/setup.ps1
>>> Pipelining is enabled.
>>> <inventory_hostname> ESTABLISH WINRM CONNECTION FOR USER: administrator on PORT 5986 TO inventory_hostname
>>> *fatal: [192.168.12.52]: UNREACHABLE! => {*
>>> *    "changed": false,*
>>> *    "msg": "ssl: HTTPSConnectionPool(host='inventory_hostname', port=5986): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fa35f010f10>: Failed to establish a new connection: [Errno -2] Name or service not known'))",*
>>> *    "unreachable": true*
>>> *}*
>>>
>>> *Running a Windows test against a domain joined machine produces a
>>> different error that I also cannot resolve.*
>>>
>>> PLAY [Ping] ********************************************************************18:53:19
>>>
>>> TASK [Gathering Facts] *********************************************************18:53:19
>>> *[WARNING]: The "winrm" connection plugin has an improperly configured remote target value, forcing "inventory_hostname" templated value instead of the string*
>>> *fatal: [srvrds04]: UNREACHABLE! => {"changed": false, "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))", "unreachable": true}*
>>>
>>> *I am getting this error despite me confirming the SPN is fine.
>>> Confirming I can connect to the host with WinRM from a different domain
>>> joined host. Confirmed my Kerb ticket with kinit and list.*
>>>

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/57e2f42e-f4e4-4ee1-8545-7bc12ade8ec9n%40googlegroups.com.
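
Added example, not part of the thread or of any participant's message: a small triage function that reads the "msg" string of an Ansible UNREACHABLE result and reports which of the failure modes seen in the job output above it contains. The function name, finding labels and the set of variable names checked are assumptions chosen for this illustration; the two sample messages are taken from the output quoted in the thread.

```python
import re

# Minor status quoted in the thread: krb5 KDC error 7, the KDC knows no such service principal.
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377
EAI_NONAME = -2  # glibc getaddrinfo: "Name or service not known"
# Ansible variable names (assumed list). Seeing one as the target host means the
# name itself, not its value, reached the connection plugin.
VARIABLE_NAMES = {"inventory_hostname", "ansible_host", "ansible_hostname"}

POOL_RE = re.compile(r"HTTPS?ConnectionPool\(host='([^']+)', port=(\d+)\)")
ERRNO_RE = re.compile(r"\[Errno (-?\d+)\]")
GSS_RE = re.compile(r"\('[^']+', (-?\d+)\)")  # ('text', code) pairs from authGSSClientStep()


def triage(msg):
    """Classify one UNREACHABLE "msg" string; returns a sorted list of findings."""
    findings = set()
    pool = POOL_RE.search(msg)
    if pool:
        host = pool.group(1)
        if host in VARIABLE_NAMES:
            findings.add("target-is-variable-name:" + host)
        errno = ERRNO_RE.search(msg)
        if errno and int(errno.group(1)) == EAI_NONAME:
            findings.add("dns-lookup-failed:" + host)
    if any(int(code) == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for code in GSS_RE.findall(msg)):
        findings.add("kerberos-service-principal-unknown")
    return sorted(findings)


# Both messages are taken from the job output quoted in the thread.
SSL_MSG = ("ssl: HTTPSConnectionPool(host='inventory_hostname', port=5986): "
           "Max retries exceeded with url: /wsman (Caused by NewConnectionError("
           "'<urllib3.connection.HTTPSConnection object at 0x7fa35f010f10>: Failed to "
           "establish a new connection: [Errno -2] Name or service not known'))")
KRB_MSG = ("kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. "
           "Minor code may provide more information', 851968), "
           "('Server not found in Kerberos database', -1765328377))")

if __name__ == "__main__":
    for label, msg in (("ssl", SSL_MSG), ("kerberos", KRB_MSG),
                       ("both", KRB_MSG + ", " + SSL_MSG)):
        print(label, triage(msg))
```

A `target-is-variable-name` finding means the client tried to resolve the literal string as a hostname, so the name lookups shown at the top of the message for the real host do not exercise the address the job actually used.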