If you join your Linux machine to AD with SSSD, this all gets filled in for you. Might make life easier.

Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123

On Aug 16, 2022, at 1:11 PM, Nitrous <[email protected]> wrote:

Also, just checked the krb5.conf file:

    [libdefaults]
        default_realm = PRIMARYDOMAIN.COM

    # The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented. In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    #
    # The only time when you might need to uncomment these lines and change
    # the enctypes is if you have local software that will break on ticket
    # caches containing ticket encryption types it doesn't know about (such as
    # old versions of Sun Java).

    #   default_tgs_enctypes = des3-hmac-sha1
    #   default_tkt_enctypes = des3-hmac-sha1
    #   permitted_enctypes = des3-hmac-sha1

    # The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

    [realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos.mit.edu
            kdc = kerberos-1.mit.edu
            kdc = kerberos-2.mit.edu:88
            admin_server = kerberos.mit.edu
            default_domain = mit.edu
        }
        ZONE.MIT.EDU = {
            kdc = casio.mit.edu
            kdc = seiko.mit.edu
            admin_server = casio.mit.edu
        }
        CSAIL.MIT.EDU = {
            admin_server = kerberos.csail.mit.edu
            default_domain = csail.mit.edu
        }
        IHTFP.ORG = {
            kdc = kerberos.ihtfp.org
            admin_server = kerberos.ihtfp.org
        }
        1TS.ORG = {
            kdc = kerberos.1ts.org
            admin_server = kerberos.1ts.org
        }
        ANDREW.CMU.EDU = {
            admin_server = kerberos.andrew.cmu.edu
            default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
            kdc = kerberos-1.srv.cs.cmu.edu
            kdc = kerberos-2.srv.cs.cmu.edu
            kdc = kerberos-3.srv.cs.cmu.edu
            admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
            kdc = kerberos.dementix.org
            kdc = kerberos2.dementix.org
            admin_server = kerberos.dementix.org
        }
        stanford.edu = {
            kdc = krb5auth1.stanford.edu
            kdc = krb5auth2.stanford.edu
            kdc = krb5auth3.stanford.edu
            master_kdc = krb5auth1.stanford.edu
            admin_server = krb5-admin.stanford.edu
            default_domain = stanford.edu
        }
        UTORONTO.CA = {
            kdc = kerberos1.utoronto.ca
            kdc = kerberos2.utoronto.ca
            kdc = kerberos3.utoronto.ca
            admin_server = kerberos1.utoronto.ca
            default_domain = utoronto.ca
        }

    [domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

I don't know where the other stuff in the file comes from, but we have multiple domains, and the playbook that I am trying to run it against is DOMAINB.COM. I can ping the machine in domainB via IP from the ansible box, but not by its FQDN.

On Tuesday, August 16, 2022 at 11:48:29 AM UTC-5 Nitrous wrote:

Even a simple playbook for ping fails, but using basic authentication, works:

    TASK [ping] ****************************************************************
    task path: /etc/ansible/playbooks/multiple.yml:8
    fatal: [ansible_host=x.x.x.x]: FAILED! => {
        "changed": false,
        "module_stderr": "/bin/sh: 1: powershell: not found\n",
        "module_stdout": "",
        "msg": "The module failed to execute correctly, you probably need to set the interpreter.\nSee stdout/stderr for the exact error",
        "rc": 127
    }

On Tuesday, August 16, 2022 at 11:34:16 AM UTC-5 Nitrous wrote:

I changed a few things, and now I see this:

    TASK [windowsupdates : Check If Windows Updates are Available] *************
    task path: /etc/ansible/roles/windowsupdates/tasks/main.yml:1
    fatal: [ansible_host=x.x.x.x]: UNREACHABLE! => {
        "changed": false,
        "msg": "Kerberos auth failure for principal [email protected] with pexpect: Cannot find KDC for realm \" XX.LOCAL \" while getting initial credentials",
        "unreachable": true
    }
    fatal: [ansible_host=x.x.x.x]: UNREACHABLE! => {
        "changed": false,
        "msg": "Kerberos auth failure for principal [email protected] with pexpect: Cannot find KDC for realm \" XX.LOCAL \" while getting initial credentials",
        "unreachable": true
    }

My vars look like this:

    ansible_connection=winrm
    [email protected]
    ansible_password=xx
    ansible_winrm_kerberos_hostname_override
    ansible_port=5986
    ansible_ssh_port=5986
    ansible_winrm_transport=kerberos
    ansible_connection=local
    ansible_winrm_scheme=https
    ansible_winrm_server_cert_validation=ignore
    domain_server=xx.local
    domain_username=xx.local\xx
    domain_password=xx

Host file looks like this:

    ansible_host=Ip add of the server

The ansible box isn't domain joined, and we have multiple domains.

On Tuesday, August 16, 2022 at 11:12:02 AM UTC-5 Igor Turovsky wrote:

It sounds like your ansible host does not have the Krb5 library installed - https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#installing-the-kerberos-library. Also, Kerberos uses FQDNs vs IP addresses, so you will need to have DNS names set as hostnames in inventory (or use the ansible_winrm_kerberos_hostname_override variable).

On Tue, 16 Aug 2022 at 18:14, Nitrous <[email protected]> wrote:

Our ansible box isn't domain joined, and we build a lot of VMs from a template that has an account as part of the image, which is local admin.

I was reading more into Kerberos authentication, and set up my var file as this:

    [xx:vars]
    ansible_connection=winrm
    ansible_user=xx
    ansible_password=xx
    ansible_port=5986
    ansible_ssh_port=5986
    ansible_winrm_transport=kerberos
    ansible_winrm_scheme=https
    ansible_winrm_server_cert_validation=ignore
    domain_server=test.local
    domain_username=cc
    domain_password=cc
    wsus_server=cc

When I run my playbook, I get:

    fatal: [x.x.x.x]: UNREACHABLE! => {
        "changed": false,
        "msg": "Kerberos auth failure when calling kinit cmd 'kinit': The command was not found or was not executable: kinit.",
        "unreachable": true
    }

My host file has the server entry as below:

    hostname ansible_host=IP address of host

Changing the ansible_winrm_transport to basic works, with no issue. How can I use my existing config to work with Kerberos? Please help/suggest.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/03d44202-d21d-41e1-b01a-8960faab6c07n%40googlegroups.com.
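A preflight script for the three failures quoted in this thread (kinit not installed, no KDC for the realm in krb5.conf, and the module running on the Linux control node because ansible_connection is assigned twice), added here as an example rather than anything from the thread or the Ansible project; the file paths and the realm and host names passed to it are assumptions.

```shell
#!/bin/sh
# Preflight checks for the three failures quoted in this thread, run on the Ansible
# control node before trying ansible_winrm_transport=kerberos. Constructed example:
# the file paths, realm and host names passed in are assumptions, not thread values.

# "The command was not found or was not executable: kinit" -> the MIT Kerberos
# client package (krb5-user / krb5-workstation) is not installed.
have_kinit() {
    command -v kinit >/dev/null 2>&1
}

# "Cannot find KDC for realm" -> krb5.conf has no [realms] stanza with a kdc line
# for that realm and dns_lookup_kdc is not enabled in [libdefaults]. Realm names
# are matched case-sensitively, so XX.LOCAL and xx.local are different realms.
realm_has_kdc() {
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { section = $0; sub(/^[[:space:]]*\[/, "", section); sub(/].*/, "", section) }
        section == "libdefaults" && $1 == "dns_lookup_kdc" && tolower($3) ~ /^(true|yes|1)$/ { dns = 1 }
        section == "realms" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && /^[[:space:]]*}/ { inrealm = 0 }
        inrealm && $1 == "kdc" { kdc = 1 }
        END { if (kdc || dns) exit 0; exit 1 }
    ' "$1"
}

# "/bin/sh: 1: powershell: not found" -> the module ran on the Linux control node.
# The vars quoted in the thread set ansible_connection twice (winrm, then local);
# the later assignment wins. Print every key assigned more than once in a vars file.
duplicate_vars() {
    grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$1" | cut -d= -f1 | sort | uniq -d
}

# Kerberos requests a service ticket for a principal built from the target's host
# name, so inventory hosts must resolve by name (or set ansible_winrm_kerberos_hostname_override).
resolves_fqdn() {
    getent hosts "$1" >/dev/null 2>&1
}

# Usage: preflight /etc/krb5.conf DOMAINB.COM /etc/ansible/hosts server.domainb.com
preflight() {
    rc=0
    have_kinit || { echo "missing: kinit (install the Kerberos client package)"; rc=1; }
    realm_has_kdc "$1" "$2" || { echo "$1: no KDC configured for realm $2"; rc=1; }
    dups=$(duplicate_vars "$3")
    [ -z "$dups" ] || { echo "$3 assigns these keys more than once: $dups"; rc=1; }
    resolves_fqdn "$4" || { echo "DNS: $4 does not resolve to an address"; rc=1; }
    return $rc
}
```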
