Yes, thanks. We don't want to do that due to some restrictions, hence asking for help :)
On Tuesday, August 16, 2022 at 1:42:09 PM UTC-5 [email protected] wrote:

> If you join your Linux machine to AD with SSSD, this all gets filled in
> for you. Might make life easier.
>
> Walter
> --
> Walter Rowe, Division Chief
> Infrastructure Services, OISM
> Mobile: 202.355.4123
>
> On Aug 16, 2022, at 1:11 PM, Nitrous <[email protected]> wrote:
>
> Also, just checked the krb5.conf file:
>
> [libdefaults]
>     default_realm = PRIMARYDOMAIN.COM
>
> # The following krb5.conf variables are only for MIT Kerberos.
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented. In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
> #
> # The only time when you might need to uncomment these lines and change
> # the enctypes is if you have local software that will break on ticket
> # caches containing ticket encryption types it doesn't know about (such as
> # old versions of Sun Java).
>
> #   default_tgs_enctypes = des3-hmac-sha1
> #   default_tkt_enctypes = des3-hmac-sha1
> #   permitted_enctypes = des3-hmac-sha1
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
>     fcc-mit-ticketflags = true
>
> [realms]
>     ATHENA.MIT.EDU = {
>         kdc = kerberos.mit.edu
>         kdc = kerberos-1.mit.edu
>         kdc = kerberos-2.mit.edu:88
>         admin_server = kerberos.mit.edu
>         default_domain = mit.edu
>     }
>     ZONE.MIT.EDU = {
>         kdc = casio.mit.edu
>         kdc = seiko.mit.edu
>         admin_server = casio.mit.edu
>     }
>     CSAIL.MIT.EDU = {
>         admin_server = kerberos.csail.mit.edu
>         default_domain = csail.mit.edu
>     }
>     IHTFP.ORG = {
>         kdc = kerberos.ihtfp.org
>         admin_server = kerberos.ihtfp.org
>     }
>     1TS.ORG = {
>         kdc = kerberos.1ts.org
>         admin_server = kerberos.1ts.org
>     }
>     ANDREW.CMU.EDU = {
>         admin_server = kerberos.andrew.cmu.edu
>         default_domain = andrew.cmu.edu
>     }
>     CS.CMU.EDU = {
>         kdc = kerberos-1.srv.cs.cmu.edu
>         kdc = kerberos-2.srv.cs.cmu.edu
>         kdc = kerberos-3.srv.cs.cmu.edu
>         admin_server = kerberos.cs.cmu.edu
>     }
>     DEMENTIA.ORG = {
>         kdc = kerberos.dementix.org
>         kdc = kerberos2.dementix.org
>         admin_server = kerberos.dementix.org
>     }
>     stanford.edu = {
>         kdc = krb5auth1.stanford.edu
>         kdc = krb5auth2.stanford.edu
>         kdc = krb5auth3.stanford.edu
>         master_kdc = krb5auth1.stanford.edu
>         admin_server = krb5-admin.stanford.edu
>         default_domain = stanford.edu
>     }
>     UTORONTO.CA = {
>         kdc = kerberos1.utoronto.ca
>         kdc = kerberos2.utoronto.ca
>         kdc = kerberos3.utoronto.ca
>         admin_server = kerberos1.utoronto.ca
>         default_domain = utoronto.ca
>     }
>
> [domain_realm]
>     .mit.edu = ATHENA.MIT.EDU
>     mit.edu = ATHENA.MIT.EDU
>     .media.mit.edu = MEDIA-LAB.MIT.EDU
>     media.mit.edu = MEDIA-LAB.MIT.EDU
>     .csail.mit.edu = CSAIL.MIT.EDU
>     csail.mit.edu = CSAIL.MIT.EDU
>     .whoi.edu = ATHENA.MIT.EDU
>     whoi.edu = ATHENA.MIT.EDU
>     .stanford.edu = stanford.edu
>     .slac.stanford.edu = SLAC.STANFORD.EDU
>     .toronto.edu = UTORONTO.CA
>     .utoronto.ca = UTORONTO.CA
>
> I don't know where the other stuff in the file comes from, but we have
> multiple domains, and the domain the playbook that I am trying to run
> targets is DOMAINB.COM.
>
> I can ping the machine in domainB via IP from the Ansible box, but not by
> its FQDN.
>
> On Tuesday, August 16, 2022 at 11:48:29 AM UTC-5 Nitrous wrote:
>
>> Even a simple playbook for ping fails, but using basic authentication
>> works:
>>
>> TASK [ping] ***************************************************************
>> task path: /etc/ansible/playbooks/multiple.yml:8
>> fatal: [ansible_host=x.x.x.x]: FAILED! => {
>>     "changed": false,
>>     "module_stderr": "/bin/sh: 1: powershell: not found\n",
>>     "module_stdout": "",
>>     "msg": "The module failed to execute correctly, you probably need to set the interpreter.\nSee stdout/stderr for the exact error",
>>     "rc": 127
>> }
>>
>> On Tuesday, August 16, 2022 at 11:34:16 AM UTC-5 Nitrous wrote:
>>
>>> I changed a few things, and now I see this:
>>>
>>> TASK [windowsupdates : Check If Windows Updates are Available] ************
>>> task path: /etc/ansible/roles/windowsupdates/tasks/main.yml:1
>>> fatal: [ansible_host=x.x.x.x]: UNREACHABLE! => {
>>>     "changed": false,
>>>     "msg": "Kerberos auth failure for principal [email protected] with pexpect: Cannot find KDC for realm \" XX.LOCAL \" while getting initial credentials",
>>>     "unreachable": true
>>> }
>>> fatal: [ansible_host=x.x.x.x]: UNREACHABLE! => {
>>>     "changed": false,
>>>     "msg": "Kerberos auth failure for principal [email protected] with pexpect: Cannot find KDC for realm \" XX.LOCAL \" while getting initial credentials",
>>>     "unreachable": true
>>> }
>>>
>>> My vars look like this:
>>>
>>> ansible_connection=winrm
>>> [email protected]
>>> ansible_password=xx
>>> ansible_winrm_kerberos_hostname_override
>>> ansible_port=5986
>>> ansible_ssh_port=5986
>>> ansible_winrm_transport=kerberos
>>> ansible_connection=local
>>> ansible_winrm_scheme=https
>>> ansible_winrm_server_cert_validation=ignore
>>> domain_server=xx.local
>>> domain_username=xx.local\xx
>>> domain_password=xx
>>>
>>> The host file looks like this:
>>>
>>> ansible_host=Ip add of the server
>>>
>>> The Ansible box isn't domain joined, and we have multiple domains.
>>>
>>> On Tuesday, August 16, 2022 at 11:12:02 AM UTC-5 Igor Turovsky wrote:
>>>
>>>> It sounds like your Ansible host does not have the Krb5 library installed:
>>>> https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#installing-the-kerberos-library
>>>>
>>>> Also, Kerberos uses FQDNs rather than IP addresses, so you will need to
>>>> have DNS names set as hostnames in the inventory (or use the
>>>> ansible_winrm_kerberos_hostname_override variable).
>>>>
>>>> Tue, 16 Aug 2022 at 18:14, Nitrous <[email protected]>:
>>>>
>>>>> Our Ansible box isn't domain joined, and we build a lot of VMs from a
>>>>> template that has an account, part of the image, that is local admin.
>>>>>
>>>>> I was reading more into Kerberos authentication, and set up my var file
>>>>> as this:
>>>>>
>>>>> [xx:vars]
>>>>> ansible_connection=winrm
>>>>> ansible_user=xx
>>>>> ansible_password=xx
>>>>> ansible_port=5986
>>>>> ansible_ssh_port=5986
>>>>> ansible_winrm_transport=kerberos
>>>>> ansible_winrm_scheme=https
>>>>> ansible_winrm_server_cert_validation=ignore
>>>>> domain_server=test.local
>>>>> domain_username=cc
>>>>> domain_password=cc
>>>>> wsus_server=cc
>>>>>
>>>>> When I run my playbook, I get:
>>>>>
>>>>> fatal: [x.x.x.x]: UNREACHABLE! => {
>>>>>     "changed": false,
>>>>>     "msg": "Kerberos auth failure when calling kinit cmd 'kinit': The command was not found or was not executable: kinit.",
>>>>>     "unreachable": true
>>>>> }
>>>>>
>>>>> My host file has the server entry as below:
>>>>>
>>>>> hostname ansible_host=IP address of host
>>>>>
>>>>> Changing the ansible_winrm_transport to basic works, with no issue.
>>>>>
>>>>> How can I use my existing config to work with Kerberos?
>>>>>
>>>>> Please help/suggest?
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Ansible Project" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/ansible-project/03d44202-d21d-41e1-b01a-8960faab6c07n%40googlegroups.com

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/0355159a-e158-4dbe-afb7-46847d401d7en%40googlegroups.com.
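The thread above turns on three separate problems that the posted configs expose: the vars file defines `ansible_connection` twice (`winrm`, then `local`), and in INI group vars the last assignment wins, which is why the Windows module ended up executing on the Linux control node (`/bin/sh: 1: powershell: not found`); the krb5.conf is the stock Debian/Ubuntu template, whose MIT/CMU/Stanford realms are harmless but which contains no `[realms]` stanza for the poster's own domain, so `kinit` reports `Cannot find KDC for realm`; and the targets are addressed by IP while Kerberos builds the `HTTP/<fqdn>` service principal from the hostname, so the inventory needs FQDNs (or `ansible_winrm_kerberos_hostname_override`). The script below is an added example, not code from the thread or from Ansible, that checks for each of these offline on the control node and renders the missing realm stanza. The realm `DOMAINB.COM`, the domain controllers `dc1`/`dc2.domainb.com`, the principal `svc-ansible@DOMAINB.COM` and both sample files are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: offline pre-flight checks for Ansible
# WinRM over Kerberos from a Linux control node that is not domain-joined.
# Hypothetical names: realm DOMAINB.COM, DCs dc1/dc2.domainb.com, principal
# svc-ansible@DOMAINB.COM. The two sample files are constructed, not captured.

WORK=$(mktemp -d)

# Constructed INI group vars modelled on the ones posted upthread.
cat >"$WORK/vars.ini" <<'EOF'
[win:vars]
ansible_connection=winrm
ansible_user=svc-ansible@DOMAINB.COM
ansible_password=REDACTED
ansible_winrm_kerberos_hostname_override
ansible_port=5986
ansible_winrm_transport=kerberos
ansible_connection=local
ansible_winrm_scheme=https
ansible_winrm_server_cert_validation=ignore
EOF

# Constructed krb5.conf: one stock-template realm, no stanza for DOMAINB.COM.
cat >"$WORK/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = PRIMARYDOMAIN.COM
    dns_lookup_kdc = true

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
    }
EOF

# 1) Lint INI vars. Ansible keeps the LAST value of a repeated key, so a stray
#    "ansible_connection=local" after "=winrm" runs the Windows module on the
#    control node. Also flags a key with no value and a disabled TLS
#    certificate check. One finding per line, sorted.
lint_vars() {
  awk -F= '
    /^[[:space:]]*$/ || /^[[:space:]]*[#;]/ || /^[[:space:]]*\[/ { next }
    {
      k = $1; gsub(/[[:space:]]/, "", k); n[k]++
      if (NF < 2) print "novalue " k
      v = $2; gsub(/[[:space:]]/, "", v)
      if (k == "ansible_winrm_server_cert_validation" && v == "ignore") print "weak " k "=" v
    }
    END { for (k in n) if (n[k] > 1) print "dup " k }
  ' "$1" | sort
}

# 2) "Cannot find KDC for realm X" means libkrb5 had neither a [realms] stanza
#    with a kdc line for X nor (with dns_lookup_kdc) a resolvable
#    _kerberos._tcp.X SRV record. Prints the kdc hosts configured for REALM,
#    one per line; prints nothing if the realm is not defined. Realm names are
#    case-sensitive; AD realms are upper-case.
realm_kdcs() {
  awk -v realm="$2" '
    /^[[:space:]]*\[/ { sect = $0; gsub(/[^A-Za-z_]/, "", sect); cur = ""; next }
    sect != "realms" { next }
    /=[[:space:]]*\{[[:space:]]*$/ { cur = $0; sub(/[[:space:]]*=.*$/, "", cur); gsub(/[[:space:]]/, "", cur); next }
    /^[[:space:]]*\}/ { cur = ""; next }
    cur == realm && /^[[:space:]]*kdc[[:space:]]*=/ { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v); print v }
  ' "$1"
}

# 3) Stanza for a realm the stock file lacks (append to krb5.conf or drop it
#    into an includedir). The [domain_realm] map is how libkrb5 derives the
#    realm from a target FQDN, and the HTTP/<fqdn> SPN is built from that same
#    name, which is why the inventory must use FQDNs (or set
#    ansible_winrm_kerberos_hostname_override) rather than raw IPs.
render_realm_stanza() {
  realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  shift
  printf '\n[realms]\n    %s = {\n' "$realm"
  for kdc in "$@"; do printf '        kdc = %s\n' "$kdc"; done
  printf '        admin_server = %s\n        default_domain = %s\n    }\n\n' "$1" "$domain"
  printf '[domain_realm]\n    .%s = %s\n    %s = %s\n' "$domain" "$realm" "$domain" "$realm"
}

# Fixed copy: the template plus the missing realm.
{ cat "$WORK/krb5.conf"; render_realm_stanza domainb.com dc1.domainb.com dc2.domainb.com; } >"$WORK/krb5.fixed.conf"

# 4) Live checks (DNS, SRV, kinit); skipped unless RUN_LIVE=1 so the file runs
#    offline. KRB5_TRACE shows which KDC libkrb5 actually contacts.
live_preflight() {
  target_fqdn=$1 principal=$2
  getent hosts "$target_fqdn" >/dev/null || { echo "no A/AAAA record for $target_fqdn"; return 1; }
  realm=${principal##*@}
  command -v dig >/dev/null && dig +short SRV "_kerberos._tcp.$realm"
  KRB5_TRACE=/dev/stderr kinit "$principal" || return 1
  klist
}
if [ "${RUN_LIVE:-0}" = 1 ]; then live_preflight "$@"; fi
```

Run it as `RUN_LIVE=1 ./preflight.sh host.domainb.com svc-ansible@DOMAINB.COM` once the stanza is in place; `getent` failing on the FQDN while the IP pings is the symptom described upthread and means the control node's resolver is not pointed at a DNS server that knows the domain. `ansible_winrm_server_cert_validation=ignore` is reported as weak because it turns off the TLS certificate check entirely; it is acceptable while debugging, not as the steady state.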
