Hello,

Without joining the domain, we added entries to krb5.conf to specify
which Kerberos servers to contact for authentication. So we
specified credentials via the command line for Ansible and we can
authenticate to WinRM successfully.

Luca
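The approach described above (static KDC entries in krb5.conf instead of a domain join) can be sanity-checked before running Ansible. The following is an added example, not code from the thread: it parses a constructed krb5.conf and reports whether a target host maps to a realm that has a configured KDC, which is the condition behind the quoted "Cannot find KDC for realm" error; the DOMAINB.COM entries, host names and KDC names are assumptions.

```python
"""Added checker for the failure quoted in the thread ("Cannot find KDC for
realm"): does a target host map to a realm that has a KDC in krb5.conf?
Static config only; DNS SRV discovery (dns_lookup_kdc) is not modelled.
SAMPLE_KRB5_CONF is a constructed file, not the one posted in the thread."""

SAMPLE_KRB5_CONF = """
[libdefaults]
        default_realm = PRIMARYDOMAIN.COM
[realms]
        DOMAINB.COM = {
                kdc = dc1.domainb.com
                kdc = dc2.domainb.com:88
        }
[domain_realm]
        .domainb.com = DOMAINB.COM
        domainb.com = DOMAINB.COM
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; realm blocks become nested dicts."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and indent
        if line.startswith("["):
            section, realm = line.strip("[]"), None
            conf.setdefault(section, {})
        elif line.endswith("{"):                   # "REALM = {" opens a block
            realm = line[:-1].strip(" =")
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            target = conf[section][realm] if realm else conf[section]
            target.setdefault(key, []).append(val)
    return conf

def realm_for_host(conf, fqdn):
    """Host -> realm via [domain_realm] (exact, then longest suffix), else default_realm."""
    mapping = conf.get("domain_realm", {})
    labels = fqdn.lower().split(".")
    cands = [fqdn.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in cands:
        if cand in mapping:
            return mapping[cand][0]
    return conf.get("libdefaults", {}).get("default_realm", [None])[0]

def kdcs_for_realm(conf, realm):
    """KDC list for a realm; realm names are case-sensitive and must match exactly."""
    return list(conf.get("realms", {}).get(realm, {}).get("kdc", []))
```

An empty list from kdcs_for_realm for the realm a host resolves to is exactly the state that produced the quoted error, unless DNS SRV records supply a KDC instead.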

On Wed, Aug 17, 2022 at 3:51 PM Nitrous <[email protected]> wrote:

> Yes, thanks. We don't want to do that due to some restrictions, hence
> asking for help :)
>
> On Tuesday, August 16, 2022 at 1:42:09 PM UTC-5 [email protected] wrote:
>
>> If you join your Linux machine to AD with SSSD, this all gets filled in
>> for you. Might make life easier.
>>
>> Walter
>> --
>> Walter Rowe, Division Chief
>> Infrastructure Services, OISM
>> Mobile: 202.355.4123
>>
>> On Aug 16, 2022, at 1:11 PM, Nitrous <[email protected]> wrote:
>>
>> Also, just checked krb5.conf file :
>>
>> [libdefaults]
>>         default_realm = PRIMARYDOMAIN.COM
>>
>> # The following krb5.conf variables are only for MIT Kerberos.
>>         kdc_timesync = 1
>>         ccache_type = 4
>>         forwardable = true
>>         proxiable = true
>>
>> # The following encryption type specification will be used by MIT Kerberos
>> # if uncommented.  In general, the defaults in the MIT Kerberos code are
>> # correct and overriding these specifications only serves to disable new
>> # encryption types as they are added, creating interoperability problems.
>> #
>> # The only time when you might need to uncomment these lines and change
>> # the enctypes is if you have local software that will break on ticket
>> # caches containing ticket encryption types it doesn't know about (such as
>> # old versions of Sun Java).
>>
>> #       default_tgs_enctypes = des3-hmac-sha1
>> #       default_tkt_enctypes = des3-hmac-sha1
>> #       permitted_enctypes = des3-hmac-sha1
>>
>> # The following libdefaults parameters are only for Heimdal Kerberos.
>>         fcc-mit-ticketflags = true
>>
>> [realms]
>>         ATHENA.MIT.EDU = {
>>                 kdc = kerberos.mit.edu
>>                 kdc = kerberos-1.mit.edu
>>                 kdc = kerberos-2.mit.edu:88
>>                 admin_server = kerberos.mit.edu
>>                 default_domain = mit.edu
>>         }
>>         ZONE.MIT.EDU = {
>>                 kdc = casio.mit.edu
>>                 kdc = seiko.mit.edu
>>                 admin_server = casio.mit.edu
>>         }
>>         CSAIL.MIT.EDU = {
>>                 admin_server = kerberos.csail.mit.edu
>>                 default_domain = csail.mit.edu
>>         }
>>         IHTFP.ORG = {
>>                 kdc = kerberos.ihtfp.org
>>                 admin_server = kerberos.ihtfp.org
>>         }
>>         1TS.ORG = {
>>                 kdc = kerberos.1ts.org
>>                 admin_server = kerberos.1ts.org
>>         }
>>         ANDREW.CMU.EDU = {
>>                 admin_server = kerberos.andrew.cmu.edu
>>                 default_domain = andrew.cmu.edu
>>         }
>>         CS.CMU.EDU = {
>>                 kdc = kerberos-1.srv.cs.cmu.edu
>>                 kdc = kerberos-2.srv.cs.cmu.edu
>>                 kdc = kerberos-3.srv.cs.cmu.edu
>>                 admin_server = kerberos.cs.cmu.edu
>>         }
>>         DEMENTIA.ORG = {
>>                 kdc = kerberos.dementix.org
>>                 kdc = kerberos2.dementix.org
>>                 admin_server = kerberos.dementix.org
>>         }
>>         stanford.edu = {
>>                 kdc = krb5auth1.stanford.edu
>>                 kdc = krb5auth2.stanford.edu
>>                 kdc = krb5auth3.stanford.edu
>>                 master_kdc = krb5auth1.stanford.edu
>>                 admin_server = krb5-admin.stanford.edu
>>                 default_domain = stanford.edu
>>         }
>>         UTORONTO.CA = {
>>                 kdc = kerberos1.utoronto.ca
>>                 kdc = kerberos2.utoronto.ca
>>                 kdc = kerberos3.utoronto.ca
>>                 admin_server = kerberos1.utoronto.ca
>>                 default_domain = utoronto.ca
>>         }
>>
>> [domain_realm]
>>         .mit.edu = ATHENA.MIT.EDU
>>         mit.edu = ATHENA.MIT.EDU
>>         .media.mit.edu = MEDIA-LAB.MIT.EDU
>>         media.mit.edu = MEDIA-LAB.MIT.EDU
>>         .csail.mit.edu = CSAIL.MIT.EDU
>>         csail.mit.edu = CSAIL.MIT.EDU
>>         .whoi.edu = ATHENA.MIT.EDU
>>         whoi.edu = ATHENA.MIT.EDU
>>         .stanford.edu = stanford.edu
>>         .slac.stanford.edu = SLAC.STANFORD.EDU
>>         .toronto.edu = UTORONTO.CA
>>         .utoronto.ca = UTORONTO.CA
>>
>> I don't know where the other stuff in the file comes from, but we have
>> multiple domains, and the playbook that I am trying to run it against is
>> DOMAINB.COM.
>>
>> I can ping the machine in domainB via IP from the ansible box, but not by
>> its FQDN.
>>
>> On Tuesday, August 16, 2022 at 11:48:29 AM UTC-5 Nitrous wrote:
>>
>>> Even a simple playbook for ping fails, but using basic authentication it
>>> works:
>>>
>>> TASK [ping]
>>> *********************************************************************************************************************************************************************************************************************
>>> task path: /etc/ansible/playbooks/multiple.yml:8
>>> fatal: [ansible_host=x.x.x.x]: FAILED! => {
>>>     "changed": false,
>>>     "module_stderr": "/bin/sh: 1: powershell: not found\n",
>>>     "module_stdout": "",
>>>     "msg": "The module failed to execute correctly, you probably need to
>>> set the interpreter.\nSee stdout/stderr for the exact error",
>>>     "rc": 127
>>> }
>>>
>>> On Tuesday, August 16, 2022 at 11:34:16 AM UTC-5 Nitrous wrote:
>>>
>>>> I changed a few things, and now I see this:
>>>>
>>>> TASK [windowsupdates : Check If Windows Updates are Available]
>>>> ******************************************************************************************************************************************************************
>>>> task path: /etc/ansible/roles/windowsupdates/tasks/main.yml:1
>>>> fatal: [ansible_host=x.x.x.x]: UNREACHABLE! => {
>>>>     "changed": false,
>>>>     "msg": "Kerberos auth failure for principal [email protected] with
>>>> pexpect: Cannot find KDC for realm \" XX.LOCAL  \" while getting initial
>>>> credentials",
>>>>     "unreachable": true
>>>> }
>>>> fatal: [ansible_host=x.x.x.x]: UNREACHABLE! => {
>>>>     "changed": false,
>>>>      "msg": "Kerberos auth failure for principal [email protected] with
>>>> pexpect: Cannot find KDC for realm \" XX.LOCAL  \" while getting initial
>>>> credentials",
>>>>     "unreachable": true
>>>> }
>>>>
>>>> My vars look like this:
>>>>
>>>> ansible_connection=winrm
>>>> [email protected]
>>>> ansible_password=xx
>>>> ansible_winrm_kerberos_hostname_override
>>>> ansible_port=5986
>>>> ansible_ssh_port=5986
>>>> ansible_winrm_transport=kerberos
>>>> ansible_connection=local
>>>> ansible_winrm_scheme=https
>>>> ansible_winrm_server_cert_validation=ignore
>>>> domain_server=xx.local
>>>> domain_username=xx.local\xx
>>>> domain_password=xx
>>>>
>>>> Host file looks like this:
>>>>
>>>> ansible_host=IP address of the server
>>>>
>>>> The Ansible box isn't domain joined, and we have multiple domains.
>>>>
>>>> On Tuesday, August 16, 2022 at 11:12:02 AM UTC-5 Igor Turovsky wrote:
>>>>
>>>>> It sounds like your Ansible host does not have the Krb5 library installed -
>>>>> https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#installing-the-kerberos-library
>>>>>
>>>>> Also, Kerberos uses FQDNs rather than IP addresses, so you will need to have
>>>>> DNS names set as hostnames in the inventory (or use the
>>>>> ansible_winrm_kerberos_hostname_override variable).
>>>>>
>>>>> Tue, 16 Aug 2022 at 18:14, Nitrous <[email protected]>:
>>>>>
>>>>>> Our Ansible box isn't domain joined, and we build a lot of VMs from a
>>>>>> template that has an account, part of the image, that is local admin.
>>>>>>
>>>>>> I was reading more into Kerberos authentication, and set up my var
>>>>>> file as this:
>>>>>>
>>>>>> [xx:vars]
>>>>>> ansible_connection=winrm
>>>>>> ansible_user=xx
>>>>>> ansible_password=xx
>>>>>> ansible_port=5986
>>>>>> ansible_ssh_port=5986
>>>>>> ansible_winrm_transport=kerberos
>>>>>> ansible_winrm_scheme=https
>>>>>> ansible_winrm_server_cert_validation=ignore
>>>>>> domain_server=test.local
>>>>>> domain_username=cc
>>>>>> domain_password=cc
>>>>>> wsus_server=cc
>>>>>>
>>>>>> When I run my playbook, I get:
>>>>>> fatal: [x.x.x.x]: UNREACHABLE! => {
>>>>>>     "changed": false,
>>>>>>     "msg": "Kerberos auth failure when calling kinit cmd 'kinit': The
>>>>>> command was not found or was not executable: kinit.",
>>>>>>     "unreachable": true
>>>>>> }
>>>>>>
>>>>>> My host file has the server entry as below:
>>>>>>
>>>>>> hostname ansible_host=IP address of host
>>>>>>
>>>>>> Changing the ansible_winrm_transport to basic works, with no issue.
>>>>>>
>>>>>> How can I use my existing config to work with kerberos?
>>>>>>
>>>>>> Please help/suggest?
>>>>>>


-- 
"It is absurd to employ men of excellent intelligence to do
calculations that could be entrusted to anyone if machines were
used"
Gottfried Wilhelm von Leibnitz, Philosopher and Mathematician (1646-1716)

"The Internet is the largest library in the world.
But the problem is that the books are all scattered on the floor"
John Allen Paulos, Mathematician (1945-present)

Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <
[email protected]>
