Thanks, would you mind posting a sample of your krb5.conf file? We have multiple domains, some domains don't have a trust relationship, so I'm trying to figure out how to do this in a manner that works for all our domains.

On Wednesday, August 17, 2022 at 8:55:59 AM UTC-5 [email protected] wrote:
> Hello,
>
> without joining to the domain, we added entries to krb5.conf to specify
> which are the kerberos servers to contact for authentication. So we
> specified credentials via the command line for ansible and we can
> authenticate to winrm successfully.
>
> Luca
>
> On Wed, Aug 17, 2022 at 3:51 PM Nitrous <[email protected]> wrote:
>
>> Yes thanks, we don't want to do that due to some restrictions, so hence
>> asking for help :)
>>
>> On Tuesday, August 16, 2022 at 1:42:09 PM UTC-5 [email protected] wrote:
>>
>>> If you join your Linux machine to AD with SSSD, this all gets filled in
>>> for you. Might make life easier.
>>>
>>> Walter
>>> --
>>> Walter Rowe, Division Chief
>>> Infrastructure Services, OISM
>>> Mobile: 202.355.4123
>>>
>>> On Aug 16, 2022, at 1:11 PM, Nitrous <[email protected]> wrote:
>>>
>>> Also, just checked the krb5.conf file:
>>>
>>> [libdefaults]
>>>         default_realm = PRIMARYDOMAIN.COM
>>>
>>> # The following krb5.conf variables are only for MIT Kerberos.
>>>         kdc_timesync = 1
>>>         ccache_type = 4
>>>         forwardable = true
>>>         proxiable = true
>>>
>>> # The following encryption type specification will be used by MIT Kerberos
>>> # if uncommented. In general, the defaults in the MIT Kerberos code are
>>> # correct and overriding these specifications only serves to disable new
>>> # encryption types as they are added, creating interoperability problems.
>>> #
>>> # The only time when you might need to uncomment these lines and change
>>> # the enctypes is if you have local software that will break on ticket
>>> # caches containing ticket encryption types it doesn't know about (such as
>>> # old versions of Sun Java).
>>>
>>> # default_tgs_enctypes = des3-hmac-sha1
>>> # default_tkt_enctypes = des3-hmac-sha1
>>> # permitted_enctypes = des3-hmac-sha1
>>>
>>> # The following libdefaults parameters are only for Heimdal Kerberos.
>>>         fcc-mit-ticketflags = true
>>>
>>> [realms]
>>>         ATHENA.MIT.EDU = {
>>>                 kdc = kerberos.mit.edu
>>>                 kdc = kerberos-1.mit.edu
>>>                 kdc = kerberos-2.mit.edu:88
>>>                 admin_server = kerberos.mit.edu
>>>                 default_domain = mit.edu
>>>         }
>>>         ZONE.MIT.EDU = {
>>>                 kdc = casio.mit.edu
>>>                 kdc = seiko.mit.edu
>>>                 admin_server = casio.mit.edu
>>>         }
>>>         CSAIL.MIT.EDU = {
>>>                 admin_server = kerberos.csail.mit.edu
>>>                 default_domain = csail.mit.edu
>>>         }
>>>         IHTFP.ORG = {
>>>                 kdc = kerberos.ihtfp.org
>>>                 admin_server = kerberos.ihtfp.org
>>>         }
>>>         1TS.ORG = {
>>>                 kdc = kerberos.1ts.org
>>>                 admin_server = kerberos.1ts.org
>>>         }
>>>         ANDREW.CMU.EDU = {
>>>                 admin_server = kerberos.andrew.cmu.edu
>>>                 default_domain = andrew.cmu.edu
>>>         }
>>>         CS.CMU.EDU = {
>>>                 kdc = kerberos-1.srv.cs.cmu.edu
>>>                 kdc = kerberos-2.srv.cs.cmu.edu
>>>                 kdc = kerberos-3.srv.cs.cmu.edu
>>>                 admin_server = kerberos.cs.cmu.edu
>>>         }
>>>         DEMENTIA.ORG = {
>>>                 kdc = kerberos.dementix.org
>>>                 kdc = kerberos2.dementix.org
>>>                 admin_server = kerberos.dementix.org
>>>         }
>>>         stanford.edu = {
>>>                 kdc = krb5auth1.stanford.edu
>>>                 kdc = krb5auth2.stanford.edu
>>>                 kdc = krb5auth3.stanford.edu
>>>                 master_kdc = krb5auth1.stanford.edu
>>>                 admin_server = krb5-admin.stanford.edu
>>>                 default_domain = stanford.edu
>>>         }
>>>         UTORONTO.CA = {
>>>                 kdc = kerberos1.utoronto.ca
>>>                 kdc = kerberos2.utoronto.ca
>>>                 kdc = kerberos3.utoronto.ca
>>>                 admin_server = kerberos1.utoronto.ca
>>>                 default_domain = utoronto.ca
>>>         }
>>>
>>> [domain_realm]
>>>         .mit.edu = ATHENA.MIT.EDU
>>>         mit.edu = ATHENA.MIT.EDU
>>>         .media.mit.edu = MEDIA-LAB.MIT.EDU
>>>         media.mit.edu = MEDIA-LAB.MIT.EDU
>>>         .csail.mit.edu = CSAIL.MIT.EDU
>>>         csail.mit.edu = CSAIL.MIT.EDU
>>>         .whoi.edu = ATHENA.MIT.EDU
>>>         whoi.edu = ATHENA.MIT.EDU
>>>         .stanford.edu = stanford.edu
>>>         .slac.stanford.edu = SLAC.STANFORD.EDU
>>>         .toronto.edu = UTORONTO.CA
>>>         .utoronto.ca = UTORONTO.CA
>>>
>>> I don't know where the other stuff in the file comes from, but we have
>>> multiple domains, and the playbook that I am trying to run it against is
>>> DOMAINB.COM.
>>>
>>> I can ping the machine in domainB via IP from the ansible box, but not
>>> by its FQDN.
>>>
>>> On Tuesday, August 16, 2022 at 11:48:29 AM UTC-5 Nitrous wrote:
>>>
>>>> Even a simple playbook for ping fails, but using basic authentication
>>>> works:
>>>>
>>>> TASK [ping] ************************************************************
>>>> task path: /etc/ansible/playbooks/multiple.yml:8
>>>> fatal: [ansible_host=x.x.x.x]: FAILED! => {
>>>>     "changed": false,
>>>>     "module_stderr": "/bin/sh: 1: powershell: not found\n",
>>>>     "module_stdout": "",
>>>>     "msg": "The module failed to execute correctly, you probably need to set the interpreter.\nSee stdout/stderr for the exact error",
>>>>     "rc": 127
>>>> }
>>>>
>>>> On Tuesday, August 16, 2022 at 11:34:16 AM UTC-5 Nitrous wrote:
>>>>
>>>>> I changed a few things, and now I see this:
>>>>>
>>>>> TASK [windowsupdates : Check If Windows Updates are Available] *********
>>>>> task path: /etc/ansible/roles/windowsupdates/tasks/main.yml:1
>>>>> fatal: [ansible_host=x.x.x.x]: UNREACHABLE! => {
>>>>>     "changed": false,
>>>>>     "msg": "Kerberos auth failure for principal [email protected] with pexpect: Cannot find KDC for realm \" XX.LOCAL \" while getting initial credentials",
>>>>>     "unreachable": true
>>>>> }
>>>>> fatal: [ansible_host=x.x.x.x]: UNREACHABLE! => {
>>>>>     "changed": false,
>>>>>     "msg": "Kerberos auth failure for principal [email protected] with pexpect: Cannot find KDC for realm \" XX.LOCAL \" while getting initial credentials",
>>>>>     "unreachable": true
>>>>> }
>>>>>
>>>>> My vars look like this:
>>>>>
>>>>> ansible_connection=winrm
>>>>> [email protected]
>>>>> ansible_password=xx
>>>>> ansible_winrm_kerberos_hostname_override
>>>>> ansible_port=5986
>>>>> ansible_ssh_port=5986
>>>>> ansible_winrm_transport=kerberos
>>>>> ansible_connection=local
>>>>> ansible_winrm_scheme=https
>>>>> ansible_winrm_server_cert_validation=ignore
>>>>> domain_server=xx.local
>>>>> domain_username=xx.local\xx
>>>>> domain_password=xx
>>>>>
>>>>> Host file looks like this:
>>>>>
>>>>> ansible_host=IP address of the server
>>>>>
>>>>> The ansible box isn't domain joined, and we have multiple domains.
>>>>>
>>>>> On Tuesday, August 16, 2022 at 11:12:02 AM UTC-5 Igor Turovsky wrote:
>>>>>
>>>>>> It sounds like your ansible host does not have the Krb5 library installed -
>>>>>> https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#installing-the-kerberos-library
>>>>>>
>>>>>> Also, Kerberos uses FQDNs vs ip addresses, so you will need to have
>>>>>> dns names set as hostnames in inventory (or to use the
>>>>>> ansible_winrm_kerberos_hostname_override variable.)
>>>>>>
>>>>>> Tue, 16 Aug 2022 at 18:14, Nitrous <[email protected]>:
>>>>>>
>>>>>>> Our ansible box isn't domain joined, and we build a lot of VMs from a
>>>>>>> template that has an account as part of the image that is local admin.
>>>>>>>
>>>>>>> I was reading more into Kerberos authentication, and set up my var
>>>>>>> file as this:
>>>>>>>
>>>>>>> [xx:vars]
>>>>>>> ansible_connection=winrm
>>>>>>> ansible_user=xx
>>>>>>> ansible_password=xx
>>>>>>> ansible_port=5986
>>>>>>> ansible_ssh_port=5986
>>>>>>> ansible_winrm_transport=kerberos
>>>>>>> ansible_winrm_scheme=https
>>>>>>> ansible_winrm_server_cert_validation=ignore
>>>>>>> domain_server=test.local
>>>>>>> domain_username=cc
>>>>>>> domain_password=cc
>>>>>>> wsus_server=cc
>>>>>>>
>>>>>>> When I run my playbook, I get:
>>>>>>> fatal: [x.x.x.x]: UNREACHABLE! => {
>>>>>>>     "changed": false,
>>>>>>>     "msg": "Kerberos auth failure when calling kinit cmd 'kinit': The command was not found or was not executable: kinit.",
>>>>>>>     "unreachable": true
>>>>>>> }
>>>>>>>
>>>>>>> My host file has the server entry as below:
>>>>>>>
>>>>>>> hostname ansible_host=IP address of host
>>>>>>>
>>>>>>> Changing the ansible_winrm_transport to basic works, with no issue.
>>>>>>>
>>>>>>> How can I use my existing config to work with kerberos?
>>>>>>>
>>>>>>> Please help/Suggest?
>>>>>>>
>>>>>>> --
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "Ansible Project" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to [email protected].
>>>>>>> To view this discussion on the web visit
>>>>>>> https://groups.google.com/d/msgid/ansible-project/03d44202-d21d-41e1-b01a-8960faab6c07n%40googlegroups.com.
>>>>>>>
>>>
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/2a485348-a3ee-4074-a7a1-26848488b957n%40googlegroups.com.
>>>
>>
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/0355159a-e158-4dbe-afb7-46847d401d7en%40googlegroups.com.
>>
>
> --
> "It is absurd to employ men of excellent intelligence to do calculations
> that could be entrusted to anyone if machines were used."
> Gottfried Wilhelm von Leibnitz, Philosopher and Mathematician (1646-1716)
>
> "The Internet is the largest library in the world.
> But the problem is that the books are all scattered on the floor."
> John Allen Paulos, Mathematician (1945-living)
>
> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <[email protected]>

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/a4e3aae6-bb08-48fc-95a1-eb0b7e42d981n%40googlegroups.com.
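The approach Luca describes above (no domain join, explicit KDC entries per realm in krb5.conf) generalises to any number of independent, non-trusting AD domains: each domain just needs its own [realms] block and its own [domain_realm] lines. The script below is an added example, not code from the Ansible project or from anyone in this thread. It renders such a krb5.conf, then re-reads the [domain_realm] section and reports which realm libkrb5 would pick for each inventory host, which is exactly where the "Cannot find KDC for realm" and IP-address-in-inventory problems from the thread show up. The realm names, domain-controller hostnames and inventory hosts are constructed sample values, not anyone's real environment.

```python
# Added example for this thread, not code from the Ansible project or from
# any poster. Realm names, DC hostnames and inventory hosts are constructed.

# Constructed sample: realm name -> KDCs (domain controllers). Each realm is
# independent, so every one gets its own [realms] block; no trust is needed.
SAMPLE_REALMS = {
    "PRIMARYDOMAIN.COM": ["dc1.primarydomain.com", "dc2.primarydomain.com"],
    "DOMAINB.COM": ["dc1.domainb.com"],
    "XX.LOCAL": ["dc1.xx.local"],
}


def render_krb5_conf(realms, default_realm):
    """Return krb5.conf text with explicit KDCs and domain_realm mappings.

    DNS lookups are disabled on purpose: the controller in the thread cannot
    resolve the other domain's FQDNs, so the KDCs are pinned explicitly.
    (The KDC names must still resolve; use /etc/hosts if the resolver cannot.)
    """
    out = [
        "[libdefaults]",
        f"    default_realm = {default_realm}",
        "    dns_lookup_realm = false",
        "    dns_lookup_kdc = false",
        "    rdns = false",  # do not let a reverse lookup rewrite the SPN host
        "",
        "[realms]",
    ]
    for realm, kdcs in realms.items():
        out.append(f"{realm} = {{")
        out += [f"    kdc = {k}" for k in kdcs]
        out.append(f"    admin_server = {kdcs[0]}")
        out.append("}")
    out += ["", "[domain_realm]"]
    for realm in realms:
        dom = realm.lower()
        out.append(f".{dom} = {realm}")  # any host under the domain
        out.append(f"{dom} = {realm}")   # the bare domain name itself
    return "\n".join(out) + "\n"


def parse_domain_realm(conf):
    """Read the [domain_realm] section back into a dict (key -> REALM)."""
    mapping, in_section = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[domain_realm]"
        elif in_section and "=" in line:
            key, realm = (s.strip() for s in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def realm_for_host(host, domain_realm, default_realm=None):
    """Mimic libkrb5's host->realm rule: exact hostname first, then parent
    domains written with a leading dot, longest match first. With
    dns_lookup_realm off, an unmapped host falls back to default_realm."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return default_realm


def check_inventory(hosts, realms, default_realm):
    """Map each inventory host to a realm and flag the ones that only got
    there by falling back: bare IP addresses, or hosts in a domain with no
    [domain_realm] entry. Those are the hosts whose service ticket request
    will go to the wrong realm or fail outright."""
    conf = render_krb5_conf(realms, default_realm)
    dr = parse_domain_realm(conf)
    report = {}
    for h in hosts:
        explicit = realm_for_host(h, dr)
        report[h] = (explicit or default_realm, explicit is not None)
    return report


if __name__ == "__main__":
    # Constructed inventory: two good FQDNs, an IP address (the inventory
    # style used in the thread), and a host in a domain the config lacks.
    hosts = ["web01.domainb.com", "app02.xx.local", "10.0.0.5", "db01.other.corp"]
    print(render_krb5_conf(SAMPLE_REALMS, "PRIMARYDOMAIN.COM"))
    for host, (realm, ok) in check_inventory(hosts, SAMPLE_REALMS, "PRIMARYDOMAIN.COM").items():
        note = "" if ok else "  <- fallback to default_realm; use an FQDN or add a domain_realm entry"
        print(f"{host:20} -> {realm}{note}")
```

To use a generated file without touching /etc/krb5.conf, point MIT Kerberos at it with the KRB5_CONFIG environment variable, then confirm each realm independently before involving Ansible: `KRB5_CONFIG=/path/krb5.conf kinit user@DOMAINB.COM` followed by `klist` (the realm part is case-sensitive and upper-case). Ansible's winrm connection with `ansible_winrm_transport=kerberos` runs that same `kinit` under the hood, so a realm that `kinit` cannot reach will produce the "Cannot find KDC for realm" error quoted above. Inventory entries must be FQDNs under a mapped domain, or carry `ansible_winrm_kerberos_hostname_override` with the target's FQDN, because the service principal is built from the hostname as written. Two things in the quoted var blocks are worth a second look: the block that contains both `ansible_connection=winrm` and a later `ansible_connection=local` ends up running the module on the Linux controller, which is why `/bin/sh` reports `powershell: not found`; and `ansible_winrm_server_cert_validation=ignore` turns off TLS server verification for the WinRM session, so for anything beyond a lab it is better to distribute the internal CA certificate to the controller and set it to `validate`.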
