I ran into this. Upgrading the python modules *pykerberos* and *pywinrm*
fixed it for me.
On Wednesday, September 29, 2021 at 6:26:23 AM UTC-7 gajendra@gmail.com
wrote:
> Good evening All
>
> I am facing a small issue, could you please let me out
>
> This works if i allow unencrypted is
That's because you are telling it to run on windows_server but have defined
the username in the windows group. Based on your inventory 'windows_server'
is not part of the 'windows' group so has no username/password defined. The
reason why it may have worked before is if you've gotten the
Oh! Here is the reported error:
fatal: [test.domain.com]: UNREACHABLE! => {"changed": false, "msg":
"kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor
code may provide more information', 851968), ('No Kerberos credentials
available (default cache: FILE:/tmp/krb5cc_0)',
You need to share the error you are getting back, right now we cannot tell
what is going wrong.
On Tuesday, July 28, 2020 at 8:32:50 AM UTC+10 workema...@gmail.com wrote:
> Hello,
> Kerberos authentication is failing on some servers even after providing
> credentials in host file.
>
> *Host
Thanks ! that was it
Nice catch ...
On Tuesday, June 2, 2020 at 12:49:08 AM UTC-7, Jordan Borean wrote:
>
> The key you want to use is ‘ansible_winrm_server_cert_validation’, you
> were missing the server part
>
Kerberos is highly dependent on DNS working. With Kerberos the client
builds an SPN in the format 'HTTP/, in your case that will
be 'HTTP/10.50.1.231'. Active directory only creates automatic SPNs using
the DNS name of a host, i.e. 'HTTP/hostname.domain.com' so that's the SPN
that needs
ok I got kerberos working now. but only via port 5986
why is that?
On Friday, May 15, 2020 at 12:58:37 PM UTC-7, Tony Wong wrote:
>
> trying to get kerberos to work . I got all the libraries and krb5.conf
> file setup. I got a ticket from klist but when i do win_ping
>
> I get errors
>
>
>
After installing the python3-devel package, i was able to install the
pykerberos successfully.
Now i am able to win_ping using the kerberos credentials.
Thanks
On Monday, January 27, 2020 at 4:49:28 PM UTC-4, Jordan Borean wrote:
>
> That's telling you it can't compile the pykerberos library,
That's telling you it can't compile the pykerberos library, it's trying to
find headers that are not present. In this case you need the python3-devel
package installed with yum/dnf. These headers are different from the Python
2 headers which is why you can install pykerberos in Python 2 and not
Ansible is default to python3
[ansible@NBP-HO7-Ansible01 windows]$ echo $ANSIBLE_PYTHON
/usr/bin/python3
And when I do pip list for pip3, kerberos doesn't get listed, it's available
only for pip 2. I did try to install using pip3 but just getting error as
following
[ansible@NBP-HO7-Ansible01
Since pywinrm 0.4.0, requests-kerberos is not actually used so in your case
we don't really have to worry about that particular library in your pywinrm
version. The pykerberos library is still required but it looks like you do
have it there. Also you are saying you have both Python 2.7 and 3.6
I tried with Kerberos
I am getting error
Msg: Kerberos: requested with method is kerberos, but request-kerberos is
not installed
I tried to run cmd pip install request-kerberos
But firewall restricting
Is there any other way
Thanks
On Mon, Dec 3, 2018 at 12:58 PM Nk Chitturi wrote:
> Use
Use Kerberos, it works.
> On Dec 2, 2018, at 4:27 PM, sateeshaz...@gmail.com wrote:
>
> hi,
>
> [webserver]
> ssk.ms.com
>
> [webserver:vars]
> ansible_user=windows
> ansible_password=PWD
> ansible_connection=winrm
> ansible_winrm_transport=basic
> ansible_winrm_scheme=http
hi,
[webserver]
ssk.ms.com
[webserver:vars]
ansible_user=windows
ansible_password=PWD
ansible_connection=winrm
ansible_winrm_transport=basic
ansible_winrm_scheme=http
ansible_port=5985
#ansible_winrm_operation_timeout_sec=60
#ansible_winrm_read_timeout_sec=70
Hi,
I am getting following error when i am trying to run a playbook to config a
windows machine,
Msg: basic: Bad HTTP response returned from server . code 404.
actually the error getting at gathering facts: i have given my windows host
name
On Tuesday, May 2, 2017 at 2:33:36 PM UTC-4, Allen
Hi,
I had a similar issue and you guys were spot on.
Removing these lines solved my problem:
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
Thanks.
Leo
On Saturday, 3 March 2018 06:31:47 UTC+11, matt...@redhat.com
Yep, the non-default encryption setting is almost certainly the issue. Can
you file a bug on https://github.com/02strich/pykerberos? No promises that
we'll get to it, but I have a couple ideas as to what might be causing it.
I *think* the fix could be pretty simple (there's a code path in there
Without testing it I believe there may be an issue with the RC4 encryption that
is being used. Will have to try it out but that is a pretty old protocol and
believed to be broken. While we should still look at fixing it, you should look
at adding in one of the AES types on your krb5.conf file
I hope I got all:
(venv_ansible)[userid@ansiblehost ~/ansible_test]$ pip list
ansible (2.4.3.0)
asn1crypto (0.24.0)
bcrypt (3.1.4)
certifi (2018.1.18)
cffi (1.11.5)
chardet (3.0.4)
cryptography (2.1.4)
enum34 (1.1.6)
idna (2.6)
ipaddress (1.0.19)
Jinja2 (2.10)
MarkupSafe (1.0)
ntlm-auth (1.0.6)
Yes, this means the message encryption done with Kerberos is failing for
whatever reason and producing a malformed message. This encryption support
was added in pywinrm 0.3.0 and it would be great to find out what may have been
happening to cause it to fail as it is quite important to use it when
It isn't a transient error, it occurs always in this setup with the
mentioned module versions. Tested with different windows versions.
Everything is working fine with your suggestions:
ansible_port=5986
and also with
ansible_winrm_message_encryption=never
So problem solved for me, thank you
On a related note: maybe try just tweaking the existing setup to use
`ansible_winrm_message_encryption=never` on your Windows host(s) in the
inventory or via `-e` to prove if it's related to the new message
encryption support. You've clearly been running unencrypted in the past-
we'll leave
Just wondering if this is a transient error? I have occasionally had problems
when the windows host is applying windows updates or running ngen to recompile
dotnet code following installation of an upgrade to dotnet framework.
Jon
--
You received this message because you are subscribed to
Are you able to try port 5986 and see if that works. Potentially port 5985
is failing because the encryption process is creating a bad request causing
the 400 but it would be good to know if your setup works with HTTPS where
WinRM encryption isn't happening.
Thanks
Jordan
Good that you were able to get it working, I don't know of any
incompatibilities with Ubuntu 14.04 that could cause this but I think the
issue is that requests_kerberos is failing to import a dependency which is
being swallowed. If you wanted to try again you could run python manually
and run
Hi
I've reinstalled it on Ubuntu 16.04 and the install was much more straight
forward. And it works now!
Are you aware of any issue with ubuntu 14.04 or it may be my company build?
Thank you!
On Sunday, January 7, 2018 at 4:18:59 PM UTC+2, Jeremie Levy wrote:
>
> I'm trying to connect to my first
Hello Jordan
So I cleanup my environment, and restart from the beginning.
When installing everything according
to http://docs.ansible.com/ansible/latest/intro_windows.html
(had to install setuptools before cryptography could be installed which is
needed by pywinrm)
After installing i get this
This (or IRC) would be the best place for user help, Github is mostly for
bug reports but sometimes you can mix the 2 together. You may need to
uninstall the kerberos library, requests-kerberos uses the pykerberos
package but they both have the same name which can cause conflicts.
Otherwise
Hello Jordan,
Yes, it was me, I didn't know I should post here (searching for help led
me to the github page multiple times)
So i did as you suggested (have to say i tried it before) but i have
another error, which confused me even more:
ansible windows -m win_ping -
ansible 2.4.2.0
I believe https://github.com/ansible/ansible/issues/34552 may be from
yourself as well, I'll post my response here to go into a bit more detail.
By default, the winrm connector inside Ansible uses basic auth as the
transport authentication mechanism. You can see this happening as your
error
resolved the above error by uncommenting the line " 127.0.0.1 localhost "
in C:\Windows\System32\drivers\etc\hosts file, then it works
On Thursday, May 4, 2017 at 9:06:29 AM UTC-4, Allen Fisher wrote:
>
> Thanks Jordan and J.
>
> I switched to the local administrator account. I also re-ran the
resolved the above error by uncommenting the line " 127.0.0.1 localhost "
in C:\Windows\System32\drivers\etc\hosts file, then it works
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails
Just got done configuring some Windows hosts with Ansible Tower.
- Use port 5986 because AllowUnencrypted=False will prevent 5985 from
working (for good reason!) w/ Kerberos
- Use a certificate on 5986, I noticed your CertThumbprint is missing
- Ensure 5986 firewall port is open
- Test
I would only allow unencrypted messages for testing and debugging purposes and
never in any production capacity due to the security risk when running over
HTTP. Useful in this case to see if the HTTP endpoint works but should be
turned back off eventually.
Some other things to try
- use a real
allow unencrypted:
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
On Thursday, May 4, 2017 at 10:38:23 AM UTC-4, Allen Fisher wrote:
>
> Sure thing:
>
> PS C:\Users\Administrator> winrm get winrm/config/service
>> Service
>> RootSDDL =
>>
Sure thing:
PS C:\Users\Administrator> winrm get winrm/config/service
> Service
> RootSDDL =
> O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
> MaxConcurrentOperations = 4294967295
> MaxConcurrentOperationsPerUser = 1500
> EnumerationTimeoutms = 24
>
Can you post the results of "winrm get winrm/config/service" here to show
us your WinRM configuration.
Thanks Jordan and J.
I switched to the local administrator account. I also re-ran the
ConfigureRemotingForAnsible script. Now I get the dreaded "the specified
credentials were rejected by the server" error
PS C:\Users\afisher\Documents>
>
If I recall I've had problems in the past where a machine has moved from
one domain to another. You can wind up with an orphaned computer account
in active directory in the old domain (IIRC this affected older AD
versions).
Fix was to remove the Computer account from the old domain.
That
I have struggled with this a lot. I have run into the fact that a new
windows host, joined to a domain, sometimes needs to be rebooted again in
order to have its domain name reflected correctly in its group policies. I
have had GPresult /r say another domain name than what is displayed on the
Thanks, I have tried NTLM and basic, and they both work fine. However, I am
evaluating this for a 2+ node enterprise solution, and Kerberos is a
must-have requirement.
On Tuesday, April 4, 2017 at 7:37:03 PM UTC-5, Jarryd Took wrote:
>
> @william:
>
> The latest requests-ntlm in
@william:
The latest requests-ntlm in combination of Ansible 2.2.0 you can use NTLM
against Windows machines. If this floats your boat as an alternative to
kerberos tickets.
ansible_connection: winrm
ansible_winrm_transport: ntlm
On Tuesday, April 4, 2017 at 12:27:21 AM UTC+10, William
Bingo. I was suspecting some kind of isolation thing, because it was so
clear that the environment was different when running a playbook than at
the command line, even when sudo'd as awx. Many thanks. I'll never get that
week back, but I love a mystery solved.
~Bill
On Tue, Apr 4, 2017 at 3:59
Tower uses an isolation tech called proot that will often break shared
ticket caches. If you can't wait for Ansible 2.3 (should be released within
the next couple weeks), I'd suggest disabling proot (IIRC it's in
settings.py, but my Tower-fu is getting rusty).
On Tuesday, April 4, 2017 at
time is definitely good.
i run ntpdate in my vagrant provisioning script just to be sure.
On Tue, Apr 4, 2017 at 2:20 PM, cupcake wrote:
> sanity check; is time in sync? windows AD/kerb won't auth if the skew is
> more than 5 or 10 minutes off. I also saw some weirdness
sanity check; is time in sync? windows AD/kerb won't auth if the skew is
more than 5 or 10 minutes off. I also saw some weirdness like this recently
and a reboot and then kinit again made it work but i think due to another
config reason on my part.
On Tuesday, April 4, 2017 at 9:09:27 AM UTC-4,
I think that's what I'm doing.
I've tried doing the kinit from the console, doing the kinit in a cron job,
doing the kinit manually in a playbook before running the winrm play book,
and doing it as a local_action in the winrm playbook itself.
In all cases (except the last one), the kinit
Ansible doesn't manage the tickets for you until Ansible Core 2.3 (still in
release candidate). Anything earlier, you'll have to do the kinit on the
controller yourself (either via a cron job or as part of your playbook with
a local action).
On Monday, April 3, 2017 at 7:27:21 AM UTC-7,
Okay. Do you know if it would be possible for paid support from Ansible to
assist with troubleshooting?
On Monday, October 31, 2016 at 1:04:10 PM UTC-5, Matt Davis wrote:
>
> Don't know what else to say- works for everyone I know that's tried it, so
> I'm suspecting some sort of local
Don't know what else to say- works for everyone I know that's tried it, so
I'm suspecting some sort of local configuration or installation issue that
hasn't been covered yet.
On Monday, October 31, 2016 at 8:09:02 AM UTC-7, Surred wrote:
>
> Thanks for the response Matt! I did verify we are
Thanks for the response Matt! I did verify we are running ansible version
2.1.1.0
user@ansible:~> ansible --version
ansible 2.1.1.0
config file = /etc/ansible/ansible.cfg
configured module search path = Default w/o overrides
I ran the klist command on the windows host (DC1) that ansible
You mentioned you were using ansible 2.1.0 and that you'd switched to
group_vars- that version has an inventory bug where any ansible_winrm_X
connection vars are ignored if they live in group_vars. Either upgrade to
at least 2.1.1, or move them back. Also, try doing a raw: klist on the
Windows
Apologies for the delayed response... I've been looking for ways to work
around this issue, but I hit a roadblock so I really need to figure this
out. Below are the logs from the server hosting the network share.
Apparently the login was successful, but it was as an anonymous user using
NTLM.
Have a look in the event logs. I suspect all you will see is 'Access is
denied'. Worth looking on the network share machine (if it is an actual
windows box). If it isn't a windows box I guess there will be some kind of
samba share logging that you could examine too.
Make sure that you are
JH,
Do you know of any other tests/logging I could try/review to determine why
the kerberos delegation is not working in my environment?
On Friday, September 16, 2016 at 2:22:05 AM UTC-5, J Hawkesworth wrote:
>
> Sorry, I should have been clearer. 2.0.0.2 and 2.1.1 are ansible versions.
>
>
>
Sorry, I should have been clearer. 2.0.0.2 and 2.1.1 are ansible versions.
On Thursday, September 15, 2016 at 4:11:02 PM UTC+1, Surred wrote:
>
> Thanks for the response JH. I've moved the winrm connection details to
> group_vars as you suggested, but am still not able to list the files of a
Thanks for the response JH. I've moved the winrm connection details to
group_vars as you suggested, but am still not able to list the files of a
network share. You said you are using "2.0.0.2 / 2.1.1" Can you please
clarify those version numbers and what they are associated with?
host file:
I just got this working a couple of days ago.
The only differences I can see between your set up and mine are
I set up win connection vars in group vars, rather than host vars (mixed
environment - not all my hosts are windows). Might be worth trying to
switch to group_vars as at some point I
Great, I'm glad this is working. Setting up kerberos is fiddly but once
it's done you probably won't have to touch it again and you can immediately
start doing a lot of things with a lot of windows boxes.
Jon
On Thursday, August 4, 2016 at 10:01:52 AM UTC+1, fanvalt wrote:
>
> Oh the win_ping
Oh the win_ping command did work, I did replace the IP address in the
inventory file with the server name and I did comment in the krb5.conf file
all descriptions that were not about EMEAD.COM (so many tests !!!).
Thanks a lot, Jon, for your support
Regards
Le jeudi 4 août 2016 10:27:29
I did correct the krb5.conf file, I did install the requests.kerberos
package and rerun the kinit command.
The klist command shows the EMEAD.COM domain.
But when running the ansible win_ping command, I do receive this new
message:
ansible windows -i ./win.ini -m win_ping -vv
Using
I have only ever used kerberos support with Active Directory servers, not
LDAP ones.
However, I think from what you have described that your kdc will be
fr.ldap-ad.dmsi.corp.com
I don't think you need an admin server set up for this purpose ( I don't
have one set in my krb5.conf)
You may have
Thank you very much for your help. I have already done everything you
suggested - I tried to use hostnames instead of IPs, checked 'both way' DNS
configuration, used HTTP instead of HTTPS, verified that Kerberos and HTTP
are enabled. The Powershell scripts was executed on the remote host as
I'd recommend using the hostname, rather than the ip address of the windows
machine you want to connect to in your inventory. Kerberos/Active
Directory seems to be intended to work with host and domain names.
I would also check that ping yourhost and ping yourhost.mycloud.local
return the
Can you share your /etc/krb5.conf?
Is it possible you have KRB5CCNAME environment variable set specifying a
non standard location for the kerberos credential cache? I think that
would probably cause problems?
Not sure if pykerberos expects a particular type of credential cache but
fairly