[ansible-project] Re: Ansible V2.7 - kerberos: authGSSClientStep() failed:

2019-11-17 Thread Sushena Parthasarathy 
thanks, Jon

We have *SOLVED *the issue. The problem was with the NTP service where the 
Ansible controller and Domain controller wasn't in sync. Post setting *ntpd 
*on the controller and changed ntp to UTC format, Service account and 
playbooks were working as expected.

thanks and everyone for assisting us.

On Tuesday, 22 October 2019 17:17:16 UTC+5:30, J Hawkesworth wrote:
>
> Server not found in kerberos database means that the domain controller is 
> unaware of the server. You mention using hosts file which suggests to me 
> that the machine you want to connect to has not been joined to the domain. 
> You almost certainly wouldn't need to use hosts file as typically joining a 
> machine to a domain also adds to to your local DNS servers.
>
> Hope this helps,
>
> Jon 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/07e73110-034b-4bd7-a9c4-efd7c08f1b6c%40googlegroups.com.

[ansible-project] Re: Ansible V2.7 - kerberos: authGSSClientStep() failed:

2019-10-22 Thread 'J Hawkesworth' via Ansible Project 
Server not found in kerberos database means that the domain controller is 
unaware of the server. You mention using hosts file which suggests to me that 
the machine you want to connect to has not been joined to the domain. You 
almost certainly wouldn't need to use hosts file as typically joining a machine 
to a domain also adds to to your local DNS servers.

Hope this helps,

Jon 

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/6071f5eb-4c3f-42bf-8282-63d5c19d6df6%40googlegroups.com.

[ansible-project] Re: Ansible V2.7 - kerberos: authGSSClientStep() failed:

2019-10-17 Thread Amal Antony 
Hi Piyush,

Please find below snippet from ansible command for further understanding, 

###

creating Kerberos CC at /tmp/tmpEO9VQo
calling kinit with subprocess for principal Amal.Ant@NORTHIND.INTERNAL
kinit succeeded for principal Amal.Ant@NORTHIND.INTERNAL
 WINRM CONNECT: transport=kerberos 
endpoint=https://GCP-Bast.northhind.internal:5986/wsman
 WINRM CONNECTION ERROR: authGSSClientStep() 
failed: (('Unspecified GSS failure.  Minor code may provide more 
information', 8519 68), ('Server not found in Kerberos database', 
-1765328377))



Please share your thoughts.

Thanks,
Amal


On Tuesday, July 30, 2019 at 9:24:03 PM UTC+5:30, Sushena Parthasarathy 
wrote:
>
> Hi Team,
>we`re using Ansible v 2.7, below python modules for 
> kerberos. We have switched from basic to kerberos auth all playbooks are 
> failing with below error
>
> *Python (Kerberos) modules:*
> kerberos 1.3.0
> requests-kerberos0.12.0
>
> *Ansible host file:*
>  ansible_user= Ansibleservice@NORTHIND.INTERNAL
>  ansible_password= '2*S<5q$Vn#]M'
>  ansible_connection= winrm
>  ansible_winrm_transport= kerberos
> #ansible_winrm_realm= NORTHIND.INTERNAL
> ansible_winrm_scheme= http
> ansible_winrm_server_cert_validation= ignore
> ansible_port= 5985
> ansible_winrm_kerberos_delegation= yes
>
> kinit command succeeds and able to do klist as well. But when we execute 
> win_ping module to the Windows(2012) node which is part of domain 
> (NORTHIND.INTERNAL), failing with below error. Can anyone assists to fix 
> this below error?
>
> *Command:* *ansible -i /home/ansible/hosts win -m win_ping 
> -e="ansible_ssh_port=5985, ansible_connection=winrm"*
>
>
> *Error:*
>
> *gcp-bashost.NORTHIND.INTERNAL | UNREACHABLE! => {*
> *"changed": false,*
> *"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS 
> failure.  Minor code may provide more information', 851968), ('Server not 
> found in Kerberos database', -1765328377))",*
> *"unreachable": true*
> *}*
>
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/25fad75e-0859-47a6-a670-8cf7852cd8fb%40googlegroups.com.

Re: [ansible-project] Re: Ansible V2.7 - kerberos: authGSSClientStep() failed:

2019-10-17 Thread Amal Antony 
Hi Piyush Bansal,


 Thanks for your response, I work along with *Sushena*. 
Below are the technical details

   - nslookup working correctly and resolving eachother.
   - only one network interface.
   - hosts file entry: *testhost.NORTHIND.INTERNAL*

Thanks,

Amal Antony


On Tuesday, October 15, 2019 at 1:19:21 PM UTC+5:30, Piyush Bansal wrote:
>
> Hello Sushena,
>
> Hope you are doing well..!!
> I have faced exact same situation and it got resolved.
>
> Please Could u give me following:
>
> -nslookup of the member server fqdn you are pinging from ansible server
> -Output of command setspn -l 
> -ansible hosts file section which shows the server names on which u r 
> running this module
> -how many network interfaces you have on your ansible server
> -are these network interfaces on ansible server in same subnet range or 
> mask ???
>
> Thanks,
> Piyush
> 9650865898
>
>
> On Fri, 11 Oct, 2019, 2:38 PM Sushena Parthasarathy,  > wrote:
>
>> Hi Jordan,
>>  I have tried all the possibilities and your suggestions as well 
>> still the same error for windows alone. Is there any work around for this?
>>
>> *N.B:* I have modified the password before posting it. 
>>
>> --
>> Sushena P
>>
>> On Wednesday, 31 July 2019 04:33:02 UTC+5:30, Jordan Borean wrote:
>>>
>>> Part of the Kerberos authentication process is to lookup the remote 
>>> server in the KDC database (AD database). If it cannot find that server 
>>> then you will get this error. In this case it will lookup the host using 
>>> the SPN 'HTTP/gcp-bashost.NORTHIND.INTERNAL' . If you have defined 
>>> ansible_host for that host then it will be using that hostname as the 2nd 
>>> part of the SPN.
>>>
>>> The fact that you can use kinit to get the credentials shows that your 
>>> Ansible controller is talking to the domain correctly, this issue is around 
>>> not being able to lookup your remote host. Make sure;
>>>
>>>- You are connecting to the host using the FQDN and not an IP address
>>>- The remote host is part of the domain
>>>- If you need to connect with an IP, you can use 
>>>'ansible_winrm_kerberos_hostname_override' to set the host's FQDN so the 
>>>SPN lookup works
>>>
>>>
>>> Also you should change your password right now and never share it in a 
>>> public setting again.
>>>
>>> Thanks
>>>
>>> Jordan
>>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ansible...@googlegroups.com .
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ansible-project/ef1652f2-00c3-4f4e-9155-e65023da93c9%40googlegroups.com
>>  
>> 
>> .
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/c3eb7359-e23b-4029-afde-0d0eb6b4b53d%40googlegroups.com.

Re: [ansible-project] Re: Ansible V2.7 - kerberos: authGSSClientStep() failed:

2019-10-15 Thread Piyush Bansal 
Hello Sushena,

Hope you are doing well..!!
I have faced exact same situation and it got resolved.

Please Could u give me following:

-nslookup of the member server fqdn you are pinging from ansible server
-Output of command setspn -l 
-ansible hosts file section which shows the server names on which u r
running this module
-how many network interfaces you have on your ansible server
-are these network interfaces on ansible server in same subnet range or
mask ???

Thanks,
Piyush
9650865898


On Fri, 11 Oct, 2019, 2:38 PM Sushena Parthasarathy, 
wrote:

> Hi Jordan,
>  I have tried all the possibilities and your suggestions as well
> still the same error for windows alone. Is there any work around for this?
>
> *N.B:* I have modified the password before posting it.
>
> --
> Sushena P
>
> On Wednesday, 31 July 2019 04:33:02 UTC+5:30, Jordan Borean wrote:
>>
>> Part of the Kerberos authentication process is to lookup the remote
>> server in the KDC database (AD database). If it cannot find that server
>> then you will get this error. In this case it will lookup the host using
>> the SPN 'HTTP/gcp-bashost.NORTHIND.INTERNAL' . If you have defined
>> ansible_host for that host then it will be using that hostname as the 2nd
>> part of the SPN.
>>
>> The fact that you can use kinit to get the credentials shows that your
>> Ansible controller is talking to the domain correctly, this issue is around
>> not being able to lookup your remote host. Make sure;
>>
>>- You are connecting to the host using the FQDN and not an IP address
>>- The remote host is part of the domain
>>- If you need to connect with an IP, you can use
>>'ansible_winrm_kerberos_hostname_override' to set the host's FQDN so the
>>SPN lookup works
>>
>>
>> Also you should change your password right now and never share it in a
>> public setting again.
>>
>> Thanks
>>
>> Jordan
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/ef1652f2-00c3-4f4e-9155-e65023da93c9%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CA%2BLLie6284zsCzrC0VmJoFS_PgrRocQAmwA3%3DYKG8EQcuGJUcA%40mail.gmail.com.

[ansible-project] Re: Ansible V2.7 - kerberos: authGSSClientStep() failed:

2019-10-11 Thread Sushena Parthasarathy 
Hi Jordan,
 I have tried all the possibilities and your suggestions as well 
still the same error for windows alone. Is there any work around for this?

*N.B:* I have modified the password before posting it. 

--
Sushena P

On Wednesday, 31 July 2019 04:33:02 UTC+5:30, Jordan Borean wrote:
>
> Part of the Kerberos authentication process is to lookup the remote server 
> in the KDC database (AD database). If it cannot find that server then you 
> will get this error. In this case it will lookup the host using the SPN 
> 'HTTP/gcp-bashost.NORTHIND.INTERNAL' . If you have defined ansible_host for 
> that host then it will be using that hostname as the 2nd part of the SPN.
>
> The fact that you can use kinit to get the credentials shows that your 
> Ansible controller is talking to the domain correctly, this issue is around 
> not being able to lookup your remote host. Make sure;
>
>- You are connecting to the host using the FQDN and not an IP address
>- The remote host is part of the domain
>- If you need to connect with an IP, you can use 
>'ansible_winrm_kerberos_hostname_override' to set the host's FQDN so the 
>SPN lookup works
>
>
> Also you should change your password right now and never share it in a 
> public setting again.
>
> Thanks
>
> Jordan
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/ef1652f2-00c3-4f4e-9155-e65023da93c9%40googlegroups.com.

[ansible-project] Re: Ansible V2.7 - kerberos: authGSSClientStep() failed:

2019-07-30 Thread Jordan Borean 
Part of the Kerberos authentication process is to lookup the remote server 
in the KDC database (AD database). If it cannot find that server then you 
will get this error. In this case it will lookup the host using the SPN 
'HTTP/gcp-bashost.NORTHIND.INTERNAL' . If you have defined ansible_host for 
that host then it will be using that hostname as the 2nd part of the SPN.

The fact that you can use kinit to get the credentials shows that your 
Ansible controller is talking to the domain correctly, this issue is around 
not being able to lookup your remote host. Make sure;

   - You are connecting to the host using the FQDN and not an IP address
   - The remote host is part of the domain
   - If you need to connect with an IP, you can use 
   'ansible_winrm_kerberos_hostname_override' to set the host's FQDN so the 
   SPN lookup works
   

Also you should change your password right now and never share it in a 
public setting again.

Thanks

Jordan

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/56eb0707-eaa2-4ab5-8aef-863ddbf47a19%40googlegroups.com.