Alternate solution needed for winrm connections

sase_kumar · November 7, 2018, 6:35pm

Hi Team,

In our environment , basic , ntlm ,credssp is disabled by default in windows2012 machines and I tried it out with last option that is kerberos .

Scenario -

centos machine has ansible controller
new domain has been created and it has few servers with it
I added the domain fqdn in etc/hosts to make it reachable because initially only IP is reachable from ansible
I installed all kerberos libraries uisng pip and configured krb.conf file accordingly

includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = OPS68.ISYNTAX.NET
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
OPS68.ISYNTAX.NET = {
kdc = OPS68.isyntax.net
default_domain = OPS68.ISYNTAX.NET
}

[domain_realm]
OPS68.ISYNTAX.NET = OPS68.ISYNTAX.NET
.OPS68.ISYNTAX.NET = OPS68.ISYNTAX.NET

But still if i try to run playbooks , it says “Cannot find
KDC for realm "ops68.isyntax.net" while getting initial credentials”,

Any help is appreciated?

S_C_Rigler · November 7, 2018, 7:24pm

Try adding a mapping in your domain_realms section to associate
lowercase ops68.isyntax.net to realm OPS68.ISYNTAX.NET.

jborean · November 7, 2018, 7:44pm

Your realms don’t really make sense, the realm should be the domain part and not a hostname whereas you are using the same realm for the KDC hostname. The KDC is the FQDN of the domain controller whereas the realm is the domain part of that controller. When you go to log in with a UPN do you do username@OPS68.ISYNTAX.NET or username@ISYNTAX.NET and OPS68 is your DC?

Thanks

Jordan

sase_kumar · November 9, 2018, 4:41am

Hi Jordan

My DC FQDN - OPS68MG1.OPS68.ISYNTAX.NET
DC - OPS68.ISYNTAX.NET

I have added now the DC FQDN as KDC and DC name as realm name

but still error says unable to reach KDC to get the initial credentials

Initially FQDN is not reachable from ansible controller machine but now I mapped FQDN with IP on /etc/hosts

Is that sufficient? and is there any specific ports which needs to be checked for this communication from ansible host?

Topic		Replies	Views
Hello All Ansible Project	2	0	May 26, 2023
Ansible Kerberos Cannot contact any KDC for realm Ansible Project	0	4	January 25, 2019
Unable to Authenticate to Satellite Datacenters Using Kerberos Ansible Project	6	0	December 14, 2015
Kerberos Auth - the specified credentials were rejected by the server Ansible Project windows	6	9	April 6, 2017
Ansible Kerberos : Kerberos auth failure: kinit: Cannot contact any KDC for realm 'AD.DOMAIN.COM' Ansible Developer	0	4	January 25, 2019

Alternate solution needed for winrm connections

Related topics