Hi
Currently I have been connecting to servers using local server accounts, and therefore my ‘group_vars/winservers.yml’ file has looked like the following:
ansible_ssh_user: Administrator
ansible_ssh_pass: PASSWORD
ansible_ssh_port: 5986
ansible_connection: winrm
But now I need to authenticate to servers that are connected on the domain. How would I change this file? Is it as simple as…
ansible_ssh_user: my.domain\mark.matthews
ansible_ssh_pass: PASSWORD
ansible_ssh_port: 5986
ansible_connection: winrm
Cheers
You have to set up a kerberos ticket for the user you want to connect with. After which, if you specify the ansible_ssh_user in the format of user@MY.DOMAIN.COM, Ansible will attempt to use a kerberos ticket before falling back to basic authentication.
See the support site for more details:
http://docs.ansible.com/ansible/intro_windows.html#configuring-kerberos
Hi Zacharias
I have set up a kerberos ticket and all seems to be working fine. I am able to do a “kinit username” and create a ticket.
I then add the following entry into /etc/ansible/hosts file
[win]
servername.COMPANY.COM
I have created the following /etc/ansible/group_vars/win.yml file with the following information
ansible_ssh_user: username@COMPANY.COM
ansible_ssh_port: 5986
ansible_connection: winrm
But when I try to run a playbook to the server in ‘win’ I get the following error:
fatal: [uk-ansible-test02.WINTECH.LOCAL]: FAILED! => {"failed": true, "msg": "ssl: 401 Unauthorized. basic auth failed"}
Any ideas as to what could be causing this?
Cheers
Mark
Dumb question: how are you running the playbook? And, what do you get if you crank up the debug? You should see it trying the diff auths.
Hi
I'm just running the playbook as follows: ansible-playbook test_ping.yml
The playbook looks like this:
- name: Ping Servers
  hosts: win
  tasks:
I ran the playbook with -vvvvv and got the following output:
TASK [setup] *******************************************************************
<uk-ansible-test02.COMPANY.COM> ESTABLISH WINRM CONNECTION FOR USER: markm_admin@COMPANY.COM on PORT 5986 TO uk-ansible-test02.COMPANY.COM
<uk-ansible-test02.COMPANY.COM> WINRM CONNECT: transport=ssl endpoint=https://uk-ansible-test02.COMPANY.COM:5986/wsman
<uk-ansible-test02.COMPANY.COM> WINRM CONNECTION ERROR: 401 Unauthorized. basic auth failed
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 138, in _winrm_connect
protocol.send_message('')
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
return self.transport.send_message(message)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 125, in send_message
raise UnauthorizedError(transport='plaintext', message=ex.msg)
UnauthorizedError: 401 Unauthorized. basic auth failed
It's like it's making the connection to the server but not authorized to do anything??
If I run the ‘klist’ command to view the token, this is the output:
[root@uk-ansible01 windows]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: user@COMPANY.COM
Valid starting Expires Service principal
08/04/16 13:52:21 08/04/16 23:52:21 krbtgt/COMPANY.COM@COMPANY.COM
renew until 08/04/16 23:52:21
Hi guys
Was doing some digging around and noticed that there were security errors on the test server I was trying to access.
Could it be possible that this could be causing the issue: https://www.winhelp.info/windows/resolve-kerberos-error-0xc000006d-in-windows/
As nothing is defined there on my server…so there is nothing checked.
Cheers
Mark
Are you running the kinit under the same user you’re running ansible as?
What version of Ansible are you running?
I would expect his logs to show ssh trying to do kerberos auth and then failing back to whatever. The fact it is going straight to plain auth is odd.
Maybe play around with ansible_ssh_common_args or ansible.cfg to get ssh more verbose?
Hi,
My guess would be you haven’t got pykerberos installed on your ansible controller.
If you see
transport=ssl
in the connection information it isn’t going via kerberos.
Since you have a ticket set up I think it's just that you don’t have the pykerberos package installed.
Hope this helps,
Jon
I am having a similar problem and afterwards used kerberos for the host variable ansible_winrm_transport.
I am using ansible version 2.0.1.0.
The working configuration:
[Win]
.XXXX.XXXX.LOCAL
[Win:vars]
ansible_user='xxx.xxx@XXXX.XXXXX.LOCAL'
ansible_password=…
ansible_port=5986
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
#ansible_winrm_transport=ssl
ansible_winrm_transport=kerberos
but the problem with this is that subsequent runs on this host first throw the following errors and then give a successful result.
/usr/local/lib/python2.7/dist-packages/winrm/transport.py:283: RuntimeError: kerberos.authGSSClientClean is deprecated.
krb_ticket.verify_response(response.headers['WWW-Authenticate'])
.XXXX.XXXX.LOCAL | SUCCESS => {
"changed": false,
"ping": "pong"
}
If anyone can help that would be better.
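A preflight check for WinRM host variables, added here as an example for this thread; it is not code from the thread, from Ansible or from pywinrm. It ties Jon's observation above (a connect line showing transport=ssl means kerberos was never attempted) to Anjana's working configuration. The transport-selection rules it encodes are a simplified reconstruction of what the Ansible 2.0-era winrm plugin did, stated here as an assumption rather than the plugin's own code: an explicit ansible_winrm_transport wins, otherwise kerberos is tried first only when the python kerberos library imports and the user is written user@REALM, and basic auth (named "ssl" over https, "plaintext" over http) is the last resort, with the failing transport's name prefixed to the error. The script also flags the two settings in that configuration a defender would not want to keep: certificate validation switched off, and a password kept in the inventory. SAMPLE_VARS is constructed from the [Win:vars] block above with a placeholder password, and explain_failure and its hints are likewise assumptions.

```python
"""Preflight check for Ansible WinRM host variables (added example).

Models, as an assumption, the transport choice made by the Ansible 2.0-era
winrm connection plugin, and flags weak settings in a [group:vars] block.
"""
import importlib.util
from typing import Dict, List

# Constructed sample modelled on the [Win:vars] block from the thread; the
# password is a placeholder, not a real credential.
SAMPLE_VARS = """
ansible_user='xxx.xxx@XXXX.XXXXX.LOCAL'
ansible_password=PLACEHOLDER_PASSWORD
ansible_port=5986
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
#ansible_winrm_transport=ssl
ansible_winrm_transport=kerberos
"""


def parse_vars(text: str) -> Dict[str, str]:
    """Parse INI-style key=value lines, skipping blanks and '#' comments."""
    hostvars: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        hostvars[key.strip()] = value.strip().strip("'\"")
    return hostvars


def kerberos_available() -> bool:
    """True when the 'kerberos' (pykerberos) extension can be imported."""
    return importlib.util.find_spec("kerberos") is not None


def transports_to_try(hostvars: Dict[str, str], have_kerberos: bool) -> List[str]:
    """Ordered list of transports the plugin would attempt (assumed rules)."""
    explicit = hostvars.get("ansible_winrm_transport", "")
    if explicit.strip():
        return [t.strip() for t in explicit.split(",") if t.strip()]
    port = hostvars.get("ansible_port", "5986")
    scheme = hostvars.get("ansible_winrm_scheme", "http" if port == "5985" else "https")
    basic = "ssl" if scheme == "https" else "plaintext"
    user = hostvars.get("ansible_user", hostvars.get("ansible_ssh_user", ""))
    if have_kerberos and "@" in user:
        return ["kerberos", basic]
    return [basic]


def explain_failure(msg: str) -> str:
    """Turn the 'transport: error' prefix of a connection failure into a hint."""
    transport = msg.split(":", 1)[0].strip()
    if transport in ("ssl", "plaintext"):
        return ("basic auth was the only transport tried; kerberos was never "
                "attempted - check that the python kerberos library imports "
                "and that ansible_user is written user@REALM")
    if transport == "kerberos":
        return "kerberos was tried and rejected - check kinit/klist and the host's SPN"
    return "unrecognised transport prefix: " + transport


def security_findings(hostvars: Dict[str, str]) -> List[str]:
    """Flag settings that weaken the connection even when it 'works'."""
    findings: List[str] = []
    if hostvars.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("server certificate validation disabled: the HTTPS "
                        "listener is not authenticated; trust its CA instead")
    if "ansible_password" in hostvars or "ansible_ssh_pass" in hostvars:
        findings.append("plaintext password stored in inventory: keep it in "
                        "ansible-vault, or rely on the kinit ticket alone")
    return findings


def preflight(text: str, have_kerberos=None) -> dict:
    """Run the whole check on a vars block and return a report dict."""
    hostvars = parse_vars(text)
    if have_kerberos is None:
        have_kerberos = kerberos_available()
    return {
        "transports": transports_to_try(hostvars, have_kerberos),
        "findings": security_findings(hostvars),
    }


if __name__ == "__main__":
    report = preflight(SAMPLE_VARS)
    print("transports:", report["transports"])
    for finding in report["findings"]:
        print("finding:", finding)
    print(explain_failure("ssl: 401 Unauthorized. basic auth failed"))
```

Run it against a copy of your own [group:vars] lines; with have_kerberos left unset it probes the controller's real python environment, which is the check Jon asks for below. For Mark's original variables (user@REALM, no explicit transport, no kerberos library) it returns ["ssl"], matching the "ssl: 401 Unauthorized" prefix in his error.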
Anjana,
I have not seen this error before but please advise the following:
version of whichever python-kerberos libraries you are using on your ansible controller (see http://docs.ansible.com/ansible/intro_windows.html#installing-python-kerberos-dependencies)
version of the python kerberos wrapper you are using.
version of pywinrm you are using
which OS you are running ansible controller on.
Many thanks,
Jon
Hi Anjana
Where exactly are you putting those variables [Win:vars]? Are you putting those variables in the /etc/ansible/hosts file?
I'm still getting the following error: fatal: [server.COMPANY.COM]: FAILED! => {"failed": true, "msg": "ssl: 401 Unauthorized."}
I have changed my groups_vars file (/etc/ansible/group_vars/win.yml) to the following
ansible_user: user@COMPANY.COM
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
And the entry on the host file is:
[win]
server.COMPANY.COM
I have double checked that I have a token logged in when I run ‘klist’.
No idea what could still be causing this error??
Any ideas would be appreciated.
Cheers
Mark
Hi Mark,
If you run a
(sudo) pip list
on your ansible controller
what version is reported for the ‘kerberos’ library?
For some reason, ansible is still falling back to using basic auth in your case. When I’ve seen that it's either that the connection variables aren’t getting set up, or there is something up with the python kerberos wrapper (such as it being missing).
Jon
Hi Jon
If I do a pip list I get the following:
ansible (2.0.1.0)
ansible-tower (2.4.4)
Babel (0.9.6)
backports.ssl-match-hostname (3.4.0.2)
chardet (2.2.1)
configobj (4.7.2)
decorator (3.4.0)
ecdsa (0.13)
httplib2 (0.9.2)
iniparse (0.4)
IPy (0.75)
isodate (0.5.4)
Jinja2 (2.8)
kitchen (1.1.1)
langtable (0.0.31)
MarkupSafe (0.23)
meld3 (0.6.10)
mercurial (2.6.2)
paramiko (1.16.0)
perf (0.1)
pip (8.1.1)
policycoreutils-default-encoding (0.1)
psycopg2 (2.6.1)
pyasn1 (0.1.6)
pycrypto (2.6.1)
pycurl (7.19.0)
pygobject (3.14.0)
pygpgme (0.3)
pyliblzma (0.5.3)
python-augeas (0.5.0)
python-dmidecode (3.10.13)
python-keyczar (0.71rc0)
pyudev (0.15)
pywinrm (0.1.1)
pyxattr (0.5.1)
PyYAML (3.11)
seobject (0.1)
sepolicy (1.1)
setuptools (20.6.7)
six (1.9.0)
slip (0.4.0)
slip.dbus (0.4.0)
supervisor (3.1.3)
urlgrabber (3.10)
xmltodict (0.10.1)
yum-langpacks (0.4.2)
yum-metadata-parser (1.1.4)
I then ran through the following directions again: http://docs.ansible.com/ansible-tower/latest/html/administration/kerberos_auth.html
yum install krb5-workstation
yum install krb5-devel
yum install krb5-libs
All three of those said that they were already installed and up to date. But when I ran the following:
pip install kerberos
I get the following error:
[root@ie-ansible01 group_vars]# sudo pip install kerberos
Collecting kerberos
Using cached kerberos-1.2.4.tar.gz
Installing collected packages: kerberos
Running setup.py install for kerberos … error
Complete output from command /usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-bTccYY/kerberos/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-H50rsj-record/install-record.txt --single-version-externally-managed --compile:
running install
running build
running build_ext
building 'kerberos' extension
creating build
creating build/temp.linux-x86_64-2.7
creating build/temp.linux-x86_64-2.7/src
gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/usr/include/python2.7 -c src/base64.c -o build/temp.linux-x86_64-2.7/src/base64.o
unable to execute gcc: No such file or directory
error: command 'gcc' failed with exit status 1
I got it working!!
I needed to install ‘gcc’.
So I ran the following: sudo yum -y install gcc
I was then able to run: sudo yum -y install kerberos
After that was all installed successfully I was able to run a playbook using AD credentials.
Jon - thanks for all your help!!!
Cheers
Mark
Hi,
Sorry it took so long to respond. I actually followed the same document and installed everything as suggested.
As per the AMI, I am using an AWS Ubuntu image and Python version 2.7.6.
My sudo pip list output:
ansible (2.0.1.0)
ansible-tower (2.4.4)
apt-xapian-index (0.45)
argparse (1.2.1)
awscli (1.10.20)
boto (2.39.0)
boto3 (1.3.0)
botocore (1.4.11)
chardet (2.0.1)
Cheetah (2.4.4)
cloud-init (0.7.5)
colorama (0.2.5)
configobj (4.7.2)
docutils (0.12)
futures (3.0.5)
html5lib (0.999)
httplib2 (0.8)
isodate (0.5.4)
Jinja2 (2.7.2)
jmespath (0.9.0)
jsonpatch (1.3)
jsonpointer (1.0)
kerberos (1.2.4)
Landscape-Client (14.12)
MarkupSafe (0.18)
meld3 (0.6.10)
mercurial (2.8.2)
oauth (1.0.1)
PAM (0.4.2)
paramiko (1.10.1)
passlib (1.5.3)
pip (1.5.4)
prettytable (0.7.2)
psycopg2 (2.4.5)
pyasn1 (0.1.9)
pycrypto (2.6.1)
pycurl (7.19.3)
pyOpenSSL (0.13)
pyserial (2.6)
python-apt (0.9.3.5ubuntu2)
python-dateutil (2.5.2)
python-debian (0.1.21-nmu2ubuntu2)
pywinrm (0.1.1)
PyYAML (3.10)
requests (2.2.1)
rsa (3.3)
s3transfer (0.0.1)
setuptools (3.3)
six (1.5.2)
ssh-import-id (3.21)
supervisor (3.0b2)
Twisted-Core (13.2.0)
Twisted-Names (13.2.0)
Twisted-Web (13.2.0)
urllib3 (1.7.1)
wheel (0.24.0)
wsgiref (0.1.2)
xmltodict (0.10.1)
zope.interface (4.0.5)
As this is simply a warning, right now I am not taking it as high priority. We are starting new and exploring ansible as of now.