So I am running Ansible on Fedora 25 and this is the issue I’m facing:
- I installed all dependencies: dnf install python-devel krb5-devel krb5-libs krb5-workstation
- I installed the Kerberos module: pip install pywinrm[keberos]
- I confirmed both of these installations were for Python 2
- I tried getting a ticket: kinit user@DOMAIN.COM – it succeeded
- I did klist to make sure I got the ticket. I have the correct domain name
- I tried putting FQDN’s of some computers in my host file
- I ran ansible -m win_ping and I get:
| UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}
I know this means Ansible is falling back to SSL, but I’m not sure why it would be doing this. Can I get some guidance in debugging this?
Thanks!
If you are using port 5986 in your Windows group vars, it will communicate with WinRM via SSL, so that’s not necessarily your problem.
The ‘the specified credentials were rejected by the server’ usually just means the username and password that were supplied weren’t ones that the server can authenticate with. The good thing here is that you are very likely connecting to the machine, so you are almost there.
To debug I’d suggest making a remote desktop connection using the domain and username that you have configured ansible to use.
One thing I have seen rarely is the domain name used by users is actually an alias and not the actual domain name. You can run the ‘kinit -C youruser@YOURDOMAIN’ command and then klist to check the canonicalized domain is the same as the one you are attempting to connect with.
Not a lot to go on but my guess would be the Windows host isn’t on the domain you expect (or perhaps not on a domain yet, in which case it will only be looking at local usernames).
Also I notice you’ve put FQDNs in your hosts file. Kerberos really needs forward and reverse DNS lookups to work (from hostname → ip and from ip → hostname). Again if your host isn’t yet on the domain, it’s very likely not going to be in your local DNS (which may well be being provided by your domain controllers), so checking DNS resolution of hostnames from your Ansible controller is worth doing too.
Hope this helps.
If not, please share your group vars for your Windows hosts and I’ll think again.
Jon
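
The forward and reverse lookup check suggested in the reply above, as an added example that is not part of the original thread. It is written for Python 3; the host names, addresses and the injectable `forward`/`reverse` lookup hooks are constructed for illustration, and with no arguments it runs against the constructed sample records instead of real DNS.

```python
import socket
import sys

def check_kerberos_dns(fqdn, forward=None, reverse=None):
    """Check that fqdn -> IP and IP -> fqdn agree, as Kerberos expects.

    forward/reverse are injectable lookup functions (hypothetical hooks for
    offline testing); by default the system resolver is used.
    """
    forward = forward or (lambda host: socket.gethostbyname_ex(host)[2])
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    try:
        addrs = forward(fqdn)
    except OSError as exc:  # socket.gaierror/herror are OSError subclasses
        return False, "forward lookup failed: %s" % exc
    problems = []
    for ip in addrs:
        try:
            name = reverse(ip)
        except OSError as exc:
            problems.append("%s: reverse lookup failed (%s)" % (ip, exc))
            continue
        # DNS names are case-insensitive; ignore a trailing root dot.
        if name.rstrip(".").lower() != fqdn.rstrip(".").lower():
            problems.append("%s reverses to %s" % (ip, name))
    if not addrs:
        problems.append("forward lookup returned no addresses")
    if problems:
        return False, "; ".join(problems)
    return True, "forward and reverse agree (%s)" % ", ".join(addrs)

# Constructed sample records so the demo runs without a network.
SAMPLE_A = {"win01.domain.com": ["10.0.0.5"], "win02.domain.com": ["10.0.0.6"]}
SAMPLE_PTR = {"10.0.0.5": "WIN01.domain.com.", "10.0.0.6": "pc-0042.domain.com"}

def sample_forward(host):
    if host not in SAMPLE_A:
        raise OSError("name not known")
    return SAMPLE_A[host]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no reverse entry")
    return SAMPLE_PTR[ip]

if __name__ == "__main__":
    hosts = sys.argv[1:]  # real hosts given: use the system resolver
    lookups = () if hosts else (sample_forward, sample_reverse)
    for host in hosts or ("win01.domain.com", "win02.domain.com", "win03.domain.com"):
        ok, detail = check_kerberos_dns(host, *lookups)
        print("%-18s %-4s %s" % (host, "OK" if ok else "FAIL", detail))
```

Run it on the Ansible controller with the inventory host names as arguments; any host reported as FAIL is one where the name in the inventory and the name DNS returns for its address disagree.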