Ansible Kerberos authentication

Our ansible box isn't domain joined, and we build a lot of VMs from a template that has a local admin account as part of the image.

I was reading more into Kerberos authentication, and set up my var file like this:

[xx:vars]
ansible_connection=winrm
ansible_user=xx
ansible_password=xx
ansible_port=5986
ansible_ssh_port=5986
ansible_winrm_transport=kerberos
ansible_winrm_scheme=https
ansible_winrm_server_cert_validation=ignore
domain_server=test.local
domain_username=cc
domain_password=cc
wsus_server=cc

When I run my playbook, I get:
fatal: [x.x.x.x]: UNREACHABLE! => {
"changed": false,
"msg": "Kerberos auth failure when calling kinit cmd 'kinit': The command was not found or was not executable: kinit.",
"unreachable": true
}

My host file has the server entry as below:

hostname ansible_host=IP address of host

Changing the ansible_winrm_transport to basic works, with no issue.

How can I use my existing config to work with kerberos?

Please help/suggest.

Your answer is in the error message.

"Kerberos auth failure when calling kinit cmd 'kinit': The command was not found or was not executable: kinit."

Thanks, installed the kinit command, but now getting this error:

TASK [windowsupdates : Check If Windows Updates are Available] ******************************************************************************************************************************************************************
task path: /etc/ansible/roles/windowsupdates/tasks/main.yml:1
The full traceback is:
Traceback (most recent call last):
File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 761, in run
result = self._run_sync(task_vars, module_options, reboot, reboot_timeout)
File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 834, in _run_sync
update_result = self._run_updates(task_vars, module_options, poll_script_path, cancel_script_path)
File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 907, in _run_updates
output_path, task_pid, cancel_id = self._start_updates(task_vars, module_options)
File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 951, in _start_updates
raise _ReturnResultException(msg, exception=result.get('exception', None))
ansible_collections.ansible.windows.plugins.action.win_updates._ReturnResultException: MODULE FAILURE
See stdout/stderr for the exact error
fatal: [ansible_host=x.x.x.x]: FAILED! => {
"changed": false,
"failed_update_count": 0,
"filtered_updates": {},
"found_update_count": 0,
"installed_update_count": 0,
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"updates": {}
}
...ignoring
The full traceback is:
Traceback (most recent call last):
File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 761, in run
result = self._run_sync(task_vars, module_options, reboot, reboot_timeout)
File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 834, in _run_sync
update_result = self._run_updates(task_vars, module_options, poll_script_path, cancel_script_path)
File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 907, in _run_updates
output_path, task_pid, cancel_id = self._start_updates(task_vars, module_options)
File "/root/.ansible/collections/ansible_collections/ansible/windows/plugins/action/win_updates.py", line 951, in _start_updates
raise _ReturnResultException(msg, exception=result.get('exception', None))
ansible_collections.ansible.windows.plugins.action.win_updates._ReturnResultException: MODULE FAILURE
See stdout/stderr for the exact error
fatal: [ansible_host=x.x.x.x]: FAILED! => {
"changed": false,
"failed_update_count": 0,
"filtered_updates": {},
"found_update_count": 0,
"installed_update_count": 0,
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"updates": {}
}
...ignoring

The same playbook works when using the basic authentication:

TASK [windowsupdates : Check If Windows Updates are Available] ******************************************************************************************************************************************************************
task path: /etc/ansible/roles/windowsupdates/tasks/main.yml:1
ok: [hostname] => {
"changed": false,
"failed_update_count": 0,
"filtered_updates": {},
"found_update_count": 0,
"installed_update_count": 0,
"invocation": {
"module_args": {
"accept_list": null,
"category_names": [
"Application",
"Connectors",
"DefinitionUpdates",
"FeaturePacks",
"Guidance",
"ServicePacks",
"Tools",
"UpdateRollups",
"CriticalUpdates",
"SecurityUpdates",
"Drivers",
"Updates"
],
"log_path": "C:\ansible_wu.txt",
"reboot": false,
"reboot_timeout": 1200,
"reject_list": null,
"server_selection": "managed_server",
"skip_optional": false,
"state": "searched",
"use_scheduled_task": false
}
},
"reboot_required": false,
"updates": {}
}

It sounds like your ansible host does not have the Krb5 library installed - https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#installing-the-kerberos-library.
Also, Kerberos uses FQDNs vs. IP addresses, so you will need to have DNS names set as hostnames in inventory (or use the ansible_winrm_kerberos_hostname_override variable).

Tue, 16 Aug 2022 at 18:14, Nitrous <wassamashraf27@gmail.com>:

I changed a few things, and now I see this:

TASK [windowsupdates : Check If Windows Updates are Available] ******************************************************************************************************************************************************************
task path: /etc/ansible/roles/windowsupdates/tasks/main.yml:1
fatal: [ansible_host=x.x.x.x]: UNREACHABLE! => {
"changed": false,
"msg": "Kerberos auth failure for principal xx@XX.LOCAL with pexpect: Cannot find KDC for realm \" XX.LOCAL \" while getting initial credentials",
"unreachable": true
}
fatal: [ansible_host=x.x.x.x]: UNREACHABLE! => {
"changed": false,
"msg": "Kerberos auth failure for principal xx@XX.LOCAL with pexpect: Cannot find KDC for realm \" XX.LOCAL \" while getting initial credentials",
"unreachable": true
}

My vars look like this :

ansible_connection=winrm
ansible_user=xx@XX.LOCAL

ansible_password=xx
ansible_winrm_kerberos_hostname_override
ansible_port=5986

ansible_ssh_port=5986
ansible_winrm_transport=kerberos
ansible_connection=local
ansible_winrm_scheme=https
ansible_winrm_server_cert_validation=ignore
domain_server=xx.local
domain_username=xx.local\xx
domain_password=xx

Host file looks like this:

ansible_host=Ip add of the server

The ansible box isn't domain joined, and we have multiple domains.

Even a simple ping playbook fails, but it works when using basic authentication:

TASK [ping] *********************************************************************************************************************************************************************************************************************
task path: /etc/ansible/playbooks/multiple.yml:8
fatal: [ansible_host=x.x.x.x]: FAILED! => {
"changed": false,
"module_stderr": "/bin/sh: 1: powershell: not found\n",
"module_stdout": "",
"msg": "The module failed to execute correctly, you probably need to set the interpreter.\nSee stdout/stderr for the exact error",
"rc": 127
}

Also, I just checked the krb5.conf file:

[libdefaults]
default_realm = PRIMARYDOMAIN.COM

# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.

If you join your Linux machine to AD with SSSD, this all gets filled in for you. Might make life easier.

Walter

Yes, thanks, but we don't want to do that due to some restrictions, hence asking for help :slight_smile:

Hello,

Without joining the domain, we added entries to krb5.conf to specify which Kerberos servers to contact for authentication. We then specified credentials via the command line for ansible, and we can authenticate to winrm successfully.

Luca

Thanks, would you mind posting a sample of your krb5.conf file?

We have multiple domains, and some don't have a trust relationship, so I'm trying to figure out how to do this in a manner that works for all our domains.
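The krb5.conf entries Luca describes, written out as an added example (not a file posted by anyone in this thread) for a control node that is not domain joined and must reach two AD realms that do not trust each other. It also covers the earlier point that Kerberos works with FQDNs, not IP addresses. The realm XX.LOCAL and the default realm PRIMARYDOMAIN.COM are taken from the thread; the KDC hostnames and the second realm's layout are placeholders to replace with your own domain controllers.

```ini
# Added example krb5.conf (not from the original posts). Realm names
# come from the thread; dc01/dc02 hostnames are placeholders.
[libdefaults]
    default_realm = PRIMARYDOMAIN.COM
    # A non-domain-joined box may not see the AD SRV records, which is
    # what produces "Cannot find KDC for realm". List KDCs explicitly
    # and disable DNS discovery so the result is deterministic.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Do not reverse-resolve the target; the SPN must match the FQDN
    # you put in inventory (or in ansible_winrm_kerberos_hostname_override).
    rdns = false
    forwardable = true
    ccache_type = 4
    kdc_timesync = 1

# One entry per domain. Realms without a trust simply get their own
# block; ansible_user=user@REALM picks which one kinit talks to.
[realms]
    PRIMARYDOMAIN.COM = {
        kdc = dc01.primarydomain.com
        kdc = dc02.primarydomain.com
        admin_server = dc01.primarydomain.com
    }
    XX.LOCAL = {
        kdc = dc01.xx.local
        admin_server = dc01.xx.local
    }

# Map host DNS suffixes to realms so the HTTP/<fqdn> service ticket for
# a WinRM target is requested from the KDC that owns that host.
[domain_realm]
    .primarydomain.com = PRIMARYDOMAIN.COM
    primarydomain.com  = PRIMARYDOMAIN.COM
    .xx.local = XX.LOCAL
    xx.local  = XX.LOCAL
```

With this in place the inventory still has to name each Windows host by its FQDN (or set ansible_winrm_kerberos_hostname_override to it), since the ticket is issued for HTTP/<fqdn>, and a per-group ansible_user of user@REALM selects the realm for each domain.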