Hi,
I posted a similar question over on Stack Overflow but without any helpful replies so I thought I’d try this group too… I don’t think it is an Ansible question per se but has arisen from our use of Ansible
We have Windows servers with two NICs, two separate IPs and two FQDNs in DNS, e.g.
SERVER01.ADdomain.company.corp [10.0.0.1]
SERVER01.management.company.corp [192.168.0.1]
Both are configured in Windows and I can RDP, Telnet, HTTP or whatever to both names and both IPs (assuming firewalls & routing are configured correctly and there is something listening on the relevant ports). This set-up is primarily to enable our management traffic (e.g. Backups) to communicate over an alternative NIC to the primary traffic.
WinRM has been configured (using the ConfigureRemotingForAnsible.ps1 script) and I can prove that it works if I use Ansible or PowerShell on the AD name:
$ ansible -m win_ping SERVER01.ADdomain.company.corp
SERVER01.ADdomain.company.corp | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
Invoke-Command -scriptblock{hostname} -ComputerName SERVER01.ADdomain.company.corp
SERVER01
My problems come when I try to use the other FQDN. Ansible returns:
SERVER01.management.company.corp | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), ssl: the specified credentials were rejected by the server",
    "unreachable": true
}
And PowerShell sayeth:
[SERVER01.management.company.corp] Connecting to remote server SERVER01.management.company.corp failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: Cannot find the computer SERVER01.management.company.corp. Verify that the computer exists on the network and that the name provided is spelled correctly. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (SERVER01.management.company.corp:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : NetworkPathNotFound,PSSessionStateBroken
From reading about this I think it is because the Kerberos Authentication that WinRM uses only works on the AD name but my question is this: Is there any way to get the Ansible/WinRM/PowerShell working using the second FQDN? If not, why not? Any documents (particularly from Ansible and/or Microsoft) to back this up would be appreciated.
Cheers
Phil
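Added diagnostic for the Kerberos error above (editor's example, not from Phil's post or from Ansible): both pywinrm and PowerShell Remoting ask the KDC for a service ticket named HTTP/<name exactly as typed>, and the KDC answers "Server not found in Kerberos database" unless that SPN, or the covering HOST/<name>, is registered on some AD account. The script queries AD for both SPN forms of each FQDN so you can see why the AD name works and the management name does not; it assumes setspn.exe is on the path, the caller can read AD, and the hostnames are the ones from the post.

```powershell
# Compare the SPNs a WinRM Kerberos client will request for each FQDN
# against what Active Directory actually has registered.
$targets = @(
    "SERVER01.ADdomain.company.corp",    # works in the post
    "SERVER01.management.company.corp"   # fails in the post
)

function Test-WinRmSpn {
    param([string]$Fqdn)

    # WinRM requests HTTP/<fqdn>; the computer account's HOST/<fqdn> also
    # satisfies it because HOST is an alias class that includes HTTP.
    foreach ($spn in @("HTTP/$Fqdn", "HOST/$Fqdn")) {
        # setspn -Q searches the whole forest for an exact SPN match.
        $out = & setspn.exe -Q $spn 2>&1
        if ($out -match 'Existing SPN found') {
            # The DN line(s) before the match tell you which account owns it.
            $owner = ($out | Where-Object { $_ -match '^CN=' }) -join '; '
            [pscustomobject]@{ Fqdn = $Fqdn; Spn = $spn; Registered = $true;  Owner = $owner }
        } else {
            [pscustomobject]@{ Fqdn = $Fqdn; Spn = $spn; Registered = $false; Owner = '' }
        }
    }
}

$results = foreach ($t in $targets) { Test-WinRmSpn -Fqdn $t }
$results | Format-Table -AutoSize

# A name with neither SPN registered is exactly the case that produces
# "Server not found in Kerberos database" from the KDC.
$results | Group-Object Fqdn | ForEach-Object {
    if (-not ($_.Group.Registered -contains $true)) {
        Write-Warning "$($_.Name): no HTTP/ or HOST/ SPN in AD; Kerberos to this name cannot succeed"
    }
}
```

If the management name shows no SPN, registering HTTP/SERVER01.management.company.corp on the SERVER01 computer account (setspn -S, which refuses duplicates) is the usual way to make Kerberos work for that name; confirm with your AD owners before changing SPNs, since a duplicate SPN breaks Kerberos for both accounts.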