Ansible ping working in some of the servers and not working in some of the list.

Hi Team,

We have configured ansible to perform activities on windows hosts and all are under the same AD. But somehow some of the hosts are not providing a positive ping response. Please find the response which we are getting below,

myserver.data.log.doman.com | FAILED => the username/password specified for this server was incorrect

Configurations on Ansible

  • Host file containing FQDN for each host
  • /etc/ansible/group_vars/windows.yaml containing

What version of windows and service pack is on the hosts that won’t respond to ping?

Are you using the win_ping module? win_ping will connect using the winrm port, rather than the normal ping port. You might have a firewall configured not to respond to the normal ping port on the machines which are not responding.

Please ensure https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 has been run on the machines that won’t respond.

Hope this helps,

Jon

Hi Hawkesworth,

What version of windows and service pack is on the hosts that won’t respond to ping?

Windows server 2012 R2 Standard, but all other responding hosts have the same operating system version.

Are you using the win_ping module? win_ping will connect using the winrm port, rather than the normal ping port. You might have a firewall configured not to respond to the normal ping port on the machines which are not responding.

Yes, we are using win_ping module and the port which we are using is 5986. The firewall is configured to enable all port access from ansible server to remote host.

Please ensure https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 has been run on the machines that won’t respond.

We ran the script; even after that we are getting the same response.

Please let us know if you need to have any other details about the infra.

What is the exact error message you are seeing?

Also try running ansible with -v or -vvvvvv to see connection debugging information.

Here are some more suggestions:

1/ In Powershell, running as Administrator, run

winrm get winrm/config

on a machine that can’t be connected to, and compare the same from a machine that can be connected to.

2/ Check the machines you cannot connect to have a current trust relationship with your domain controller (ensure you can log in with the same domain username and password as ansible is using).

Ensure the ansible_ssh_user has a fully qualified domain name, and the domain part is in UPPER CASE LETTERS

ansible_ssh_user: testuser@MY.DOMAIN.COM

Not

ansible_ssh_user: testuser@MY

or

ansible_ssh_user: testuser@my.domain.com

3/ use kinit -C user@MY.DOMAIN.COM to acquire a kerberos ticket, and then use klist to examine the ticket.

4/ ensure the hosts you cannot connect to have clocks synchronized with your AD Domain controllers

5/ ensure the hosts you cannot connect to can be found using both hostname and ip address

That is: if you ping hostname, the response gives you an ip address. If you then use that ip address with nslookup, it must return the same hostname, or kerberos will not be able to connect.

For example

C:> ping windows-t1

Pinging windows-t1.my.domain.com [192.168.1.100] with 32 bytes of data:
Reply from 192.168.1.100:…
Control-C
^C

C:> nslookup 192.168.1.100
Server: dc01.my.domain.com
Address: 192.168.1.50

Name: windows-t1.my.domain.com
Address: 192.168.1.100

C:>

Hope this helps,

Jon
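The forward/reverse lookup agreement from step 5 can be checked from the Ansible control host for a whole inventory at once. This is an added example, not code from the thread or from Ansible; the zone data, the host names windows-t1 to windows-t3 and the fake resolvers are constructed so it runs offline, while the system_* functions use the real resolver.

```python
"""Forward/reverse DNS consistency check for Kerberos/WinRM hosts (step 5).
Added example, not code from the thread or from Ansible."""
import socket

def system_forward(name):
    return socket.gethostbyname(name)        # A record

def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]       # PTR record

def check_host(name, forward=system_forward, reverse=system_reverse):
    """Return 'ok' or a description of why Kerberos will reject this host."""
    try:
        ip = forward(name)
    except OSError as exc:
        return "forward lookup failed: %s" % exc
    try:
        rname = reverse(ip)
    except OSError as exc:
        return "no PTR record for %s: %s" % (ip, exc)
    # Compare case-insensitively and without a trailing dot.
    if rname.lower().rstrip(".") != name.lower().rstrip("."):
        return "mismatch: %s -> %s -> %s" % (name, ip, rname)
    return "ok"

def check_inventory(hosts, forward=system_forward, reverse=system_reverse):
    return {h: check_host(h, forward, reverse) for h in hosts}

# Constructed zone data (hypothetical) so the check runs offline:
# windows-t2 has a stale PTR record and windows-t3 has none at all.
FAKE_A = {"windows-t1.my.domain.com": "192.168.1.100",
          "windows-t2.my.domain.com": "192.168.1.101",
          "windows-t3.my.domain.com": "192.168.1.102"}
FAKE_PTR = {"192.168.1.100": "windows-t1.my.domain.com",
            "192.168.1.101": "oldname.my.domain.com"}

def fake_forward(name):
    if name not in FAKE_A:
        raise socket.gaierror("Name or service not known")
    return FAKE_A[name]

def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror("Unknown host")
    return FAKE_PTR[ip]

if __name__ == "__main__":
    for host, verdict in check_inventory(FAKE_A, fake_forward, fake_reverse).items():
        print(host, verdict)
```

To run it against real hosts, pass the inventory FQDNs and omit the fake resolvers so the defaults use system DNS.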

Hi Hawkesworth,

Thanks for your quick response.

Please find the responses below,

What is the exact error message you are seeing?

ansible hostname.mydomain.com -m win_ping -vvvvvv

<hostname.mydomain.com > ESTABLISH WINRM CONNECTION FOR USER: on PORT 5986 TO hostname.mydomain.com

<hostname.mydomain.com > WINRM CONNECT: transport=kerberos endpoint=https://hostname.mydomain.com :5986/wsman

hostname.mydomain.com | FAILED => the username/password specified for this server was incorrect

1/ In Powershell, running as Administrator, run winrm get winrm/config

Both working and not working hosts are giving the same output

2/ Check the machines you cannot connect to have a current trust relationship with your domain controller (ensure you can log in with the same domain username and password as ansible is using).

It is working, and the username is already in the format you suggested
ansible_ssh_user: testuser@MY.DOMAIN.COM

3/ use kinit -C user@MY.DOMAIN.COM to acquire a kerberos ticket, and then use klist to examine the ticket.

I was able to acquire kerberos ticket and the klist is showing necessary data.

Ticket cache: KEYRING:persistent:0:0
Default principal: username@CORP.MYDOMAIN.COM
Valid starting Expires Service principal
03/07/2016 11:05:32 03/07/2016 21:05:32 krbtgt/CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM
renew until 03/07/2016 21:05:32

4/ ensure the hosts you cannot connect to have clocks synchronized with your AD Domain controllers

Yes, it is, since the machine I am able to connect to has the same time as the machine I am not able to connect to.

5/ ensure the hosts you cannot connect to can be found using both hostname and ip address

Yes, we can find the machines with IP and host names. This was tested using RDP.

Please let me know if you want to have any other details.

Thanks,
Akash John

Looks like you have some parent/subdomain relationship going on. In my experience you must use whatever domain name is returned by kinit -C. So kinit -C returns CORP.MYDOMAIN.COM in your case - so that is what you need to put in your kinit command line and ansible_ssh_user - if not the domains don’t match up and maybe that is why you are getting the ‘the username/password specified for this server is incorrect’ message.

Hope this helps,

Jon

Hi Hawkesworth,

kinit -C gives an output of adusername@CORP.MYDOMAIN.COM and prompts for a password. I have used the same as you suggested (ansible_ssh_user: adusername@CORP.MYDOMAIN.COM) and I cannot find any change while executing win_ping.

But if that is the case, how are other servers providing a proper response to win_ping…

Do we need to check anything from Windows Server side?

Thanks,
Akash John

Meant to say you also need to match the domain names in your /etc/krb5.conf

No harm in checking the event logs on the windows hosts, but if the domain of your kerberos ticket doesn’t exactly match the domain that the windows host is on, that might explain why it thinks the username/password is incorrect.

Hope this helps,

Jon
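Jon's three conditions (upper-case realm in ansible_ssh_user, the realm the ticket from kinit -C actually carries, and default_realm in /etc/krb5.conf all agreeing) can be checked mechanically before running win_ping. This is an added example, not code from the thread or from Ansible; the klist output and krb5.conf fragment are constructed to reproduce the parent/child domain situation in the thread.

```python
"""Kerberos realm consistency check for Ansible WinRM (added example; not
code from the thread or from Ansible).  The realm in ansible_ssh_user, the
realm of the ticket kinit obtained, and default_realm in /etc/krb5.conf
must all be the same, upper-case realm."""
import re

def realm_of(principal):
    """Realm part of user@REALM, or '' when there is no '@'."""
    return principal.rsplit("@", 1)[1] if "@" in principal else ""

def ticket_realm(klist_output):
    m = re.search(r"^Default principal:\s*(\S+)", klist_output, re.M)
    return realm_of(m.group(1)) if m else ""

def default_realm(krb5_conf):
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_conf, re.M)
    return m.group(1) if m else ""

def realm_findings(ansible_user, klist_output, krb5_conf):
    """Return a list of mismatches; an empty list means the realms agree."""
    findings = []
    user_realm = realm_of(ansible_user)
    if not user_realm:
        findings.append("ansible_ssh_user has no @REALM suffix")
    elif user_realm != user_realm.upper():
        findings.append("realm in ansible_ssh_user is not upper case: " + user_realm)
    tkt = ticket_realm(klist_output)
    conf = default_realm(krb5_conf)
    if tkt and user_realm and user_realm.upper() != tkt:
        findings.append("ansible_ssh_user realm %s != ticket realm %s" % (user_realm, tkt))
    if tkt and conf and conf != tkt:
        findings.append("krb5.conf default_realm %s != ticket realm %s" % (conf, tkt))
    return findings

# Constructed inputs (hypothetical): the ticket is for the child domain
# CORP.MYDOMAIN.COM while the user and krb5.conf name the parent domain.
KLIST = """Ticket cache: KEYRING:persistent:0:0
Default principal: testuser@CORP.MYDOMAIN.COM
Valid starting       Expires              Service principal
03/07/2016 11:05:32  03/07/2016 21:05:32  krbtgt/CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM
"""
KRB5_CONF = """[libdefaults]
    default_realm = MYDOMAIN.COM
"""

if __name__ == "__main__":
    for line in realm_findings("testuser@MY.DOMAIN.COM", KLIST, KRB5_CONF):
        print(line)
```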