Ansible V2.7 - kerberos: authGSSClientStep() failed:

Hi Team,
We're using Ansible v2.7 with the Python modules for Kerberos listed below. Since we switched from basic to Kerberos auth, all playbooks are failing with the error below.

Python (Kerberos) modules:
kerberos 1.3.0
requests-kerberos 0.12.0

Ansible host file:
ansible_user= Ansibleservice@NORTHIND.INTERNAL
ansible_password= '2*S<5q$Vn#]M'
ansible_connection= winrm
ansible_winrm_transport= kerberos
#ansible_winrm_realm= NORTHIND.INTERNAL
ansible_winrm_scheme= http
ansible_winrm_server_cert_validation= ignore
ansible_port= 5985
ansible_winrm_kerberos_delegation= yes

The kinit command succeeds and we are able to run klist as well. But when we execute the win_ping module against the Windows (2012) node, which is part of the domain (NORTHIND.INTERNAL), it fails with the error below. Can anyone assist in fixing this error?

Command: ansible -i /home/ansible/hosts win -m win_ping -e="ansible_ssh_port=5985, ansible_connection=winrm"

Error:

gcp-bashost.NORTHIND.INTERNAL | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true
}

Part of the Kerberos authentication process is to look up the remote server in the KDC database (the AD database). If it cannot find that server then you will get this error. In this case it will look up the host using the SPN 'HTTP/gcp-bashost.NORTHIND.INTERNAL'. If you have defined ansible_host for that host then it will be using that hostname as the 2nd part of the SPN.

The fact that you can use kinit to get the credentials shows that your Ansible controller is talking to the domain correctly; this issue is around not being able to look up your remote host. Make sure:

  • You are connecting to the host using the FQDN and not an IP address
  • The remote host is part of the domain
  • If you need to connect with an IP, you can use 'ansible_winrm_kerberos_hostname_override' to set the host's FQDN so the SPN lookup works

Also you should change your password right now and never share it in a public setting again.

Thanks

Jordan

Hi Jordan,
I have tried all the possibilities and your suggestions as well, but it is still the same error for Windows alone. Is there any workaround for this?

N.B: I have modified the password before posting it.

Hello Sushena,

Hope you are doing well!
I have faced the exact same situation and it got resolved.

Could you please give me the following:

- nslookup of the member server FQDN you are pinging from the Ansible server
- Output of the command setspn -l
- The ansible hosts file section which shows the server names on which you are running this module
- How many network interfaces you have on your Ansible server
- Are these network interfaces on the Ansible server in the same subnet range or mask?

Thanks,
Piyush
9650865898

Hi Piyush Bansal,

Thanks for your response. I work along with Sushena. Below are the technical details:

  • nslookup is working correctly and both sides resolve each other.
  • Only one network interface.
  • hosts file entry: testhost.NORTHIND.INTERNAL

Thanks,

Amal Antony

Hi Piyush,

Please find below a snippet from the ansible command for further understanding.

"Server not found in Kerberos database" means that the domain controller is unaware of the server. You mention using a hosts file, which suggests to me that the machine you want to connect to has not been joined to the domain. You almost certainly wouldn't need to use a hosts file, as typically joining a machine to a domain also adds it to your local DNS servers.

Hope this helps,

Jon

Thanks, Jon.

We have SOLVED the issue. The problem was with the NTP service: the Ansible controller and the domain controller weren't in sync. After setting up ntpd on the controller and changing the time to UTC, the service account and playbooks were working as expected.

Thanks to everyone for assisting us.
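An added pre-flight check (example code written for this page, not posted by anyone in the thread and not part of Ansible or pywinrm) that encodes the two causes discussed above: Jordan's explanation of how the SPN is derived (hostname override, then ansible_host, then the inventory name, and why an IP address or short name fails the KDC lookup) and the clock skew that turned out to be the actual cause. The 300-second limit is the MIT Kerberos default `clockskew`; the hostvars and timestamps are constructed.

```python
"""Pre-flight checks for Ansible WinRM over Kerberos (added example)."""
import ipaddress

MAX_CLOCK_SKEW = 300  # seconds; MIT Kerberos default 'clockskew'


def kerberos_spn(inventory_hostname, hostvars, service="HTTP"):
    """Derive the SPN the KDC will be asked for: an explicit
    ansible_winrm_kerberos_hostname_override wins, then ansible_host,
    then the inventory name itself (the precedence described in the thread)."""
    host = (hostvars.get("ansible_winrm_kerberos_hostname_override")
            or hostvars.get("ansible_host")
            or inventory_hostname)
    return f"{service}/{host}"


def spn_problems(spn, realm=None):
    """Return reasons the KDC is likely to answer 'Server not found'."""
    problems = []
    host = spn.split("/", 1)[1]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, keep checking
    else:
        # AD registers HTTP/<fqdn>, never HTTP/<ip>; point the SPN at the FQDN
        problems.append("IP address in SPN; set ansible_winrm_kerberos_hostname_override to the FQDN")
        return problems
    if "." not in host:
        problems.append("short name in SPN; use the FQDN so it matches the KDC entry")
    if realm and not host.lower().endswith("." + realm.lower()):
        # DNS domain may legitimately differ from the realm, so this is a
        # hint to confirm the host is domain-joined, not a hard failure
        problems.append(f"host is outside the {realm} DNS domain; confirm it is domain-joined")
    return problems


def clock_skew_ok(controller_epoch, kdc_epoch, max_skew=MAX_CLOCK_SKEW):
    """KDCs reject requests when clocks differ by more than max_skew seconds."""
    return abs(controller_epoch - kdc_epoch) <= max_skew


if __name__ == "__main__":
    # Constructed inventory vars modelled on the thread's hosts file
    hostvars = {"ansible_host": "10.20.30.40", "ansible_winrm_transport": "kerberos"}
    spn = kerberos_spn("gcp-bashost.NORTHIND.INTERNAL", hostvars)
    print(spn, spn_problems(spn, realm="NORTHIND.INTERNAL"))
    hostvars["ansible_winrm_kerberos_hostname_override"] = "gcp-bashost.NORTHIND.INTERNAL"
    spn = kerberos_spn("gcp-bashost.NORTHIND.INTERNAL", hostvars)
    print(spn, spn_problems(spn, realm="NORTHIND.INTERNAL"))
    print("clock skew ok:", clock_skew_ok(1_700_000_000, 1_700_000_420))  # 7 minutes apart
```

Run it against your real inventory vars before `win_ping`; an empty problem list plus an in-range skew means the remaining failure is not one of the two causes this thread hit.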