[Ansible windows] "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Generic error (see e-text)', -1765328324))",

Hi
In my company we have a forest with multiple domains, EUR / USA …
I can work without any issue in my domain (EUR) with a EUR user.

Now I'm trying to access a USA server and got the following failure:

`

ansible-playbook agent.yml --limit tsthost67.usa.company.com -vvvv

ansible-playbook 2.6.2
config file = /ansible/scripts/ansible.cfg
configured module search path = [u'/usr/local/lib/python2.7/dist-packages/ara/plugins/modules']
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 2.7.12 (default, Dec 4 2017, 14:50:18) [GCC 5.4.0 20160609]
Using /ansible/scripts/ansible.cfg as config file
setting up inventory plugins
Parsed /ansible/scripts/inventory/windows.yml inventory source with yaml plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc
Loading callback plugin ara of type notification, v2.0 from /usr/local/lib/python2.7/dist-packages/ara/plugins/callbacks/log_ara.pyc

PLAYBOOK: agent.yml *****************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
1 plays in agent.yml

PLAY [fw] *********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
Trying secret FileVaultSecret(filename='/nfs/site/disks/home30/ansible/.ssh/ansible_vault.txt') for vault_id=default

TASK [Gathering Facts] ********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
task path: /ansible/scripts/agent.yml:2
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/setup.ps1
<tsthost67.usa.company.com> ESTABLISH WINRM CONNECTION FOR USER: ansible@eur.company.com on PORT 5986 TO tsthost67.usa.company.com
checking if winrm_host tsthost67.usa.company.com is an IPv6 address
calling kinit with pexpect for principal ansible@eur.company.com
fatal: [tsthost67.usa.company.com]: UNREACHABLE! => {
"changed": false,
"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Generic error (see e-text)', -1765328324))",
"unreachable": true
}
to retry, use: --limit @/ansible/scripts/qb-agent-fw.retry

PLAY RECAP ********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
tsthost67.usa.company.com : ok=0 changed=0 unreachable=1 failed=0

`

my kerberos file:

`

cat /etc/krb5.conf

[libdefaults]
default_realm = EUR.COMPANY.COM
ticket_lifetime = 36000
renew_lifetime = 2592000
default_keytab_name = /etc/krb5.keytab
forwardable = true
allow_weak_crypto = true
dns_lookup_realm = false
dns_lookup_kdc = false
default_tgs_enctypes = des-cbc-crc arcfour-hmac-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc
preferred_preauth_types = des-cbc-crc
[domain_realm]
.usa.company.com = USA.COMPANY.COM

[libvas]
use-dns-srv = true
use-server-referrals = true
[realms]
USA.COMPANY.COM = {
default_domain = usa.company.com

}
EUR.COMPANY.COM = {
default_domain = eur.company.com

}

`

My group_vars file:

`

ansible_user: ansible@EUR.COMPANY.COM
ansible_password: SECURED_PASSWORD
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_scheme: https
ansible_winrm_server_cert_validation: ignore
ansible_winrm_kerberos_delegation: true

`

How can I access a computer in the USA domain?

Hi All,
please help me.

Build EC2 instances, attaching sequential tag names:
For example, I have launched one EC2 instance with the tag name "webserver1"; the next EC2 instances built should automatically get the tag names webserver2, webserver3, ...

Note: No two ec2 instances have same tag name.

Badraj,

Please start a new topic instead of hijacking an existing one.

Using a USA domain user instead of a EUR domain user moved me to another issue:
"kerberos: Bad HTTP response returned from server. Code 400"

I found out this question here : https://groups.google.com/forum/#!topic/ansible-project/WJbhN3VYMmI but nothing could help me.

I have to say, my first choice would be to use the same user eventually.

Thanks

Jordan / Jon? :)

Because you are running over https, message encryption is not being used, so the post you linked to is technically unrelated. That said, I have no idea about your environment setup, but RC4 and DES are effectively broken and you should avoid using them in any case. Unless you have set that on purpose, you shouldn't be allowing weak crypto.

To try and find out what exactly is failing, can you run Ansible with KRB5_TRACE=/dev/stdout set, e.g. 'KRB5_TRACE=/dev/stdout ansible-playbook agent.yml --limit …'. This will make gssapi on that host send its logs to stdout, hopefully giving you a better error.

Thanks

Jordan
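To make that kind of trace easier to read, here is an added example (mine, not from this thread, Ansible or pykerberos) that walks KRB5_TRACE output and separates a Kerberos-side failure (a non-zero TGS result) from a transport-side failure (the HTTP/WinRM connection dying after a service ticket was already issued). The sample input is an abridged copy of the trace posted in this thread with Ansible's fatal message appended; the function names and the WEAK_ENCTYPES list are my own.

```python
"""Triage helper for KRB5_TRACE output from an Ansible/WinRM Kerberos run.

Added example, not part of the original thread.  SAMPLE_TRACE is an abridged
copy of the trace posted in this thread (Ansible's fatal message appended);
the helper names and the WEAK_ENCTYPES list are mine.
"""
import re

# Single-DES and RC4 enctype families, which MIT krb5 documents as weak/deprecated.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "rc4-hmac",
}
# KRB5_TRACE prints "client -> service"; the forum rendering turned that into an arrow.
ARROW = r"(?:->|→)"

SAMPLE_TRACE = """\
[5574] 1535488714.966934: Retrieving usa_ansible@USA.COMPANY.COM from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.979603: Getting credentials usa_ansible@USA.COMPANY.COM -> HTTP/scststhost67.usa.company.com@USA.COMPANY.COM using ccache FILE:/tmp/tmpa0pCw0
[5574] 1535488714.979809: Requesting tickets for HTTP/scststhost67.usa.company.com@USA.COMPANY.COM, referrals on
[5574] 1535488714.979855: etypes requested in TGS request: rc4-hmac
[5574] 1535488714.980736: Sending TCP request to stream 10.104.193.41:88
[5574] 1535488715.47115: TGS reply is for usa_ansible@USA.COMPANY.COM -> HTTP/scststhost67.usa.company.com@USA.COMPANY.COM with session key rc4-hmac/C716
[5574] 1535488715.47172: TGS request result: 0/Success
[5574] 1535488715.51311: Creating authenticator for usa_ansible@USA.COMPANY.COM -> HTTP/scststhost67.usa.company.com@USA.COMPANY.COM, seqnum 63157312, subkey rc4-hmac/C622, session key rc4-hmac/C716
fatal: [scststhost67.usa.company.com]: UNREACHABLE! => {
    "msg": "kerberos: ('Connection aborted.', error(104, 'Connection reset by peer'))",
}
"""


def parse_krb5_trace(text):
    """Walk KRB5_TRACE output line by line and pull out the facts needed for triage."""
    summary = {
        "client": None, "service": None, "kdcs": [],
        "requested_enctypes": set(), "session_key_enctypes": set(),
        "tgs_results": [], "missing_keytab": False, "transport_error": None,
    }
    for line in text.splitlines():
        m = re.search(r"Getting credentials (\S+) " + ARROW + r" (\S+) using ccache", line)
        if m:  # which client principal asked for which service ticket
            summary["client"], summary["service"] = m.group(1), m.group(2)
            continue
        m = re.search(r"Sending TCP request to stream (\S+):(\d+)", line)
        if m:  # KDC actually contacted (tells you which realm answered)
            if m.group(1) not in summary["kdcs"]:
                summary["kdcs"].append(m.group(1))
            continue
        m = re.search(r"etypes requested in TGS request: (.+)$", line)
        if m:  # enctypes the client offered; driven by default_tgs_enctypes
            summary["requested_enctypes"].update(m.group(1).split())
            continue
        m = re.search(r"with session key ([\w-]+)/", line)
        if m:  # enctype of the service ticket session key the KDC handed back
            summary["session_key_enctypes"].add(m.group(1))
            continue
        m = re.search(r"TGS request result: (-?\d+)/(.*)$", line)
        if m:  # 0/Success means Kerberos itself is fine
            summary["tgs_results"].append((int(m.group(1)), m.group(2)))
            continue
        if "Key table file" in line and "not found" in line:
            summary["missing_keytab"] = True  # harmless when kinit used a password
            continue
        m = re.search(r"kerberos: \('Connection aborted\.', error\((\d+), '([^']+)'\)\)", line)
        if m:  # Ansible/pywinrm failure that happened after the ticket exchange
            summary["transport_error"] = (int(m.group(1)), m.group(2))
    summary["weak_enctypes"] = sorted(
        (summary["requested_enctypes"] | summary["session_key_enctypes"]) & WEAK_ENCTYPES)
    return summary


def diagnose(summary):
    """Say whether the KDC refused the request or the HTTP/WinRM transport failed afterwards."""
    if not summary["tgs_results"]:
        return "no TGS exchange seen: check kinit and KDC reachability first"
    bad = [r for r in summary["tgs_results"] if r[0] != 0]
    if bad:
        return "KDC refused TGS request: %s" % bad[0][1]
    if summary["transport_error"]:
        return ("service ticket for %s obtained; failure is at the HTTP/WinRM layer (%s)"
                % (summary["service"], summary["transport_error"][1]))
    return "Kerberos exchange succeeded"


if __name__ == "__main__":
    s = parse_krb5_trace(SAMPLE_TRACE)
    for key, value in sorted(s.items()):
        print("%-22s %s" % (key, value))
    print(diagnose(s))
```

Run against a real trace with `KRB5_TRACE=/dev/stdout ansible-playbook ... -vvvv | tee trace.log` and feed the file to parse_krb5_trace; the weak_enctypes field is the quick check for whether the KDC is still issuing RC4 session keys.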

Hello Jordan
I moved from https to http
I removed the des kerberos options:

`

# before
default_tgs_enctypes = des-cbc-crc arcfour-hmac-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc
preferred_preauth_types = des-cbc-crc

# after
default_tgs_enctypes = arcfour-hmac-md5
default_tkt_enctypes = arcfour-hmac-md5

`

And here is the result of the run - I have to admit this is not helping me much…

KRB5_TRACE=/dev/stdout ansible-playbook playbooks/win_test.yml --limit scststhost67.usa.company.com -vvvv

ansible-playbook 2.6.2
config file = /ansible/scripts/ansible.cfg
configured module search path = [u'/usr/local/lib/python2.7/dist-packages/ara/plugins/modules']
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 2.7.12 (default, Dec 4 2017, 14:50:18) [GCC 5.4.0 20160609]
Using /ansible/scripts/ansible.cfg as config file
setting up inventory plugins
Parsed /ansible/scripts/inventory/windows.yml inventory source with yaml plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc
Loading callback plugin ara of type notification, v2.0 from /usr/local/lib/python2.7/dist-packages/ara/plugins/callbacks/log_ara.pyc

PLAYBOOK: win_test.yml *************************************************************************************************************************************
1 plays in playbooks/win_test.yml

PLAY [windows] *********************************************************************************************************************************************
META: ran handlers
Trying secret FileVaultSecret(filename='/nfs/site/disks/home30/ansible/.ssh/ansible_vault.txt') for vault_id=default

TASK [Simple Ping] *****************************************************************************************************************************************
task path: /ansible/scripts/playbooks/win_test.yml:5
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_ping.ps1
<scststhost67.usa.company.com> ESTABLISH WINRM CONNECTION FOR USER: usa_ansible@USA.COMPANY.COM on PORT 5986 TO scststhost67.usa.company.com
checking if winrm_host scststhost67.usa.company.com is an IPv6 address
calling kinit with pexpect for principal usa_ansible@USA.COMPANY.COM
[5574] 1535488714.966934: Retrieving usa_ansible@USA.COMPANY.COM from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.967925: Retrieving usa_ansible@USA.COMPANY.COM from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.968917: Retrieving usa_ansible@USA.COMPANY.COM from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.969845: Retrieving usa_ansible@USA.COMPANY.COM from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.970790: Retrieving usa_ansible@USA.COMPANY.COM from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.974593: Retrieving usa_ansible@USA.COMPANY.COM from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.975957: Retrieving usa_ansible@USA.COMPANY.COM from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.976891: Retrieving usa_ansible@USA.COMPANY.COM from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.979603: Getting credentials usa_ansible@USA.COMPANY.COM → HTTP/scststhost67.usa.company.com@USA.COMPANY.COM using ccache FILE:/tmp/tmpa0pCw0
[5574] 1535488714.979722: Retrieving usa_ansible@USA.COMPANY.COM → HTTP/scststhost67.usa.company.com@USA.COMPANY.COM from FILE:/tmp/tmpa0pCw0 with result: -1765328243/Matching credential not found
[5574] 1535488714.979790: Retrieving usa_ansible@USA.COMPANY.COM → krbtgt/USA.COMPANY.COM@USA.COMPANY.COM from FILE:/tmp/tmpa0pCw0 with result: 0/Success
[5574] 1535488714.979801: Starting with TGT for client realm: usa_ansible@USA.COMPANY.COM → krbtgt/USA.COMPANY.COM@USA.COMPANY.COM
[5574] 1535488714.979809: Requesting tickets for HTTP/scststhost67.usa.company.com@USA.COMPANY.COM, referrals on
[5574] 1535488714.979835: Generated subkey for TGS request: rc4-hmac/DA64
[5574] 1535488714.979855: etypes requested in TGS request: rc4-hmac
[5574] 1535488714.979986: Encoding request body and padata into FAST request
[5574] 1535488714.980151: Sending request (8510 bytes) to USA.COMPANY.COM
[5574] 1535488714.980237: Resolving hostname 10.104.193.41
[5574] 1535488714.980329: Initiating TCP connection to stream 10.104.193.41:88
[5574] 1535488714.980736: Sending TCP request to stream 10.104.193.41:88
[5574] 1535488715.46929: Received answer (8503 bytes) from stream 10.104.193.41:88
[5574] 1535488715.46941: Terminating TCP connection to stream 10.104.193.41:88
[5574] 1535488715.46968: Response was not from master KDC
[5574] 1535488715.46992: Decoding FAST response
[5574] 1535488715.47089: FAST reply key: rc4-hmac/AD14
[5574] 1535488715.47115: TGS reply is for usa_ansible@USA.COMPANY.COM → HTTP/scststhost67.usa.company.com@USA.COMPANY.COM with session key rc4-hmac/C716
[5574] 1535488715.47172: TGS request result: 0/Success
[5574] 1535488715.47178: Received creds for desired service HTTP/scststhost67.usa.company.com@USA.COMPANY.COM
[5574] 1535488715.47186: Storing usa_ansible@USA.COMPANY.COM → HTTP/scststhost67.usa.company.com@USA.COMPANY.COM in FILE:/tmp/tmpa0pCw0
[5574] 1535488715.47336: Retrieving usa_ansible@USA.COMPANY.COM → krbtgt/USA.COMPANY.COM@USA.COMPANY.COM from FILE:/tmp/tmpa0pCw0 with result: 0/Success
[5574] 1535488715.47345: Get cred via TGT krbtgt/USA.COMPANY.COM@USA.COMPANY.COM after requesting krbtgt/USA.COMPANY.COM@USA.COMPANY.COM (canonicalize off)
[5574] 1535488715.47358: Generated subkey for TGS request: rc4-hmac/C5C1
[5574] 1535488715.47368: etypes requested in TGS request: rc4-hmac
[5574] 1535488715.47448: Encoding request body and padata into FAST request
[5574] 1535488715.47557: Sending request (8526 bytes) to USA.COMPANY.COM
[5574] 1535488715.47614: Resolving hostname 10.104.193.41
[5574] 1535488715.47663: Initiating TCP connection to stream 10.104.193.41:88
[5574] 1535488715.48125: Sending TCP request to stream 10.104.193.41:88
[5574] 1535488715.50778: Received answer (8459 bytes) from stream 10.104.193.41:88
[5574] 1535488715.50796: Terminating TCP connection to stream 10.104.193.41:88
[5574] 1535488715.50831: Response was not from master KDC
[5574] 1535488715.50860: Decoding FAST response
[5574] 1535488715.51036: FAST reply key: rc4-hmac/E764
[5574] 1535488715.51075: TGS reply is for usa_ansible@USA.COMPANY.COM → krbtgt/USA.COMPANY.COM@USA.COMPANY.COM with session key rc4-hmac/B213
[5574] 1535488715.51153: Got cred; 0/Success
[5574] 1535488715.51311: Creating authenticator for usa_ansible@USA.COMPANY.COM → HTTP/scststhost67.usa.company.com@USA.COMPANY.COM, seqnum 63157312, subkey rc4-hmac/C622, session key rc4-hmac/C716
fatal: [scststhost67.usa.company.com]: UNREACHABLE! => {
"changed": false,
"msg": "kerberos: ('Connection aborted.', error(104, 'Connection reset by peer'))",
"unreachable": true
}
to retry, use: --limit @/ansible/scripts/playbooks/win_test.retry

PLAY RECAP *************************************************************************************************************************************************
scststhost67.usa.company.com : ok=0 changed=0 unreachable=1 failed=0

Do you have any other advice please?

Thanks

arcfour is RC4, which isn't supported, is problematic, and is a broken encryption standard. You should be using at least AES; a list of encryption types in krb5 can be found here: http://web.mit.edu/kerberos/krb5-1.12/doc/admin/enctypes.html#enctype-compatibility.
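As an added example (mine, not from this thread, Ansible or MIT krb5), the following audits the [libdefaults] section of a krb5.conf for exactly the settings discussed here, allow_weak_crypto and RC4/DES enctype lists, and emits a hardened copy that drops allow_weak_crypto and pins the enctype lists to AES. The sample configuration is an abridged copy of the one posted at the top of the thread; the parser is deliberately minimal (brace-delimited realm blocks are skipped, which is enough for [libdefaults]) and the helper names are my own. The preferred_preauth_types check reflects the MIT documentation, where that setting takes numeric preauth type IDs rather than enctype names.

```python
"""Audit and harden the [libdefaults] enctype settings of a krb5.conf.

Added example, not from the thread, Ansible or MIT krb5.  SAMPLE_KRB5_CONF is
an abridged copy of the configuration posted in this thread; helper names are mine.
"""
import re

# Single-DES and RC4 enctype families, which MIT krb5 documents as weak/deprecated.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "rc4-hmac",
}
AES_ENCTYPES = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# preferred_preauth_types takes numeric preauth type IDs, e.g. "17, 16, 15, 14".
NUMERIC_LIST = re.compile(r"[\d,\s]+")

SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = EUR.COMPANY.COM
forwardable = true
allow_weak_crypto = true
dns_lookup_realm = false
dns_lookup_kdc = false
default_tgs_enctypes = des-cbc-crc arcfour-hmac-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc
preferred_preauth_types = des-cbc-crc
[domain_realm]
.usa.company.com = USA.COMPANY.COM
[realms]
USA.COMPANY.COM = {
default_domain = usa.company.com
}
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for top-level key = value lines; brace blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m and depth == 0:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        depth += line.count("{") - line.count("}")
        if depth > 0 or current is None or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections


def audit_libdefaults(conf):
    """List the weak-crypto findings in [libdefaults]; an empty list means clean."""
    findings, ld = [], conf.get("libdefaults", {})
    if ld.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true re-enables RC4/DES that libkrb5 disables by default")
    for key in ENCTYPE_KEYS:
        weak = [e for e in ld.get(key, "").split() if e in WEAK_ENCTYPES]
        if weak:
            findings.append("%s lists weak enctypes: %s" % (key, " ".join(weak)))
    ppt = ld.get("preferred_preauth_types")
    if ppt and not NUMERIC_LIST.fullmatch(ppt):
        findings.append("preferred_preauth_types takes numeric preauth type IDs, got %r" % ppt)
    return findings


def harden_libdefaults(text):
    """Rewrite the file text: drop allow_weak_crypto, pin weak enctype lists to AES,
    drop a malformed preferred_preauth_types.  Every other line is kept verbatim."""
    out, in_libdefaults = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        if re.match(r"\[\w+\]$", stripped):
            in_libdefaults = stripped == "[libdefaults]"
        if in_libdefaults and "=" in stripped:
            key, value = (p.strip() for p in stripped.split("=", 1))
            key = key.lower()
            indent = raw[:len(raw) - len(raw.lstrip())]
            if key == "allow_weak_crypto":
                continue
            if key in ENCTYPE_KEYS and any(e in WEAK_ENCTYPES for e in value.split()):
                out.append("%s%s = %s" % (indent, key, AES_ENCTYPES))
                continue
            if key == "preferred_preauth_types" and not NUMERIC_LIST.fullmatch(value):
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_libdefaults(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print("FINDING:", finding)
    print(harden_libdefaults(SAMPLE_KRB5_CONF))
```

Pinning AES is one option; removing the default_*_enctypes lines altogether also works on a current libkrb5, whose built-in defaults already exclude RC4 and DES, and it is what the KDC side must support either way (the account's msDS-SupportedEncryptionTypes has to include AES or the KDC will fall back to RC4 keys regardless of the client list).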