Ansible windows kerberos issue

Hi, I'm facing the below issue while connecting to a Windows machine using AD accounts:

  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 586, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 789, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 968, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
    self.active = conn.connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
    self.protocol = self._winrm_connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 269, in send_message
    krb_ticket = KerberosTicket(self.krb_service)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 205, in __init__
    kerberos.authGSSClientStep(krb_context, '')
GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))

Please help

Thanks,
Mayur

Hi Mayur,

You usually get that message when Kerberos is not configured properly on your Ansible controller.

Please ensure you have followed the setup instructions here:

http://docs.ansible.com/ansible/intro_windows.html#configuring-kerberos

Without this, the Ansible controller cannot connect to your Windows domain, because it is unaware of the network location of your Windows domain controllers.

Hope this helps,

Jon

Hi Jon,

Thanks for your inputs.

If I manage the Windows machine using a local administrator account, then it works. But for an AD account, the following is the error. I can successfully do kinit with the domain user, and klist displays the appropriate ticket.

ESTABLISH WINRM CONNECTION FOR USER: on PORT 5986 TO win2k8r2-client
WINRM CONNECT: transport=kerberos endpoint=https://win2k8r2-client:5986/wsman
win2k8r2-client | FAILED => Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 586, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 789, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 968, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
    self.active = conn.connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
    self.protocol = self._winrm_connect()
  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 269, in send_message
    krb_ticket = KerberosTicket(self.krb_service)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 205, in __init__
    kerberos.authGSSClientStep(krb_context, '')
GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))

Mayur,

Make sure your Linux Control Machine is bound to the same domain as your target Windows VM. After much reading and debugging, I realized my Ubuntu server where I was running Ansible was not bound to the Domain.

Another thing…
I had to run the kinit command with the below flags on the Control Machine to get past the auth failures (according to https://github.com/diyan/pywinrm/issues/36#issuecomment-60175388):
kinit -l 7d -r 7d -pAf user@MY.DOMAIN.COM

NOTE: I had run the kinit command before, but not with the flags. The forwarding flags of kinit are what got me over the hump.

I will give it a try and let you know.
Thanks in advance for your help!
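
Added example (not part of the thread, and not Ansible or pywinrm code): "Server not found in Kerberos database" is the KDC reporting that it has no entry for the service principal the client asked for, so this Python 3 code works out which principal and realm a krb5.conf of the kind Jon's link describes would produce for the endpoint in the log. The krb5.conf text, the KDC name and all function names are constructed for illustration; the HTTP service class is an assumption based on the krb_service argument seen in the traceback, and DNS canonicalization and KDC referrals are ignored.

```python
import re
from urllib.parse import urlparse

# Constructed krb5.conf; the realm comes from the thread, the KDC name is a placeholder.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = MY.DOMAIN.COM
[realms]
    MY.DOMAIN.COM = {
        kdc = dc1.my.domain.com
    }
[domain_realm]
    .my.domain.com = MY.DOMAIN.COM
"""

def parse_krb5_conf(text):
    """Parse sections, flat keys and one level of { } blocks (enough for [realms])."""
    conf, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def realm_for_host(conf, host):
    """[domain_realm] lookup: try the host, then progressively shorter suffixes."""
    mapping, cand = conf.get("domain_realm", {}), host.lower()
    while cand:
        if cand in mapping:
            return mapping[cand]
        cand = cand[1:] if cand[0] == "." else cand[cand.find("."):] if "." in cand else ""
    return None

def requested_principal(conf, endpoint, service="HTTP"):
    """Return (principal, notes) for the service ticket a WinRM endpoint needs."""
    host, notes = urlparse(endpoint).hostname, []
    realm = realm_for_host(conf, host)
    if realm is None:
        realm = conf.get("libdefaults", {}).get("default_realm")
        notes.append("no [domain_realm] entry matches %s; using default_realm" % host)
    if realm not in conf.get("realms", {}):
        notes.append("realm %s has no [realms] block naming a KDC" % realm)
    return "%s/%s@%s" % (service, host, realm), notes
```

Calling requested_principal(parse_krb5_conf(SAMPLE_KRB5_CONF), "https://win2k8r2-client:5986/wsman") returns the principal to compare against the SPNs registered for the host in AD, plus notes on any krb5.conf gaps it found along the way.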