I am working on getting Windows with Ansible working. I have a CentOS 7 control machine joined to my AD domain. I ran through the steps http://docs.ansible.com/ansible/intro_windows.html. When I tried the
```
[bud@ansible ansible]$ ansible windows -m win_ping
SVR2k8-Update.V-BLOG.LOCAL | FAILED! => {
    "failed": true,
    "msg": "ssl: 401 Unauthorized. basic auth failed"
}
```
So I tried below and all looks okay
```
kinit ansible@V-BLOG.LOCAL
Valid starting       Expires              Service principal
05/16/2016 23:01:21  05/17/2016 09:01:21  krbtgt/V-BLOG.LOCAL@V-BLOG.LOCAL
	renew until 05/23/2016 23:01:17
```
Thoughts? Also here is my krb5.conf
```
[realms]
 V-BLOG.LOCAL = {
  kdc = dc01.v-blog.local
  admin_server = dc01.v-blog.local
 }

[domain_realm]
 .v-blog.local = V-BLOG.LOCAL
 v-blog.local = V-BLOG.LOCAL
```
Hello
The message you are seeing, `ssl: 401 Unauthorized. basic auth failed`, says to me that ansible is not communicating via kerberos.
As well as acquiring a kerberos ticket, which you have done, you also need to install the python library that lets python access kerberos.
So, please check that you have run `pip install kerberos` as mentioned here: http://docs.ansible.com/ansible/intro_windows.html#installing-python-kerberos
Please let me know if this fixes your problem as it might not be clear enough in the documentation that this is required.
Many thanks,
Jon
When trying to run the command I get:
```
[bud@ansible ~]$ sudo pip install kerberos
[sudo] password for bud:
You are using pip version 7.1.0, however version 8.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Collecting kerberos
  Using cached kerberos-1.2.4.tar.gz
Installing collected packages: kerberos
  Running setup.py install for kerberos
    Complete output from command /usr/bin/python -c "import setuptools, tokenize;__file__='/tmp/pip-build-KYPdg4/kerberos/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-_U3ASd-record/install-record.txt --single-version-externally-managed --compile:
    running install
    running build
    running build_ext
    building 'kerberos' extension
    creating build
    creating build/temp.linux-x86_64-2.7
    creating build/temp.linux-x86_64-2.7/src
    gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/usr/include/python2.7 -c src/base64.c -o build/temp.linux-x86_64-2.7/src/base64.o
    unable to execute gcc: No such file or directory
    error: command 'gcc' failed with exit status 1
```
I suggest you run `pip install --upgrade pip` as the error message you are seeing suggests.
Also it looks like gcc is not installed, so install that too.
Hope this helps
Jon
Okay I installed
- yum group install "Development Tools" for gcc
- pip install --upgrade pip
- sudo pip install kerberos
All went through with success. Rerunning the command gave the same error:
```
[root@ansible ansible]# ansible windows -m win_ping
SVR2k8-Update.V-BLOG.LOCAL | FAILED! => {
    "failed": true,
    "msg": "ssl: 401 Unauthorized. basic auth failed"
}
```
Ok, we will figure this out…
It still looks like you aren't making a kerberos connection.
If you run python and then enter `import kerberos`, do you get `ImportError: No module named kerberos`?
If so, ansible is not going to be able to connect via kerberos until that library is available.
Also, which version of ansible are you using? If it's an older one you may need to use the older-style connection parameter names, e.g. ansible_ssh_user instead of ansible_user.
Make sure that you have the windows group_vars in a group vars file called 'windows' (based on the example you give above; the name is arbitrary but it must match), otherwise ansible will not know to apply the windows-specific connection settings and will default back to connecting via ssl.
Hope this helps,
Jon
Jon,
On the import kerberos are you asking to do that on the CentOS ansible control machine? I am not following.
I am running
Python 2.7.5
Ansible 2.0.2.0
This is a pretty fresh install (maybe 2 weeks old)
Sorry, yes, run that on the ansible controller.
If you get an error message, then the python kerberos library isn’t available for some reason.
If you don’t get an error then most likely it is something to do with your ansible configuration meaning that ansible simply isn’t attempting to connect via kerberos.
Jon
What commands do you want me to run I am not following.
Sure, here goes:
On your ansible controller, start the interactive python interpreter by running `python`. You will see something like the following
```
me@testbox:~$ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
```
Once the >>> prompt has appeared, type `import kerberos` and press enter.
If you get just the >>> prompt again, that's good, it means python has been able to load the kerberos library.
If you get an error message something like the below then python can't load the kerberos library, which will stop ansible from connecting to windows via kerberos.
```
  File "<stdin>", line 1
    import kerberos
    ^
SyntaxError: invalid syntax
```
Hold down the Ctrl key and press D to exit the interactive python interpreter.
Let us know how you get on.
Jon
Jon, thank you. It looks like I have it loaded properly.
```
[bud@ansible ~]$ python
Python 2.7.5 (default, Nov 20 2015, 02:00:19)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
```
Ok, well that's good news, it's likely just your ansible configuration then.
In that case can you share your inventory file and your group_vars/windows.yml file.
Jon
Here you go
Hosts File:
```
[db]
192.168.1.6

[windows]
SVR2k8-Update.V-BLOG.LOCAL
```
group_vars/windows.yaml
```
ansible_user: ad username
ansible_password: password
ansible_port: 5986
ansible_connection: winrm
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore
```
I think you just need to change
```
ansible_user: ad username
```
to
```
ansible_user: ad username@V-BLOG.LOCAL
```
Looking at the code for the connection plugin, you need to put an @ symbol in the ansible_user so that it selects kerberos:
```
./usr/lib/pymodules/python2.7/ansible/plugins/connection/winrm.py
```
```
if HAVE_KERBEROS and ('@' in self._winrm_user or self._winrm_realm):
    self._winrm_transport = 'kerberos,%s' % transport_selector
```
Hope that’s it, let us know how you get on.
All the best,
Jon
I updated the username to be bud@V-BLOG.LOCAL
I could not find ./usr/lib/pymodules/python2.7/ansible/plugins/connection/winrm.py. The closest I found was /usr/lib/python2.7/site-packages/ansible (I am on CentOS7 minimal)
Here is the error. Looks like the same.
```
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<SVR2k8-Update.V-BLOG.LOCAL> ESTABLISH WINRM CONNECTION FOR USER: bud@V-BLOG.LOCAL on PORT 5986 TO SVR2k8-Update.V-BLOG.LOCAL
<192.168.1.232> ESTABLISH WINRM CONNECTION FOR USER: bud@V-BLOG.LOCAL on PORT 5986 TO 192.168.1.232
192.168.1.232 | FAILED! => {
    "failed": true,
    "msg": "kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243)), ssl: 401 Unauthorized. basic auth failed"
}
```
Did you do a kinit bud@V-BLOG.LOCAL before running the playbook (or at least a klist to demonstrate that bud@V-BLOG.LOCAL has a kerberos ticket)?
I think ‘No Kerberos credentials available’ probably means there aren’t kerberos credentials for the user you are trying to connect as.
If that isn’t it, it might be worth checking that the machine you are targeting is actually on the domain you are using.
It's crazy because I could log in as the user bud last night into the server. Tried again and today it works!
Thank you for your help.
Don’t forget the kerberos tickets expire after a while.
Also another thing to watch out for is that kerberos is time-sensitive, so make sure your ansible controller’s clock is synchronized with your windows domain controllers.
If you use ntp you can set it up to sync with your domain controllers - I found some instructions here: https://community.spiceworks.com/topic/143891-possible-to-synchronize-ntp-on-a-linux-server-to-a-windows-domain-controller
Hope this helps,
Jon
Do you think it worked because I did a kinit bud@V-BLOG.LOCAL? So when that ticket expires it will fail?
I just tried rerunning the playbook and it failed... How do I fix it so I do not have to run a kinit bud@V-BLOG.LOCAL?
```
fatal: [SVR2k8-Update.V-BLOG.LOCAL]: FAILED! => {"failed": true, "msg": "kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243)), ssl: 401 Unauthorized. basic auth failed"}
```
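A preflight check that turns the two failure modes in this thread into something runnable before each playbook. It is an added example, not code from the thread or from Ansible: `select_transport` reproduces the rule Jon quoted from winrm.py (kerberos is only attempted when the python kerberos module imports and ansible_user carries @REALM; the `realm` argument stands in for the ansible_winrm_realm host variable), and `parse_klist` / `diagnose` read klist output so that a missing ticket can be told apart from an expired one, which is the "No Kerberos credentials available" case at the end. Assumptions: the klist timestamp layout is the one shown earlier in the thread (a two-digit-year variant is also accepted), SAMPLE_KLIST is constructed from that output, and all helper names are hypothetical.

```python
"""Preflight check for Ansible WinRM over Kerberos (hypothetical helper,
not Ansible's own code)."""
import re
import subprocess
import sys
from datetime import datetime

# Constructed from the klist output posted earlier in the thread.
SAMPLE_KLIST = (
    "Ticket cache: FILE:/tmp/krb5cc_1000\n"
    "Default principal: bud@V-BLOG.LOCAL\n"
    "\n"
    "Valid starting       Expires              Service principal\n"
    "05/16/2016 23:01:21  05/17/2016 09:01:21  krbtgt/V-BLOG.LOCAL@V-BLOG.LOCAL\n"
    "\trenew until 05/23/2016 23:01:17\n"
)


def kerberos_module_available():
    """True when 'import kerberos' works. The winrm plugin computes its
    HAVE_KERBEROS flag the same way and silently falls back to ssl if not."""
    try:
        import kerberos  # noqa: F401
        return True
    except ImportError:
        return False


def select_transport(user, realm=None, have_kerberos=True, transport_selector='ssl'):
    """The selection rule quoted from winrm.py: kerberos is tried only when
    the module imports AND (user contains '@' OR a realm is configured)."""
    if have_kerberos and ('@' in user or realm):
        return 'kerberos,%s' % transport_selector
    return transport_selector


_KLIST_PRINCIPAL = re.compile(r'^Default principal:\s*(\S+)', re.M)
# Valid-starting / Expires pair on the krbtgt (TGT) line; year may be 2 or 4 digits.
_KLIST_TGT = re.compile(
    r'^(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+'
    r'(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+krbtgt/', re.M)


def parse_klist_time(text):
    """Parse a klist timestamp; CentOS 7 prints a 4-digit year, older builds 2."""
    for fmt in ('%m/%d/%Y %H:%M:%S', '%m/%d/%y %H:%M:%S'):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError('unrecognised klist timestamp: %r' % text)


def parse_klist(output, now):
    """Return (principal, seconds until the TGT expires). ttl is None when
    there is no krbtgt ticket in the cache at all."""
    m = _KLIST_PRINCIPAL.search(output)
    principal = m.group(1) if m else None
    t = _KLIST_TGT.search(output)
    if not t:
        return principal, None
    return principal, (parse_klist_time(t.group(2)) - now).total_seconds()


def run_klist():
    """Live klist output, or '' when no cache exists (klist exits non-zero)."""
    try:
        return subprocess.check_output(['klist'], stderr=subprocess.STDOUT).decode()
    except (OSError, subprocess.CalledProcessError):
        return ''


def diagnose(ansible_user, realm, have_kerberos, klist_output, now):
    """List, in the order this thread hit them, the reasons the winrm
    connection would end up on basic auth and fail with a 401."""
    problems = []
    if not have_kerberos:
        problems.append("python kerberos module not importable: pip install kerberos (needs gcc)")
    if 'kerberos' not in select_transport(ansible_user, realm, have_kerberos):
        problems.append("ansible_user lacks @REALM and ansible_winrm_realm is unset: only ssl/basic will be tried")
    principal, ttl = parse_klist(klist_output, now)
    if ttl is None:
        problems.append("no TGT in the credential cache: run kinit %s" % ansible_user)
    elif ttl <= 0:
        problems.append("TGT for %s has expired: run kinit again" % principal)
    elif principal and principal.lower() != ansible_user.lower():
        problems.append("cache holds a ticket for %s but ansible_user is %s" % (principal, ansible_user))
    return problems


if __name__ == '__main__':
    user = sys.argv[1] if len(sys.argv) > 1 else 'bud@V-BLOG.LOCAL'
    for p in diagnose(user, None, kerberos_module_available(), run_klist(), datetime.now()):
        print('PROBLEM: ' + p)
```

Run it with the principal you connect as (`python preflight.py bud@V-BLOG.LOCAL`) before a playbook. An empty result means the remaining 401s are on the Windows side; the expired-ticket message answers the last question above: the ticket from kinit lives only until the time shown under Expires, so kinit has to be repeated before later runs, and the usual way to script that without typing a password is a keytab for the account (`kinit -k -t /path/to/bud.keytab bud@V-BLOG.LOCAL`, path assumed).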