I’ve set up a new CentOS 7 VM and installed ansible fine and the kerberos components according to this guide https://docs.ansible.com/ansible/intro_windows.html#kerberos
I’ve done the following:
Added the ansible control server Computer account to AD.
Added a test windows machine into /etc/ansible/hosts (called wisteria.duck.loc)
Created /etc/ansible/group_vars/windows.yml with this text:
ansible_user: mark@DUCK.LOC
ansible_password: SecretPasswordGoesHere
ansible_port: 5986
ansible_connection: winrm
# The following is necessary for Python 2.7.9+ (or any older Python that has backported SSLContext, eg, Python 2.7.5 on RHEL7) when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore
Ran kinit and klist and it worked fine.
[mark@carnation ansible]$ ansible --version
ansible 2.2.1.0
config file = /etc/ansible/ansible.cfg
configured module search path = Default w/o overrides
[mark@carnation ansible]$ ansible windows -m win_ping
wisteria.duck.loc | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: HTTPSConnectionPool(host='wisteria.duck.loc', port=5986): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x27b8510>: Failed to establish a new connection: [Errno 111] Connection refused',)), ssl: HTTPSConnectionPool(host='wisteria.duck.loc', port=5986): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x285d750>: Failed to establish a new connection: [Errno 111] Connection refused',))",
    "unreachable": true
}
[mark@carnation ansible]$
Any ideas on next steps to troubleshoot?
The “connection refused” error doesn’t have anything to do with Kerberos - WinRM is not answering on 5986. Have you run the ConfigureRemotingForAnsible.ps1 script on the target host (or taken manual steps) to set up an HTTPS WinRM listener? If so, I’d suspect a firewall or some other networking issue is part of the problem.
I’d also suggest that you get things working with a local account and Basic auth first, as Kerberos can be a complicated beast to debug, and it sounds like you’ve got other problems to solve first that aren’t Kerb-related.
-Matt
Thanks Matt
I created a local user on my target machine called ansible. Have not added it to any groups.
I’ve changed /etc/ansible/group_vars/windows.yml file to:
ansible_user: ansible
ansible_password: ans1bleUser
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: Basic
When I try and connect I get this error:
[mark@carnation ~]$ ansible windows -m win_ping
wisteria.duck.loc | FAILED! => {
    "failed": true,
    "msg": "The installed version of WinRM does not support transport(s) [u'Basic']"
}
Are there any tutorials you know of that show you how to connect to Windows targets with the different authentication options?
Basic auth just means using a simple username and password to login. I suggest you remove the ansible_winrm_transport: Basic line from your configuration and try again.
Hope this helps,
Jon
Thanks Jon,
I did that and tried again and now get this:
[mark@carnation ~]$ ansible windows -m win_ping
wisteria.duck.loc | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}
I made the ansible user a member of local Administrators and then it worked.
[mark@carnation ~]$ ansible windows -m win_ping
wisteria.duck.loc | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
Thanks for looking.
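A triage helper for the three failures seen in this thread, added here as an example (not code from any poster or from Ansible): it maps the error text to the layer that failed and checks TCP reachability of the WinRM port separately from any authentication setting. The function names and the wording of the hints are assumptions of this example; the sample messages are shortened from the output above.

```python
import re
import socket

# Error text -> (layer, next check), built from the three failures in this thread.
# Order matters: the first message mentions "kerberos" but is a network failure.
RULES = [
    (re.compile(r"Connection refused|Errno 111"), "network",
     "nothing is listening on the WinRM port: check the HTTPS listener and firewall"),
    (re.compile(r"does not support transport"), "client-config",
     "ansible_winrm_transport value was not accepted: remove or correct it"),
    (re.compile(r"credentials were rejected"), "auth",
     "listener reached but login refused: check password and local Administrators membership"),
]


def classify(msg):
    """Return (layer, hint) for the 'msg' field of a failed Ansible WinRM task."""
    for pattern, layer, hint in RULES:
        if pattern.search(msg):
            return layer, hint
    return "unknown", "no rule matched; rerun ansible with -vvvv"


def port_state(host, port=5986, timeout=3.0):
    """TCP check that involves no credentials: 'open', 'refused' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"        # host answered, no listener on that port
    except OSError:
        return "unreachable"    # timeout, no route, or name resolution failure


if __name__ == "__main__":
    # Messages shortened from the thread's output.
    samples = [
        "kerberos: HTTPSConnectionPool(host='wisteria.duck.loc', port=5986): "
        "... [Errno 111] Connection refused",
        "The installed version of WinRM does not support transport(s) [u'Basic']",
        "ssl: the specified credentials were rejected by the server",
    ]
    for text in samples:
        layer, hint = classify(text)
        print("%-13s %s" % (layer, hint))
    # Hostname from the thread; resolves only inside that environment.
    print("5986/tcp:", port_state("wisteria.duck.loc"))
```
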