Hi,
I have ansible version
ansible 2.1.0.0
config file = /etc/ansible/ansible.cfg
configured module search path = Default w/o overrides
Kerberos is also installed along with requests-kerberos and pywinrm 0.2.0.
I am getting the following error while running the ping module:
"changed": false,
"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
"unreachable": true
Host file is like
[server]
BCDFPO91.PAL.COM
[server:vars]
ansible_user=USER@PAL.COM
ansible_ssh_pass=0987
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=kerberos
ansible_winrm_kerberos_delegation=yes
Can you guys please help out with what needs to be done to resolve this?
BR
Manoj
Not sure what is wrong but kerberos needs DNS to work fully (both forward and reverse lookups).
Check the hostname can be resolved to an IP from your ansible controller.
Also check you have configured the correct domain controllers in your /etc/krb5.conf.
Hope this helps,
Jon
The host name is resolvable to an IP. But resolving the IP back to the name, to test the reverse DNS mapping, does not work.
In /etc/krb5.conf we have the correct configuration as below.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = WEBSITE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
WEBSITE.COM = {
kdc = WIN-SA2TXZOTVMV.website.com
admin_server = WIN-SA2TXZOTVMV.website.com
}
[domain_realm]
.website.com = WEBSITE.COM
website.com = WEBSITE.COM
Also I am getting connected to the domain using kinit.
But the servers are not getting recognized, with the error:
traceroute AMATLTDMSWEB00.RECALL.COM
AMATLTDMSWEB00.RECALL.COM: Name or service not known
Cannot handle "host" cmdline arg `AMATLTDMSWEB00.RECALL.COM' on position 1 (argc 1)
When using servername/IP in the hosts file and trying to get connected, the below-mentioned error comes up.
Your krb5.conf looks ok, although you might want to add a second kdc machine if you have one. Looks like that side of things is working if you are getting a kerberos ticket ok.
Pretty certain you are going to need to get reverse DNS lookups functioning properly to get kerberos connections working though.
It's worth doing, as less than fully functional DNS just makes life difficult for network users. Unfortunately it's something I have no experience of fixing, so I don't know how to help with that.
If you are just using hostnames in your inventory, check that the search suffixes are set up correctly in your resolv.conf
Jon
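The forward and reverse lookup check suggested in the replies, as an added Python example that is not part of the original thread: it resolves each inventory name, looks up the PTR record of every returned address, and flags names whose reverse lookup is missing or differs from the inventory entry. The sample_* tables and the example.test hosts are constructed; calling check_host(name) with no extra arguments uses the controller's own resolver.

```python
import socket

def system_forward(name):
    # Every address the controller's resolver returns for the name.
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})

def system_reverse(ip):
    # PTR lookup: the primary host name registered for the address.
    return socket.gethostbyaddr(ip)[0]

def check_host(name, forward=system_forward, reverse=system_reverse):
    """Return (status, details) for one inventory host name."""
    try:
        ips = forward(name)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return "NO_FORWARD", [f"{name}: {exc}"]
    want = name.rstrip(".").lower()
    status, details = "OK", []
    for ip in ips:
        try:
            ptr = reverse(ip).rstrip(".").lower()
        except OSError as exc:  # socket.herror is a subclass of OSError
            status = "NO_REVERSE"
            details.append(f"{ip}: no PTR record ({exc})")
            continue
        if ptr != want:
            if status == "OK":
                status = "MISMATCH"
            details.append(f"{ip}: PTR is {ptr}, inventory has {name}")
    return status, details

# Constructed sample records (not taken from the thread).
SAMPLE_A = {"web01.example.test": ["192.0.2.10"],
            "web02.example.test": ["192.0.2.11"],
            "web03": ["192.0.2.12"]}  # short name found via a search suffix
SAMPLE_PTR = {"192.0.2.10": "web01.example.test",
              "192.0.2.12": "web03.example.test"}

def sample_forward(name):
    if name not in SAMPLE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return SAMPLE_A[name]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_PTR[ip]

if __name__ == "__main__":
    for host in list(SAMPLE_A) + ["missing.example.test"]:
        print(host, *check_host(host, sample_forward, sample_reverse))
```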