how to set up kerberos

hi all!

I am currently using ansible 1.9.2 on a RHEL 6 server. What I would like is to connect to a Windows 2008 R2 server via Kerberos to be able to use domain accounts.

  • What I did: created a ticket on the Linux server for the concerned domain account. Synchronized the clocks.

  • What is not working: I get a 401 Unauthorized when I try to run a playbook.
    Do you know what I am missing?

Thanks for your help on this!

Guillaume Q

Have you installed pykerberos?

Also, use klist to check that the TGT ticket is for the user and domain you expect.

Be aware that the domain name seems to need to be in upper case, so

kinit user@MY.DOMAIN.COM
not

kinit user@my.domain.com

Also, make sure you have patched windows server 2008 R2 - as per this advice on http://docs.ansible.com/intro_windows.html#windows-system-prep

“On Windows 7 and Server 2008 R2 machines, due to a bug in Windows Management Framework 3.0, it may be necessary to install this hotfix http://support.microsoft.com/kb/2842230 to avoid receiving out of memory and stack overflow exceptions. Newly-installed Server 2008 R2 systems which are not fully up to date with windows updates are known to have this issue.”

I recommend running your ansible-playbook with -vvvvv to see the connection debugging information if it still fails.
Also, run eventvwr on the Windows machine and check whether there are any logon events in Windows Logs → Security.

Hope this helps.

If you discover anything that helps please reply so we can provide more information in the documentation.

Jon

pykerberos is installed on the server, and I have already requested a ticket for the user and domain expected with the right syntax. The server is running PowerShell 4 and I have checked that the encryption for the ticket and the key is the same on both sides.
What I can see in eventvwr is an “Unknown user name or bad password” while they are right…

Do you have anything else in mind that could help? Or just ideas to identify the problem? Can it be a proxy/firewall issue?

Hi, quick update for this topic:
Apparently, we need to use Python 2.7.6 (the newest), otherwise ansible doesn’t try Kerberos properly (you should have transport=kerberos in the verbose output).

The problem is now the following:
I try to ping my Windows server but I get this message:

GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Unknown credential cache type', -1765328244))\n', 'stdout': ''}

Thank you for your help!
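The klist checks Jon suggests above (ticket for the expected user, realm in upper case, a TGT present) together with the credential cache type named in the GSSError can be checked in one step. The following helper is an added example, not code from the thread or from Ansible; it parses klist output read on stdin, and the sample klist text is constructed, not a capture from the poster's server.

```shell
# Constructed sample of `klist` output (not taken from the thread), used so the
# check runs offline: pipe real `klist` output into check_klist the same way.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@MY.DOMAIN.COM

Valid starting     Expires            Service principal
07/21/15 09:00:00  07/21/15 19:00:00  krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM
    renew until 07/28/15 09:00:00'

# check_klist: read klist output on stdin, print findings, return 1 on a problem.
check_klist() {
    out=$(cat)
    status=0
    # "Ticket cache: FILE:/tmp/krb5cc_1000" -> cache type FILE
    cache=$(printf '%s\n' "$out" | sed -n 's/^Ticket cache: *//p')
    cache_type=${cache%%:*}
    # "Default principal: user@MY.DOMAIN.COM" -> realm MY.DOMAIN.COM
    princ=$(printf '%s\n' "$out" | sed -n 's/^Default principal: *//p')
    realm=${princ#*@}
    if [ -z "$princ" ]; then
        echo "FAIL: no default principal in cache (run kinit first)"
        return 1
    fi
    echo "cache type: $cache_type"
    echo "principal:  $princ"
    # Jon's point: the realm has to be upper case, so it must equal its upper-cased form.
    if [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "FAIL: realm '$realm' is not upper case (kinit user@$(printf '%s' "$realm" | tr 'a-z' 'A-Z'))"
        status=1
    fi
    # The TGT is the krbtgt/REALM@REALM service ticket; without it WinRM auth cannot start.
    if ! printf '%s\n' "$out" | grep -qF "krbtgt/$realm@$realm"; then
        echo "FAIL: no TGT (krbtgt/$realm@$realm) in the cache"
        status=1
    fi
    # Report the cache type so it can be compared with the "Unknown credential cache
    # type" GSSError above; FILE is the usual default, anything else deserves a look.
    if [ "$cache_type" != "FILE" ]; then
        echo "WARN: credential cache type is '$cache_type', not FILE"
    fi
    return $status
}

# Usage: klist | check_klist   (or the constructed sample below)
printf '%s\n' "$SAMPLE_KLIST" | check_klist
```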

Seems unlikely to be a firewall issue if eventvwr is showing a failed login.

Is the Windows Server 2008 machine joined to the domain? If it isn’t, it won’t know how to check with the domain controller that the username/password are valid?