Kerberos authentication failed on Windows

Hello,
Kerberos authentication is failing on some servers even after providing credentials in the host file.

Host File

[windows_server]
test.domain.com

[windows:vars]
ansible_user=*****
ansible_password=******
ansible_connection = winrm
ansible_ssh_port = 5986
ansible_winrm_transport = kerberos
ansible_winrm_server_cert_validation = ignore
validate_certs = false

Playbook:

- hosts: windows_server
  vars:
    ansible_connection: winrm
    ansible_ssh_port: 5986
    ansible_winrm_transport: kerberos
    ansible_winrm_server_cert_validation: ignore
    validate_certs: false
    ansible_winrm_scheme: https
    ansible_winrm_read_timeout_sec: 30
    ignore_unreachable: true
    gather_facts: false

Note - If I provide kinit test@domain.com (credentials), the playbook works for some servers and Windows machines but not for others. Weird!

Thanks,

You need to share the error you are getting back, right now we cannot tell what is going wrong.

Oh! Here is the reported error:

fatal: [test.domain.com]: UNREACHABLE! => {"changed": false, "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0)', -1765328243))", "unreachable": true}

Hmmm… I believe credentials should be read from the host file! I am not sure why it's not reading them.

Thanks,
Work Hard

That’s because you are telling it to run on windows_server but have defined the username in the windows group. Based on your inventory, ‘windows_server’ is not part of the ‘windows’ group, so it has no username/password defined. The reason it may have worked before is that you had obtained the Kerberos ticket manually, outside of Ansible, with kinit.

I’ve said this before just recently to you in https://groups.google.com/g/ansible-project/c/V3904K8n7eo/m/lP4b05yZBwAJ but to repeat for the final time

  • The host you are running on is not in the ‘windows’ group, so it will not inherit the variables defined there. The windows group is not a magic group that applies to all Windows hosts but an arbitrarily named one that should match how your inventory is set up.

  • ansible_winrm_read_timeout_sec shouldn’t be set by you. There is little reason for someone to change this option, and even so 30 seconds is the default, so just remove it altogether.

  • ignore_unreachable, gather_facts and validate_certs don’t make sense as vars unless you are using them further down in your playbook somewhere, but based on your example you aren’t, so just remove them altogether.

  • If you did want to use ignore_unreachable and gather_facts, they are play or task directives, so putting them in vars is wrong. They should be indented to the same level as hosts in your play, and ignore_unreachable can be set per task as well.

You seem to be just building your playbook on various different components and trying variables left right and center. Start small and define your connection details in your host file like so

[windows_server]
test.domain.com ansible_user=****** ansible_password=******

[windows_server:vars]
ansible_connection = winrm
ansible_port = 5986
ansible_winrm_transport = kerberos
ansible_winrm_server_cert_validation = ignore

Here is what I’ve changed from your inventory

  • Added the credentials to the actual host entry itself, typically these are per host but feel free to move them back to the group if multiple hosts have the same credentials

  • Changed the windows group to windows_server as that matches what’s in your playbook. Now the vars you’ve defined will be set on the hosts in the windows_server group

  • Changed ansible_ssh_port to ansible_port

  • Removed validate_certs as it wasn’t doing anything and would lead to confusion with ansible_winrm_server_cert_validation

You should also remove all those connection vars from your playbook, as it should be completely agnostic to how to connect to a host. All the playbook should be doing is define what hosts to use and the tasks to run; how to connect is what the inventory is for.

- name: example playbook
  hosts: windows_server
  tasks:
    - name: first task to run
      win_ping:
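To make the group-membership point above checkable, here is an added example (it is not from the thread and not Ansible's own code): a deliberately small Python re-implementation of the INI inventory rules that matter here, run against both inventories from this thread with the credentials replaced by the constructed placeholders svc_ansible and REDACTED. It reports [group:vars] sections whose group contains no hosts, which is exactly why test.domain.com ended up with no ansible_user or ansible_password and the winrm plugin, having nothing to kinit with, fell back to the default Kerberos credential cache named in the error. The parser is a toy (no [group:children], no variable typing); on a real control node, `ansible-inventory -i hosts --host test.domain.com` is the authoritative way to see a host's effective variables.

```python
"""Which variables does an INI-style Ansible inventory really give a host?

Added example for this thread; not Ansible's code. It implements only the rules
at issue: a host gets [all:vars], then the [group:vars] of groups it is listed
in, then its own inline host vars (which win). [group:children] is ignored.
"""
import re
import shlex
from collections import defaultdict

# Constructed copy of the questioner's inventory (placeholder credentials):
# the vars live under a group the host is not a member of.
BROKEN_INVENTORY = """
[windows_server]
test.domain.com

[windows:vars]
ansible_user=svc_ansible
ansible_password=REDACTED
ansible_connection = winrm
ansible_ssh_port = 5986
ansible_winrm_transport = kerberos
ansible_winrm_server_cert_validation = ignore
validate_certs = false
"""

# Constructed copy of the answer's inventory: host vars on the host line,
# connection vars on the group the host actually belongs to.
FIXED_INVENTORY = """
[windows_server]
test.domain.com ansible_user=svc_ansible ansible_password=REDACTED

[windows_server:vars]
ansible_connection = winrm
ansible_port = 5986
ansible_winrm_transport = kerberos
ansible_winrm_server_cert_validation = ignore
"""

SECTION_RE = re.compile(r"^\[([^\]:]+)(?::(vars|children))?\]$")


def parse_ini_inventory(text):
    """Return (hosts, group_vars): hosts maps name -> {'groups': set, 'vars': dict},
    group_vars maps group name -> dict of that group's [group:vars] entries."""
    hosts = defaultdict(lambda: {"groups": set(), "vars": {}})
    group_vars = defaultdict(dict)
    section, kind = "ungrouped", "hosts"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, kind = m.group(1), m.group(2) or "hosts"
            continue
        if kind == "vars":
            key, _, value = line.partition("=")
            group_vars[section][key.strip()] = value.strip()
        elif kind == "hosts":  # "name key=value key=value ..."
            name, *inline = shlex.split(line)
            hosts[name]["groups"].add(section)
            for kv in inline:
                key, _, value = kv.partition("=")
                hosts[name]["vars"][key] = value
    return hosts, group_vars


def effective_vars(text, hostname):
    """Merge the variables that apply to hostname; host vars are applied last."""
    hosts, group_vars = parse_ini_inventory(text)
    if hostname not in hosts:
        raise KeyError(f"{hostname} is not in the inventory")
    merged = dict(group_vars.get("all", {}))
    for group in sorted(hosts[hostname]["groups"]):
        merged.update(group_vars.get(group, {}))
    merged.update(hosts[hostname]["vars"])
    return merged


def orphan_vars_groups(text):
    """[group:vars] sections whose group has no hosts: the mistake in the question."""
    hosts, group_vars = parse_ini_inventory(text)
    populated = {g for h in hosts.values() for g in h["groups"]}
    return sorted(g for g in group_vars if g != "all" and g not in populated)


def missing_for_kerberos(text, hostname):
    """Vars the winrm kerberos transport needs to obtain its own ticket. Without
    ansible_user and ansible_password the plugin does not run kinit itself and
    GSSAPI falls back to the default cache, which is the thread's error."""
    have = effective_vars(text, hostname)
    needed = ("ansible_connection", "ansible_winrm_transport",
              "ansible_user", "ansible_password")
    return [k for k in needed if k not in have]


def weak_settings(text, hostname):
    """Effective settings that trade security for convenience."""
    have = effective_vars(text, hostname)
    findings = []
    if have.get("ansible_winrm_server_cert_validation", "").lower() == "ignore":
        findings.append("ansible_winrm_server_cert_validation=ignore: the WinRM "
                        "listener's TLS certificate is never checked")
    if "ansible_password" in have:
        findings.append("ansible_password is plaintext in the inventory; "
                        "ansible-vault or a credential lookup is the usual fix")
    return findings
```

Run `orphan_vars_groups` on the first inventory and it names `windows`; `missing_for_kerberos` then lists all four connection variables for test.domain.com, because nothing from `[windows:vars]` reaches a host that is only in `windows_server`. The second inventory passes both checks, but `weak_settings` still flags two things a reviewer would raise even though the thread does not: certificate validation is switched off for the HTTPS listener, and the password sits in plaintext in the inventory file.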