Kerberos config that works fine with AWX 17.1.0 wouldn't work in version 19.2.2

I have multiple AWX instances running fine with AWX 17.10 version for the past year or so without any issues with the below Kerberos config (/etc/krb5.conf in the task container). As part of the upgrade, I have deployed AWX 19.2.2 in an OpenShift cluster and noticed that the same krb5.conf is injected into the task container as a ConfigMap. I have compared and verified the contents multiple times, and the content matches exactly with the existing config.

Error:
fatal: [windows_server_name.org.com]: UNREACHABLE! => {
    "changed": false,
    "msg": "Kerberos auth failure for principal windows_id@CORP.ORG.COM with pexpect: KDC has no support for encryption type while getting initial credentials",
    "unreachable": true
}

/etc/krb5.conf contents:

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = CORP.ORG.COM

# Added below 2 entries to resolve 'KDC has no support for encryption type while getting initial credentials' error while connecting to Windows Server

default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
CORP.ORG.COM = {
kdc = server1.corp.org.com
admin_server = server1.corp.org.com
}

[domain_realm]
.corp.org.com = CORP.ORG.COM
corp.org.com = CORP.ORG.COM

Note that authentication is done against Microsoft Active Directory (AD). I see the same error when I try kinit windows_id@CORP.ORG.COM in an SSH terminal for the task container. The same command works fine in the old task container terminal (17.2.2).

Could this be due to any missing libraries or other?
Any help is really appreciated as I am unable to proceed further.

Thanks
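An added example, not part of the original post: a small Python check that reads a krb5.conf and reports which enctype settings in [libdefaults] list only enctypes deprecated for Kerberos by RFC 6649 (single DES) and RFC 8429 (RC4, 3DES). The function names are illustrative, the sample is an excerpt of the config posted above, and the thread does not establish whether this is the cause of the error.

```python
import re

# Enctype names deprecated for Kerberos: single DES (RFC 6649), RC4 and 3DES (RFC 8429).
DEPRECATED = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3",
              "des3-cbc-sha1", "rc4", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Excerpt of the krb5.conf posted above; the [realms] stanza shows it is ignored.
SAMPLE = """\
[libdefaults]
default_realm = CORP.ORG.COM
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
CORP.ORG.COM = {
}
"""

def audit_enctypes(conf_text):
    """Map each enctype setting in [libdefaults] to its deprecated and other entries."""
    section, report = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # krb5.conf comment markers
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if section != "libdefaults" or not sep or key not in ENCTYPE_KEYS:
            continue
        # Lists are space- or comma-separated; a leading "-" removes an entry.
        names = [n.lstrip("+") for n in re.split(r"[,\s]+", value.lower())
                 if n and not n.startswith("-")]
        report[key] = {
            "deprecated": [n for n in names if n in DEPRECATED],
            "other": [n for n in names if n not in DEPRECATED],
        }
    return report

def only_deprecated(report):
    """Settings whose every listed enctype is deprecated (nothing modern to offer)."""
    return sorted(k for k, v in report.items() if v["deprecated"] and not v["other"])

if __name__ == "__main__":
    print(audit_enctypes(SAMPLE), only_deprecated(audit_enctypes(SAMPLE)))
```

Running the same check against the krb5.conf in both the old and the new task container shows whether the two clients are being asked to use the same enctype list.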

No clue why it’s working now versus it didn’t work earlier with the default EE images.

Created a custom EE image for adding OpenLDAP utilities, jq, and wget tools; other than that, it's pretty much the out-of-the-box EE image.

ee_images:

I now have the following entries in every AWX instance, and verified that Windows WinRM connections with the above krb5.conf file are working now.

Here is the content of the above custom-awx-ee image Dockerfile if anyone is interested.