Kerberos configuration to ping a Windows server with Ansible

Hello,

I am new to Windows and to Kerberos. Following the http://docs.ansible.com/ansible/intro_windows.html documentation, I tried to configure Kerberos and then ping the Windows server, without success.

Here is the issue:

  • The credentials to connect to the Windows server are controlled by an LDAP server: fr.ldap-ad.dmsi.corp.com
  • My Windows server’s name is swin02.fr.com
  • On the Windows server, my user is in the EMEAD domain
  • On CentOS, I tried to configure the /etc/krb5.conf file; I don’t understand whether the LDAP server should be set as the kdc or the admin_server, and which domain has to be set (the user’s domain EMEAD, or the server’s fr.com?):

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com
        admin_server = kerberos.example.com
    }
    EMEAD.COM = {
        kdc = fr.ldap-ad.dmsi.corp.com
    }
    FR.COM = {
        kdc = fr.ldap-ad.dmsi.corp.com
    }

[domain_realm]
    example.com = EXAMPLE.COM
    emead.com = EMEAD.COM
    fr.com = FR.COM

Thanks for your support

I have only ever used Kerberos support with Active Directory servers, not LDAP ones.
However, I think from what you have described that your kdc will be fr.ldap-ad.dmsi.corp.com.
I don’t think you need an admin server set up for this purpose (I don’t have one set in my krb5.conf).

You may have a domain alias in place in which case you may not know the canonical name for the domain you are authenticating with.

I suggest you try running kinit -C someuser@EMEAD.COM
and then running klist.

This should show the actual domain used to authenticate. That domain is what you will need to set up in /etc/krb5.conf and use in Ansible.

Also I understand it is possible to set up domain trust relationships so that users of domain A are allowed to use machines belonging to domain B. I only tried this briefly and didn’t get it working and wound up setting up machines on the same domain as the user. Probably worth talking to your domain administrators to discover if you have domain trust relationships set up.

I hope this helps. There is a little more information here: http://docs.ansible.com/ansible/intro_windows.html#troubleshooting-kerberos-connections

Jon

I corrected the krb5.conf file, installed the requests.kerberos package and reran the kinit command.
The klist command shows the EMEAD.COM domain.
But when running the ansible win_ping command, I receive this new message:

ansible windows -i ./win.ini -m win_ping -vvvvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<172.17.56.66> ESTABLISH WINRM CONNECTION FOR USER: fvaltat@EMEAD.COM on PORT 5986 TO 172.17.56.66

<172.17.56.66> WINRM CONNECT: transport=kerberos endpoint=https://172.17.56.66:5986/wsman
<172.17.56.66> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))

I guess there is an issue because the server is not in the EMEAD.COM domain? I don’t understand how all this works.

Regards

Oh, the win_ping command did work: I replaced the IP address in the inventory file with the server name, and I commented out in the krb5.conf file all entries that were not about EMEAD.COM (so many tests!!!).

Thanks a lot, Jon, for your support
Regards
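The two things that turned out to matter in this thread (an IP literal in the inventory, and which [domain_realm] tag actually covers swin02.fr.com) can be checked before running win_ping. The script below is an added example, not code from the thread or from Ansible: it parses a krb5.conf, applies MIT krb5's [domain_realm] matching rule (a tag without a leading dot matches only that exact hostname, a tag with a leading dot matches every host under the domain), and reports the HTTP/host@REALM service principal the WinRM transport would request. The sample krb5.conf is constructed from the entries in the first post plus a default_realm line; treating default_realm as the fallback when no tag matches is a simplification assumed here.

```python
import ipaddress
import re

# Constructed sample: the realms and mappings from the first post, plus a
# default_realm (the final, working config kept only EMEAD.COM).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EMEAD.COM

[realms]
    EMEAD.COM = {
        kdc = fr.ldap-ad.dmsi.corp.com
    }
    FR.COM = {
        kdc = fr.ldap-ad.dmsi.corp.com
    }

[domain_realm]
    emead.com = EMEAD.COM
    fr.com = FR.COM
"""


def parse_krb5_conf(text):
    """Minimal parser for the [libdefaults], [realms] and [domain_realm] sections."""
    conf = {"libdefaults": {}, "realms": {}, "domain_realm": {}}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, realm = header.group(1), None
            continue
        if line == "}":                          # end of a "REALM = { ... }" block
            realm = None
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "realms":
            if value == "{":
                realm = key
                conf["realms"].setdefault(realm, {})
            elif realm:
                conf["realms"][realm].setdefault(key, []).append(value)
        elif section == "domain_realm":
            conf["domain_realm"][key.lower()] = value
        elif section == "libdefaults":
            conf["libdefaults"][key] = value
    return conf


def realm_for_host(host, domain_realm):
    """MIT krb5 [domain_realm] rule: 'fr.com' matches only the host fr.com,
    '.fr.com' matches swin02.fr.com and everything else under fr.com."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):              # try ".fr.com", then ".com"
        tag = "." + ".".join(labels[i:])
        if tag in domain_realm:
            return domain_realm[tag]
    return None


def check_target(host, conf):
    """Return the SPN the WinRM client would request for `host`, plus findings."""
    findings = []
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                                     # a hostname, as it should be
    else:
        findings.append("%s is an IP literal: the client would request HTTP/%s, "
                        "which no KDC registers (SPNs are built from hostnames); "
                        "put the DNS name in the inventory" % (host, host))
        return {"spn": None, "realm": None, "findings": findings}
    realm = realm_for_host(host, conf["domain_realm"])
    if realm is None:
        # Simplification (assumption): use default_realm when no tag matches.
        realm = conf["libdefaults"].get("default_realm")
        findings.append("no [domain_realm] tag covers %s (a tag needs a leading dot "
                        "to cover a whole domain); falling back to default_realm %s"
                        % (host, realm))
    if realm is None:
        findings.append("no default_realm either; add a '.domain = REALM' tag")
    elif "kdc" not in conf["realms"].get(realm, {}):
        findings.append("realm %s has no [realms] block with a kdc line" % realm)
    spn = "HTTP/%s@%s" % (host, realm) if realm else "HTTP/%s" % host
    return {"spn": spn, "realm": realm, "findings": findings}


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for target in ("172.17.56.66", "swin02.fr.com"):
        result = check_target(target, conf)
        print(target, "->", result["spn"])
        for finding in result["findings"]:
            print("   !", finding)
```

Run against the sample, the IP target is rejected outright (the "Server not found in Kerberos database" case), while swin02.fr.com is not covered by the dot-less `fr.com` tag and falls back to EMEAD.COM, giving HTTP/swin02.fr.com@EMEAD.COM; point `parse_krb5_conf` at the real /etc/krb5.conf and the inventory hostnames to run the same check on a live setup. WinRM uses the HTTP service class for its SPN even when the endpoint is HTTPS on port 5986.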

Great, I’m glad this is working. Setting up Kerberos is fiddly, but once it’s done you probably won’t have to touch it again, and you can immediately start doing a lot of things with a lot of Windows boxes.

Jon