kerberos: the python kerberos library is not installed

I am trying to authenticated to windows servers using "Kerberos” , but I am getting an error as “kerberos: the python kerberos library is not installed”. The basic authentication to the windows servers works well. Kerberos is installed and i cant authentication to the domain using kinit.

[ansible@NBP-HO7-Ansible01 windows]$ ansible all -i inventory -m win_ping -vvv
ansible 2.9.4
config file = None
configured module search path = [‘/home/ansible/.ansible/plugins/modules’, ‘/usr/share/ansible/plugins/modules’]
ansible python module location = /home/ansible/.local/lib/python3.6/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.6.8 (default, Aug 7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
No config file found; using defaults
host_list declined parsing /home/ansible/ansible/windows/inventory as it did not pass its verify_file() method
script declined parsing /home/ansible/ansible/windows/inventory as it did not pass its verify_file() method
auto declined parsing /home/ansible/ansible/windows/inventory as it did not pass its verify_file() method
Parsed /home/ansible/ansible/windows/inventory inventory source with ini plugin
META: ran handlers
Using module file /home/ansible/.local/lib/python3.6/site-packages/ansible/modules/windows/win_ping.ps1
Pipelining is enabled.
<10.9.1.5> ESTABLISH WINRM CONNECTION FOR USER: ansible@DOMAIN.COM on PORT 5986 TO 10.9.1.5
10.9.1.5 | UNREACHABLE! => {
“changed”: false,
“msg”: “kerberos: the python kerberos library is not installed”,
“unreachable”: true
}

[ansible@NBP-HO7-Ansible01 windows]$

[ansible@NBP-HO7-Ansible01 windows]$ ^C

[ansible@NBP-HO7-Ansible01 windows]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: ansible@DOMAIN.COM
Valid starting Expires Service principal
01/27/2020 14:04:59 01/28/2020 00:04:59 krbtgt/DOMAIN.COM@DOMAIN.COM
renew until 02/03/2020 14:04:50

[ansible@NBP-HO7-Ansible01 windows]$ ^C

[ansible@NBP-HO7-Ansible01 windows]$ cat group_vars/windows.yml

ansible_user: ansible@Domain.COM

ansible_password: xxxxxxx

#ansible_port: 5986

ansible_connection: winrm

ansible_winrm_server_cert_validation: ignore

ansible_winrm_transport: kerberos

[ansible@NBP-HO7-Ansible01 windows]$

Required packages are installed as you can below from pip freeze output

ansible@NBP-HO7-Ansible01 windows]$ pip freeze
backports.ssl-match-hostname==3.5.0.1
certifi==2019.11.28
cffi==1.13.2
chardet==3.0.4
configobj==4.7.2
cryptography==2.8
decorator==3.4.0
enum34==1.1.6
futures==3.1.1
idna==2.8
iniparse==0.4
ipaddress==1.0.16
kerberos==1.3.0
kitchen==1.1.1
langtable==0.0.31
ntlm-auth==1.4.0
pan-python==0.16.0
pandevice==0.14.0
perf==0.1
pycparser==2.19
pycurl==7.19.0
pygobject==3.22.0
pygpgme==0.3
pykerberos==1.2.1
pyliblzma==0.5.3
python-augeas==0.5.0
python-linux-procfs==0.4.9
pyudev==0.15
pywinrm==0.4.1
pyxattr==0.5.1
PyYAML==3.10
requests==2.22.0
requests-kerberos==0.12.0
requests-ntlm==1.1.0
schedutils==0.4
six==1.9.0
slip==0.4.0
slip.dbus==0.4.0
urlgrabber==3.10
urllib3==1.25.8
xmltodict==0.12.0
yum-langpacks==0.4.2
yum-metadata-parser==1.1.4
You are using pip version 8.1.2, however version 20.0.1 is available.
You should consider upgrading via the ‘pip install --upgrade pip’ command

Have got both python 2.7 and 3.6 installed on the machine and 3.6 is default version ansible is being used, whereas the python 2.7 is used as default version on the machine requests-kerberos and pykerberos are installed only pip and pip3.

Any pointers on what can be done here?

Sinc pywinrm 0.4.0, requests-kerberos is not actually used so in your case we don’t really have to worry about that particular library in your pywinrm version. The pykerberos library is still required but it looks like you do have it there. Also you are saying you have both Python 2.7 and 3.6 installed, typically pip points to the 2.x install and pip3 is for Python 3.x (although that’s not always the case). You can run the following to test out what Python is actually being used and the installed libraries for that Python.

`
ANSIBLE_PYTHON=$(head -n 1 $(which ansible) | cut -c 3-)

echo $ANSIBLE_PYTHON
$ANSIBLE_PYTHON -m pip list
$ANSIBLE_PYTHON -c “import winrm; import kerberos”
`

The first step gets the shebang of ansible (#!/usr/bin/python), strips out the #1 part so we can determine what Python is set to execute Ansible. From there we echo the path so we know exactly what Python bin is being used. Finally it calls pip list for that Python then tries to import pywinrm and pykerberos which will tell you if it’s installed properly or not.

Thanks

Jordan

Ansible is default to python3

[ansible@NBP-HO7-Ansible01 windows]$ echo $ANSIBLE_PYTHON
/usr/bin/python3

And when I do pip list for pip3, kerberos doesnt get listed, its available only for pip 2. I did try to install using pip3 but just getting error as following

[ansible@NBP-HO7-Ansible01 windows]$ sudo pip3 install pykerberos
[sudo] password for ansible:
WARNING: Running pip install with root privileges is generally not a good idea. Try pip3 install --user instead.
Collecting pykerberos
Using cached https://files.pythonhosted.org/packages/9a/b8/1ec56b6fa8a2e2a81420bd3d90e70b59fc83f6b857fb2c2c37accddc8be3/pykerberos-1.2.1.tar.gz
Building wheels for collected packages: pykerberos
Running setup.py bdist_wheel for pykerberos … error
Complete output from command /usr/bin/python3 -u -c “import setuptools, tokenize;file=‘/tmp/pip-build-p2kyf16m/pykerberos/setup.py’;f=getattr(tokenize, ‘open’, open)(file);code=f.read().replace(‘\r\n’, ‘\n’);f.close();exec(compile(code, file, ‘exec’))” bdist_wheel -d /tmp/tmpb0iu64ibpip-wheel- --python-tag cp36:
running bdist_wheel
running build
running build_ext
building ‘kerberos’ extension
creating build
creating build/temp.linux-x86_64-3.6
creating build/temp.linux-x86_64-3.6/src
gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/usr/include/python3.6m -c src/kerberos.c -o build/temp.linux-x86_64-3.6/src/kerberos.o -DGSSAPI_EXT
src/kerberos.c:17:20: fatal error: Python.h: No such file or directory
#include <Python.h>
^
compilation terminated.
error: command ‘gcc’ failed with exit status 1

That’s telling you it can’t compile the pykerberos library, it’s trying to find headers that are not present. In this case you need the python3-devel package installed with yum/dnf. These headers are different from the Python 2 headers which is why you can install pykerberos in Python 2 and not 3. There may be other headers that are present but you just need to solve them 1 by 1.

Thanks

Jordan

After installing the python3-devel package, i was able to install the pykerberos successfully.

Now i am able to win_ping using the kerberos credentials.

Thanks