kerberos

Trying to get Kerberos to work. I got all the libraries and the krb5.conf file set up. I got a ticket from klist, but when I do win_ping

I get errors

ansible windows -i hosts -m win_ping
10.50.1.231 | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true
}
10.200.1.31 | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true
}

My group_vars file:

ansible_user: 'svcs@DOMAIN.COM'
ansible_port: 5985
ansible_connection: 'winrm'
ansible_winrm_server_cert_validation: 'ignore'
ansible_winrm_transport: 'kerberos'
ansible_become: false

Any idea?

OK, I got Kerberos working now, but only via port 5986.

why is that?

Kerberos is highly dependent on DNS working. With Kerberos the client builds an SPN in the format 'HTTP/, in your case that will be 'HTTP/10.50.1.231'. Active Directory only creates automatic SPNs using the DNS name of a host, i.e. 'HTTP/hostname.domain.com', so that's the SPN that needs to be specified by the Ansible client for Kerberos auth to work.

TL;DR: you can do one of the following, in order of preference:

  • Connect to Ansible using the FQDN of the host and not the IP. This will construct the proper SPN.
  • Continue connecting using the IP but set 'ansible_winrm_kerberos_hostname_override: '
  • Create the SPN in AD for 'HTTP/' for the host you are connecting to.

The first option is really the only sane way going forward, as you don't need to maintain 2 sets of data for the Windows host. If you have Kerberos set up correctly in your org then DNS should work just fine and you don't have to worry about IP addresses at all.
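To make the SPN reasoning above concrete, here is a small inventory pre-flight check written for this thread; it is an added example, not code from the original posts or from Ansible/pywinrm. It models how the WinRM client derives the SPN it requests from the KDC ('HTTP/' followed by the inventory host, or by ansible_winrm_kerberos_hostname_override when that is set, which this example assumes carries the host's DNS name) and flags hosts whose SPN would be IP-based, since AD only registers SPNs for DNS names automatically. The inventory, the example.com domain and the host names are constructed for illustration.

```python
import ipaddress
from typing import Dict, List

# Constructed sample inventory (not from the thread): two hosts reached by IP,
# one of them with the override set, and one host reached by its FQDN.
SAMPLE_HOSTS: Dict[str, Dict[str, str]] = {
    "10.50.1.231": {},
    "10.200.1.31": {"ansible_winrm_kerberos_hostname_override": "web02.example.com"},
    "web03.example.com": {},
}

# Default Kerberos service class used by the WinRM client for its SPN.
SERVICE_CLASS = "HTTP"


def is_ip_literal(host: str) -> bool:
    """True if the inventory host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def kerberos_spn(host: str, hostvars: Dict[str, str]) -> str:
    """Return the SPN the client will ask the KDC for.

    The target is the inventory host unless ansible_winrm_kerberos_hostname_override
    is set; this example assumes the override holds the host's DNS name, which is
    how the answer above uses it for IP-based connections.
    """
    target = hostvars.get("ansible_winrm_kerberos_hostname_override", host)
    return f"{SERVICE_CLASS}/{target}"


def audit(hosts: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per host whose SPN AD would not have registered automatically.

    An IP literal in the SPN target means the KDC will answer
    'Server not found in Kerberos database', exactly the error in the thread.
    """
    findings: List[str] = []
    for host, hostvars in hosts.items():
        spn = kerberos_spn(host, hostvars)
        target = spn.split("/", 1)[1]
        if is_ip_literal(target):
            findings.append(
                f"{host}: SPN {spn} is IP-based; connect by FQDN or set "
                "ansible_winrm_kerberos_hostname_override to the host's DNS name"
            )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_HOSTS):
        print(line)
```

Run against the constructed inventory, only 10.50.1.231 is reported: 10.200.1.31 is saved by its override and web03.example.com already yields a DNS-based SPN. Pointing the same check at a real inventory's host/group variables before a playbook run catches the misconfiguration without a round trip to the KDC.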