Trying to get Kerberos to work. I got all the libraries and the krb5.conf file set up. I got a ticket from klist, but when I run win_ping I get errors:
ansible windows -i hosts -m win_ping
10.50.1.231 | UNREACHABLE! => {
"changed": false,
"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
"unreachable": true
}
10.200.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
"unreachable": true
}
Kerberos is highly dependent on DNS working. With Kerberos the client builds an SPN in the format 'HTTP/, which in your case will be 'HTTP/10.50.1.231'. Active Directory only creates automatic SPNs using the DNS name of a host, i.e. 'HTTP/hostname.domain.com', so that is the SPN that needs to be specified by the Ansible client for Kerberos auth to work.
TL;DR: you can do one of the following, in order of preference:
Connect to Ansible using the FQDN of the host and not the IP. This will construct the proper SPN.
Continue connecting using the IP but set 'ansible_winrm_kerberos_hostname_override: '.
Create the SPN in AD for 'HTTP/' for the host you are connecting to.
The first option is really the only sane way going forward as you don’t need to maintain 2 sets of data for the Windows host. If you have Kerberos set up correctly in your org then DNS should work just fine and you don’t have to worry about IP addresses at all.
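Added pre-flight check, not part of the original thread: it reads a small constructed INI inventory modelled on the two hosts above and reports the SPN each host would make the client request. It assumes the SPN is HTTP/<target>, where <target> is ansible_winrm_kerberos_hostname_override if set, otherwise ansible_host or the inventory hostname; hostnames, addresses and the srv2/srv4 variants are made up.

```python
import ipaddress

# Constructed sample inventory: the two IP hosts from the question, one
# host with the override applied, and one FQDN host whose ansible_host is
# an IP (assumed to behave like the IP hosts, since the SPN follows the
# connection target, not the inventory name).
SAMPLE_INVENTORY = """
[windows]
10.50.1.231
10.200.1.31 ansible_winrm_kerberos_hostname_override=srv2.corp.example.com
srv3.corp.example.com
srv4.corp.example.com ansible_host=10.200.1.34

[windows:vars]
ansible_connection=winrm
ansible_winrm_transport=kerberos
"""

OVERRIDE = "ansible_winrm_kerberos_hostname_override"


def parse_ini_hosts(text):
    """Return {inventory_hostname: {var: value}} from host lines of an INI inventory."""
    hosts, in_host_section = {}, True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            # [group:vars] / [group:children] sections contain no host lines
            in_host_section = ":" not in line
            continue
        if in_host_section:
            name, *pairs = line.split()
            hosts[name] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return hosts


def expected_spn(name, hostvars):
    """SPN the client asks the KDC for: HTTP/<override, else connection host>."""
    target = hostvars.get(OVERRIDE) or hostvars.get("ansible_host", name)
    return "HTTP/" + target


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_inventory(text):
    """Map each host to its SPN and whether that SPN is DNS-name based (AD auto-registers those)."""
    report = {}
    for name, hostvars in parse_ini_hosts(text).items():
        spn = expected_spn(name, hostvars)
        report[name] = {"spn": spn, "dns_name": not is_ip_literal(spn[len("HTTP/"):])}
    return report


if __name__ == "__main__":
    for name, r in check_inventory(SAMPLE_INVENTORY).items():
        fix = "" if r["dns_name"] else f"  <- use the FQDN, set {OVERRIDE}, or add this SPN in AD"
        print(f"{name:24} {r['spn']}{fix}")
```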