'No Kerberos credentials available' when executing tasks from a server that is not joined to AD.

Hi all,

I’m trying to use winrm to execute tasks on a windows server (after following the steps in http://docs.ansible.com/ansible/intro_windows.html). As a test I use the win_ping module. This works only when a Kerberos ticket is present beforehand.

Is it a requirement to have the Linux server be a member of the AD infrastructure? If so, then the only way to make this work from a control machine - without joining the domain - would be to run a kinit from my playbook first, right? I found several similar cases but none mention if AD membership is a ‘hard’ requirement.

** INFO **
rpm -qa | grep -E "ansible|python-devel|krb5-devel|krb5-libs|krb5-workstation|python-kerberos" | sort
ansible-2.0.2.0-1.el7.noarch
krb5-devel-1.13.2-12.el7_2.x86_64
krb5-libs-1.13.2-12.el7_2.x86_64
krb5-workstation-1.13.2-12.el7_2.x86_64
python-devel-2.7.5-34.el7.x86_64
python-kerberos-1.1-15.el7.x86_64

pip list | grep winrm
pywinrm (0.1.1)

** WORKS **
kinit domain-user@AD-DOMAIN

klist
Ticket cache: KEYRING:persistent:0:0
Default principal: domain-user@AD-DOMAIN

Valid starting Expires Service principal
06/07/2016 11:26:20 06/07/2016 21:26:20 krbtgt/AD-DOMAIN@AD-DOMAIN
renew until 06/14/2016 11:26:20

ansible -m win_ping windows-server.ad-domain
windows-server.ad-domain | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

** DOESN’T WORK **
kdestroy -A

ansible -m win_ping windows-server.ad-domain -vvvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<windows-server.ad-domain> ESTABLISH WINRM CONNECTION FOR USER: domain-user@AD-DOMAIN on PORT 5986 TO windows-server.ad-domain
<windows-server.ad-domain> WINRM CONNECT: transport=kerberos endpoint=https://windows-server.ad-domain:5986/wsman
<windows-server.ad-domain> WINRM CONNECTION ERROR: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 134, in _winrm_connect
    protocol.send_message('')
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 269, in send_message
    krb_ticket = KerberosTicket(self.krb_service)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 205, in __init__
    kerberos.authGSSClientStep(krb_context, '')
GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))

windows-server.ad-domain | FAILED! => {
    "failed": true,
    "msg": "kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))"
}

Regards,
Willem

Hi Willem, this is (for now) by design.

Matt is working on (or at least planning to work on) automatically invoking kinit behind the scenes to automatically get a Kerberos ticket if needed, but for now, that has to be present. You could probably use a local_action to make sure one exists on the control node before executing the windows part of your playbook.

Hi Trond,

Thanks for the confirmation. So, as it is already planned I take it there’s no need to file a feature request?

Regards,
Willem.

Hi,
Nope, that’s work in progress afaik.

For people running into the same problem, this is (more or less) the playbook I use :

- hosts: all
  tasks:
    - name: Install prerequisite software (using yum)
      yum:
        enablerepo: epel
        update_cache: yes
        name: "{{ item }}"
        state: present
      with_items:
        - python-pip
        - python-ptyprocess
      delegate_to: localhost

    - name: Uninstall old pexpect package (using yum)
      yum:
        name: pexpect
        state: absent
      delegate_to: localhost

    - name: Install prerequisite software (using pip)
      pip:
        name: pexpect
        version: 3.3
        state: present
      delegate_to: localhost

    - name: Check for presence of Kerberos ticket
      command: /usr/bin/klist
      register: klist_result
      changed_when: no
      ignore_errors: yes
      delegate_to: localhost

    - name: Request Kerberos ticket if none present
      expect:
        command: /usr/bin/kinit domain-user@AD-DOMAIN
        responses:
          '(?i)password': domain-user-password
      changed_when: no
      when: klist_result.rc != 0
      delegate_to: localhost

The first task installs prerequisite software for the expect module using RPMs from EPEL. The version of pexpect (another prerequisite) that the Red Hat and CentOS RPMs provide is too old for Ansible, so we uninstall this in the second task. The third task installs the required version of pexpect using pip. The third and fourth tasks actually deal with requesting a Kerberos ticket granting ticket when it is not present.

Regards,
Willem.
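As an added example (not from Willem's post and not Ansible's own documentation), here is a variant of the same ticket-acquisition play that avoids answering the kinit password prompt from the playbook: it tests ticket validity with `klist -s`, obtains the TGT non-interactively from a keytab, keeps the kinit task out of the logs, and then runs win_ping over the Kerberos transport. The keytab path, the principal ansible-svc@AD-DOMAIN and the inventory group name "windows" are assumed placeholders.

```yaml
# Added example, not part of the original thread. Assumed placeholders:
# /etc/ansible/ansible-svc.keytab, ansible-svc@AD-DOMAIN, inventory group "windows".
# Needs the same krb5-workstation / python-kerberos / pywinrm packages as above.
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    krb_principal: ansible-svc@AD-DOMAIN
    krb_keytab: /etc/ansible/ansible-svc.keytab
  tasks:
    # klist -s is silent and exits non-zero when the cache is missing or when
    # every ticket in it has expired, so an expired TGT is renewed too.
    - name: Check for a valid (non-expired) Kerberos ticket
      command: /usr/bin/klist -s
      register: klist_result
      changed_when: no
      failed_when: no

    # kinit -kt takes the key from the keytab: no password prompt, no expect
    # module, and no cleartext password in the playbook or in process arguments.
    - name: Obtain TGT from keytab if no valid ticket is present
      command: /usr/bin/kinit -kt {{ krb_keytab }} {{ krb_principal }}
      when: klist_result.rc != 0
      changed_when: no
      no_log: yes

- hosts: windows
  gather_facts: no
  vars:
    ansible_connection: winrm
    ansible_port: 5986
    ansible_winrm_transport: kerberos
    ansible_user: ansible-svc@AD-DOMAIN
  tasks:
    - name: Verify WinRM connectivity over Kerberos
      win_ping:
```

A keytab is a credential equivalent for that principal, so it belongs on the control node only, owned by the account that runs Ansible with mode 0600, and the principal should be a dedicated service account with only the rights the Windows tasks need.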

Depending on what you’re doing, NTLM might be a better fit for you (install pywinrm>=0.2.0, set ansible_winrm_transport=ntlm and specify ansible_user/ansible_password).

Automatic ticket management in pywinrm/our connection plugin is definitely on my list of “things I wish we could do”, but it’s tentatively slated for 2.3 (2 releases out).

Docs are forthcoming for all that stuff- I wanted to wait until the new pywinrm bits were actually released before publishing doc updates on NTLM; they released a couple days ago.

Just tried pywinrm 0.2rc6. Both ansible_winrm_transport=ntlm and ansible_winrm_transport=kerberos work fine. Thanks!