pywinrm GSSError: No Kerberos credentials available

(Sorry, because I know this has been asked a bunch of times, because I’ve found a bunch of threads on it, but nothing yet has seemed to help.)

I am trying to connect to a Windows Server 2012 R2 instance on Rackspace (authed w/ RSA key, in case that's relevant). Since I have a domain account, my understanding is that I must use Kerberos authentication. I keep getting the same error, using either port 5985 or 5986:

```
ESTABLISH WINRM CONNECTION FOR USER:  on PORT 5985 TO !REMOVED!
WINRM CONNECT: transport=kerberos endpoint=http://!REMOVED!:5985/wsman

!REMOVED! | FAILED => Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/ansible/runner/__init__.py", line 582, in _executor
    exec_rc = self._executor_internal(host, new_stdin)
  File "/usr/lib/pymodules/python2.7/ansible/runner/__init__.py", line 785, in _executor_internal
    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
  File "/usr/lib/pymodules/python2.7/ansible/runner/__init__.py", line 964, in _executor_internal_inner
    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
  File "/usr/lib/pymodules/python2.7/ansible/runner/connection.py", line 52, in connect
    self.active = conn.connect()
  File "/usr/lib/pymodules/python2.7/ansible/runner/connection_plugins/winrm.py", line 140, in connect
    self.protocol = self._winrm_connect()
  File "/usr/lib/pymodules/python2.7/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
    protocol.send_message('')
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 190, in send_message
    return self.transport.send_message(message)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 219, in send_message
    krb_ticket = KerberosTicket(self.krb_service)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 166, in __init__
    kerberos.authGSSClientStep(krb_context, '')
GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))
```

I was debugging all the Ansible (1.9.2) python code (from runner/__init__.py to connection_plugins/winrm.py) and it was successfully parsing my username like 'USER@DOMAIN' and my realm as "DOMAIN", but, as you can see from the first line of the above, the "vvv" output showed a blank username. I don't know if that's relevant, but it's worth noting. When I opened up the pywinrm file dist-packages/winrm/transport.py, I was alarmed and amused to see:

```
# pywinrm winrm/transport.py, lines 164-170 (the surrounding import and
# class header are shown so the snippet reads as a complete unit)
import kerberos


class KerberosTicket(object):
    def __init__(self, service):
        # one-shot GSSAPI client step: needs a TGT in the credentials cache
        ignored_code, krb_context = kerberos.authGSSClientInit(service)
        kerberos.authGSSClientStep(krb_context, '')
        # TODO authGSSClientStep may raise following error:
        # GSSError: (('Unspecified GSS failure.
        #   Minor code may provide more information', 851968),
        #   ("Credentials cache file '/tmp/krb5cc_1000' not found", -1765328189))
```

I realize this is not an Ansible issue, at this point, but I am reeling trying to figure out why I cannot connect. I have found a few posted “fixes” and “suggestions”, but they have not helped me so far.
Incidentally, I tried changing my ansible_ssh_user from ‘USER@DOMAIN’ to ‘USER’ to try connecting without kerberos and got the following:

With ansible_ssh_port: 5985:

```
ESTABLISH WINRM CONNECTION FOR USER: !REMOVED! on PORT 5985 TO !REMOVED!
WINRM CONNECT: transport=plaintext endpoint=http://!REMOVED!:5985/wsman
WINRM CONNECTION ERROR: 401 Unauthorized. basic auth failed
WINRM CONNECT: transport=plaintext endpoint=https://!REMOVED!:5985/wsman
WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
```

With ansible_ssh_port: 5986:

```
ESTABLISH WINRM CONNECTION FOR USER: !REMOVED! on PORT 5986 TO !REMOVED!
WINRM CONNECT: transport=plaintext endpoint=https://!REMOVED!:5986/wsman
WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 104] Connection reset by peer

!REMOVED! | FAILED => 500 WinRMTransport. [Errno 104] Connection reset by peer
```

On the target host, I have run the ConfigureRemotingForAnsible.ps1 script, added my domain account to the WinRM group, and get the following winrm command-line output:

```
C:\Users\!REMOVED!>winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 1800000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        !REMOVED!
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 10
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 25
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 30
```

Does anyone have any ideas??

I think you need to set up your Ansible controller as a Kerberos client. Your Ansible box needs to know how to talk to your Windows domain controllers. Assuming you have pykerberos installed, you probably already have the command-line Kerberos tools installed.

I suggest you configure your /etc/krb5.conf so that your domain is listed and your domain controllers are listed too. Once that's done you can probably test the Ansible connection again, or try the command line like this:

```
kinit domain_user@FULLY.QUALIFIED.DOMAIN.NAME
```

Note that the domain name needs to be in upper case.

You can use klist to show if you have any Kerberos credentials cached.
Hope that's enough to get you started.

Jon

In fact I did not have pykerberos installed! I had tried installing a while ago via "pip install kerberos" (no "py") to no avail, and, at some point, installed libkrb5-dev, thinking it would suffice. Well, TIL!

Incidentally, now that I have that installed and have run the kinit command, I am at least getting more meaningful error messages like GSSError:…Cannot find KDC for realm “MAIN”, which is much better.
I think I can take it from here. Just need to get more info from my company about how to configure my machine to talk to its infrastructure. Thanks a bunch!

I should have perhaps made it clear that you'll need to know and use the full domain name, rather than the NetBIOS name, so instead of user@MAIN it probably needs to be something like user@MAIN.YOURDOMAIN.COM or such.

Ask your administrators for the primary and secondary domain controller names of the domain or domains you need to connect to.

One other thing, you’ll need to make sure your ansible controller clock is pretty close to synchronised with your domain controllers, otherwise you’ll get ‘clock skew too great’ messages instead of authorising.

Hope this helps.

Jon
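The two replies above describe one procedure: list the realm and its KDCs in /etc/krb5.conf, use the fully qualified, upper-case realm rather than the NetBIOS name, get a TGT with kinit, confirm it with klist, and keep the controller clock within the KDC's tolerance. The script below is an added example that is not part of this thread and not Ansible's or pywinrm's own code; it assumes the hypothetical realm MAIN.EXAMPLE.COM, domain controllers dc1.example.com and dc2.example.com, and a domain user USER. The file-writing and checking functions run offline against a temporary file; the `preflight` function is the part you would actually run on a controller that has krb5-user and pykerberos installed.

```shell
#!/bin/sh
# Added example (not from the thread): Kerberos pre-flight for an Ansible
# controller. Hypothetical values: realm MAIN.EXAMPLE.COM, KDCs dc1/dc2.example.com.
LC_ALL=C; export LC_ALL

# Realm part of a principal such as USER@MAIN.EXAMPLE.COM.
realm_of() {
    printf '%s\n' "${1##*@}"
}

# A usable realm is the fully qualified AD domain in upper case: neither the
# NetBIOS short name (MAIN, which gives "Cannot find KDC for realm") nor a
# lower-case spelling (realm names are case-sensitive).
check_realm() {
    realm="$1"
    case "$realm" in
        *[a-z]*) echo "realm '$realm' must be upper case" >&2; return 1 ;;
        *.*)     ;;
        *)       echo "realm '$realm' looks like a NetBIOS name; use the FQDN" >&2; return 1 ;;
    esac
    return 0
}

# Write a minimal krb5.conf: default realm, its KDCs, and the domain_realm
# mapping so hosts in that DNS domain are looked up in the right realm.
# clockskew is the tolerance (seconds) before "clock skew too great".
write_krb5_conf() {
    out="$1"; realm="$2"; shift 2
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    {
        printf '[libdefaults]\n    default_realm = %s\n    dns_lookup_kdc = false\n    clockskew = 300\n\n' "$realm"
        printf '[realms]\n    %s = {\n' "$realm"
        for kdc in "$@"; do printf '        kdc = %s\n' "$kdc"; done
        printf '        admin_server = %s\n    }\n\n' "$1"
        printf '[domain_realm]\n    .%s = %s\n    %s = %s\n' "$lower" "$realm" "$lower" "$realm"
    } > "$out"
}

# Succeeds only if the [realms] section names the realm with at least one kdc line.
check_krb5_conf() {
    conf="$1"; realm="$2"
    awk -v realm="$realm" '
        /^\[/                                               { section = $0 }
        section == "[realms]" && $1 == realm && $2 == "="   { inrealm = 1; next }
        inrealm && /^[[:space:]]*}/                         { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" && $3 != ""     { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$conf"
}

# Full check on a real controller: realm sanity, krb5.conf, pykerberos
# importable by the interpreter Ansible runs under, a fresh TGT, and a
# cached-ticket check. Keep the controller NTP-synced as well; the KDC rejects
# requests whose timestamp is outside its clockskew window.
preflight() {
    principal="$1"
    realm=$(realm_of "$principal")
    check_realm "$realm" || return 1
    check_krb5_conf /etc/krb5.conf "$realm" || { echo "no kdc for $realm in /etc/krb5.conf" >&2; return 1; }
    python -c 'import kerberos' 2>/dev/null || { echo "pykerberos not importable" >&2; return 1; }
    kinit "$principal" || return 1   # prompts for the domain password
    klist -s                         # exit 0 only when a valid TGT is cached
}

if [ "${1:-}" = run ]; then
    preflight USER@MAIN.EXAMPLE.COM
fi
```

Invoke it as `sh krb_preflight.sh run` on the controller once /etc/krb5.conf is in place; each failing step names what is missing, which is more useful than the bare "No Kerberos credentials available" from the GSSAPI layer. One unrelated caveat from the `winrm get winrm/config` output in the question: the service side has `AllowUnencrypted = true`, so requests on the HTTP listener (5985) whose bodies are not otherwise protected travel in the clear; prefer the HTTPS listener on 5986 where you can.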

Thanks again, Jon. I actually did infer that that’s what you meant by F.Q.D.N. but it does warrant explicit mention.