Server not found in Kerberos Database

Control Node:

  • CentOS 7

  • Ansible 2.1

  • pywinrm version from May 19th, 2016

Remote Node:

  • Windows 7

  • PowerShell 3

I’m having trouble connecting to my remote node with kerberos. I have carefully followed all the instructions from the Ansible Docs website. When I run “klist” it shows a kerberos-ticket-getting-ticket so I know it is working that far. But then when I run win_ping, I get the error message below. Can I assume all AD accounts are in the Kerberos Database or do they need to be added somehow? Otherwise how can I fix this?

$ cat windows.yml

Is both your user and your computer named “ADS-6999”?

Yes, they are the same. Is that a problem? I could make a new account local or domain.

Probably not. First, make sure you specify ansible_user: ads-6999 including the realm, so ansible_user: ads-6999@acme.com. Not sure if that has any effect, but still. If that fails, I’d create a new user with a different name from the node to see if that helps.

Hi,

I think I have the exact same problem.
Running ansible 2.1.1.0-1.el7 on CentOS 7.2.1511

Here is an example of ansible command output:

```
[alfkla@webdmz.no@tvm-alfkla ~]$ ansible -i hosts TVM-ALF2012R2 -m win_ping -vvvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<192.168.4.225> ESTABLISH WINRM CONNECTION FOR USER: alfkla@WEBDMZ.NO on PORT 5985 TO 192.168.4.225
<192.168.4.225> WINRM CONNECT: transport=kerberos endpoint=http://192.168.4.225:5985/wsman
<192.168.4.225> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", line 151, in winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 170, in send_message
    prepared_request = self.session.prepare_request(request)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 394, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 298, in prepare
    self.prepare_auth(auth, url)
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 500, in prepare_auth
    r = auth(self)
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 318, in __call__
    auth_header = self.generate_request_header(None, host, is_preemptive=True)
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 158, in generate_request_header
    raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
KerberosExchangeError: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))

TVM-ALF2012R2 | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true
}
```

The kerberos ticket is ok:

```
[alfkla@webdmz.no@tvm-alfkla ~]$ klist
Ticket cache: KEYRING:persistent:1015602603:1015602603
Default principal: alfkla@WEBDMZ.NO

Valid starting       Expires              Service principal
20. okt. 2016 13:06  20. okt. 2016 23:06  krbtgt/WEBDMZ.NO@WEBDMZ.NO
        renew until 27. okt. 2016 13:06
```

The inventory is like this:

```
[alfkla@webdmz.no@tvm-alfkla ~]$ grep ^TVM-ALF2012R2 hosts
TVM-ALF2012R2 ansible_host=192.168.4.225 ansible_user=alfkla@WEBDMZ.NO ansible_password=xXxXxXxXx ansible_port=5985 ansible_connection=winrm ansible_winrm_transport=kerberos ansible_winrm_kerberos_delegation=yes
```

Any clue why this happens?

All help will be highly appreciated! :o)

Kind regards,

Alf Normann Klausen

Kerberos is highly dependent on DNS and name->realm mapping; you need to use the host’s FQDN, not its IP, unless you’ve hacked up your krb5.conf and DNS infra significantly to support that.

Wow, I replaced the IP address in variable ansible_host= with the FQDN:

```
[alfkla@webdmz.no@tvm-alfkla ~]$ grep ^TVM-ALF2012R2 hosts
TVM-ALF2012R2 ansible_host=TVM-ALF2012R2.WEBDMZ.NO ansible_user=alfkla@WEBDMZ.NO ansible_password=xXxXxXx ansible_port=5985 ansible_connection=winrm ansible_winrm_transport=kerberos ansible_winrm_kerberos_delegation=yes
[alfkla@webdmz.no@tvm-alfkla ~]$
```

And now it works!

```
[alfkla@webdmz.no@tvm-alfkla ~]$ ansible -i hosts TVM-ALF2012R2 -m win_ping
TVM-ALF2012R2 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[alfkla@webdmz.no@tvm-alfkla ~]$
```

Thanks a million Matt Davis!!! :o)

Kind regards,
Alf Norman Klausen
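The FQDN-versus-IP point from the exchange above, as an added example that is not part of the original thread: a small inventory check that flags WinRM hosts using the Kerberos transport whose connection target is an IP literal. Flagging short (non-dotted) names as well, the function name `check_inventory`, and the host names `TVM-FIXED`, `web01` and `legacy` are assumptions of this sketch.

```python
import ipaddress
import shlex

# Constructed sample: the before/after inventory lines from the thread
# (password omitted) plus hypothetical hosts TVM-FIXED, web01 and legacy.
SAMPLE_INVENTORY = """\
[windows]
TVM-ALF2012R2 ansible_host=192.168.4.225 ansible_user=alfkla@WEBDMZ.NO ansible_port=5985 ansible_connection=winrm ansible_winrm_transport=kerberos
TVM-FIXED ansible_host=TVM-ALF2012R2.WEBDMZ.NO ansible_user=alfkla@WEBDMZ.NO ansible_port=5985 ansible_connection=winrm ansible_winrm_transport=kerberos
web01 ansible_connection=winrm ansible_winrm_transport=kerberos
legacy ansible_host=192.168.4.10 ansible_connection=winrm ansible_winrm_transport=ntlm
"""


def is_ip_literal(value):
    """True for IPv4/IPv6 literals, which carry no host name to map to a realm."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False


def check_inventory(text):
    """Return (host, problem, target) for Kerberos WinRM hosts not addressed by FQDN."""
    findings = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens or tokens[0].startswith("["):
            continue  # blank line, comment, or [group] header
        name = tokens[0]
        host_vars = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        transports = host_vars.get("ansible_winrm_transport", "").lower().split(",")
        if "kerberos" not in transports:
            continue  # only the Kerberos transport depends on the service name
        # Ansible connects to ansible_host when set, otherwise to the inventory name.
        target = host_vars.get("ansible_host", name)
        if is_ip_literal(target):
            findings.append((name, "ip-literal", target))
        elif "." not in target.strip("."):
            findings.append((name, "short-name", target))
    return findings


if __name__ == "__main__":
    for host, problem, target in check_inventory(SAMPLE_INVENTORY):
        print("%s: %s (%s)" % (host, problem, target))
```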

Hi skinnedknuckles,

Does it work for you now? I am getting the same error message.

```
Server_Name | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true
}
```

-Krishan

I never got Kerberos to work. I ended up using SSL instead.