Hi Ansible Community. I’ve been struggling with an issue I’ve actually posted about here before. It’s more of an annoyance than anything, but I’d really love to get past it, as I’m trying to demo infrastructure as code to my org.
I have a playbook that spins up a new VM using the `vmware_guest` module and then adds the new host to a staging group. The machine credential the playbook uses is a domain account that is a member of the Domain Admins group.
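For reference, the provisioning portion looks roughly like this (vCenter hostname, VM name, template, and group names below are placeholders, not my real environment):

```yaml
- name: Provision a new VM and stage it
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Clone the VM from a Windows template   # placeholder values throughout
      vmware_guest:
        hostname: vcenter.internal.domain.com
        username: "{{ vcenter_user }}"
        password: "{{ vcenter_pass }}"
        validate_certs: false
        datacenter: DC1
        name: webserver
        template: win2016-template
        state: poweredon
        wait_for_ip_address: true

    - name: Add the new host to the staging group for the remaining plays
      add_host:
        name: webserver.internal.domain.com
        groups: staging
```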
The weird part: the first time the playbook runs, the first task after `vmware_guest` that actually connects to the new host fails with a Kerberos error:
```
fatal: [webserver.internal.domain.com]: UNREACHABLE! => {"changed": false, "msg": "kerberos: the specified credentials were rejected by the server", "unreachable": true}
```
The even weirder part: if I run the playbook again, it gets through a few of the tasks it failed on before, but then fails again with the same error a few tasks in. By the third or fourth run, I can eventually run the playbook in its entirety without error.
I’ve done a LOT of troubleshooting on this and I can’t figure out why it doesn’t work on the first run.
Here are some things I’ve checked:
- I can RDP into the server with the same domain admin credentials the playbook is using, right around the time Ansible gets the Kerberos failure
- I can `Enter-PSSession` to the host at the same time the playbook gets the Kerberos failure
- I’ve confirmed that the WSMan SPN is on the computer object in AD and has replicated by the time the Kerberos issue happens
- I’ve checked the RootSDDL and plugin SDDLs on the Win2016 template I’m using (via `winrm e winrm/config/plugin -format:pretty` and `winrm get winrm/config`); the BUILTIN\Administrators group appears to have full access to the RootSDDL and the PowerShell plugins
- I’ve confirmed that both forward and reverse DNS entries exist for the new host in internal.domain.com
- I’ve checked that krb5.conf on the Tower machine has `rdns` set to `false`
- I’ve confirmed that time is in sync between the new host, the Tower host, and the domain controllers
- I’ve reviewed the GPOs affecting the new host and ruled out any settings that might interfere with Kerberos/WinRM
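One stopgap I’ve considered is retrying the first contact with `wait_for_connection` before any real tasks run, roughly like this (group name is a placeholder, timings arbitrary), though I’d much rather understand the root cause than paper over it:

```yaml
- name: Configure the new host
  hosts: staging
  gather_facts: false
  tasks:
    - name: Wait for WinRM/Kerberos auth to start succeeding
      wait_for_connection:
        delay: 30
        sleep: 15
        timeout: 600
```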
I did notice that krb5.conf on my Tower box is configured for the IDM.internal.domain.com realm, whereas my Windows domain is actually just internal.domain.com; my Linux team is in the process of rolling out centralized auth with IdM. I’m not sure whether that has something to do with it, but auth does seem to work once the ‘weird’ issues above go away.
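For completeness, the relevant parts of krb5.conf on the Tower box look approximately like this (realm names as described above; the KDC hostname is a placeholder):

```ini
[libdefaults]
  default_realm = IDM.INTERNAL.DOMAIN.COM
  rdns = false

[realms]
  INTERNAL.DOMAIN.COM = {
    kdc = dc1.internal.domain.com
  }

[domain_realm]
  .internal.domain.com = INTERNAL.DOMAIN.COM
  internal.domain.com = INTERNAL.DOMAIN.COM
```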
If anyone has any other ideas, they would be greatly appreciated.