Discussion:
[ansible-project] how to set up kerberos
Guillaume Querso
2015-07-16 15:54:58 UTC
Hi all!

I am currently using Ansible 1.9.2 on a RHEL 6 server. What I would like is
to connect to a Windows 2008 R2 server via Kerberos to be able to use
domain accounts.

- What I did: created a ticket on the Linux server for the domain account
concerned. Synchronized the clocks.
- What is not working: I get a 401 unauthorized access when I try
to run a playbook.

Do you know what I am missing?
Thanks for your help on this!

Guillaume Q
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+***@googlegroups.com.
To post to this group, send email to ansible-***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/38f7125f-0d55-42be-b964-03b948075e4b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
J Hawkesworth
2015-07-16 20:25:18 UTC
Have you installed pykerberos?

Also, use klist to check that the TGT is for the user and domain you
expect.

Be aware that the domain name seems to need to be in upper case, so

kinit ***@MY.DOMAIN.COM

not

kinit ***@my.domain.com

Also, make sure you have patched Windows Server 2008 R2, as per this
advice on http://docs.ansible.com/intro_windows.html#windows-system-prep

"On Windows 7 and Server 2008 R2 machines, due to a bug in Windows
Management Framework 3.0, it may be necessary to install this hotfix
http://support.microsoft.com/kb/2842230 to avoid receiving out of memory
and stack overflow exceptions. Newly-installed Server 2008 R2 systems which
are not fully up to date with windows updates are known to have this issue."

I recommend running your ansible-playbook -vvvvv to see the connection
debugging information if it still fails.
Also try running eventvwr on the Windows machine and checking whether there
are any logon events in Windows Logs -> Security.

Hope this helps.

If you discover anything that helps please reply so we can provide more
information in the documentation.

Jon
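
Added example (not part of the original post or of Ansible): a POSIX shell check for the klist advice above, confirming that the cached ticket is for the expected principal, that its realm is upper case, and that a TGT for that realm is present. The account name `svc_ansible` and the sample klist output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity-checks `klist` output before a
# Kerberos-authenticated ansible-playbook run.
# Real use:  klist | check_klist 'user@MY.DOMAIN.COM'

# Constructed sample of MIT klist output (account name is made up).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: svc_ansible@MY.DOMAIN.COM

Valid starting     Expires            Service principal
07/16/15 15:40:02  07/17/15 01:40:02  krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM'

# Print the default principal found in klist output on stdin.
klist_principal() {
    sed -n 's/^Default principal: *//p' | head -n 1
}

# check_klist EXPECTED_PRINCIPAL   (klist output on stdin)
# Returns: 0 ok, 1 missing or unexpected principal,
#          2 realm not upper case, 3 no TGT for the realm.
check_klist() {
    expected=$1
    out=$(cat)
    principal=$(printf '%s\n' "$out" | klist_principal)
    if [ -z "$principal" ]; then
        echo "no default principal: run kinit first"; return 1
    fi
    realm=${principal#*@}
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$upper" ]; then
        echo "realm '$realm' is not upper case: kinit again with @$upper"; return 2
    fi
    if [ "$principal" != "$expected" ]; then
        echo "ticket is for '$principal', expected '$expected'"; return 1
    fi
    if ! printf '%s\n' "$out" | grep -qF "krbtgt/$realm@$realm"; then
        echo "no krbtgt/$realm@$realm ticket in the cache"; return 3
    fi
    echo "ok: TGT for $principal"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" | check_klist 'svc_ansible@MY.DOMAIN.COM'
```
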
Guillaume Querso
2015-07-17 08:55:59 UTC
Pykerberos is installed on the server, and I have already requested a ticket
for the expected user and domain with the right syntax. The server is
running PowerShell 4 and I have checked that the encryption for the ticket
and the key is the same on both sides.
What I can see in eventvwr is that there is an "Unknown user name or
bad password" while they are right.

Do you have anything else in mind that could help? Or just ideas to
identify the problem? Can it be a proxy/firewall issue?
J Hawkesworth
2015-07-17 17:25:44 UTC
Seems unlikely to be a firewall issue if eventvwr is showing a failed login.

Is the Windows Server 2008 machine joined to the domain? If it isn't, it
won't know how to check with the domain controller that the
username/password are valid.
Guillaume Querso
2015-07-17 11:11:01 UTC
Hi, quick update for this topic:
apparently, we need to use Python 2.7.6 (the newest), otherwise Ansible
doesn't try Kerberos properly (you should have transport=kerberos in the
verbose output).

The problem is now the following:
I try to ping my Windows server but I get this message:

GSSError: ((\'Unspecified GSS failure. Minor code may provide more
information\', 851968), (\'Unknown credential cache type\',
-1765328244))\n', 'stdout': ''}


Thank you for your help!