I have set up my Ansible Tower and Windows Kerberos / Active Directory authentication as specified here. It is the same procedure explained in the official documentation too. For information, here is what I did:

  1. Installed the suggested Kerberos packages in the Ubuntu server
  2. Edited the configuration files as suggested

I could verify that my configuration is working fine by running the kinit command as suggested:

kinit -C username@DOMAIN.COM

The klist command, run after that, showed the expected information:

klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: username@DOMAIN.COM

Valid starting       Expires              Service principal
2016-05-03T10:59:04  2016-05-03T20:59:04  krbtgt/DOMAIN.COM@DOMAIN.COM
    renew until 2016-05-04T10:58:59

My Ansible Tower inventory contains just one VM, where under the variables in host properties I have specified the following details:

ansible_connection: winrm
ansible_port: "5986"
ansible_ssh_user: username@DOMAIN.COM

I suppose the password is not necessary since the ticket is obtained through the kinit command. I have tried adding the password above by specifying ansible_ssh_pass but that didn't help.

Now when I run the 'Job Template' it fails instantly with this message:

TASK [setup] *******************************************************************
fatal: [VM-NAME]: FAILED! => {"failed": true, "msg": "kerberos: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243)), plaintext: 401 Unauthorized."} 

How can I resolve this issue?

Chethan S.
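The failure in the question, as an added diagnostic that is not part of the original post: kinit stores the TGT in a per-user credential cache, by default FILE:/tmp/krb5cc_<uid> as the klist output above shows, and GSSAPI in the process that runs the play looks only in that process's own cache. The script below parses klist output and compares the cache owner with the account the job runs under. That the Tower job runs under a different Unix account than the one that ran kinit is an assumption here, not something the page states; the function names and the awx account name in the usage note are mine.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the original post) for the failure
#   "No Kerberos credentials available" / plaintext: 401 Unauthorized.
# kinit stores the TGT in a per-user cache, by default FILE:/tmp/krb5cc_<uid>
# as the question's klist output shows. GSSAPI in the process that runs the
# play looks only in that process's own cache. Assumption: the Tower job runs
# under a different Unix account than the one that ran kinit, so it cannot
# see /tmp/krb5cc_1000. The parsers take klist text so they can be checked
# offline; check_cache_for_job wraps them around a live klist/id run.

# Constructed copy of the klist output from the question.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: username@DOMAIN.COM

Valid starting       Expires              Service principal
2016-05-03T10:59:04  2016-05-03T20:59:04  krbtgt/DOMAIN.COM@DOMAIN.COM
    renew until 2016-05-04T10:58:59'

# Path of the credential cache (FILE: type only) named in klist output.
cache_path_from_klist() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache: FILE:\(.*\)$/\1/p'
}

# Principal the cache was obtained for.
principal_from_klist() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: \(.*\)$/\1/p'
}

# MIT's default cache name is /tmp/krb5cc_<uid>; recover the uid from it,
# print nothing for caches named some other way (e.g. through KRB5CCNAME).
uid_from_cache_path() {
    case "$1" in
        /tmp/krb5cc_[0-9]*) printf '%s\n' "${1#/tmp/krb5cc_}" | sed 's/_.*//' ;;
        *) ;;
    esac
}

# True when the cache holds a ticket-granting ticket.
has_tgt() {
    printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# Verdict: 0 if the cache described by $1 is usable by a job running as
# uid $2, 1 (with a reason) otherwise.
cache_usable_by_uid() {
    klist_text=$1
    job_uid=$2
    cache=$(cache_path_from_klist "$klist_text")
    [ -n "$cache" ] || { echo "BAD: no FILE: cache in klist output"; return 1; }
    has_tgt "$klist_text" || { echo "BAD: $cache holds no krbtgt ticket"; return 1; }
    owner=$(uid_from_cache_path "$cache")
    # Non-default name: fall back to the file's real owner when it exists.
    if [ -z "$owner" ] && [ -e "$cache" ]; then
        owner=$(stat -c %u "$cache" 2>/dev/null)
    fi
    if [ -n "$owner" ] && [ "$owner" != "$job_uid" ]; then
        echo "BAD: $cache belongs to uid $owner but the job runs as uid $job_uid;" \
             "expect 'No Kerberos credentials available'"
        return 1
    fi
    echo "OK: $cache ($(principal_from_klist "$klist_text")) is usable by uid $job_uid"
    return 0
}

# Live check on the Tower host: klist as the current user, compared with the
# account the job will run as (argument; defaults to the current user).
check_cache_for_job() {
    job_user=${1:-$(id -un)}
    job_uid=$(id -u "$job_user") || return 1
    klist_out=$(klist 2>/dev/null) || {
        echo "BAD: no cache for $(id -un); run kinit as $job_user or point KRB5CCNAME at a cache it can read"
        return 1
    }
    cache_usable_by_uid "$klist_out" "$job_uid"
}

if [ "$#" -gt 0 ]; then
    check_cache_for_job "$1"
fi
```

Run it on the Tower host as the user who did the kinit, passing the service account the job runs as (for example `./check_krb.sh awx`; that account name is an assumption). A BAD verdict means the job process will never see the interactive user's ticket: the kinit has to happen as the job's own account, or KRB5CCNAME has to point both processes at a cache that account can read.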

3 Answers

I have run into a similar issue with approx. 10% of the servers in my environment:

"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",

The cause of this was that there was a PTR record configured but it was incorrect, or there was a duplicate PTR record.

You can check this in bash via the host command or in PowerShell via Resolve-DnsName.

Example:

Check DNS Record

host {{ Server FQDN }}

Check Reverse DNS Record based on the output from previous DNS lookup:

host {{ Returned IP from Normal DNS lookup }}

Please note: No PTR Record is OK but an incorrect or duplicate PTR Record can cause issues.

Robert J

As remarked at https://medium.com/@ripon.banik/ansible-windows-domain-authentication-1531d1d256c3:

Make sure the Windows Host is joined to the Domain and ansible_host in the inventory is setup using FQDN of the host.

Normally I fill the inventory file out with IPs; changing this to the FQDN solved this issue for me.

Also, more info here: https://groups.google.com/g/ansible-project/c/tdDj4pabj30

Tom
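An added check covering both of the answers above (it is not from either answer): the client asks the KDC for the service principal HTTP/<name>, and the MIT Kerberos library canonicalizes that name through forward DNS and, with its default rdns setting, reverse DNS. The name comes from ansible_host, so an address in the inventory, a wrong PTR, or a second PTR produces an SPN the KDC does not know, which is the "Server not found in Kerberos database" error quoted above. The script resolves an inventory value forward, reverses the address, and reports whether the PTR data is absent (fine), consistent, wrong, or duplicated. It assumes dig (bind-utils/dnsutils) is installed; the function names and the sample domain in the usage note are mine.

```shell
#!/usr/bin/env bash
# Added DNS consistency check (not from either answer above). The client asks
# the KDC for the service principal HTTP/<name>, and the MIT Kerberos library
# canonicalizes <name> through forward and, with the default rdns=true, reverse
# DNS. The name comes from ansible_host, so an address in the inventory, a
# wrong PTR or a second PTR yields an SPN the KDC has never heard of:
# "Server not found in Kerberos database". Assumes dig (bind-utils/dnsutils)
# is installed; dig +short prints one record per line, which is easy to parse.

# Classify reverse-lookup results. $1 = expected FQDN, $2 = the address,
# $3 = PTR names returned for it, one per line (may be empty).
# Returns 0 when Kerberos can use the name, 1 when the PTR data will break it.
ptr_verdict() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    ip=$2
    ptrs=$(printf '%s\n' "$3" | tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d')
    count=$(printf '%s\n' "$ptrs" | sed '/^$/d' | wc -l | tr -d ' ')
    case "$count" in
        0)  echo "OK: $ip has no PTR record (acceptable)"
            return 0 ;;
        1)  if [ "$ptrs" = "$fqdn" ]; then
                echo "OK: $ip -> $ptrs matches"
                return 0
            fi
            echo "BAD: $ip reverses to '$ptrs', not '$fqdn' (SPN will not match)"
            return 1 ;;
        *)  echo "BAD: $ip has $count PTR records (duplicate PTRs):"
            printf '  %s\n' $ptrs
            return 1 ;;
    esac
}

# Resolve an inventory host value forward and back. Accepts an FQDN; with
# a bare address it can only list the PTR candidates, because the true name
# is exactly what is missing.
check_inventory_host() {
    case "$1" in
        *[!0-9.]*) fqdn=$1 ;;
        *)  echo "BAD: inventory uses the address $1; Kerberos needs a name. PTR candidates:"
            dig +short -x "$1"
            echo "set ansible_host to the host's real FQDN and rerun with that name"
            return 1 ;;
    esac
    ip=$(dig +short "$fqdn" A | grep -E '^[0-9.]+$' | head -n 1)
    [ -n "$ip" ] || { echo "BAD: $fqdn has no A record"; return 1; }
    ptr_verdict "$fqdn" "$ip" "$(dig +short -x "$ip")" || return 1
    echo "use ansible_host: $fqdn"
}

if [ "$#" -gt 0 ]; then
    check_inventory_host "$1"
fi
```

Run it from the Tower host, where the lookup that matters happens, with the name you intend to put in ansible_host (for example `./dns_check.sh vm.domain.com`, a constructed name). A BAD verdict means the offending PTR should be corrected or removed on the DNS side before anything is changed in Ansible; no PTR at all is acceptable, as the first answer notes.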

For any future lurkers to this issue... Set this as admin from a command prompt on your Windows client:

winrm set winrm/config/service '@{AllowUnencrypted="true"}'
josh