Nikhil,

I ran into many problems getting kerberos to work with ansible as well, but 
finally got it working.

First, ensure that you've obtained a valid kerberos ticket by running 
'klist' on the command line after running your kinit command. Please post 
that back here if you can.
Second, make sure your Linux box where you're running Ansible is registered 
on the same domain as the Windows server you are trying to connect to.
Third, your ansible_user domain needs to be in all CAPS like so 
user@DOMAIN.LOCAL

Let us know what you come up with.


-Joe



On Wednesday, February 3, 2016 at 7:56:27 AM UTC-8, Nikhil Shah wrote:
>
> I've tested kerberos following 
> http://docs.ansible.com/ansible/intro_windows.html#id9. I ran  
>
>  kinit user@DOMAIN.LOCAL  and it doesn't come back with anything but it 
> also doesn't come back with a failure. I also try inputting the wrong 
> password on purpose and it throws a "kinit: Preauthentication failed 
> while getting initial credentials" leading me to believe kerberos auth is 
> working fine...I don't understand why it's not using kerberos and using 
> "root" and plaintext. I even tried to set the 
> ansible_user/password/host/port in the hosts file for that inventory group. 
>
> On Wednesday, February 3, 2016 at 8:45:49 AM UTC-5, J Hawkesworth wrote:
>>
>> You have
>>
>> ansible_user: user@domain.local
>>
>> set, implying that you want to use a domain user.
>>
>> When you run, the following is shown:
>>
>> transport=plaintext endpoint=https://XXXXX:5986/wsman
>>
>> The transport needs to be kerberos to connect with a domain user.
>>
>> I suspect you are missing the python kerberos library.
>>
>> If this can't be loaded then ansible will attempt a plaintext connection 
>> which I am fairly certain won't work with a domain user.
>>
>> You don't mention which OS you are running ansible on but you probably 
>> need to install
>>
>> python-kerberos from yum 
>> or
>> pykerberos from pip
>>
>> Hope this helps
>>
>> Jon
>>
>>
>> On Tuesday, 2 February 2016 23:00:01 UTC, Nikhil Shah wrote:
>>>
>>> maybe this might be a bit more insight:
>>>
>>> ansible windows -m win_ping -vvvv 
>>>
>>> <10.40.1.31> ESTABLISH WINRM CONNECTION FOR USER: *root* on PORT 5986 
>>> TO XXXXXXX
>>>
>>> <10.40.1.31> WINRM CONNECT: transport=plaintext endpoint=
>>> https://XXXXX:5986/wsman
>>>
>>> <10.40.1.31> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 111] 
>>> Connection refused
>>>
>>> 10.40.1.31 | FAILED => 500 WinRMTransport. [Errno 111] Connection refused
>>>
>>>
>>>
>>> I've got a group_var/windows.yml:
>>>
>>>
>>>
>>> ansible_user: user@domain.local
>>>
>>> ansible_password: XXXXXXXX
>>>
>>> ansible_port: 5986
>>>
>>> ansible_connection: winrm
>>>
>>> # The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
>>>
>>> ansible_winrm_server_cert_validation: ignore
>>>
>>> On Tuesday, February 2, 2016 at 4:01:55 PM UTC-5, Nikhil Shah wrote:
>>>>
>>>>
>>>>
>>>> Feb 2, 12:42
>>>>
>>>> Hello,
>>>>
>>>> I followed the guidelines in setting up a windows node. 
>>>> http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep
>>>>
>>>> I am using Windows 2008 R2, which had PowerShell 2.0 installed; I 
>>>> upgraded to PowerShell 4.0 (since the requirements said PowerShell 3.0)....
>>>>
>>>> When trying to run ansible, I am running the following and getting the 
>>>> below listed error message:
>>>>
>>>> ansible-playbook -i hosts ipconfig.yml --ask-vault
>>>> Vault password:
>>>>
>>>> PLAY [test raw module] 
>>>> ********************************************************
>>>>
>>>> TASK: [run ipconfig] 
>>>> ********************************************************** 
>>>> fatal: [qa-codegen01.theorchard.local] => 500 WinRMTransport. [Errno 
>>>> 111] Connection refused
>>>>
>>>> FATAL: all hosts have already failed -- aborting
>>>>
>>>>
>>>>
>>>> Note - I went ahead and enabled winRM and configured with the following 
>>>> settings:
>>>>
>>>> winrm quickconfig -q
>>>>
>>>> winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
>>>>
>>>> winrm set winrm/config '@{MaxTimeoutms="1800000"}'
>>>>
>>>> winrm set winrm/config/service '@{AllowUnencrypted="true"}'
>>>>
>>>> winrm set winrm/config/service/auth '@{Basic="true"}'
>>>>
>>>>
>>>>
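
The checks suggested in this thread (a valid ticket in klist, an upper-case realm in ansible_user, the Python kerberos library being loadable, and the transport shown by -vvvv) can be collected into one preflight script. This is an added example, not code from any participant in the thread or from Ansible; the function names `preflight` and `kerberos_available` are hypothetical and the klist sample is constructed.

```python
import importlib.util
import re

# Constructed sample of MIT `klist` output after a successful kinit.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DOMAIN.LOCAL

Valid starting     Expires            Service principal
02/03/16 08:00:00  02/03/16 18:00:00  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
"""
# The two -vvvv lines quoted in the thread (bold markers removed).
SAMPLE_VERBOSE = [
    "<10.40.1.31> ESTABLISH WINRM CONNECTION FOR USER: root on PORT 5986 TO XXXXXXX",
    "<10.40.1.31> WINRM CONNECT: transport=plaintext endpoint=https://XXXXX:5986/wsman",
]

def kerberos_available():
    # python-kerberos (yum) and pykerberos (pip) both install a module named `kerberos`.
    return importlib.util.find_spec("kerberos") is not None

def preflight(ansible_user, klist_output, verbose_lines, kerberos_importable):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Realm part of ansible_user must be upper case (user@DOMAIN.LOCAL).
    user, _, realm = ansible_user.partition("@")
    if not realm:
        findings.append("ansible_user has no @REALM part")
    elif realm != realm.upper():
        findings.append(f"realm not upper case: use {user}@{realm.upper()}")
    # klist must show a principal and a ticket-granting ticket for that realm.
    principal = re.search(r"^Default principal:\s*(\S+)", klist_output, re.M)
    tgt = re.search(r"krbtgt/(\S+)@(\S+)", klist_output)
    if not principal or not tgt:
        findings.append("klist shows no ticket-granting ticket; run kinit")
    elif realm and tgt.group(2) != realm.upper():
        findings.append(f"ticket realm {tgt.group(2)} differs from ansible_user realm")
    if not kerberos_importable:
        findings.append("python kerberos library not importable")
    # The verbose run shows which user and transport were really used.
    for line in verbose_lines:
        m = re.search(r"ESTABLISH WINRM CONNECTION FOR USER: \*?([^\s*]+)", line)
        if m and m.group(1).lower() != ansible_user.lower():
            findings.append(f"connected as {m.group(1)}, inventory variables not applied")
        m = re.search(r"WINRM CONNECT: transport=(\S+)", line)
        if m and m.group(1) != "kerberos":
            findings.append(f"connection used transport={m.group(1)}, not kerberos")
    return findings

if __name__ == "__main__":
    for f in preflight("user@domain.local", SAMPLE_KLIST, SAMPLE_VERBOSE, kerberos_available()):
        print("FINDING:", f)
```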
