Hello Jordan,

I moved from https to http.
I removed the DES Kerberos options:

# default_tgs_enctypes = des-cbc-crc arcfour-hmac-md5
default_tgs_enctypes = arcfour-hmac-md5
# default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc
default_tkt_enctypes = arcfour-hmac-md5
# preferred_preauth_types = des-cbc-crc

And here is the result of the run - I have to admit this is not helping me much...

# KRB5_TRACE=/dev/stdout ansible-playbook playbooks/win_test.yml --limit scststhost67.usa.company.com -vvvv
ansible-playbook 2.6.2
  config file = /ansible/scripts/ansible.cfg
  configured module search path = [u'/usr/local/lib/python2.7/dist-packages/ara/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.12 (default, Dec 4 2017, 14:50:18) [GCC 5.4.0 20160609]
Using /ansible/scripts/ansible.cfg as config file
setting up inventory plugins
Parsed /ansible/scripts/inventory/windows.yml inventory source with yaml plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc
Loading callback plugin ara of type notification, v2.0 from /usr/local/lib/python2.7/dist-packages/ara/plugins/callbacks/log_ara.pyc

PLAYBOOK: win_test.yml *************************************************************************************************************************************
1 plays in playbooks/win_test.yml

PLAY [windows] *********************************************************************************************************************************************
META: ran handlers
Trying secret FileVaultSecret(filename='/nfs/site/disks/home30/ansible/.ssh/ansible_vault.txt') for vault_id=default

TASK [Simple Ping] *****************************************************************************************************************************************
task path: /ansible/scripts/playbooks/win_test.yml:5
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_ping.ps1
<scststhost67.usa.company.com> ESTABLISH WINRM CONNECTION FOR USER: usa_ansi...@usa.company.com on PORT 5986 TO scststhost67.usa.company.com
checking if winrm_host scststhost67.usa.company.com is an IPv6 address
calling kinit with pexpect for principal usa_ansi...@usa.company.com
[5574] 1535488714.966934: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.967925: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.968917: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.969845: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.970790: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.974593: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.975957: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.976891: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.979603: Getting credentials usa_ansi...@usa.company.com -> HTTP/scststhost67.usa.company....@usa.company.com using ccache FILE:/tmp/tmpa0pCw0
[5574] 1535488714.979722: Retrieving usa_ansi...@usa.company.com -> HTTP/scststhost67.usa.company....@usa.company.com from FILE:/tmp/tmpa0pCw0 with result: -1765328243/Matching credential not found
[5574] 1535488714.979790: Retrieving usa_ansi...@usa.company.com -> krbtgt/usa.company....@usa.company.com from FILE:/tmp/tmpa0pCw0 with result: 0/Success
[5574] 1535488714.979801: Starting with TGT for client realm: usa_ansi...@usa.company.com -> krbtgt/usa.company....@usa.company.com
[5574] 1535488714.979809: Requesting tickets for HTTP/scststhost67.usa.company....@usa.company.com, referrals on
[5574] 1535488714.979835: Generated subkey for TGS request: rc4-hmac/DA64
[5574] 1535488714.979855: etypes requested in TGS request: rc4-hmac
[5574] 1535488714.979986: Encoding request body and padata into FAST request
[5574] 1535488714.980151: Sending request (8510 bytes) to USA.COMPANY.COM
[5574] 1535488714.980237: Resolving hostname 10.104.193.41
[5574] 1535488714.980329: Initiating TCP connection to stream 10.104.193.41:88
[5574] 1535488714.980736: Sending TCP request to stream 10.104.193.41:88
[5574] 1535488715.46929: Received answer (8503 bytes) from stream 10.104.193.41:88
[5574] 1535488715.46941: Terminating TCP connection to stream 10.104.193.41:88
[5574] 1535488715.46968: Response was not from master KDC
[5574] 1535488715.46992: Decoding FAST response
[5574] 1535488715.47089: FAST reply key: rc4-hmac/AD14
[5574] 1535488715.47115: TGS reply is for usa_ansi...@usa.company.com -> HTTP/scststhost67.usa.company....@usa.company.com with session key rc4-hmac/C716
[5574] 1535488715.47172: TGS request result: 0/Success
[5574] 1535488715.47178: Received creds for desired service HTTP/scststhost67.usa.company....@usa.company.com
[5574] 1535488715.47186: Storing usa_ansi...@usa.company.com -> HTTP/scststhost67.usa.company....@usa.company.com in FILE:/tmp/tmpa0pCw0
[5574] 1535488715.47336: Retrieving usa_ansi...@usa.company.com -> krbtgt/usa.company....@usa.company.com from FILE:/tmp/tmpa0pCw0 with result: 0/Success
[5574] 1535488715.47345: Get cred via TGT krbtgt/usa.company....@usa.company.com after requesting krbtgt/usa.company....@usa.company.com (canonicalize off)
[5574] 1535488715.47358: Generated subkey for TGS request: rc4-hmac/C5C1
[5574] 1535488715.47368: etypes requested in TGS request: rc4-hmac
[5574] 1535488715.47448: Encoding request body and padata into FAST request
[5574] 1535488715.47557: Sending request (8526 bytes) to USA.COMPANY.COM
[5574] 1535488715.47614: Resolving hostname 10.104.193.41
[5574] 1535488715.47663: Initiating TCP connection to stream 10.104.193.41:88
[5574] 1535488715.48125: Sending TCP request to stream 10.104.193.41:88
[5574] 1535488715.50778: Received answer (8459 bytes) from stream 10.104.193.41:88
[5574] 1535488715.50796: Terminating TCP connection to stream 10.104.193.41:88
[5574] 1535488715.50831: Response was not from master KDC
[5574] 1535488715.50860: Decoding FAST response
[5574] 1535488715.51036: FAST reply key: rc4-hmac/E764
[5574] 1535488715.51075: TGS reply is for usa_ansi...@usa.company.com -> krbtgt/usa.company....@usa.company.com with session key rc4-hmac/B213
[5574] 1535488715.51153: Got cred; 0/Success
[5574] 1535488715.51311: Creating authenticator for usa_ansi...@usa.company.com -> HTTP/scststhost67.usa.company....@usa.company.com, seqnum 63157312, subkey rc4-hmac/C622, session key rc4-hmac/C716
fatal: [scststhost67.usa.company.com]: UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: ('Connection aborted.', error(104, 'Connection reset by peer'))",
    "unreachable": true
}
        to retry, use: --limit @/ansible/scripts/playbooks/win_test.retry

PLAY RECAP *************************************************************************************************************************************************
scststhost67.usa.company.com : ok=0 changed=0 unreachable=1 failed=0

Do you have any other advice please?

Thanks

On Tue, Aug 28, 2018 at 12:38 AM Jordan Borean <jborea...@gmail.com> wrote:

> Because you are running over https, message encryption is not being run so
> that post you linked to is technically unrelated.
> In saying that, I have no
> idea about your environment setup, but RC4 and DES are effectively broken
> and you should avoid using them in any case. Unless you have set that on purpose
> you shouldn't be allowing weak cryptos.
>
> To try and find out what exactly is failing can you run Ansible with
> KRB5_TRACE=/dev/stdout set, e.g. '*KRB5_TRACE=/dev/stdout
> ansible-playbook agent.yml --limit ....*'. This will make gssapi on that
> host send the logs to stdout hopefully giving you a better error.
>
> Thanks
>
> Jordan

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAAK4BEZaOinfoXMX9rExg_7yatNgifipJ9NZXuHpYshPm-WmDg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
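
An added example, not part of the original thread and not Ansible or MIT krb5 code: a small Python audit of KRB5_TRACE output that reports where RC4 or DES enctypes appear, as rc4-hmac does throughout the trace above. The principal, realm and the second (AES) request in the sample are constructed placeholders, and `audit_trace` and `is_weak` are hypothetical names.

```python
import re
from collections import Counter

# Enctypes the thread calls broken: RC4 (rc4-hmac / arcfour-*) and single DES.
WEAK_PREFIXES = ("rc4-", "arcfour-", "des-")

# MIT krb5 trace lines look like "[pid] seconds.micros: message".
TRACE_LINE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")
# Keys are logged as "<enctype>/<4 hex digits>", e.g. "rc4-hmac/C716".
KEY_REF = re.compile(r"\b([a-z0-9-]+)/[0-9A-F]{4}\b")
ETYPE_LIST = re.compile(r"etypes requested in (\w+) request: (.+)$")

def is_weak(enctype):
    return enctype.lower().startswith(WEAK_PREFIXES)

def audit_trace(text):
    """Summarise enctype use in KRB5_TRACE output mixed with other log lines."""
    report = {"requests": [], "weak_only_requests": 0, "weak_keys": Counter()}
    for raw in text.splitlines():
        m = TRACE_LINE.match(raw.strip())
        if not m:
            continue  # Ansible output, blank lines, wrapped text
        msg = m.group(1)
        offered = ETYPE_LIST.search(msg)
        if offered:
            etypes = [e.strip() for e in offered.group(2).split(",") if e.strip()]
            report["requests"].append((offered.group(1), etypes))
            # Client offered nothing but weak enctypes: a krb5.conf restriction.
            if etypes and all(is_weak(e) for e in etypes):
                report["weak_only_requests"] += 1
            continue
        for enctype in KEY_REF.findall(msg):
            if is_weak(enctype):
                report["weak_keys"][enctype] += 1
    return report

# Constructed sample (placeholder principal and realm), modelled on the trace above.
SAMPLE = """\
TASK [Simple Ping] ***
[5574] 1535488714.979835: Generated subkey for TGS request: rc4-hmac/DA64
[5574] 1535488714.979855: etypes requested in TGS request: rc4-hmac
[5574] 1535488715.47115: TGS reply is for user@EXAMPLE.COM -> HTTP/host.example.com@EXAMPLE.COM with session key rc4-hmac/C716
[6001] 1535488800.100000: etypes requested in TGS request: aes256-cts, aes128-cts, rc4-hmac
[6001] 1535488800.200000: TGS reply is for user@EXAMPLE.COM -> HTTP/host.example.com@EXAMPLE.COM with session key aes256-cts/1A2B
"""

if __name__ == "__main__":
    print(audit_trace(SAMPLE))
```

A non-zero `weak_only_requests` points at the client's own `default_tgs_enctypes`/`default_tkt_enctypes` lines; weak keys in replies to requests that also offered AES point at what the KDC or service account supports.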