Hello Jordan
I moved from https to http
I removed the des kerberos options:
# default_tgs_enctypes = des-cbc-crc arcfour-hmac-md5
 default_tgs_enctypes = arcfour-hmac-md5
# default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc
 default_tkt_enctypes = arcfour-hmac-md5
# preferred_preauth_types = des-cbc-crc


And here is the result of the run - I have to admit this is not helping me
much...

# KRB5_TRACE=/dev/stdout ansible-playbook playbooks/win_test.yml --limit scststhost67.usa.company.com -vvvv


ansible-playbook 2.6.2

  config file = /ansible/scripts/ansible.cfg

  configured module search path =
[u'/usr/local/lib/python2.7/dist-packages/ara/plugins/modules']

  ansible python module location =
/usr/lib/python2.7/dist-packages/ansible

  executable location = /usr/bin/ansible-playbook

  python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0
20160609]
Using /ansible/scripts/ansible.cfg as config file

setting up inventory plugins

Parsed /ansible/scripts/inventory/windows.yml inventory source with yaml
plugin
Loading callback plugin default of type stdout, v2.0 from
/usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc

Loading callback plugin ara of type notification, v2.0 from
/usr/local/lib/python2.7/dist-packages/ara/plugins/callbacks/log_ara.pyc


PLAYBOOK: win_test.yml
*************************************************************************************************************************************
1 plays in playbooks/win_test.yml



PLAY [windows]
*********************************************************************************************************************************************
META: ran handlers


Trying secret
FileVaultSecret(filename='/nfs/site/disks/home30/ansible/.ssh/ansible_vault.txt')
for vault_id=default

TASK [Simple Ping]
*****************************************************************************************************************************************
task path: /ansible/scripts/playbooks/win_test.yml:5

Using module file
/usr/lib/python2.7/dist-packages/ansible/modules/windows/win_ping.ps1

<scststhost67.usa.company.com> ESTABLISH WINRM CONNECTION FOR USER:
usa_ansi...@usa.company.com on PORT 5986 TO scststhost67.usa.company.com

checking if winrm_host scststhost67.usa.company.com is an IPv6 address


calling kinit with pexpect for principal usa_ansi...@usa.company.com


[5574] 1535488714.966934: Retrieving usa_ansi...@usa.company.com from
FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result:
2/Key table file '/etc/krb5/user/30254/client.keytab' not found


[5574] 1535488714.967925: Retrieving usa_ansi...@usa.company.com from
FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result:
2/Key table file '/etc/krb5/user/30254/client.keytab' not found


[5574] 1535488714.968917: Retrieving usa_ansi...@usa.company.com from
FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result:
2/Key table file '/etc/krb5/user/30254/client.keytab' not found


[5574] 1535488714.969845: Retrieving usa_ansi...@usa.company.com from
FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result:
2/Key table file '/etc/krb5/user/30254/client.keytab' not found


[5574] 1535488714.970790: Retrieving usa_ansi...@usa.company.com from
FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result:
2/Key table file '/etc/krb5/user/30254/client.keytab' not found


[5574] 1535488714.974593: Retrieving usa_ansi...@usa.company.com from
FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result:
2/Key table file '/etc/krb5/user/30254/client.keytab' not found


[5574] 1535488714.975957: Retrieving usa_ansi...@usa.company.com from
FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result:
2/Key table file '/etc/krb5/user/30254/client.keytab' not found


[5574] 1535488714.976891: Retrieving usa_ansi...@usa.company.com from
FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result:
2/Key table file '/etc/krb5/user/30254/client.keytab' not found


[5574] 1535488714.979603: Getting credentials usa_ansi...@usa.company.com
-> HTTP/scststhost67.usa.company....@usa.company.com using ccache
FILE:/tmp/tmpa0pCw0


[5574] 1535488714.979722: Retrieving usa_ansi...@usa.company.com -> HTTP/
scststhost67.usa.company....@usa.company.com from FILE:/tmp/tmpa0pCw0 with
result: -1765328243/Matching credential not found


[5574] 1535488714.979790: Retrieving usa_ansi...@usa.company.com -> krbtgt/
usa.company....@usa.company.com from FILE:/tmp/tmpa0pCw0 with result:
0/Success


[5574] 1535488714.979801: Starting with TGT for client realm:
usa_ansi...@usa.company.com -> krbtgt/usa.company....@usa.company.com

[5574] 1535488714.979809: Requesting tickets for HTTP/
scststhost67.usa.company....@usa.company.com, referrals on

[5574] 1535488714.979835: Generated subkey for TGS request: rc4-hmac/DA64


[5574] 1535488714.979855: etypes requested in TGS request: rc4-hmac


[5574] 1535488714.979986: Encoding request body and padata into FAST
request

[5574] 1535488714.980151: Sending request (8510 bytes) to USA.COMPANY.COM


[5574] 1535488714.980237: Resolving hostname 10.104.193.41


[5574] 1535488714.980329: Initiating TCP connection to stream
10.104.193.41:88

[5574] 1535488714.980736: Sending TCP request to stream 10.104.193.41:88


[5574] 1535488715.46929: Received answer (8503 bytes) from stream
10.104.193.41:88

[5574] 1535488715.46941: Terminating TCP connection to stream
10.104.193.41:88

[5574] 1535488715.46968: Response was not from master KDC


[5574] 1535488715.46992: Decoding FAST response


[5574] 1535488715.47089: FAST reply key: rc4-hmac/AD14


[5574] 1535488715.47115: TGS reply is for usa_ansi...@usa.company.com ->
HTTP/scststhost67.usa.company....@usa.company.com with session key
rc4-hmac/C716


[5574] 1535488715.47172: TGS request result: 0/Success


[5574] 1535488715.47178: Received creds for desired service HTTP/
scststhost67.usa.company....@usa.company.com
[5574] 1535488715.47186: Storing usa_ansi...@usa.company.com -> HTTP/
scststhost67.usa.company....@usa.company.com in FILE:/tmp/tmpa0pCw0
[5574] 1535488715.47336: Retrieving usa_ansi...@usa.company.com -> krbtgt/
usa.company....@usa.company.com from FILE:/tmp/tmpa0pCw0 with result:
0/Success
[5574] 1535488715.47345: Get cred via TGT krbtgt/
usa.company....@usa.company.com after requesting krbtgt/
usa.company....@usa.company.com (canonicalize off)
[5574] 1535488715.47358: Generated subkey for TGS request: rc4-hmac/C5C1
[5574] 1535488715.47368: etypes requested in TGS request: rc4-hmac
[5574] 1535488715.47448: Encoding request body and padata into FAST request
[5574] 1535488715.47557: Sending request (8526 bytes) to USA.COMPANY.COM
[5574] 1535488715.47614: Resolving hostname 10.104.193.41
[5574] 1535488715.47663: Initiating TCP connection to stream
10.104.193.41:88
[5574] 1535488715.48125: Sending TCP request to stream 10.104.193.41:88
[5574] 1535488715.50778: Received answer (8459 bytes) from stream
10.104.193.41:88
[5574] 1535488715.50796: Terminating TCP connection to stream
10.104.193.41:88
[5574] 1535488715.50831: Response was not from master KDC
[5574] 1535488715.50860: Decoding FAST response
[5574] 1535488715.51036: FAST reply key: rc4-hmac/E764
[5574] 1535488715.51075: TGS reply is for usa_ansi...@usa.company.com ->
krbtgt/usa.company....@usa.company.com with session key rc4-hmac/B213
[5574] 1535488715.51153: Got cred; 0/Success
[5574] 1535488715.51311: Creating authenticator for
usa_ansi...@usa.company.com -> HTTP/
scststhost67.usa.company....@usa.company.com, seqnum 63157312, subkey
rc4-hmac/C622, session key rc4-hmac/C716
fatal: [scststhost67.usa.company.com]: UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: ('Connection aborted.', error(104, 'Connection reset by peer'))",
    "unreachable": true
}
        to retry, use: --limit @/ansible/scripts/playbooks/win_test.retry

PLAY RECAP
*************************************************************************************************************************************************
scststhost67.usa.company.com : ok=0    changed=0    unreachable=1
failed=0


Do you have any other advice please?

Thanks

On Tue, Aug 28, 2018 at 12:38 AM Jordan Borean <jborea...@gmail.com> wrote:

> Because you are running over https, message encryption is not being run so
> that post you linked to is technically unrelated. In saying that, I have no
> idea about your environment setup, but RC4 and DES are effectively broken
> and you should avoid using them in any case. Unless you have set that on purpose
> you shouldn't be allowing weak cryptos.
>
> To try and find out what exactly is failing can you run Ansible with
> KRB5_TRACE=/dev/stdout set, e.g. '*KRB5_TRACE=/dev/stdout
> ansible-playbook agent.yml --limit ....*'. This will make gssapi on that
> host send the logs to stdout, hopefully giving you a better error.
>
> Thanks
>
> Jordan

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAAK4BEZaOinfoXMX9rExg_7yatNgifipJ9NZXuHpYshPm-WmDg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
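
An added example, not part of the original message and not code from Ansible or MIT krb5: a small Python check that re-joins a mail-wrapped KRB5_TRACE log like the one in this thread, lists the encryption types that appear in it, flags the RC4 and DES ones the quoted reply calls weak, and reports whether the TGS request succeeded. The sample trace is constructed with placeholder principal and host names, and the function names are illustrative.

```python
import re

# Constructed sample modelled on the trace in this thread, mail line-wraps
# included; the principal and host names are placeholders.
SAMPLE_TRACE = """\
[5574] 1535488714.979855: etypes requested in TGS request: rc4-hmac
[5574] 1535488715.47115: TGS reply is for user@EXAMPLE.COM ->
HTTP/host.example.com@EXAMPLE.COM with session key
rc4-hmac/C716
[5574] 1535488715.47172: TGS request result: 0/Success

[5574] 1535488715.51311: Creating authenticator for
user@EXAMPLE.COM -> HTTP/host.example.com@EXAMPLE.COM, subkey
rc4-hmac/C622, session key rc4-hmac/C716
"""

ENTRY = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")
ETYPE_LIST = re.compile(r"etypes requested in \S+ request: ([a-z0-9, -]+)")
KEY = re.compile(r"key(?: for \S+ request)?:? ([a-z0-9-]+)/[0-9A-F]{4}")
WEAK_PREFIXES = ("des-", "rc4", "arcfour")  # single DES and RC4 names

def entries(text):
    """Return one message per '[pid] time:' entry, re-joining wrapped lines."""
    out, joining = [], False
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            out.append(m.group(1).strip())
            joining = True
        elif not line.strip():
            joining = False  # a blank line ends the current entry
        elif joining:
            out[-1] += " " + line.strip()
    return out

def audit(text):
    """Collect enctypes seen in the trace and whether a TGS request succeeded."""
    seen, tgs_ok = set(), False
    for msg in entries(text):
        m = ETYPE_LIST.search(msg)
        if m:
            seen.update(m.group(1).replace(",", " ").split())
        seen.update(KEY.findall(msg))
        tgs_ok = tgs_ok or "TGS request result: 0/Success" in msg
    weak = sorted(e for e in seen if e.startswith(WEAK_PREFIXES))
    return {"etypes": sorted(seen), "weak": weak, "tgs_ok": tgs_ok}

if __name__ == "__main__":
    print(audit(SAMPLE_TRACE))
```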
