[ansible-project] Kerberos Authentication Failed | kerberos: authGSSClientStep() failed | Help URGENT

Piyush Bansal Wed, 02 Oct 2019 05:07:39 -0700

Hello,

I am trying to use Windows-2008-R2 AD domain authentication for my windows
infrastructure playbooks however its failing with following error:
Also tried just for win_ping and ping but still everything fails.


ERROR:
---------------------------
"kerberos: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor
code may provide more information', 851968), ('Server not found in Kerberos
database', -1765328377))", [0m
---------------------------

WinRM is configured correctly and working fine from other windows server.
Ansible server is pinging DNS/AD server fine.
Kerberos Ticket is successfully getting generated with "kinit" commands on
Ansible control node
DNS resolution is tested with hostname from Ansible controller node and
working fine. /etc/hosts and resolv.conf files updated appropriately.

Verbose output, inventory file, library version, krb5.conf all these
outputs and files are mentioned in below sections of this email.

Pre-requisite libraries, and configuration files are all configured fine as
per following link:
https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html

Here is the version details:
Ansible: 2.8.5 (also tried with 2.7.13 ansible version in LAB but still no
success)
Python: 3.6.6
requests-kerberos 0.12.0
pykerberos        1.2.1
pywinrm           0.3.0
kerberos          1.3.0

Inventory File:
-------------------
[win_infra]
win2k121.MYLAB.COM

[win_infra:vars]
ansible_connection=winrm
ansible_winrm_transport=kerberos
ansible_user=ansi...@mylab.com
ansible_password=xxxxxxxx
ansible_port=5986
-------------------

krb5.conf file:
--------------------------
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 8h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = MYLAB.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MYLAB.COM = {
  kdc = win2k8r2.mylab.com
  admin_server = win2k8r2.mylab.com
 }

[domain_realm]
 .mylab.com = MYLAB.COM
 mylab.com = MYLAB.com
--------------------------


VERBOSE OUTPUT:
-------------------------
[root@ansible_centos ~]# ansible win_infra -m ping -vvvvvv
ansible 2.8.5
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules',
'/usr/share/ansible/plugins/modules']
  ansible python module location =
/usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.6.6 (default, Aug 13 2018, 18:24:23) [GCC 4.8.5
20150623 (Red Hat 4.8.5-28)]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /etc/ansible/hosts as it did not pass it's
verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass it's
verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass it's
verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from
/usr/local/lib/python3.6/site-packages/ansible/plugins/callback/minimal.py
META: ran handlers
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/basic.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/common/process.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/common/text/__init__.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/pycompat24.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/common/_utils.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/common/_json_compat.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/common/_collections_compat.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/common/text/formatters.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/parsing/__init__.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/common/__init__.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/six/__init__.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/common/file.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/_text.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/common/text/converters.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/parsing/convert_bool.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/common/validation.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/common/parameters.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/common/sys_info.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/common/collections.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/distro/__init__.py
Using module_utils file
/usr/local/lib/python3.6/site-packages/ansible/module_utils/distro/_distro.py
<win2k121> Attempting python interpreter discovery
<192.168.169.131> ESTABLISH WINRM CONNECTION FOR USER: ansi...@mylab.com on
PORT 5986 TO 192.168.169.131
creating Kerberos CC at /tmp/tmpjzmms99z
calling kinit with subprocess for principal ansi...@mylab.com
kinit succeeded for principal ansi...@mylab.com
<192.168.169.131> WINRM CONNECT: transport=kerberos endpoint=
https://192.168.169.131:5986/wsman
<192.168.169.131> WINRM CONNECTION ERROR: authGSSClientStep() failed:
(('Unspecified GSS failure.  Minor code may provide more information',
851968), ('Server not found in Kerberos database', -1765328377))
Traceback (most recent call last):
  File
"/usr/local/lib/python3.6/site-packages/ansible/plugins/action/__init__.py",
line 203, in _configure_module
    environment=final_environment)
  File
"/usr/local/lib/python3.6/site-packages/ansible/executor/module_common.py",
line 1023, in modify_module
    environment=environment)
  File
"/usr/local/lib/python3.6/site-packages/ansible/executor/module_common.py",
line 894, in _find_module_utils
    shebang, interpreter = _get_shebang(u'/usr/bin/python', task_vars,
templar)
  File
"/usr/local/lib/python3.6/site-packages/ansible/executor/module_common.py",
line 527, in _get_shebang
    discovery_mode=interpreter_out)
ansible.executor.interpreter_discovery.InterpreterDiscoveryRequiredError:
<unprintable InterpreterDiscoveryRequiredError object>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File
"/usr/local/lib/python3.6/site-packages/requests_kerberos/kerberos_.py",
line 229, in generate_request_header
    negotiate_resp_value)
kerberos.GSSError: (('Unspecified GSS failure.  Minor code may provide more
information', 851968), ('Server not found in Kerberos database',
-1765328377))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File
"/usr/local/lib/python3.6/site-packages/ansible/plugins/connection/winrm.py",
line 400, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8
  File "/usr/local/lib/python3.6/site-packages/winrm/protocol.py", line
157, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/local/lib/python3.6/site-packages/winrm/protocol.py", line
234, in send_message
    resp = self.transport.send_message(message)
  File "/usr/local/lib/python3.6/site-packages/winrm/transport.py", line
254, in send_message
    prepared_request = self.session.prepare_request(request)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line
462, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/local/lib/python3.6/site-packages/requests/models.py", line
317, in prepare
    self.prepare_auth(auth, url)
  File "/usr/local/lib/python3.6/site-packages/requests/models.py", line
548, in prepare_auth
    r = auth(self)
  File
"/usr/local/lib/python3.6/site-packages/requests_kerberos/kerberos_.py",
line 438, in __call__
    auth_header = self.generate_request_header(None, host,
is_preemptive=True)
  File
"/usr/local/lib/python3.6/site-packages/requests_kerberos/kerberos_.py",
line 245, in generate_request_header
    raise KerberosExchangeError("%s failed: %s" % (kerb_stage,
str(error.args)))
requests_kerberos.exceptions.KerberosExchangeError: authGSSClientStep()
failed: (('Unspecified GSS failure.  Minor code may provide more
information', 851968), ('Server not found in Kerberos database',
-1765328377))

 [WARNING]: Unhandled error in Python interpreter discovery for host
win2k121: kerberos: authGSSClientStep() failed: (('Unspecified GSS
failure.  Minor code may
provide more information', 851968), ('Server not found in Kerberos
database', -1765328377))

Using module file
/usr/local/lib/python3.6/site-packages/ansible/modules/system/ping.py
Pipelining is enabled.
<192.168.169.131> ESTABLISH WINRM CONNECTION FOR USER: ansi...@mylab.com on
PORT 5986 TO 192.168.169.131
creating Kerberos CC at /tmp/tmpro863qha
calling kinit with subprocess for principal ansi...@mylab.com
kinit succeeded for principal ansi...@mylab.com
<192.168.169.131> WINRM CONNECT: transport=kerberos endpoint=
https://192.168.169.131:5986/wsman
self context is ::::::::: {'192.168.169.131': <capsule object NULL at
0x7fdd6598a4e0>}
<192.168.169.131> WINRM CONNECTION ERROR: authGSSClientStep() failed:
(('Unspecified GSS failure.  Minor code may provide more information',
851968), ('Server not found in Kerberos database', -1765328377))
Traceback (most recent call last):
  File
"/usr/local/lib/python3.6/site-packages/requests_kerberos/kerberos_.py",
line 229, in generate_request_header
    negotiate_resp_value)
kerberos.GSSError: (('Unspecified GSS failure.  Minor code may provide more
information', 851968), ('Server not found in Kerberos database',
-1765328377))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File
"/usr/local/lib/python3.6/site-packages/ansible/plugins/connection/winrm.py",
line 400, in _winrm_connect
    self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8
  File "/usr/local/lib/python3.6/site-packages/winrm/protocol.py", line
157, in open_shell
    res = self.send_message(xmltodict.unparse(req))
  File "/usr/local/lib/python3.6/site-packages/winrm/protocol.py", line
234, in send_message
    resp = self.transport.send_message(message)
  File "/usr/local/lib/python3.6/site-packages/winrm/transport.py", line
254, in send_message
    prepared_request = self.session.prepare_request(request)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line
462, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/local/lib/python3.6/site-packages/requests/models.py", line
317, in prepare
    self.prepare_auth(auth, url)
  File "/usr/local/lib/python3.6/site-packages/requests/models.py", line
548, in prepare_auth
    r = auth(self)
  File
"/usr/local/lib/python3.6/site-packages/requests_kerberos/kerberos_.py",
line 438, in __call__
    auth_header = self.generate_request_header(None, host,
is_preemptive=True)
  File
"/usr/local/lib/python3.6/site-packages/requests_kerberos/kerberos_.py",
line 245, in generate_request_header
    raise KerberosExchangeError("%s failed: %s" % (kerb_stage,
str(error.args)))
requests_kerberos.exceptions.KerberosExchangeError: authGSSClientStep()
failed: (('Unspecified GSS failure.  Minor code may provide more
information', 851968), ('Server not found in Kerberos database',
-1765328377))

win2k121 | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS
failure.  Minor code may provide more information', 851968), ('Server not
found in Kerberos database', -1765328377))",
    "unreachable": true
}
[root@ansible_centos ~]#
[root@ansible_centos ~]#
[root@ansible_centos ~]#
[root@ansible_centos ~]#
-------------------------


Thanks,
Piyush
bansalpiyush.198...@gmail.com

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CA%2BLLie4Ak5KHmod%2B2AhpGzOot-5eL2GdVJUaUgbeA8nhVNW-4Q%40mail.gmail.com.

[ansible-project] Kerberos Authentication Failed | kerberos: authGSSClientStep() failed | Help URGENT

Reply via email to