Have a look at the warning Ansible is giving you: it is telling you it was 
unable to use your configured remote target value and forced 
`inventory_hostname`. Solve that and you will probably solve this problem.

On Tuesday, June 14, 2022 at 4:30:08 AM UTC+10 indiem...@gmail.com wrote:

> I could add the machines to my hosts file directly but I think I actually 
> have a bug here.  The winRM plugin is actually trying to connect to 
> https://inventory_hostname:5986/wsman instead of 
> https://mikes-wintest.domain.ca:5986/wsman.  
>
>
> *[WARNING]: The "winrm" connection plugin has an improperly configured 
> remote target value, forcing "inventory_hostname" templated value instead 
> of the string*
> kinit succeeded for principal uber...@domain.ca
> redirecting (type: modules) ansible.builtin.win_ping to 
> ansible.windows.win_ping
> Loading collection ansible.windows from 
> /root/.ansible/collections/ansible_collections/ansible/windows
> Using module file 
> /root/.ansible/collections/ansible_collections/ansible/windows/plugins/modules/win_ping.ps1
> Pipelining is enabled.
> <inventory_hostname> ESTABLISH WINRM CONNECTION FOR USER: 
> uber...@domain.ca on PORT 5986 TO inventory_hostname
>
> creating Kerberos CC at /tmp/tmp1d3m70sc
> calling kinit with pexpect for principal uber...@domain.ca
> kinit succeeded for principal uber...@domain.ca
> *<inventory_hostname> WINRM CONNECT: transport=kerberos 
> endpoint=https://inventory_hostname:5986/wsman*
> kinit succeeded for principal uber...@domain.ca
>
> On Monday, June 13, 2022 at 10:11:56 AM UTC-7 urs...@gmail.com wrote:
>
>> Hi Michael,
>>
>> OK, I should have said so earlier, but as well as kinit and klist, ping 
>> also worked, yet ansible still would not connect … and gave me exactly the 
>> error message you are getting. I am not sure, but I suspect the python 
>> kerberos transport is making another over-the-wire query off of the DC, or 
>> another container is involved to open the kerberos winrm session.
>>
>> I have messed with the resolvers.conf myself and cheated by adding my 
>> local ones, but that alone did not resolve it. I think there is another 
>> container that tower uses.
>>
>> I have posted today on this group what I did with getting the local dns 
>> info injected into the awx cluster. I am using minikube but maybe my way 
>> works on yours too?
>>
>> Awx or tower uses a number of containers …
>>
>> HTH
>>
>> Urs 
>>
>> On 13. Jun 2022, at 16:40, Michael Kennedy <indiem...@gmail.com> wrote:
>>
>> Hi Urs,
>>
>> Yes.  Dealing with Active Directory, DNS was the first thing I have 
>> eliminated as being a problem.  My resolv.conf file is set up correctly.  
>>
>> [root@ansible ~]# ping mikes-wintest
>>
>> PING mikes-wintest.sudden.ca (192.168.12.52) 56(84) bytes of data.
>>
>>
>> 64 bytes from Mikes-WinTest.domain.ca (192.168.12.52): icmp_seq=1 
>> ttl=123 time=14.1 ms
>> ^C
>> --- mikes-wintest.domain.ca ping statistics ---
>> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
>> rtt min/avg/max/mdev = 14.127/14.127/14.127/0.000 ms
>> [root@ansible ~]# nslookup mikes-wintest
>> Server:        192.168.8.11
>> Address:    192.168.8.11#53
>>
>> Name:    mikes-wintest.domain.ca
>> Address: 192.168.12.52
>>
>> [root@ansible ~]# nslookup domain.ca
>> Server:        192.168.8.11
>> Address:    192.168.8.11#53
>>
>> Name:    domain.ca
>> Address: 192.168.15.202
>> Name:    domain.ca
>> Address: 192.168.12.153
>> Name:    domain.ca
>> Address: 192.168.12.20
>> Name:    domain.ca
>> Address: 192.168.8.11
>> Name:    domain.ca
>> Address: 192.168.15.201
>> Name:    domain.ca
>> Address: 192.168.8.44
>> Name:    domain.ca
>> Address: 192.168.8.21
>> Name:    domain.ca
>> Address: 192.168.12.201
>> Name:    domain.ca
>> Address: 192.168.9.150
>>
>> [root@ansible ~]#
>>
>>
>>
>> I have also eliminated other low-hanging fruit such as NTP, Firewalls, 
>> Windows Firewall, Ethernet adapter zone.  
>>
>> On Monday, June 13, 2022 at 3:27:20 AM UTC-7 urs...@gmail.com wrote:
>>
>> Hi Michael,
>>>
>>> A stab in the dark: winrm, or Kerberos specifically, depends on a fully 
>>> working DNS.
>>> Is your tower cluster properly looking up the windows domain DCs? 
>>> I had tried a kludge myself with hard-coded names in hosts files, but 
>>> that gave me the same error you are getting.
>>> Oddly, the kinit and list cmd works fine, but the actual ansible 
>>> connections trying to use winrm or kerberos transport failed.
>>> And as soon as I had added my local or internal dns zone to the cluster 
>>> dns, things started working for me.
>>>
>>> HTH
>>>
>>> -- 
>>> Urs Rau
>>>
>>> On Sunday, 12 June 2022 at 17:17:51 UTC+2 indiem...@gmail.com wrote:
>>>
>>>> Here is some more troubleshooting information.  Also, as a side note, I 
>>>> am running a partner NFR self-support only version of AAP and have zero 
>>>> support from RedHat on this.  It also doesn't seem to matter if I run the 
>>>> job through command line ansible or through AAP.  The error is the same.  
>>>>
>>>> My Group Vars
>>>>
>>>> ---
>>>> ansible_connection: winrm
>>>> ansible_winrm_server_cert_validation: ignore
>>>>
>>>> Host Inventory
>>>>
>>>> ---
>>>> ansible_hostname: mikes-wintest.DOMAIN.CA
>>>>
>>>> my WinRM settings after running the ConfigureAnsibleRemoting.ps1 script
>>>>
>>>> PS C:\Users\ubermike\Desktop> winrm configSDDL default
>>>> Service
>>>>     RootSDDL = 
>>>> O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GAGR;;;S-1-5-21-809043649-619790271-106372718-1977)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
>>>>     MaxConcurrentOperations = 4294967295
>>>>     MaxConcurrentOperationsPerUser = 1500
>>>>     EnumerationTimeoutms = 240000
>>>>     MaxConnections = 300
>>>>     MaxPacketRetrievalTimeSeconds = 120
>>>>     AllowUnencrypted = true
>>>>     Auth
>>>>         Basic = true
>>>>         Kerberos = true
>>>>         Negotiate = true
>>>>         Certificate = false
>>>>         CredSSP = true
>>>>         CbtHardeningLevel = Relaxed
>>>>     DefaultPorts
>>>>         HTTP = 5985
>>>>         HTTPS = 5986
>>>>     IPv4Filter = *
>>>>     IPv6Filter = *
>>>>     EnableCompatibilityHttpListener = false
>>>>     EnableCompatibilityHttpsListener = false
>>>>     CertificateThumbprint
>>>>     AllowRemoteAccess = true
>>>>
>>>> My Ansible Host Kerb ticket
>>>>
>>>> [uber...@domain.ca@ansible ~]$ klist -c
>>>> Ticket cache: KCM:1944601976:978
>>>> Default principal: uber...@domain.ca
>>>>
>>>> Valid starting       Expires              Service principal
>>>> 2022-06-12 08:10:56  2022-06-12 18:10:56  krbtgt/doma...@domain.ca
>>>>     renew until 2022-06-19 08:10:56
>>>>
>>>> Latest Error Output from the job
>>>>
>>>> {
>>>>   "unreachable": true,
>>>>   "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS 
>>>> failure.  Minor code may provide more information', 851968), ('Server not 
>>>> found in Kerberos database', -1765328377)), ssl: 
>>>> HTTPSConnectionPool(host='inventory_hostname', port=5986): *Max 
>>>> retries exceeded with url: /wsman (Caused by 
>>>> NewConnectionError('<urllib3.connection.HTTPSConnection object at 
>>>> 0x7f3ca1fd2430>: Failed to establish a new connection: [Errno -2] Name or 
>>>> service not known'))*",
>>>>   "changed": false
>>>> }
>>>>
>>>>
>>>> On Saturday, June 11, 2022 at 6:55:15 PM UTC-7 Michael Kennedy wrote:
>>>>
>>>>> I am having a problem running WinRM connections with both basic and 
>>>>> kerberos auth.  
>>>>>
>>>>> My Ansible is deployed with RedHat AAP 4.2.0 on RHEL 9.  
>>>>>
>>>>> I set up a test Windows 2019 machine and ran the 
>>>>> ConfigureRemotingForAnsible.ps1 script against the host.  Rebooted the 
>>>>> host for good measure.  Tested from the Ansible server that I can telnet 
>>>>> to 5985 and 5986 (confirmed) but I cannot run a Windows test playbook 
>>>>> against the host.
>>>>>
>>>>> Skipping callback 'oneline', as we already have a stdout callback.
>>>>> PLAYBOOK: test.yml 
>>>>> *************************************************************
>>>>> 2 plays in windows/test.yml
>>>>> PLAY [test raw module] 
>>>>> *********************************************************18:47:21
>>>>> TASK [Gathering Facts] 
>>>>> *********************************************************18:47:21
>>>>> *task path: /runner/project/windows/test.yml:2*
>>>>> *[WARNING]: The "winrm" connection plugin has an improperly configured 
>>>>> remote*
>>>>> *target value, forcing "inventory_hostname" templated value instead of 
>>>>> the*
>>>>> *string*
>>>>> redirecting (type: modules) ansible.builtin.setup to 
>>>>> ansible.windows.setup
>>>>> Using module file 
>>>>> /usr/share/ansible/collections/ansible_collections/ansible/windows/plugins/modules/setup.ps1
>>>>> Pipelining is enabled.
>>>>> <inventory_hostname> ESTABLISH WINRM CONNECTION FOR USER: 
>>>>> administrator on PORT 5986 TO inventory_hostname
>>>>> *fatal: [192.168.12.52]: UNREACHABLE! => {*
>>>>> * "changed": false,*
>>>>> * "msg": "ssl: HTTPSConnectionPool(host='inventory_hostname', 
>>>>> port=5986): Max retries exceeded with url: /wsman (Caused by 
>>>>> NewConnectionError('<urllib3.connection.HTTPSConnection object at 
>>>>> 0x7fa35f010f10>: Failed to establish a new connection: [Errno -2] Name or 
>>>>> service not known'))",*
>>>>> * "unreachable": true*
>>>>> *}*
>>>>>
>>>>> *Running a Windows test against a domain joined machine produces a 
>>>>> different error that I also cannot resolve.  *
>>>>>
>>>>> PLAY [Ping] 
>>>>> ********************************************************************18:53:19
>>>>> TASK [Gathering Facts] 
>>>>> *********************************************************18:53:19
>>>>> *[WARNING]: The "winrm" connection plugin has an improperly configured 
>>>>> remote*
>>>>> *target value, forcing "inventory_hostname" templated value instead of 
>>>>> the*
>>>>> *string*
>>>>> *fatal: [srvrds04]: UNREACHABLE! => {"changed": false, "msg": 
>>>>> "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor 
>>>>> code may provide more information', 851968), ('Server not found in 
>>>>> Kerberos 
>>>>> database', -1765328377))", "unreachable": true}*
>>>>>
>>>>> *I am getting this error despite confirming the SPN is fine, 
>>>>> confirming I can connect to the host with WinRM from a different 
>>>>> domain-joined host, and confirming my Kerb ticket with kinit and list.*
>>>>>
>>>>>
>>>>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ansible-proje...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ansible-project/b064e330-b0cb-4929-9c4d-8c53a54eafccn%40googlegroups.com
>>  
>> <https://groups.google.com/d/msgid/ansible-project/b064e330-b0cb-4929-9c4d-8c53a54eafccn%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>>
>>
