That bug was introduced in 2.13.0 and recently resolved: https://github.com/ansible/ansible/pull/77894
It'll be included in 2.13.1 on June 20.

On Mon, Jun 13, 2022 at 5:04 PM [email protected] <[email protected]> wrote:

> Have a look at the warning Ansible is giving you, it is telling you it was
> unable to use your configured remote target value and forced
> `inventory_hostname`. Solve that and you will probably solve this problem.
>
> On Tuesday, June 14, 2022 at 4:30:08 AM UTC+10 [email protected] wrote:
>
>> I could add the machines to my hosts file directly but I think I actually
>> have a bug here. The winRM plugin is actually trying to connect to
>> https://inventory_hostname:5986/wsman instead of
>> https://mikes-wintest.domain.ca:5986/wsman.
>>
>>
>> *WARNING]: The "winrm" connection plugin has an improperly configured
>> remote target value, forcing "inventory_hostname" templated value instead
>> of the string*
>> kinit succeeded for principal [email protected]
>> redirecting (type: modules) ansible.builtin.win_ping to
>> ansible.windows.win_ping
>> Loading collection ansible.windows from
>> /root/.ansible/collections/ansible_collections/ansible/windows
>> Using module file
>> /root/.ansible/collections/ansible_collections/ansible/windows/plugins/modules/win_ping.ps1
>> Pipelining is enabled.
>> <inventory_hostname> ESTABLISH WINRM CONNECTION FOR USER:
>> [email protected] on PORT 5986 TO inventory_hostname
>>
>> creating Kerberos CC at /tmp/tmp1d3m70sc
>> calling kinit with pexpect for principal [email protected]
>> kinit succeeded for principal [email protected]
>> *<inventory_hostname> WINRM CONNECT: transport=kerberos
>> endpoint=https://inventory_hostname:5986/wsman
>> <https://inventory_hostname:5986/wsman>*
>> kinit succeeded for principal [email protected]
>>
>> On Monday, June 13, 2022 at 10:11:56 AM UTC-7 [email protected] wrote:
>>
>>> Hi Michael,
>>>
>>> OK, I should have said so earlier but as well as kinit and klist ping
>>> also worked, but ansible still would not connect … and gave me exactly the
>>> error message you are getting, I am not sure but I suspect the python
>>> kerberos transport is making another over the wire query off of the DC or
>>> another container is involved to open the kerberos winrm session.
>>>
>>> I have messed with the resolvers.conf myself and cheated by adding my
>>> local ones but that alone did not resolve it. I think there is another
>>> container that tower uses.
>>>
>>> I have posted today on this group what I did with getting the local dns
>>> info injected into the awx cluster. I am using minikube but maybe my way
>>> works on yours too?
>>>
>>> Awx or tower uses a number of containers …
>>>
>>> HTH
>>>
>>> Urs
>>>
>>> On 13. Jun 2022, at 16:40, Michael Kennedy <[email protected]> wrote:
>>>
>>> Hi Urs,
>>>
>>> Yes. Dealing with Active Directory, DNS was the first thing I have
>>> eliminated as being a problem. My resolv.conf file is setup correctly.
>>>
>>> [root@ansible ~]# ping mikes-wintest
>>>
>>> PING mikes-wintest.sudden.ca (192.168.12.52) 56(84) bytes of data.
>>>
>>> 64 bytes from Mikes-WinTest.domain.ca (192.168.12.52): icmp_seq=1
>>> ttl=123 time=14.1 ms
>>> ^C
>>> --- mikes-wintest.domain.ca ping statistics ---
>>> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
>>> rtt min/avg/max/mdev = 14.127/14.127/14.127/0.000 ms
>>> [root@ansible ~]# nslookup mikes-wintest
>>> Server: 192.168.8.11
>>> Address: 192.168.8.11#53
>>>
>>> Name: mikes-wintest.domain.ca
>>> Address: 192.168.12.52
>>>
>>> [root@ansible ~]# nslookup domain.ca
>>> Server: 192.168.8.11
>>> Address: 192.168.8.11#53
>>>
>>> Name: domain.ca
>>> Address: 192.168.15.202
>>> Name: domain.ca
>>> Address: 192.168.12.153
>>> Name: domain.ca
>>> Address: 192.168.12.20
>>> Name: domain.ca
>>> Address: 192.168.8.11
>>> Name: domain.ca
>>> Address: 192.168.15.201
>>> Name: domain.ca
>>> Address: 192.168.8.44
>>> Name: domain.ca
>>> Address: 192.168.8.21
>>> Name: domain.ca
>>> Address: 192.168.12.201
>>> Name: domain.ca
>>> Address: 192.168.9.150
>>>
>>> [root@ansible ~]#
>>>
>>> I have also eliminated other low-hanging fruit such as NTP, Firewalls,
>>> Windows Firewall, Ethernet adapter zone.
>>>
>>> On Monday, June 13, 2022 at 3:27:20 AM UTC-7 [email protected] wrote:
>>>
>>> Hi Michael,
>>>>
>>>> A stab in the dark winrm or Kerberos specifically depend on a fully
>>>> working DNS.
>>>> Is your tower cluster properly looking up the windows domain DCs?
>>>> I had tried a kludge myself with hard coded names in Hosts files but
>>>> that gave me same error you are getting.
>>>> Oddly the kinit and list cmd works fine, but the actual ansible
>>>> connections trying to use winrm or kerberos transport failed.
>>>> And as soon as I had added my local or internal dns zone to the cluster
>>>> dns things started working for me.
>>>>
>>>> HTH
>>>>
>>>> --
>>>> Urs Rau
>>>>
>>>> On Sunday, 12 June 2022 at 17:17:51 UTC+2 [email protected] wrote:
>>>>
>>>>> Here is some more troubleshooting information. Also as a side note.
>>>>> I am running a partner NFR self-support only version of AAP and have zero
>>>>> support from RedHat on this. It also doesn't seem to matter if I run the
>>>>> job through command line ansible or through AAP. The error is the same.
>>>>>
>>>>> My Group Vars
>>>>>
>>>>> ---
>>>>> ansible_connection: winrm
>>>>> ansible_winrm_server_cert_validation: ignore
>>>>>
>>>>> Host Inventory
>>>>>
>>>>> ---
>>>>> ansible_hostname: mikes-wintest.DOMAIN.CA
>>>>> <http://mikes-wintest.domain.ca/>
>>>>>
>>>>> my WinRM settings after running the ConfigureAnsibleRemoting.ps1 script
>>>>>
>>>>> PS C:\Users\ubermike\Desktop> winrm configSDDL default
>>>>> Service
>>>>> RootSDDL =
>>>>> O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GAGR;;;S-1-5-21-809043649-619790271-106372718-1977)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
>>>>> MaxConcurrentOperations = 4294967295
>>>>> MaxConcurrentOperationsPerUser = 1500
>>>>> EnumerationTimeoutms = 240000
>>>>> MaxConnections = 300
>>>>> MaxPacketRetrievalTimeSeconds = 120
>>>>> AllowUnencrypted = true
>>>>> Auth
>>>>> Basic = true
>>>>> Kerberos = true
>>>>> Negotiate = true
>>>>> Certificate = false
>>>>> CredSSP = true
>>>>> CbtHardeningLevel = Relaxed
>>>>> DefaultPorts
>>>>> HTTP = 5985
>>>>> HTTPS = 5986
>>>>> IPv4Filter = *
>>>>> IPv6Filter = *
>>>>> EnableCompatibilityHttpListener = false
>>>>> EnableCompatibilityHttpsListener = false
>>>>> CertificateThumbprint
>>>>> AllowRemoteAccess = true
>>>>>
>>>>> My Ansible Host Kerb ticket
>>>>>
>>>>> [[email protected]@ansible ~]$ klist -c
>>>>> Ticket cache: KCM:1944601976:978
>>>>> Default principal: [email protected]
>>>>>
>>>>> Valid starting Expires Service principal
>>>>> 2022-06-12 08:10:56 2022-06-12 18:10:56 krbtgt/[email protected]
>>>>> renew until 2022-06-19 08:10:56
>>>>>
>>>>> Latest Error Output from the job
>>>>>
>>>>> {
>>>>> "unreachable": true,
>>>>> "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS
>>>>> failure. Minor code may provide more information', 851968), ('Server not
>>>>> found in Kerberos database', -1765328377)), ssl:
>>>>> HTTPSConnectionPool(host='inventory_hostname', port=5986): *Max
>>>>> retries exceeded with url: /wsman (Caused by
>>>>> NewConnectionError('<urllib3.connection.HTTPSConnection object at
>>>>> 0x7f3ca1fd2430>: Failed to establish a new connection: [Errno -2] Name or
>>>>> service not known'))*",
>>>>> "changed": false
>>>>> }
>>>>>
>>>>>
>>>>> On Saturday, June 11, 2022 at 6:55:15 PM UTC-7 Michael Kennedy wrote:
>>>>>
>>>>>> I am having a problem running WinRM connections with both basic and
>>>>>> kerberos auth.
>>>>>>
>>>>>> My Ansible is deployed with RedHat AAP 4.2.0 on RHEL 9.
>>>>>>
>>>>>> I setup a test Windows 2019 machine and ran the
>>>>>> ConfigureRemotingForAnsible.ps1 script against the host. Rebooted the
>>>>>> host for good measure. Tested from the Ansible server that I can telnet
>>>>>> to 5985 and 5986 (confirmed) but I cannot run a Windows test playbook
>>>>>> against the host.
>>>>>>
>>>>>> Skipping callback 'oneline', as we already have a stdout callback.
>>>>>>
>>>>>> PLAYBOOK: test.yml
>>>>>> *************************************************************
>>>>>> 2 plays in windows/test.yml
>>>>>>
>>>>>> PLAY [test raw module]
>>>>>> *********************************************************18:47:21
>>>>>>
>>>>>> TASK [Gathering Facts]
>>>>>> *********************************************************18:47:21
>>>>>> *task path: /runner/project/windows/test.yml:2*
>>>>>> *[WARNING]: The "winrm" connection plugin has an improperly
>>>>>> configured remote*
>>>>>> *target value, forcing "inventory_hostname" templated value instead
>>>>>> of the*
>>>>>> *string*
>>>>>> redirecting (type: modules) ansible.builtin.setup to
>>>>>> ansible.windows.setup
>>>>>> Using module file
>>>>>> /usr/share/ansible/collections/ansible_collections/ansible/windows/plugins/modules/setup.ps1
>>>>>> Pipelining is enabled.
>>>>>> <inventory_hostname> ESTABLISH WINRM CONNECTION FOR USER:
>>>>>> administrator on PORT 5986 TO inventory_hostname
>>>>>> *fatal: [192.168.12.52]: UNREACHABLE! => {*
>>>>>> * "changed": false,*
>>>>>> * "msg": "ssl: HTTPSConnectionPool(host='inventory_hostname',
>>>>>> port=5986): Max retries exceeded with url: /wsman (Caused by
>>>>>> NewConnectionError('<urllib3.connection.HTTPSConnection object at
>>>>>> 0x7fa35f010f10>: Failed to establish a new connection: [Errno -2] Name or
>>>>>> service not known'))",*
>>>>>> * "unreachable": true*
>>>>>> *}*
>>>>>>
>>>>>> *Running a Windows test against a domain joined machine produces a
>>>>>> different error that I also cannot resolve.*
>>>>>>
>>>>>> PLAY [Ping]
>>>>>> ********************************************************************18:53:19
>>>>>>
>>>>>> TASK [Gathering Facts]
>>>>>> *********************************************************18:53:19
>>>>>> *[WARNING]: The "winrm" connection plugin has an improperly
>>>>>> configured remote*
>>>>>> *target value, forcing "inventory_hostname" templated value instead
>>>>>> of the*
>>>>>> *string*
>>>>>> *fatal: [srvrds04]: UNREACHABLE! => {"changed": false, "msg":
>>>>>> "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor
>>>>>> code may provide more information', 851968), ('Server not found in
>>>>>> Kerberos database', -1765328377))", "unreachable": true}*
>>>>>>
>>>>>> *I am getting this error despite me confirming the SPN is fine.
>>>>>> Confirming I can connect to the host with WinRM from a different domain
>>>>>> joined host. Confirmed my Kerb ticket with kinit and list.*
>>>>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/b064e330-b0cb-4929-9c4d-8c53a54eafccn%40googlegroups.com
>>> <https://groups.google.com/d/msgid/ansible-project/b064e330-b0cb-4929-9c4d-8c53a54eafccn%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
--
Matt Martz
@sivel
sivel.net
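The log excerpts quoted in this thread show the WinRM plugin dialling the literal string `inventory_hostname`, which is why DNS, SPN and firewall checks all came back clean. The following triage helper is an added example, not code from the thread or from the Ansible project; the function name `triage`, the verdict labels and the sample logs are assumptions constructed from the output quoted above.

```python
import re

PLACEHOLDER = "inventory_hostname"  # literal target string seen in the thread's logs
WARNING = "improperly configured remote target value"
KRB_ERROR = "Server not found in Kerberos database"
TARGET_PATTERNS = [
    re.compile(r"endpoint=https?://([^:/\s]+):\d+/wsman"),
    re.compile(r"HTTPS?ConnectionPool\(host='([^']+)'"),
    re.compile(r"ESTABLISH WINRM CONNECTION FOR USER: \S+ on PORT \d+ TO (\S+)"),
]

def triage(log_text):
    """Classify a verbose run by the WinRM target the plugin actually used."""
    flat = " ".join(log_text.split())  # warnings are line-wrapped; undo that
    targets = set()
    for pattern in TARGET_PATTERNS:
        targets.update(pattern.findall(flat))
    warned = WARNING in flat
    if PLACEHOLDER in targets:
        verdict = "placeholder-target"      # plugin dialled the literal string
    elif warned:
        verdict = "placeholder-suspected"   # warning seen, target not logged
    elif targets:
        verdict = "real-target"             # DNS/SPN/firewall checks now apply
    else:
        verdict = "no-target-seen"
    return {"verdict": verdict, "targets": sorted(targets), "warning": warned,
            "kerberos_server_not_found": KRB_ERROR in flat}

# Constructed samples modelled on the output quoted in the thread.
BUGGY_LOG = """\
[WARNING]: The "winrm" connection plugin has an improperly configured remote
target value, forcing "inventory_hostname" templated value instead of the
string
<inventory_hostname> ESTABLISH WINRM CONNECTION FOR USER: administrator on PORT 5986 TO inventory_hostname
fatal: [192.168.12.52]: UNREACHABLE! => {"msg": "ssl: HTTPSConnectionPool(host='inventory_hostname', port=5986): Max retries exceeded with url: /wsman"}
"""
KERBEROS_LOG = """\
[WARNING]: The "winrm" connection plugin has an improperly configured remote
target value, forcing "inventory_hostname" templated value instead of the
string
fatal: [srvrds04]: UNREACHABLE! => {"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure.', 851968), ('Server not found in Kerberos database', -1765328377))"}
"""
HEALTHY_LOG = """\
<mikes-wintest.domain.ca> ESTABLISH WINRM CONNECTION FOR USER: administrator on PORT 5986 TO mikes-wintest.domain.ca
<mikes-wintest.domain.ca> WINRM CONNECT: transport=kerberos endpoint=https://mikes-wintest.domain.ca:5986/wsman
"""

if __name__ == "__main__":
    for name, log in [("buggy", BUGGY_LOG), ("kerberos", KERBEROS_LOG), ("healthy", HEALTHY_LOG)]:
        print(name, triage(log))
```

A `placeholder-target` or `placeholder-suspected` verdict points at the ansible-core version rather than at the network, so the fix referenced at the top of the thread is the first thing to check.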
