在 Windows 上与域用户一起使用 Ansible

Question

I'm starting to learn Ansible but the documentation is not too helpful.

I have installed the control machine on RHEL and created the necessary hosts file and windows.yml .

But when trying to connect to the remote Windows server to get a pong back I get the following error:

[root@myd666 ansible_test]# ansible windows -i hosts -m win_ping
hostname | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}

After Installing python-kerberos dependencies ,

I now get this Error:

hostname | UNREACHABLE! => {
    "changed": false,
    "msg": "Kerberos auth failure: kinit: KDC reply did not match expectations while getting initial credentials",
    "unreachable": true
}

My windows.yml file contains:

# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml
ansible_ssh_user: user@MYDOMAIN.NET
ansible_ssh_pass: password
ansible_ssh_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

Am I doing anything wrong with the syntax of Domain\\user\u003c/strong> ? Maybe I forgot to install something on the Windows machine? I only ran the ConfigureRemotingForAnsible.ps1 script, and Python is not installed there.

This is my krb5.conf file:

[libdefaults]
default_realm = MYDOMAIN.NET
#dns_lookup_realm = true
#dns_lookup_kdc = true

[realms]
MYDOMAIN.NET = {
kdc = dc1.mydomain.net
default_domain = hpeswlab.net
}

[domain_realm]
.mydomain.net = MYDOMAIN.NET
 mydomain.net = MYDOMAIN.NET

And I do get a token using Kinit:

kinit -C user@MYDOMAIN.NET

klist

Klist output:

Valid starting       Expires              Service principal
01/31/2017 11:25:33  01/31/2017 21:25:33  krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
        renew until 02/01/2017 11:25:29

Answer 1

In windows.yml , please double-check and ensure that the ansible_ssh_user: user@MYDOMAIN.NET line does indeed have the realm MYDOMAIN.NET in upper case. Somewhere, the realm request to the KDC is being sent in lower case instead of upper case causing the 'KDC reply did not match expectations..' error.

In krb5.conf , case-sensitivity is also important. First I'll note that since the KDC name is the name of an IP host, so it needs to be specified as a fully-qualified host name, like in the example shown below. It assumes your KDC is named "dc1.mydomain.net". Next, the domain name should only be in lower case. On the other hand, Kerberos Realm names need be in upper case - if the realm name is incorrectly specified in lower case in this file that is another reason you may get this error message. Please modify your entire krb5.conf to look like that shown below (changing only "dc1" to the actual name) and it should work. Side note: You do not necessarily need the two dns_lookup_ lines in your krb5.conf, so please comment them out per the below. Those are fallback mechanisms only as per the MIT Kerberos Documentation and may actually cause issues in your simple use case. After modifying either configuration file, make sure to restart the Ansible engine before testing again.

[libdefaults]
default_realm = MYDOMAIN.NET
#dns_lookup_realm = true
#dns_lookup_kdc = true

[realms]
MYDOMAIN.NET = {
kdc = dc1.mydomain.net
default_domain = mydomain.net
        }

[domain_realm]
.mydomain.net = MYDOMAIN.NET 
mydomain.net = MYDOMAIN.NET

Please refer to this MIT reference for how to properly set up the krb5.conf: Sample krb5.conf File

In the Hosts file, check to ensure your IP to name mappings are correct. Per the RFCs, Kerberos requires a properly functioning DNS, and you are at risk of shortchanging that if your Hosts file has outdated entries in it.

Finally, though I wasn't able to tell which version of Ansible you were using, I did some research and found that "Ansible 2.0 has deprecated the “ssh” from ansible_ssh_user, ansible_ssh_host, and ansible_ssh_port to become ansible_user, ansible_host, and ansible_port." This could certainly be part of the problem. See: Ansible on Windows Documentation