I've been struggling for about a week with this issue and have read every internet post about the problem.
What we have
- Windows Server 2016 Datacenter with Hyper-V Role installed (netbios: hv)
- Virtual Machines (netbios: web, fs, dc) on Windows Server 2016 DataCenter
- Windows 10 Professional Laptop with Linux Subsystem installed (netbios: asuslin)
- Domain on dc.goodpeople.local and all the servers and clients (including hv) are joined Active Directory Domain
- AD CA installed with Intermediate Issuing CA on domain controller
- All servers got certificate with auto-enrollment policy to auth kerberos
I would like to configure all servers (including hv) with ansible from my windows 10 laptop with kerberos. For now, I just need a success win_ping to all of them.
Configuration
- winrm configured on all the servers (hv, web, fs, dc) and the client (asuslin) the same way: kerberos auth is turned on, https listener with valid certificate, firewall port 5986 is opened
- as all are windows 2016/win10 – powershell is the latest with .NET at least 4.5
- ansible on the client was installed on the linux subsystem according to the documentation with all the necessary libs, and a valid certificate for the asuslin client is used
Actual Error
ansible hv -m win_ping -vvvv
ansible 2.5.0
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/alexsuslin/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.12 (default, Dec 4 2017, 14:50:18) [GCC 5.4.0 20160609]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/minimal.pyc
META: ran handlers
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_ping.ps1
<hv.goodpeople.local> ESTABLISH WINRM CONNECTION FOR USER: alexsuslin@GOODPEOPLE.LOCAL on PORT 5986 TO hv.goodpeople.local
checking if winrm_host hv.goodpeople.local is an IPv6 address
calling kinit with subprocess for principal alexsuslin@GOODPEOPLE.LOCAL
hv.goodpeople.local | UNREACHABLE! => {
"changed": false,
"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
"unreachable": true
}
What is working
- I can successfully win_ping all the servers fs, dc, web and the client asuslin
- I can run: Enter-PSSession hv.goodpeople.local -UseSSL -Authentication Kerberos
- As I can win_ping the other servers, I assume my krb5.conf is configured correctly, as well as the ansible inventory file. E.g. if I run win_ping within the group, all except hv.goodpeople.local are ok
What I have already checked
- winrm from powershell to hv.goodpeople.local with kerberos and SSL — OK
- SPN for hv.goodpeople.local compared to other servers: dc, web, fs — ALMOST THE SAME (actually as hv is hyper-v role, there are some additional ones)
- my account credentials, tried with Domain Admin
- winrm SDDL on hv.goodpeople.local — SEEMS OK
- SPNs of hv.goodpeople.local and delegation — OK
- different types of ciphers of SSL cert between linux subsystem and hv.goodpeople.local — OK
- kinit — OK, ticket for 24h always valid
kvno HTTP/hv.goodpeople.local@GOODPEOPLE.LOCAL
-> HTTP/hv.goodpeople.local@GOODPEOPLE.LOCAL: kvno = 17
- every page on google about that issue (including [serverfault.com])
- dns is resolving for every machine, including hv
- krb5.conf realm configured correctly with UPPERCASE and FQDN as well as ansible inventory
What bothers me the most is why the same config is not working on a single server while it is working on the others. I have applied the configuration with powershell to be sure everything is the same. Could someone point out what else I should check?
Best Answer
That was such a silly thing I did.
On the Windows (host) machine there was an entry in the C:\WINDOWS\System32\Drivers\etc\hosts file:
192.168.88.20 srv-gp
and that is my hv server... I have removed it and everything is working fine...
P.S. I found the https://github.com/bgamble/pykerberos/blob/master/test.py script to test my kerberos authentication, and from the errors of
sudo ./test.py -s HTTPS@hv.goodpeople.local -r GOODPEOPLE.LOCAL -p 5986 gssapi
I found out about a strange connection to gp-srv... I immediately checked /etc/hosts and the windows hosts file and found the issue.
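Why a stray hosts-file line breaks Kerberos for exactly one host: MIT krb5 canonicalises the service hostname by forward-resolving it and then, with the default `rdns = true`, replacing it with the reverse lookup of the resulting address, and the hosts file wins that reverse lookup. The script below is an added example (not from the question or the answer) that mimics those steps against constructed resolver tables and reports which SPN the client would request; the IPs and hosts-file text are made up for the demonstration.

```python
"""Offline reproduction of the SPN mix-up caused by a hosts-file entry.
Resolver tables are constructed here; swap them for real lookups to use live."""

# Constructed DNS forward table (hostname -> address).
FORWARD = {"hv.goodpeople.local": "192.168.88.20",
           "web.goodpeople.local": "192.168.88.30"}
# Constructed reverse table as DNS alone would answer it.
REVERSE_DNS = {"192.168.88.20": "hv.goodpeople.local",
               "192.168.88.30": "web.goodpeople.local"}
# Constructed hosts-file text reproducing the stray entry from the answer.
HOSTS_TEXT = "# local overrides\n192.168.88.20 srv-gp\n"

def parse_hosts(text):
    """Return {ip: canonical_name} from hosts-file text; a reverse lookup
    against the hosts file returns the first name on the matching line."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            table.setdefault(parts[0], parts[1])
    return table

def canonical_host(host, forward, reverse, rdns=True):
    """Mimic krb5 canonicalisation: forward-resolve, then (if rdns=true,
    the default) take the reverse lookup of the address as the host part."""
    ip = forward.get(host, host)
    if rdns and ip in reverse:
        return reverse[ip].lower()
    return host.lower()

def diagnose(host, realm, forward, reverse, hosts_text="", rdns=True):
    """Report the SPN the client will ask the KDC for versus the FQDN-based
    SPN the server registered; hosts-file entries shadow reverse DNS."""
    merged = dict(reverse)
    merged.update(parse_hosts(hosts_text))
    requested = "HTTP/%s@%s" % (canonical_host(host, forward, merged, rdns), realm)
    registered = "HTTP/%s@%s" % (host.lower(), realm)
    return {"requested": requested, "registered": registered,
            "mismatch": requested != registered}

if __name__ == "__main__":
    for h in ("hv.goodpeople.local", "web.goodpeople.local"):
        r = diagnose(h, "GOODPEOPLE.LOCAL", FORWARD, REVERSE_DNS, HOSTS_TEXT)
        print("%-22s requests %-38s mismatch=%s" % (h, r["requested"], r["mismatch"]))
    # Setting rdns = false in [libdefaults] is the other way to stop this.
    print(diagnose("hv.goodpeople.local", "GOODPEOPLE.LOCAL", FORWARD,
                   REVERSE_DNS, HOSTS_TEXT, rdns=False)["mismatch"])
```

A "mismatch" here means the KDC is asked for a principal that was never registered, which is exactly the "Server not found in Kerberos database" the question shows; the hosts-file clean-up in the answer and `rdns = false` in krb5.conf both make the requested and registered SPNs agree.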