Hi,

I'm struggling with a 401 authentication error. I've got a Windows Server 2012 
R2 machine and an Ubuntu 14.04 machine (with Ansible v2.0.0.2). I'm trying to 
authenticate as a test user (who belongs to the Domain Admins group). This is my 
inventory_windows.yml file:

[windows]
10.91.96.60     [email protected]   ansible_port=5986   ansible_connection=winrm

And the way I execute Ansible:

ansible windows -i inventory_windows.yml -m win_ping -vvvvvv

Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<10.91.96.60> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO 10.91.96.60
<10.91.96.60> WINRM CONNECT: transport=kerberos endpoint=https://10.91.96.60:5986/wsman
<10.91.96.60> WINRM CONNECTION ERROR: the username/password specified for this server was incorrect
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/ansible/plugins/connection/winrm.py", line 138, in _winrm_connect
    protocol.send_message('')
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 301, in send_message
    raise WinRMTransportError('kerberos', error_message)
WinRMTransportError: 500 WinRMTransport. Kerberos-based authentication was failed. Code 401


I know that I should acquire a ticket first. Here's how I do this:

kinit [email protected]
Password for [email protected]:

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
03/04/2016 16:29:19  03/05/2016 02:29:19  krbtgt/[email protected]
        renew until 03/05/2016 16:29:20

I thought that if I acquired a ticket, then there should be no 
authentication errors, but apparently I'm wrong.

Note that I've already (as described here: troubleshooting-kerberos-connections 
<http://docs.ansible.com/ansible/intro_windows.html#troubleshooting-kerberos-connections>):
1. Synchronized the time between the Linux and Windows machines.
2. Verified that my forward and reverse DNS lookups are working fine. 
nslookup 10.91.96.60 returns the correct FQDN:
nslookup 10.91.96.60 
Server:         10.91.97.101
Address:        10.91.97.101#53

60.96.91.10.in-addr.arpa        name = winhost.mycloud.local.

3. Enabled the `AllowUnencrypted` option on the Windows machine and tried with 
ansible_winrm_scheme=http.


One of the things I'm not sure about is this:
"Ensure that the Ansible controller has a properly configured computer 
account in the domain."

Could someone explain this? I've created an 'azure' computer account in AD 
('azure' is the hostname of my Ubuntu machine). Is this enough?

Any help would be much appreciated!
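
A pre-flight check for the ticket cache shown above, as an added example that is not part of the original post: it parses klist output in the layout quoted in the message and reports why the cache could not authenticate a given user. The realm EXAMPLE.LOCAL, the function names and the sample text are constructed for illustration, and the date layout is assumed to match the one in the post.

```python
import re
from datetime import datetime, timedelta

# Date layout of the klist output quoted in the post; locale-dependent (assumption).
STAMP = "%m/%d/%Y %H:%M:%S"
ROW = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+"
                 r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)\s*$")
MAX_SKEW = timedelta(minutes=5)  # default Kerberos clock-skew tolerance
# Constructed sample; the principal and realm are placeholders.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@EXAMPLE.LOCAL

Valid starting       Expires              Service principal
03/04/2016 16:29:19  03/05/2016 02:29:19  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
        renew until 03/05/2016 16:29:20
"""

def parse_klist(text):
    """Return (default_principal, [(start, end, service), ...])."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        match = ROW.match(line.strip())
        if match:
            start, end, service = match.groups()
            tickets.append((datetime.strptime(start, STAMP),
                            datetime.strptime(end, STAMP), service))
    return principal, tickets

def tgt_problems(text, user, now):
    """List reasons the cache cannot be used to authenticate as `user`."""
    principal, tickets = parse_klist(text)
    if principal is None:
        return ["no default principal: cache is empty or unreadable"]
    problems = []
    if principal != user:
        problems.append("cache principal %s differs from %s" % (principal, user))
    realm = principal.rpartition("@")[2]
    tgt = "krbtgt/%s@%s" % (realm, realm)
    windows = [(s, e) for s, e, svc in tickets if svc == tgt]
    if not windows:
        problems.append("no TGT for realm " + realm)
    elif all(e <= now for _, e in windows):
        problems.append("TGT expired; run kinit again")
    elif all(s - MAX_SKEW > now for s, _ in windows):
        problems.append("TGT not yet valid; check local clock")
    return problems
```

An empty list from tgt_problems means the cache holds a usable TGT for that user; it says nothing about whether a service ticket for the WinRM host can be obtained.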
