Looks like you have some parent/subdomain relationship going on. In my experience you must use whatever domain name is returned by kinit -C. So kinit -C returns CORP.MYDOMAIN.COM in your case, so that is what you need to put in your kinit command line and ansible_ssh_user. If not, the domains don't match up, and maybe that is why you are getting the 'the username/password specified for this server is incorrect' message.

Hope this helps,

Jon

On Monday, 7 March 2016 16:14:55 UTC, Akash John wrote:
>
> Hi Hawkesworth,
>
> Thanks for your quick response.
>
> Please find the responses below,
>
> What is the exact error message you are seeing?
>
> *ansible hostname.mydomain.com -m win_ping -vvvvvv*
> *<hostname.mydomain.com> ESTABLISH WINRM CONNECTION FOR USER: on PORT 5986 TO hostname.mydomain.com*
> *<hostname.mydomain.com> WINRM CONNECT: transport=kerberos endpoint=https://hostname.mydomain.com:5986/wsman*
> *hostname.mydomain.com | FAILED => the username/password specified for this server was incorrect*
>
> 1/ In Powershell, running as Administrator, run winrm get winrm/config
>
> *Both working and not working hosts are giving same output*
>
> 2/ Check the machines you cannot connect to have a current trust
> relationship with your domain controller (ensure you can log in with the
> same domain username and password as ansible is using).
>
> *It is working, and the user name is already in the format as you suggested*
> *ansible_ssh_user: [email protected]*
>
> 3/ use kinit -C [email protected] to acquire a kerberos ticket, and then
> use klist to examine the ticket.
>
> *I was able to acquire kerberos ticket and the klist is showing necessary data.*
>
> *Ticket cache: KEYRING:persistent:0:0*
> *Default principal: [email protected]*
> *Valid starting Expires Service principal*
> *03/07/2016 11:05:32 03/07/2016 21:05:32 krbtgt/[email protected]*
> * renew until 03/07/2016 21:05:32*
>
> 4/ ensure the hosts you cannot connect to have clocks synchronized with
> your AD Domain controllers
>
> *Yes, it is, since the machine to which I am able to connect has the same
> time as the machine to which I am not able to connect.*
>
> 5/ ensure the hosts you cannot connect to can be found using both hostname
> and ip address
>
> *Yes, we can find the machines with IP and host names. This was tested
> using RDP.*
>
> Please let me know if you want to have any other details.
>
> Thanks,
> Akash John
>
> On Monday, March 7, 2016 at 8:25:43 PM UTC+5:30, J Hawkesworth wrote:
>>
>> What is the exact error message you are seeing?
>>
>> Also try running ansible with -v or -vvvvvv to see connection debugging
>> information.
>>
>> Here are some more suggestions:
>>
>> 1/ In Powershell, running as Administrator, run
>>
>> winrm get winrm/config
>>
>> on a machine that can't be connected to, and compare the same from a
>> machine that can be connected to.
>>
>> 2/ Check the machines you cannot connect to have a current trust
>> relationship with your domain controller (ensure you can log in with the
>> same domain username and password as ansible is using).
>>
>> Ensure the ansible_ssh_user has fully qualified domain name, and the
>> domain part is in UPPER CASE LETTERS
>>
>> ansible_ssh_user: [email protected]
>>
>> Not
>>
>> ansible_ssh_user: testuser@MY
>>
>> or
>> ansible_ssh_user: [email protected]
>>
>> 3/ use kinit -C [email protected] to acquire a kerberos ticket, and
>> then use klist to examine the ticket.
>>
>> 4/ ensure the hosts you cannot connect to have clocks synchronized with
>> your AD Domain controllers
>>
>> 5/ ensure the hosts you cannot connect to can be found using both
>> hostname and ip address
>>
>> That is: if you ping hostname, the response gives you an ip address. If
>> you then use that ip address with nslookup, it must return the same
>> hostname, or kerberos will not be able to connect.
>>
>> For example
>>
>> C:\> ping windows-t1
>>
>> Pinging windows-t1.my.domain.com [192.168.1.100] with 32 bytes of data:
>> Reply from 192.168.1.100:......
>> Control-C
>> ^C
>>
>> C:\> nslookup 192.168.1.100
>> Server: dc01.my.domain.com
>> Address: 192.168.1.50
>>
>> Name: windows-t1.my.domain.com
>> Address: 192.168.1.100
>>
>> C:\>
>>
>> Hope this helps,
>>
>> Jon
>>
>> On Monday, 7 March 2016 13:52:50 UTC, Akash John wrote:
>>>
>>> Hi Hawkesworth,
>>>
>>> What version of windows and service pack is on the hosts that won't
>>> respond to ping?
>>>
>>> *Windows server 2012 R2 Standard,* but all other responding hosts are
>>> having same operating system version.
>>>
>>> Are you using the win_ping module? win_ping will connect using the
>>> winrm port, rather than the normal ping port. You might have firewall
>>> configured not to respond to the normal ping port on the machines which
>>> are not responding.
>>>
>>> *Yes, we are using win_ping module and the port which we are using is
>>> 5986. The firewall is configured to enable all port access from ansible
>>> server to remote host.*
>>>
>>> Please ensure
>>> https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
>>> has been run on the machines that won't respond.
>>>
>>> We ran the script, even after that we are getting the same response.
>>>
>>> Please let us know if you need to have any other details about the
>>> infra.
>>>
>>> On Saturday, March 5, 2016 at 7:53:51 PM UTC+5:30, J Hawkesworth wrote:
>>>>
>>>> What version of windows and service pack is on the hosts that won't
>>>> respond to ping?
>>>>
>>>> Are you using the win_ping module? win_ping will connect using the
>>>> winrm port, rather than the normal ping port. You might have firewall
>>>> configured not to respond to the normal ping port on the machines
>>>> which are not responding.
>>>>
>>>> Please ensure
>>>> https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
>>>> has been run on the machines that won't respond.
>>>>
>>>> Hope this helps,
>>>>
>>>> Jon
>>>>
>>>> On Friday, 4 March 2016 15:20:58 UTC, Akash John wrote:
>>>>>
>>>>> Hi Team,
>>>>>
>>>>> We have configured ansible to perform activities on windows hosts and
>>>>> all are under the same AD. But somehow some of the hosts are not
>>>>> providing positive ping response. Please find the response which we
>>>>> are getting below,
>>>>>
>>>>> *myserver.data.log.doman.com | FAILED => the username/password specified for this server was incorrect*
>>>>>
>>>>> *Configurations on Ansible*
>>>>>
>>>>> - Host file containing FQDN for each host
>>>>> - /etc/ansible/group_vars/windows.yaml containing
>>>>>   - *ansible_ssh_user: [email protected]*
>>>>>   - *ansible_ssh_pass: MYPassword*
>>>>>   - *ansible_connection: winrm*
>>>>>   - *ansible_ssh_port: 5986*
>>>>> - Authentication: AD Authentication
>>>>>
>>>>> I have seen
>>>>> https://groups.google.com/forum/#!msg/ansible-project/Vzrr-s4iuss/WEn4Gv1iLQAJ
>>>>> on this place and cannot find the proper solution for the issue.
>>>>>
>>>>> Could you please help us to resolve this issue?
>>>>>
>>>>> Please let us know if you need to have any other details about the
>>>>> configuration.
>>>>>
>>>>> Thanks,
>>>>> Akash John
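
A pre-flight check for two points raised in this thread (the realm in ansible_ssh_user must be the one kinit -C returned, and forward and reverse DNS must agree), added here as an example and not code from the posters or from Ansible. The function names and the testuser principal are hypothetical, the klist sample is constructed, and the inventory name is assumed to be the FQDN.

```python
import re
import socket

# Constructed klist output in the layout quoted in the thread; the principal
# testuser@CORP.MYDOMAIN.COM is a placeholder, not a value from the posts.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:0:0
Default principal: testuser@CORP.MYDOMAIN.COM

Valid starting       Expires              Service principal
03/07/2016 11:05:32  03/07/2016 21:05:32  krbtgt/CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM
"""


def ticket_principal(klist_text):
    """Return (user, realm) from the 'Default principal:' line of klist output."""
    m = re.search(r"^Default principal:\s*(\S+)@(\S+)\s*$", klist_text, re.M)
    if m is None:
        raise ValueError("no 'Default principal' line; run kinit first")
    return m.group(1), m.group(2)


def check_user(ansible_user, klist_text):
    """List the ways ansible_ssh_user disagrees with the ticket kinit -C produced."""
    if "@" not in ansible_user:
        return ["ansible_ssh_user has no @REALM part"]
    user, realm = ansible_user.rsplit("@", 1)
    t_user, t_realm = ticket_principal(klist_text)
    problems = []
    if user.lower() != t_user.lower():
        problems.append(f"user {user!r} is not the ticket's {t_user!r}")
    if realm.upper() != t_realm.upper():
        # e.g. parent domain configured while the ticket is for the subdomain
        problems.append(f"realm {realm} is not the ticket realm {t_realm}")
    elif realm != t_realm:
        problems.append(f"realm case differs: use {t_realm}")
    return problems


def dns_round_trip(host, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Forward-resolve host, reverse-resolve the address, compare the two names."""
    ip = forward(host)
    name = reverse(ip)[0]
    ok = name.rstrip(".").lower() == host.rstrip(".").lower()
    return ok, ip, name


if __name__ == "__main__":
    for candidate in ("testuser@MYDOMAIN.COM", "testuser@corp.mydomain.com",
                      "testuser@CORP.MYDOMAIN.COM"):
        print(candidate, "->", check_user(candidate, SAMPLE_KLIST) or "matches ticket")
```

On a control node, pass the real output of klist in place of SAMPLE_KLIST; dns_round_trip uses the system resolver unless other lookup functions are supplied.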
