Meant to say also need to match the domain names in your /etc/krb5.conf.

No harm in checking the event logs on the Windows hosts, but if the domain of your Kerberos ticket doesn't exactly match the domain that the Windows host is on, that might explain why it thinks the username/password is incorrect.

Hope this helps,

Jon

On Tuesday, 8 March 2016 13:29:56 UTC, Akash John wrote:
>
> Hi Hawkesworth,
>
> kinit -C giving an output as [email protected] and is prompting for
> inputting password. I have used the same as you suggested
> (ansible_ssh_user: [email protected]) and I cannot find any change
> while executing win_ping.
>
> But, if it is the case how other servers are providing proper response to
> win_ping..
>
> Do we need to check anything from Windows Server side?
>
> Thanks,
> Akash John
>
> On Tuesday, March 8, 2016 at 6:05:46 PM UTC+5:30, J Hawkesworth wrote:
>>
>> Looks like you have some parent/subdomain relationship going on. In my
>> experience you must use whatever domain name is returned by kinit -C. So
>> kinit -C returns CORP.MYDOMAIN.COM in your case - so that is what you
>> need to put in your kinit command line and ansible_ssh_user - if not the
>> domains don't match up and maybe that is why you are getting the 'the
>> username/password specified for this server is incorrect' message.
>>
>> Hope this helps,
>>
>> Jon
>>
>> On Monday, 7 March 2016 16:14:55 UTC, Akash John wrote:
>>>
>>> Hi Hawkesworth,
>>>
>>> Thanks for your quick response.
>>>
>>> Please find the responses below,
>>>
>>> What is the exact error message you are seeing?
>>>
>>> *ansible hostname.mydomain.com -m win_ping -vvvvvv*
>>> *<hostname.mydomain.com> ESTABLISH WINRM CONNECTION FOR USER: on PORT 5986 TO hostname.mydomain.com*
>>> *<hostname.mydomain.com> WINRM CONNECT: transport=kerberos endpoint=https://hostname.mydomain.com:5986/wsman*
>>> *hostname.mydomain.com | FAILED => the username/password specified for this server was incorrect*
>>>
>>> 1/ In Powershell, running as Administrator, run winrm get winrm/config
>>>
>>> *Both working and not working hosts are giving same output*
>>>
>>> 2/ Check the machines you cannot connect to have a current trust
>>> relationship with your domain controller (ensure you can log in with the
>>> same domain username and password as ansible is using).
>>>
>>> *It is working, and the user name is already in the format as you
>>> suggested*
>>> *ansible_ssh_user: [email protected]*
>>>
>>> 3/ use kinit -C [email protected] to acquire a kerberos ticket, and
>>> then use klist to examine the ticket.
>>>
>>> *I was able to acquire kerberos ticket and the klist is showing
>>> necessary data.*
>>>
>>> *Ticket cache: KEYRING:persistent:0:0*
>>> *Default principal: [email protected]*
>>> *Valid starting Expires Service principal*
>>> *03/07/2016 11:05:32 03/07/2016 21:05:32 krbtgt/[email protected]*
>>> * renew until 03/07/2016 21:05:32*
>>>
>>> 4/ ensure the hosts you cannot connect to have clocks synchronized with
>>> your AD Domain controllers
>>>
>>> *Yes, it is, since the machine in which I am able to connect to is having
>>> the same time as in the machine I am not able to connect.*
>>>
>>> 5/ ensure the hosts you cannot connect to can be found using both
>>> hostname and ip address
>>>
>>> *Yes, we can find the machines with IP and host names. This was tested
>>> using RDP.*
>>>
>>> Please let me know if you want to have any other details.
>>>
>>> Thanks,
>>> Akash John
>>>
>>> On Monday, March 7, 2016 at 8:25:43 PM UTC+5:30, J Hawkesworth wrote:
>>>>
>>>> What is the exact error message you are seeing?
>>>>
>>>> Also try running ansible with -v or -vvvvvv to see connection debugging
>>>> information.
>>>>
>>>> Here are some more suggestions:
>>>>
>>>> 1/ In Powershell, running as Administrator, run
>>>>
>>>>     winrm get winrm/config
>>>>
>>>> on a machine that can't be connected to, and compare the same from a
>>>> machine that can be connected to.
>>>>
>>>> 2/ Check the machines you cannot connect to have a current trust
>>>> relationship with your domain controller (ensure you can log in with the
>>>> same domain username and password as ansible is using).
>>>>
>>>> Ensure the ansible_ssh_user has fully qualified domain name, and the
>>>> domain part is in UPPER CASE LETTERS
>>>>
>>>>     ansible_ssh_user: [email protected]
>>>>
>>>> Not
>>>>
>>>>     ansible_ssh_user: testuser@MY
>>>>
>>>> or
>>>>
>>>>     ansible_ssh_user: [email protected]
>>>>
>>>> 3/ use kinit -C [email protected] to acquire a kerberos ticket, and
>>>> then use klist to examine the ticket.
>>>>
>>>> 4/ ensure the hosts you cannot connect to have clocks synchronized
>>>> with your AD Domain controllers
>>>>
>>>> 5/ ensure the hosts you cannot connect to can be found using both
>>>> hostname and ip address
>>>>
>>>> That is: if you ping hostname, the response gives you an ip address.
>>>> If you then use that ip address with nslookup, it must return the same
>>>> hostname, or kerberos will not be able to connect.
>>>>
>>>> For example
>>>>
>>>>     C:\> ping windows-t1
>>>>
>>>>     Pinging windows-t1.my.domain.com [192.168.1.100] with 32 bytes of data:
>>>>     Reply from 192.168.1.100:......
>>>>     Control-C
>>>>     ^C
>>>>
>>>>     C:\> nslookup 192.168.1.100
>>>>     Server: dc01.my.domain.com
>>>>     Address: 192.168.1.50
>>>>
>>>>     Name: windows-t1.my.domain.com
>>>>     Address: 192.168.1.100
>>>>
>>>>     C:\>
>>>>
>>>> Hope this helps,
>>>>
>>>> Jon
>>>>
>>>> On Monday, 7 March 2016 13:52:50 UTC, Akash John wrote:
>>>>>
>>>>> Hi Hawkesworth,
>>>>>
>>>>> What version of windows and service pack is on the hosts that won't
>>>>> respond to ping?
>>>>>
>>>>> *Windows server 2012 R2 Standard,* but all other responding hosts are
>>>>> having same operating system version.
>>>>>
>>>>> Are you using the win_ping module? win_ping will connect using the
>>>>> winrm port, rather than the normal ping port. You might have firewall
>>>>> configured not to respond to the normal ping port on the machines which
>>>>> are not responding.
>>>>>
>>>>> *Yes, we are using win_ping module and the port which we are using is
>>>>> 5986. The firewall is configured to enable all port access from ansible
>>>>> server to remote host.*
>>>>>
>>>>> Please ensure
>>>>> https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
>>>>> has been run on the machines that won't respond.
>>>>>
>>>>> We ran the script, even after that we are getting the same response.
>>>>>
>>>>> Please let us know if you need to have any other details about the
>>>>> infra.
>>>>>
>>>>> On Saturday, March 5, 2016 at 7:53:51 PM UTC+5:30, J Hawkesworth wrote:
>>>>>>
>>>>>> What version of windows and service pack is on the hosts that won't
>>>>>> respond to ping?
>>>>>>
>>>>>> Are you using the win_ping module? win_ping will connect using the
>>>>>> winrm port, rather than the normal ping port. You might have firewall
>>>>>> configured not to respond to the normal ping port on the machines which
>>>>>> are not responding.
>>>>>>
>>>>>> Please ensure
>>>>>> https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
>>>>>> has been run on the machines that won't respond.
>>>>>>
>>>>>> Hope this helps,
>>>>>>
>>>>>> Jon
>>>>>>
>>>>>> On Friday, 4 March 2016 15:20:58 UTC, Akash John wrote:
>>>>>>>
>>>>>>> Hi Team,
>>>>>>>
>>>>>>> We have configured ansible to perform activities on windows hosts
>>>>>>> and all are under the same AD. But somehow some of the hosts are not
>>>>>>> providing positive ping response. Please find the response which we are
>>>>>>> getting below,
>>>>>>>
>>>>>>> *myserver.data.log.doman.com | FAILED => the username/password specified for this server was incorrect*
>>>>>>>
>>>>>>> *Configurations on Ansible*
>>>>>>>
>>>>>>> - Host file containing FQDN for each hosts
>>>>>>> - /etc/ansible/group_vars/windows.yaml containing
>>>>>>>   - *ansible_ssh_user: [email protected]*
>>>>>>>   - *ansible_ssh_pass: MYPassword*
>>>>>>>   - *ansible_connection: winrm*
>>>>>>>   - *ansible_ssh_port: 5986*
>>>>>>> - Authentication: AD Authentication
>>>>>>>
>>>>>>> I have seen
>>>>>>> https://groups.google.com/forum/#!msg/ansible-project/Vzrr-s4iuss/WEn4Gv1iLQAJ
>>>>>>> on this place and cannot find the proper solution for the issue.
>>>>>>>
>>>>>>> Could you please help us to resolve this issue?
>>>>>>>
>>>>>>> Please let us know if you need to have any other details about the
>>>>>>> configuration.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Akash John
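The realm comparison discussed in this thread (the realm in ansible_ssh_user, the realm on the ticket shown by klist, and the domain names in /etc/krb5.conf) can be checked mechanically. The following is an added example, not part of any poster's message and not Ansible code: the function names are hypothetical, the klist output and krb5.conf text are constructed samples, and `realm_for_host` assumes the usual `[domain_realm]` convention of an exact host entry or a parent domain written with a leading dot.

```python
import re

# Constructed sample data (not from the thread): klist output and krb5.conf.
KLIST_OUT = "Ticket cache: KEYRING:persistent:0:0\nDefault principal: testuser@CORP.MYDOMAIN.COM\n"
KRB5_CONF = """[realms]
 MYDOMAIN.COM = {
  kdc = dc01.mydomain.com
 }
[domain_realm]
 .mydomain.com = MYDOMAIN.COM
"""

def ticket_realm(klist_text):
    # Realm is whatever follows '@' in the "Default principal:" line.
    m = re.search(r"^Default principal:\s*\S+@(\S+)\s*$", klist_text, re.M)
    return m.group(1) if m else None

def parse_krb5(conf_text):
    # Returns (realm names defined under [realms], [domain_realm] mapping).
    section, realms, dmap = None, set(), {}
    for line in (raw.split("#")[0].strip() for raw in conf_text.splitlines()):
        key, eq, val = (p.strip() for p in line.partition("="))
        if line.startswith("["):
            section = line.strip("[]")
        elif eq and section == "realms" and val.startswith("{"):
            realms.add(key)
        elif eq and section == "domain_realm":
            dmap[key.lower()] = val
    return realms, dmap

def realm_for_host(host, dmap):
    # Exact host entry first, then each parent domain written as ".domain".
    labels = host.lower().split(".")
    keys = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((dmap[k] for k in keys if k in dmap), None)

def check(user, host, klist_text, conf_text):
    # List every mismatch between ansible_ssh_user, the ticket and krb5.conf.
    user_realm, t_realm = user.partition("@")[2], ticket_realm(klist_text)
    realms, dmap = parse_krb5(conf_text)
    h_realm = realm_for_host(host, dmap)
    checks = [
        (user_realm == user_realm.upper(), "realm in ansible_ssh_user is not upper case"),
        (user_realm == t_realm, f"user realm {user_realm!r} != ticket realm {t_realm!r}"),
        (t_realm in realms, f"ticket realm {t_realm!r} not defined under [realms]"),
        (h_realm == t_realm, f"[domain_realm] maps {host} to {h_realm!r}"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Calling `check("testuser@MYDOMAIN.COM", "hostname.mydomain.com", KLIST_OUT, KRB5_CONF)` on the constructed data reports three mismatches; an empty list means all three places name the same realm.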
