Reputation: 3104
I have three Windows computers. One is Windows Server 2012; the other two are Windows 7 desktops. Through Ansible I can individually manage all three Windows machines through their local login accounts. Ansible works perfectly.
Now I have configured AD on the Windows Server 2012 machine and joined the two desktop computers to AD. Through Active Directory's Administrator account I can log in to all three Windows machines.
To manage AD accounts in Ansible I installed Kerberos as mentioned in this documentation.
My configuration is as follows:
/etc/krb5.conf
[libdefaults]
    default_realm = NAANAL.IN

[realms]
    NAANAL.IN = {
        kdc = WIN2012.naanal.in
        default_domain = naanal.in
    }

[domain_realm]
    .naanal.in = NAANAL.IN

[login]
    krb4_convert = true
    krb4_get_tickets = false
Connection and ticket details:
kinit [email protected]
Password for [email protected]:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting        Expires               Service principal
2016-07-10T20:41:25   2016-07-11T06:41:25   krbtgt/[email protected]
    renew until 2016-07-11T20:40:33
Now I try to ping all my Windows machines through the account [email protected].
Here is my configuration and output:
hosts
[windows]
192.168.1.13    # Windows 7 desktop, joined to AD
192.168.1.23    # Windows 7 desktop, joined to AD
172.30.64.77    # Windows Server 2012 with AD
group_vars/windows.yaml
ansible_user: [email protected]
ansible_password: p@ssw0rd1
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
When I run ansible windows -i hosts -m win_ping:
192.168.1.13 | UNREACHABLE! => {
"changed": false,
"msg": "ssl: the specified credentials were rejected by the server",
"unreachable": true
}
192.168.1.23 | UNREACHABLE! => {
"changed": false,
"msg": "ssl: the specified credentials were rejected by the server",
"unreachable": true
}
172.30.64.77 | SUCCESS => {
"changed": false,
"ping": "pong"
}
i.e. in Ansible, I can't log in to the computers joined to AD through an AD user account. What am I missing?
Note: I enabled remote connections on the desktops. I also tried with the firewall disabled.
Upvotes: 1
Views: 3468
Reputation: 5594
I noticed these two lines in your /etc/krb5.conf:
krb4_convert = true
krb4_get_tickets = false
They are, in effect, telling the Kerberos conversion daemon to get V4 tickets and then telling it not to accept V4 tickets. Apart from the contradiction in the configuration, Active Directory in all of its versions has only ever used Kerberos v5. Remove these lines from your krb5.ini.
Reference: https://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.1/doc/krb5-admin/login.html
Upvotes: 1
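As an added example (not part of the question or the answer above), here is the same inventory rewritten in Ansible's YAML inventory format so that the hosts are addressed by their AD DNS names and WinRM is told to use Kerberos explicitly. Kerberos can only issue a service ticket for a principal the KDC knows about, and AD registers WinRM hosts under HTTP/<fqdn>, so an inventory keyed by IP address gives the client nothing to request a ticket for. The desktop names desk13.naanal.in and desk23.naanal.in are hypothetical; only win2012.naanal.in and the realm NAANAL.IN come from the question. The krb5.conf stays as posted, minus the [login] section the answer tells you to remove.

```yaml
# Added example: Ansible YAML inventory replacing the IP-based "hosts" file
# and group_vars/windows.yaml from the question. Host names for the two
# desktops are assumptions; the realm and the server name come from the post.
all:
  children:
    windows:
      hosts:
        # Kerberos needs a service ticket for HTTP/<fqdn>, so targets are
        # named by the FQDN registered in AD DNS, never by IP address.
        desk13.naanal.in:      # hypothetical name for 192.168.1.13
        desk23.naanal.in:      # hypothetical name for 192.168.1.23
        win2012.naanal.in:     # the domain controller from the question
      vars:
        ansible_connection: winrm
        ansible_port: 5986
        # Principal in user@REALM form, realm in upper case to match the
        # default_realm in /etc/krb5.conf. The account name is an assumption.
        ansible_user: Administrator@NAANAL.IN
        # Request Kerberos explicitly rather than letting pywinrm try basic
        # auth first; basic auth is what the AD-joined desktops are rejecting.
        ansible_winrm_transport: kerberos
        # No ansible_password: the connection reuses the ticket obtained with
        # kinit. If a password is set, Ansible runs kinit itself with it.
        # Self-signed listener certificates, as in the original question;
        # replace with a CA-issued certificate before trusting this in production.
        ansible_winrm_server_cert_validation: ignore
```

Run it with `ansible windows -i inventory.yaml -m win_ping` after `kinit` has populated the ticket cache; `klist` should then show an HTTP/desk13.naanal.in service ticket alongside the krbtgt entry, which is the quickest check that the SPN lookup, and not the credentials, was the thing failing. The two desktops also need the AD account in their local Administrators group, which a domain Administrator gets by default through Domain Admins membership.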