如何解决此 ansible kerberos 错误?
我在 WSL 中安装了 Ubuntu 20.04,并安装了 Ansible。我正在尝试在本地计算机上运行 Windows 更新。我尝试过使用我的帐户、服务帐户等。我运行了 kinit -C [email protected] 命令并拥有有效的票证。我的计算机已加入 AD/Azure 混合,本地域为“domain.local”,但我们使用 [电子邮件受保护] 到计算机。
我的 /etc/resolv.conf 中列出了内部域控制器,因此我可以 ping/访问域计算机。
我尝试过 [电子邮件受保护]、DOMAIN.COM、myuser、[email protected]
运行“ansible-playbook -i ports -vvvv win-update.yml”时不断收到错误:
TASK [Gathering Facts] ******************************************************************************************************************************************************************************************
task path: /home/gmeyer/ansible/win-update.yml:5
Using module file /usr/lib/python3/dist-packages/ansible/modules/windows/setup.ps1
Pipelining is enabled.
<10.20.30.174> ESTABLISH WINRM CONNECTION FOR USER: myuser on PORT 5986 TO 10.20.30.174
fatal: [10.20.30.174]: UNREACHABLE! => {
"changed": false,
"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
"unreachable": true
}
PLAY RECAP ******************************************************************************************************************************************************************************************************`
10.20.30.174 : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0
My /etc/krb5.conf:
[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
X-ISS.LOCAL = {
kdc = dc.domain.local
admin_server = dc.domain.local
default_domain = domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
我的主机:
[win]
10.20.30.174
[win:vars]
[email protected]
ansible_connection = winrm
ansible_winrm_server_cert_validation = ignore
ansible_password = [redacted]
ansible_winrm_transport = kerberos
ansible_winrm_kerberos_delegation = true
我的剧本:
---
# DESCRIPTION
# Apply windows updates
- name: Apply windows updates
hosts: win
gather_facts: yes
vars:
initial_reboot: |-
{{ 86400 <
(( ((ansible_date_time.date+" "+ansible_date_time.time)|to_datetime('%Y-%m-%d %H:%M:%S')) -
ansible_facts.lastboot|to_datetime('%Y-%m-%d %H:%M:%SZ')).total_seconds())|abs }}
tasks:
# Reboot systems with if up longer then day
# this way we know that the system was able to come back
# up before updates were applied
- name: Reboot if system has a large uptime
win_reboot:
when: initial_reboot and not ansible_check_mode
tags:
- never
- reboot
- block:
- name: >
{{ 'Install' if 'install' in ansible_run_tags else 'Search' }} updates
{{ 'will automatically reboot' if 'reboot' in ansible_run_tags else 'no reboot' }}
win_updates:
category_names:
- SecurityUpdates
- CriticalUpdates
- UpdateRollups
- DefinitionUpdates
- Updates
reboot: "{{ 'yes' if 'reboot' in ansible_run_tags else 'no' }}"
state: "{{ 'installed' if 'install' in ansible_run_tags else 'searched' }}"
become: yes
become_method: runas
become_user: SYSTEM
register: update_results
tags:
- never
- install
- check
rescue:
- name: Windows update failed?
debug:
msg: "error: {{ update_results.msg }}"
when: update_results is failed and update_results.msg is defined
tags:
- always
- name: Server had pending reboots?
win_reboot:
when: not ansible_check_mode and
update_results is failed and
update_results.msg is search('A reboot is required')
tags:
- never
- reboot
always:
- name: Report results
debug:
var: update_results
tags:
- never
- install
- check
我在运行 Ansible 时尝试了许多不同的格式化域名的选项乌班图。我希望脚本能够连接到 Windows 计算机以运行 Windows 更新,但不断收到 Kerberos 错误。
I have Ubuntu 20.04 in WSL and Ansible installed. I'm trying to simply run a Windows update on my local machine. I've tried using my account, a service account, etc. I've run the kinit -C [email protected] command and have a valid ticket. My computer is joined to an AD/Azure hybrid with the local domain being "domain.local", yet we login with [email protected] to the computer.
I have the internal domain controllers listed in my /etc/resolv.conf so I can ping/access domain computers.
I've tried with [email protected], DOMAIN.COM, myuser, [email protected]
I keep getting errors when running "ansible-playbook -i hosts -vvvv win-update.yml":
TASK [Gathering Facts] ******************************************************************************************************************************************************************************************
task path: /home/gmeyer/ansible/win-update.yml:5
Using module file /usr/lib/python3/dist-packages/ansible/modules/windows/setup.ps1
Pipelining is enabled.
<10.20.30.174> ESTABLISH WINRM CONNECTION FOR USER: myuser on PORT 5986 TO 10.20.30.174
fatal: [10.20.30.174]: UNREACHABLE! => {
"changed": false,
"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
"unreachable": true
}
PLAY RECAP ******************************************************************************************************************************************************************************************************`
10.20.30.174 : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0
My /etc/krb5.conf:
[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
X-ISS.LOCAL = {
kdc = dc.domain.local
admin_server = dc.domain.local
default_domain = domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
My hosts:
[win]
10.20.30.174
[win:vars]
[email protected]
ansible_connection = winrm
ansible_winrm_server_cert_validation = ignore
ansible_password = [redacted]
ansible_winrm_transport = kerberos
ansible_winrm_kerberos_delegation = true
My playbook:
---
# DESCRIPTION
# Apply windows updates
- name: Apply windows updates
hosts: win
gather_facts: yes
vars:
initial_reboot: |-
{{ 86400 <
(( ((ansible_date_time.date+" "+ansible_date_time.time)|to_datetime('%Y-%m-%d %H:%M:%S')) -
ansible_facts.lastboot|to_datetime('%Y-%m-%d %H:%M:%SZ')).total_seconds())|abs }}
tasks:
# Reboot systems with if up longer then day
# this way we know that the system was able to come back
# up before updates were applied
- name: Reboot if system has a large uptime
win_reboot:
when: initial_reboot and not ansible_check_mode
tags:
- never
- reboot
- block:
- name: >
{{ 'Install' if 'install' in ansible_run_tags else 'Search' }} updates
{{ 'will automatically reboot' if 'reboot' in ansible_run_tags else 'no reboot' }}
win_updates:
category_names:
- SecurityUpdates
- CriticalUpdates
- UpdateRollups
- DefinitionUpdates
- Updates
reboot: "{{ 'yes' if 'reboot' in ansible_run_tags else 'no' }}"
state: "{{ 'installed' if 'install' in ansible_run_tags else 'searched' }}"
become: yes
become_method: runas
become_user: SYSTEM
register: update_results
tags:
- never
- install
- check
rescue:
- name: Windows update failed?
debug:
msg: "error: {{ update_results.msg }}"
when: update_results is failed and update_results.msg is defined
tags:
- always
- name: Server had pending reboots?
win_reboot:
when: not ansible_check_mode and
update_results is failed and
update_results.msg is search('A reboot is required')
tags:
- never
- reboot
always:
- name: Report results
debug:
var: update_results
tags:
- never
- install
- check
I have tried many different options for formatting the domain name while running Ansible in Ubuntu. I am expecting to get the script to connect to the Windows machine to run the Windows Updates, but keep getting Kerberos errors.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我明白问题出在哪里了。它在我的主机文件中 - 我将行更改为 fqdn 并放入“ansible_host = IP ansible_connection = local”并且它起作用了!
I figured out what the problem was. It was in my hosts file - I changed the lines to the fqdn and put the "ansible_host=IP ansible_connection=local" and it worked!