AWX: Kerberos Password on delegate_to is not used

Created on 29 Jul 2020 · 11 Comments · Source: ansible/awx

ISSUE TYPE
  • Bug Report
SUMMARY

We are running Windows hosts on AWX with WinRM and Kerberos. When they are used as regular hosts, Kerberos works fine.
But when the Windows host is part of delegate_to, it's not working in the current version 13.0.0.

In the previous version 11.2.0 everything worked well.

This is the output of a normal playbook from a dedicated server, with the host win1368 as delegate_to host.

Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_service.ps1
Pipelining is enabled.
<win1368.int.xxx.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO win1368.int.xxx.com
creating Kerberos CC at /tmp/tmpJIGbsA
calling kinit with subprocess for principal [email protected]
kinit succeeded for principal [email protected]
<win1368.int.xxx.com> WINRM CONNECT: transport=kerberos endpoint=https://win1368.int.xxx.com:5986/wsman
<win1368.int.xxx.com> WINRM OPEN SHELL: 3C5996BE-8A1C-4F32-8AF1-D820ECEBBXXX
EXEC (via pipeline wrapper)
<win1368.int.xxx.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-Executio

If I use it in AWX, where the host is used as delegate_to with the same configuration, I get this:

Pipelining is enabled.
<win1368.int.xxx.com> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO win1368.int.xxx.com
creating Kerberos CC at /tmp/tmpaas_mphm
calling kinit with subprocess for principal [email protected]
fatal: [win298]: UNREACHABLE! => {
    "changed": false,
    "msg": "Kerberos auth failure for principal [email protected] with subprocess: <redacted>k<redacted>i<redacted>n<redacted>i<redacted>t<redacted>:<redacted> <redacted>P<redacted>a<redacted>s<redacted>s<redacted>w<redacted>o<redacted>r<redacted>d<redacted> <redacted>i<redacted>n<redacted>c<redacted>o<redacted>r<redacted>r<redacted>e<redacted>c<redacted>t<redacted> <redacted>w<redacted>h<redacted>i<redacted>l<redacted>e<redacted> <redacted>g<redacted>e<redacted>t<redacted>t<redacted>i<redacted>n<redacted>g<redacted> <redacted>i<redacted>n<redacted>i<redacted>t<redacted>i<redacted>a<redacted>l<redacted> <redacted>c<redacted>r<redacted>e<redacted>d<redacted>e<redacted>n<redacted>t<redacted>i<redacted>a<redacted>l<redacted>s<redacted>",
    "unreachable": true

When I remove the hostvar ansible_password for the delegate_to host on the local installation, I get the same error as in AWX.

ENVIRONMENT
  • AWX version: 13.0.0
  • AWX install method: docker on linux
  • Ansible version: 2.9.10
  • Operating System: RHEL 7.6
  • Web Browser: Chrome
STEPS TO REPRODUCE

Use a Windows host with Kerberos and WinRM in delegate_to.

needs_info bug

All 11 comments

Today I downgraded the container of the test instance and checked if the delegate_to works on the version 12.0.0.

It works without any problem ;)

What version of Ansible is included in both cases?

In both cases we use version 2.9.10, I made sure the problem is not an Ansible problem.

@ryanpetrello any ideas on this one?

Nope.

cc @jborean93

It does seem similar, not the exact same issue but it could be related. 71103 was caused by ansible_password not being set when it was passed through -k and you were delegated the host. The error here is saying

kinit: Password incorrect while getting initial credentials

This would indicate that a password was present; it just wasn't the correct one. Maybe it's a precedence variable where ansible_password was set globally but you were relying on the value from -k. In any case I would test against stable-2.9 and see if the problem is fixed for you.

How do I test in AWX against stable-2.9? I guess stable is v2.9.10 - that's what I tested against.
I tested on my Ansible host (without AWX) with 2.9.10 installed and I tested in AWX with the same version.

Ansible 2.9.12 was just released, which contains that fix; upgrading Ansible there is one way of testing it.

Thanks, I upgraded the Ansible version on the AWX hosts and it works. I still wonder why the same Ansible version worked on the dedicated management host. But as long as it works - I really don't care so much.

Thanks for the help. I'll close the issue.
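Added example (not from the issue thread or from the AWX/Ansible projects): a small log-review helper that strips the `<redacted>` markers from a masked error like the one in the AWX output above and flags the character-by-character interleaving. Reading that pattern as the result of masking an empty secret is an assumption based on how Python's `str.replace` treats an empty search string; the thread does not confirm it, and the function names and sample string are constructed for illustration.

```python
MARKER = "<redacted>"  # mask token as it appears in the AWX job output

# Constructed sample with the same shape as the masked "msg" value:
# the marker sits before every character and once more at the end.
PLAIN = "kinit: Password incorrect while getting initial credentials"
SAMPLE = "".join(MARKER + ch for ch in PLAIN) + MARKER


def unmask(text, marker=MARKER):
    """Remove the mask token and return the underlying message."""
    return text.replace(marker, "")


def is_interleaved(text, marker=MARKER):
    """True if the marker precedes every character and ends the string.

    That is exactly what str.replace("", marker) produces, i.e. what a
    naive "replace secret with marker" step yields for an empty secret.
    """
    plain = unmask(text, marker)
    return bool(plain) and text == plain.replace("", marker)


def triage(msg, marker=MARKER):
    """Classify a (possibly masked) error string for log review."""
    if is_interleaved(msg, marker):
        cause = "empty-secret"    # assumption: the masked value was ""
    elif marker in msg:
        cause = "normal-masking"  # a non-empty value was replaced
    else:
        cause = "unmasked"
    return {"message": unmask(msg, marker), "cause": cause}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

An `empty-secret` result is a hint to check whether the credential or `ansible_password` actually reached the delegated host's connection, which matches the title of this issue.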
