I am having problems authenticating with AD on Windows machines from my powerful host. "Server not found in Kerberos database" on Ubuntu 16.10

I am having problems authenticating with AD on Windows machines from my mobile site. I have a valid ticket in Kerberos:

    klist
    Credentials cache: FILE:/tmp/krb5cc_1000
            Principal: ansible@SOMEDOMAIN.LOCAL

      Issued                Expires               Principal
    Mar 10 09:15:27 2017  Mar 10 19:15:24 2017  krbtgt/SOMEDOMAIN.LOCAL@SOMEDOMAIN.LOCAL

My Kerberos configuration looks good to me:

    cat /etc/krb5.conf
    [libdefaults]
        default_realm = SOMEDOMAIN.LOCAL
    #   dns_lookup_realm = true
    #   dns_lookup_kdc = true
    #   ticket_lifetime = 24h
    #   renew_lifetime = 7d
    #   forwardable = true

    # The following krb5.conf variables are only for MIT Kerberos.
    #   kdc_timesync = 1
    #   forwardable = true
    #   proxiable = true

    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented.  In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    #
    # The only time when you might need to uncomment these lines and change
    # the enctypes is if you have local software that will break on ticket
    # caches containing ticket encryption types it doesn't know about (such as
    # old versions of Sun Java).

    #   default_tgs_enctypes = des3-hmac-sha1
    #   default_tkt_enctypes = des3-hmac-sha1
    #   permitted_enctypes = des3-hmac-sha1

    # The following libdefaults parameters are only for Heimdal Kerberos.
    #   v4_instance_resolve = false
    #   v4_name_convert = {
    #       host = {
    #           rcmd = host
    #           ftp = ftp
    #       }
    #       plain = {
    #           something = something-else
    #       }
    #   }
    #   fcc-mit-ticketflags = true

    [realms]
        SOMEDOMAIN.LOCAL = {
            kdc = prosperitydc1.somedomain.local
            kdc = prosperitydc2.somedomain.local
            default_domain = somedomain.local
            admin_server = somedomain.local
        }

    [domain_realm]
        .somedomain.local = SOMEDOMAIN.LOCAL
        somedomain.local = SOMEDOMAIN.LOCAL

When I run the test command `ansible windows -m win_ping -vvvvv` I get 'Server not found in Kerberos database':

    ansible windows -m win_ping -vvvvv
    Using /etc/ansible/ansible.cfg as config file
    Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/__init__.pyc
    Using module file /usr/lib/python2.7/dist-packages/ansible/modules/core/windows/win_ping.ps1
    <kerberostest.somedomain.local> ESTABLISH WINRM CONNECTION FOR USER: ansible@SOMEDOMAIN.LOCAL on PORT 5986 TO kerberostest.somedomain.local
    <kerberostest.somedomain.local> WINRM CONNECT: transport=kerberos endpoint=https://kerberostest.somedomain.local:5986/wsman
    <kerberostest.somedomain.local> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py", line 154, in _winrm_connect
        self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
      File "/home/prosperity/.local/lib/python2.7/site-packages/winrm/protocol.py", line 132, in open_shell
        res = self.send_message(xmltodict.unparse(req))
      File "/home/prosperity/.local/lib/python2.7/site-packages/winrm/protocol.py", line 207, in send_message
        return self.transport.send_message(message)
      File "/home/prosperity/.local/lib/python2.7/site-packages/winrm/transport.py", line 181, in send_message
        prepared_request = self.session.prepare_request(request)
      File "/home/prosperity/.local/lib/python2.7/site-packages/requests/sessions.py", line 407, in prepare_request
        hooks=merge_hooks(request.hooks, self.hooks),
      File "/home/prosperity/.local/lib/python2.7/site-packages/requests/models.py", line 306, in prepare
        self.prepare_auth(auth, url)
      File "/home/prosperity/.local/lib/python2.7/site-packages/requests/models.py", line 543, in prepare_auth
        r = auth(self)
      File "/home/prosperity/.local/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 308, in __call__
        auth_header = self.generate_request_header(None, host, is_preemptive=True)
      File "/home/prosperity/.local/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
        raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.args)))
    KerberosExchangeError: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
    kerberostest.somedomain.local | UNREACHABLE! => {
        "changed": false,
        "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
        "unreachable": true
    }

I can ssh to the target machine:

    ssh -v1 kerberostest.somedomain.local -p 5986
    OpenSSH_7.3p1 Ubuntu-1, OpenSSL 1.0.2g  1 Mar 2016
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to kerberostest.somedomain.local [10.10.20.84] port 5986.
    debug1: Connection established.

I can also ping all hosts by their hostname. I am at a loss :(

Here is the irreplaceable host file:

    sudo cat /etc/ansible/hosts
    # This is the default ansible 'hosts' file.
    #
    # It should live in /etc/ansible/hosts
    #
    #   - Comments begin with the '#' character
    #   - Blank lines are ignored
    #   - Groups of hosts are delimited by [header] elements
    #   - You can enter hostnames or ip addresses
    #   - A hostname/ip can be a member of multiple groups

    # Ex 1: Ungrouped hosts, specify before any group headers.

    ## green.example.com
    ## blue.example.com
    ## 192.168.100.1
    ## 192.168.100.10

    # Ex 2: A collection of hosts belonging to the 'webservers' group

    ## [webservers]
    ## alpha.example.org
    ## beta.example.org
    ## 192.168.1.100
    ## 192.168.1.110

    # If you have multiple hosts following a pattern you can specify
    # them like this:

    ## www[001:006].example.com

    # Ex 3: A collection of database servers in the 'dbservers' group

    ## [dbservers]
    ##
    ## db01.intranet.mydomain.net
    ## db02.intranet.mydomain.net
    ## 10.25.1.56
    ## 10.25.1.57

    # Here another example of host ranges, this time there are no
    # leading 0s:

    ## db-[99:101]-node.example.com

    [monitoring-servers]
    #nagios
    10.10.20.75 ansible_connection=ssh ansible_user=nagios

    [windows]
    #fileserver.somedomain.local #this machine isnt joined to the domain yet.
    kerberostest.SOMEDOMAIN.LOCAL

    [windows:vars]
    #the following works for windows local account authentication
    #ansible_ssh_user = prosperity
    #ansible_ssh_pass = *********
    #ansible_connection = winrm
    #ansible_ssh_port = 5986
    #ansible_winrm_server_cert_validation = ignore

    #vars needed to authenticate on the windows domain using kerberos
    ansible_user = ansible@SOMEDOMAIN.LOCAL
    ansible_connection = winrm
    ansible_winrm_scheme = https
    ansible_winrm_transport = kerberos
    ansible_winrm_server_cert_validation = ignore

I also tried joining the domain with realmd, which succeeded, but running the ansible command gave the same result.

+5
2 answers

This looks like the case of a missing SPN.

Here is the relevant error snippet:

    <kerberostest.prosperityerp.local> ESTABLISH WINRM CONNECTION FOR USER: ansible@PROSPERITYERP.LOCAL on PORT 5986 TO kerberostest.prosperityerp.local
    <kerberostest.prosperityerp.local> WINRM CONNECT: transport=kerberos endpoint=https://kerberostest.prosperityerp.local:5986/wsman
    <kerberostest.prosperityerp.local> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))

And this is based on what I noticed in the Ansible hosts file:

    [windows]
    #fileserver.prosperityerp.local #this machine isnt joined to the domain yet.
    kerberostest.PROSPERITYERP.LOCAL

I think the line "this machine isnt joined to the domain yet" in this file is a good indicator that the SPN HTTP/kerberostest.prosperityerp.local does not exist in Active Directory, which causes the "Server not found" message. You can SSH to kerberostest.prosperityerp.local, probably because it exists in DNS or in the hosts file of the client machine, but until the SPN HTTP/kerberostest.prosperityerp.local is created in Active Directory, you will keep getting that error message. Adding this SPN properly is a whole other topic of discussion at this point.

  1. You can use this command to check whether the SPN is registered:

         setspn -Q HTTP/kerberostest.prosperityerp.local

     SPNs exist so that a Kerberos client can be told where to find an instance of the service on the network.

  2. Also run:

         nslookup kerberostest.prosperityerp.local

     on at least two client machines, to make sure the fully qualified domain name of the host running the Kerberized service is in DNS. DNS is a requirement for Kerberos to work correctly on the network.

  3. Finally, you can use Wireshark on the client for further analysis; use the kerberos filter to select only Kerberos traffic.
+2

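The answer above leaves the reader to decode the error tuple by hand. As an added example (not code from the question or from either answer), the following script parses the `WINRM CONNECTION ERROR` line that pywinrm/requests-kerberos print under `-vvvvv`, decodes the GSSAPI major status and the MIT krb5 minor status into their symbolic names, and derives the SPN the client actually asked the KDC for, so it can be compared with the `setspn -Q` output. The sample log lines are constructed from the question's output; the error-code tables are the standard RFC 2744 / MIT krb5 values, trimmed to the entries relevant here.

```python
"""Triage the 'Server not found in Kerberos database' failure from
'ansible ... -vvvvv'. Added example; not part of the original Q&A."""
import re

# GSSAPI major status: routine errors sit in bits 16..23 (RFC 2744).
# 13 << 16 == 851968, the major status shown in the question.
GSS_ROUTINE_ERRORS = {
    7: "GSS_S_NO_CRED",
    11: "GSS_S_CREDENTIALS_EXPIRED",
    13: "GSS_S_FAILURE",
}

# MIT krb5's 'krb5' error table starts at -1765328384; the protocol error
# codes from RFC 4120 are base + code, so -1765328377 is code 7.
KRB5_ERROR_BASE = -1765328384
KRB5_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",   # client principal unknown
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",   # server (SPN) unknown
    24: "KRB5KDC_ERR_PREAUTH_FAILED",       # usually a bad password
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    37: "KRB5KRB_AP_ERR_SKEW",              # clock skew
    68: "KRB5KRB_ERR_WRONG_REALM",          # realm mapping problem
}

# Shape of the line emitted by Ansible's winrm connection plugin.
ERROR_RE = re.compile(
    r"^<(?P<host>[^>]+)> WINRM CONNECTION ERROR: (?P<stage>\w+)\(\) failed: "
    r"\(\('(?P<major_msg>[^']*)', (?P<major>-?\d+)\), "
    r"\('(?P<minor_msg>[^']*)', (?P<minor>-?\d+)\)\)\s*$"
)

# Constructed sample, copied in shape from the question's verbose output.
SAMPLE_LOG = """\
<kerberostest.somedomain.local> ESTABLISH WINRM CONNECTION FOR USER: ansible@SOMEDOMAIN.LOCAL on PORT 5986 TO kerberostest.somedomain.local
<kerberostest.somedomain.local> WINRM CONNECT: transport=kerberos endpoint=https://kerberostest.somedomain.local:5986/wsman
<kerberostest.somedomain.local> WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
"""


def decode_major(major):
    """Map a GSSAPI major status to the name of its routine error."""
    routine = (major >> 16) & 0xFF
    return GSS_ROUTINE_ERRORS.get(routine, "routine error %d" % routine)


def decode_minor(minor):
    """Map a krb5 minor status to its symbolic name where it is in the table."""
    code = minor - KRB5_ERROR_BASE
    if 0 <= code < 256:
        return KRB5_ERROR_NAMES.get(code, "krb5 protocol error code %d" % code)
    return "minor status %d (not a krb5 protocol error)" % minor


def expected_spn(host):
    """SPN the client requests: requests-kerberos asks for the host-based
    name HTTP@<host>, which krb5 turns into HTTP/<host> (lower-cased).
    The service class is HTTP even when the endpoint is https://...:5986."""
    return "HTTP/" + host.lower().rstrip(".")


def triage(log_text):
    """Return a summary dict for the first WINRM CONNECTION ERROR line, or None."""
    for line in log_text.splitlines():
        m = ERROR_RE.match(line.strip())
        if not m:
            continue
        host = m.group("host")
        major, minor = int(m.group("major")), int(m.group("minor"))
        spn = expected_spn(host)
        return {
            "host": host,
            "stage": m.group("stage"),
            "major": major,
            "major_name": decode_major(major),
            "minor": minor,
            "minor_name": decode_minor(minor),
            "spn": spn,
            "setspn_query": "setspn -Q " + spn,
        }
    return None


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%-13s %s" % (key + ":", value))
```

`KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN` means the KDC could not find the *server* principal, so the next check is the one the answer gives: `setspn -Q HTTP/kerberostest.somedomain.local` on a domain-joined Windows machine. One caveat when reading that output: on a host that is joined to the domain, the `HOST/` SPN covers `HTTP/` through the default SPN mappings, so `setspn -Q HTTP/...` reporting no explicit entry is not by itself the problem; a host that is not joined at all has neither, which is the situation the inventory comment describes.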
In my case, the "Server not found in Kerberos database" error was the result of the Windows machine's DNS name not being mapped to the correct realm, as described in this line from this Microsoft Technet article:

> The error "Server not found in Kerberos database" is a common one and can be misleading, because it often appears when the service principal is not missing. The error may be caused by domain/realm mapping problems, or it may be the result of a DNS problem where the service principal name is not built correctly. Server logs and network traces can be used to determine which service principal is being requested.

I had a playbook whoami.yaml:

    - hosts: windows-machine.mydomain.com
      tasks:
        - name: Run 'whoami' command
          win_command: whoami

Hosts file:

    [windows]
    windows-machine.mydomain.com

    [windows:vars]
    ansible_connection=winrm
    ansible_winrm_transport=kerberos
    ansible_user=user@FOO.BAR.MYDOMAIN.COM
    ansible_password=<password>
    ansible_port=5985

Since the DNS name was windows-machine.mydomain.com but the AD realm was FOO.BAR.MYDOMAIN.COM, I had to fix the mapping in the /etc/krb5.conf file on my Ansible server:

WRONG

This will not work for our case, since this mapping rule does not apply to windows-machine.mydomain.com:

    [domain_realm]
    foo.bar.mydomain.com = FOO.BAR.MYDOMAIN.COM

RIGHT

This correctly maps windows-machine.mydomain.com to the FOO.BAR.MYDOMAIN.COM realm:

    [domain_realm]
    .mydomain.com = FOO.BAR.MYDOMAIN.COM
0

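Both answers come down to how the krb5 library turns a host name into a service principal and a realm. The following added example (not code from either answer or from MIT krb5) implements the documented `[domain_realm]` matching rules: an entry without a leading dot matches only that exact host, an entry with a leading dot matches every host under that domain, the most specific entry wins, and when nothing matches the library falls back to upper-casing the host's parent domain (the DNS TXT and KDC referral paths are left out). It is run against the WRONG and RIGHT fragments from the second answer and against the `[domain_realm]` section from the question; the three config strings are constructed for the example.

```python
"""Resolve a host name to a Kerberos realm the way [domain_realm] does.
Added example; not part of the original Q&A and not MIT krb5's code."""
import re

# Constructed from the second answer: this only matches the apex host.
WRONG_CONF = """\
[libdefaults]
    default_realm = FOO.BAR.MYDOMAIN.COM

[domain_realm]
    foo.bar.mydomain.com = FOO.BAR.MYDOMAIN.COM
"""

# Constructed from the second answer: the leading dot matches every host
# under mydomain.com, including windows-machine.mydomain.com.
RIGHT_CONF = """\
[libdefaults]
    default_realm = FOO.BAR.MYDOMAIN.COM

[domain_realm]
    .mydomain.com = FOO.BAR.MYDOMAIN.COM
"""

# Constructed from the question's krb5.conf.
QUESTION_CONF = """\
[domain_realm]
    .somedomain.local = SOMEDOMAIN.LOCAL
    somedomain.local = SOMEDOMAIN.LOCAL   # apex host only
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] entries as {key (lower-cased): REALM}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower().rstrip(".")] = value.strip()
    return mapping


def lookup_realm(hostname, mapping):
    """Return (realm, matching key) or (None, None) using MIT's precedence:
    exact host first, then each parent domain with a leading dot."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], host
    dot = host.find(".")
    while dot != -1:
        key = host[dot:]                        # ".mydomain.com", ".com", ...
        if key in mapping:
            return mapping[key], key
        dot = host.find(".", dot + 1)
    return None, None


def fallback_realm(hostname):
    """Documented last resort: upper-case the host's parent domain."""
    host = hostname.lower().rstrip(".")
    parent = host.partition(".")[2]
    return (parent or host).upper()


def realm_for_host(hostname, conf_text):
    """Return (realm, reason) for a host under the given krb5.conf text."""
    realm, key = lookup_realm(hostname, parse_domain_realm(conf_text))
    if realm is None:
        return fallback_realm(hostname), "no [domain_realm] match; upper-cased parent domain"
    return realm, "[domain_realm] entry '%s'" % key


if __name__ == "__main__":
    host = "windows-machine.mydomain.com"
    for label, conf in (("WRONG", WRONG_CONF), ("RIGHT", RIGHT_CONF)):
        realm, reason = realm_for_host(host, conf)
        print("%-5s %s -> %s (%s)" % (label, host, realm, reason))
    print(realm_for_host("kerberostest.SOMEDOMAIN.LOCAL", QUESTION_CONF))
```

With the WRONG fragment the client asks for `HTTP/windows-machine.mydomain.com@MYDOMAIN.COM`, a realm that does not exist, which the KDC reports as the same "Server not found" error; with the RIGHT fragment the request goes to `FOO.BAR.MYDOMAIN.COM`, where the SPN lives. The question's own `[domain_realm]` section is already correct for `kerberostest.somedomain.local`, which is why the first answer's SPN check, rather than a mapping fix, applies there.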
Source: https://habr.com/ru/post/1265304/
