
I've been struggling with this issue for about a week and have read every internet post about the problem.

What we have

  • Windows Server 2016 Datacenter with Hyper-V Role installed (netbios: hv)
  • Virtual Machines (netbios: web, fs, dc) on Windows Server 2016 DataCenter
  • Windows 10 Professional Laptop with Linux Subsystem installed (netbios: asuslin)
  • Domain on dc.goodpeople.local and all the servers and clients (including hv) are joined Active Directory Domain
  • AD CA installed with Intermediate Issuing CA on domain controller
  • All servers got certificate with auto-enrollment policy to auth kerberos

I would like to configure all servers (including hv) with ansible from my windows 10 laptop with kerberos. For now, I just need a success win_ping to all of them.

Configuration

  • winrm configured on all the servers (hv, web, fs, dc) and the client (asuslin) the same way: Kerberos auth is turned on, HTTPS listener with a valid certificate, firewall port 5986 is open
  • as all are Windows 2016/Win10, PowerShell is the latest with .NET at least 4.5
  • ansible on the client was installed on the Linux subsystem according to the documentation with all the necessary libs, and a valid certificate for the asuslin client is used

Actual Error

ansible hv -m win_ping -vvvv
ansible 2.5.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/alexsuslin/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 20160609]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/minimal.pyc
META: ran handlers
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_ping.ps1
<hv.goodpeople.local> ESTABLISH WINRM CONNECTION FOR USER: alexsuslin@GOODPEOPLE.LOCAL on PORT 5986 TO hv.goodpeople.local
checking if winrm_host hv.goodpeople.local is an IPv6 address
calling kinit with subprocess for principal alexsuslin@GOODPEOPLE.LOCAL
hv.goodpeople.local | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true
}

What is working

  • I can successfully win_ping all the servers fs, dc, web and the client asuslin
  • I can Enter-PSSession hv.goodpeople.local -UseSSL -Authentication Kerberos
  • As I can win_ping the other servers, I assume my krb5.conf is configured correctly, as well as the ansible inventory file. E.g. if I run win_ping within the group, all except hv.goodpeople.local are OK

What I have already checked

  • winrm from powershell to hv.goodpeople.local with kerberos and SSL --- OK
  • SPN for hv.goodpeople.local compared to other servers: dc, web, fs --- ALMOST THE SAME (actually as hv is hyper-v role, there are some additional ones)
  • my account credentials, tried with Domain Admin
  • winrm SDDL on hv.goodpeople.local --- SEEMS OK
  • SPNs of hv.goodpeople.local and delegation --- OK
  • different types of ciphers of SSL cert between linux subsystem and hv.goodpeople.local --- OK
  • kinit --- OK, ticket for 24h always valid
  • kvno HTTP/hv.goodpeople.local@GOODPEOPLE.LOCAL --> HTTP/hv.goodpeople.local@GOODPEOPLE.LOCAL: kvno = 17
  • every page on Google about that issue (including [serverfault.com])
    • dns is resolving for every machine, including hv
    • krb5.conf realm configured correctly with UPPERCASE and FQDN as well as ansible inventory

What bothers me the most is why the same config is not working on a single server while it is working on the others. I have applied the configuration with PowerShell to be sure everything is the same. Can someone point out what else I should check?

Zoredache
alexsuslin
  • If you look at the various hosts do you see any differences if you do a `gci WSMan:\localhost\Service\Auth\` or `gci WSMan:\localhost\Service\`? – Zoredache Apr 13 '18 at 22:57
  • Checking HV vs asuslin, dc and web: 1) Auth: Kerberos is enabled on all of them 2) CbtHardeningLevel is Relaxed (however I have tried Strict several days ago as far as I remember) 3) RootSDDL string is a bit different however: `O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;DA)(A;;GR;;;IU)S:P(AU;FA;GA;;;...` vs `O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GX...` – alexsuslin Apr 13 '18 at 23:13
  • Checking the SDDL further and translating it with ConvertFrom-SDDLString into readable format, I found out that my hv server contains just a single additional permission for GOODPEOPLE\Domain Admins: AccessAllowed (GenericAll) - and that is what I had added manually while trying to understand why I cannot connect to this server from bash but can from PowerShell on the same machine – alexsuslin Apr 13 '18 at 23:32
  • I have updated RootSDDL to be the same as on web and the other servers... nothing – alexsuslin Apr 15 '18 at 15:42

1 Answer

That was such a silly thing I did.

On the Windows (host) machine there was an entry in the C:\WINDOWS\System32\Drivers\etc\hosts file

192.168.88.20 srv-gp

and that is my hv server... I have removed that and everything is working fine...

P.S. I found the https://github.com/bgamble/pykerberos/blob/master/test.py script to test my Kerberos authentication, and from the errors of

sudo ./test.py -s HTTPS@hv.goodpeople.local -r GOODPEOPLE.LOCAL -p 5986 gssapi

I found out about a strange connection to gp-srv... I immediately checked /etc/hosts and the Windows hosts file and found the issue.

alexsuslin
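The root cause in the answer, a stray hosts entry changing the canonical name that ends up in the requested SPN, can be reproduced offline. This is an added example, not code from the question, the answer or pykerberos: it uses a constructed hosts file and a constructed DNS table in place of the real resolver, and models the reverse-name canonicalisation MIT krb5 applies when `rdns` is enabled (its default), which is why only the host with the stale entry fails.

```python
# Constructed hosts file modelled on the answer: the Hyper-V host's IP is
# listed under a different short name than the FQDN Ansible connects to.
HOSTS_FILE = """
127.0.0.1       localhost
192.168.88.10   dc.goodpeople.local dc
192.168.88.20   srv-gp   # stale entry for the Hyper-V host
192.168.88.30   web.goodpeople.local web
"""
# Constructed stand-in for DNS answers; real code would ask the resolver.
DNS = {"hv.goodpeople.local": "192.168.88.20",
       "web.goodpeople.local": "192.168.88.30",
       "dc.goodpeople.local": "192.168.88.10"}

def parse_hosts(text):
    """Return [(ip, [names...])] from hosts-file text, dropping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries

def forward_lookup(entries, name):
    """Resolve a name as the system resolver does: hosts file first, then DNS."""
    for ip, names in entries:
        if name.lower() in [n.lower() for n in names]:
            return ip
    return DNS.get(name.lower())

def reverse_lookup(entries, ip):
    """Map an address back to a name; the first name on a hosts line wins."""
    for entry_ip, names in entries:
        if entry_ip == ip:
            return names[0]
    return None  # a real resolver would fall through to PTR records here

def spn_for_target(entries, target, realm, rdns=True):
    """SPN a GSSAPI client requests for HTTP on 'target'. With rdns enabled
    (the krb5 default) the host part is canonicalised by reverse-resolving
    the target's address, so a stray hosts entry silently changes the SPN."""
    host = target
    ip = forward_lookup(entries, target)
    if rdns and ip:
        host = reverse_lookup(entries, ip) or target
    return "HTTP/%s@%s" % (host, realm)

def spn_mismatch(entries, target, realm):
    """True when the requested SPN differs from the one for the target's own FQDN."""
    return spn_for_target(entries, target, realm) != "HTTP/%s@%s" % (target, realm)
```

Running `spn_for_target` for hv.goodpeople.local yields `HTTP/srv-gp@GOODPEOPLE.LOCAL`, a principal the KDC has never heard of, which is exactly the "Server not found in Kerberos database" error above; besides removing the stale entry, setting `rdns = false` under `[libdefaults]` in krb5.conf stops the reverse lookup from rewriting the SPN.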