Here are some errors i ran into while trying to setup Ansible for the second time in my test laboratory
Solution: These two errors here are based on a lot of factors
- My domain setup was not resolving correctly, when this is done, - Ensure to include the realm with the principal you are logging in as And remember to set the default realm also in the krb5.config file.
Concept: Authentication Services relies on DNS (Domain Naming Service) to locate the Key Distributions Center (KDC) which in AD is a domain controller, so if your DNS is not properly configured for your domain it will fail. To test the name resolution for your domain controller, simply use nslookup commands, see https://techdirectarchive.com/2020/03/21/cant-find-domain-non-existent-domain/
– Ensure the Ansible server is pointing to the DNS server Address or else this will not work correctly
Create an A record to ensure the domain name is resolvable via DNS.
Note: Alternatively, the name resolution requires the Ansible server to locate the domain controllers and can be manually added to the host file by including an entry in the /etc/hosts file for each domain controller, e.g
Next, After the krb5 configuration file has been updated correctly, you should be able to successfully authenticate and get a valid token. The following steps show how to authenticate and get a token:
– You may get the error “kinit: configuration file does not specify default realm” if you try to use the “kinit” command only, use the command below
As you can see above, the kinit command did not work correctly initially.
default_realm Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as kinit.
Other Possible tips to note.
– Ensure that the “krb5.conf” is correctly configured.
– The kinit command is fail for user authentication because kerberos is case sensitive.Here is the right syntax “kinit username@TECHDIRECT.LOCAL“. Ensure the domain name is in all CAPS, or else you will get an error.