Does anybody have this working in their environment? I'm struggling to get it to work.
Figured it out. Active Directory needs the accounts that are used for the Ansible integration and used to run the playbooks to be the same. Has something to do with impersonation/delegation with AD accounts. AD guy was willing to take a look and helped point me in the right direction. So, the integration account and the account used to connect to Windows need to be the same, at least in my environment.
Some additional info. Initial answer turned out not to be the actual fix. That for whatever reason was an anomaly. What actually resolved the issue was found in the documentation for the 8.9 Ansible setup. Can't definitively state it wasn't there before, but I don't ever remember seeing it when reading it the first 10 times... 🙂
Basically, by default, vRA adds ansible_host: ip_address to the host variables. Kerberos doesn't work with IP address. So, the fix was adding a host variable for ansible_host like this:
hostVariables: |
  ansible_host: ${resource.WebApp_VM.resourceName}.domain.name
This replaces the IP address with the FQDN for ansible_host and allows kerberos authentication to work properly.
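For anyone who wants to catch this before a deployment fails, here is a small pre-flight check (added example, not vRA or Ansible code). The reason the IP address breaks things: a Kerberos WinRM client asks the KDC for a ticket to the service principal HTTP/&lt;ansible_host&gt;, and AD maps that onto the computer account's HOST/ SPNs, which are registered for the host name and FQDN at domain join, never for an IP address, so the KDC answers "Server not found in Kerberos database" (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, the -1765328377 seen in this thread). The script walks an inventory, flags hosts whose ansible_host is an IP or a bare short name, and shows the FQDN it should be, which is what the hostVariables override above does on the vRA side. The inventory, host names, domain and realm are constructed for the example.

```python
"""Pre-flight check for Kerberos-authenticated WinRM hosts in an Ansible inventory.

Added example; not vRA or Ansible project code. The WinRM client requests the
service principal HTTP/<ansible_host>@REALM. AD maps HTTP/<name> onto the
computer account's HOST/<name> SPNs, which exist only for the host name and
FQDN, so an IP address in ansible_host can never be matched by the KDC.
"""
import ipaddress

# Constructed sample inventory in the shape vRA populates (host name plus
# host variables). Host names, addresses and the domain are made up.
SAMPLE_INVENTORY = {
    "webapp-01": {"ansible_host": "10.20.30.41",
                  "ansible_connection": "winrm",
                  "ansible_winrm_transport": "kerberos"},
    "webapp-02": {"ansible_host": "webapp-02.corp.example",
                  "ansible_connection": "winrm",
                  "ansible_winrm_transport": "kerberos"},
    "webapp-03": {"ansible_host": "webapp-03",          # short name, no suffix
                  "ansible_connection": "winrm"},
    "db-01": {"ansible_host": "10.20.30.50",
              "ansible_connection": "ssh"},             # SSH, Kerberos not involved
}


def is_ip_address(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def expected_spn(host, realm):
    """Service principal the WinRM client will ask the KDC for."""
    return f"HTTP/{host.lower()}@{realm.upper()}"


def check_host(name, host_vars, dns_domain, realm):
    """Classify one host as ok, warn, fail, or skip (not Kerberos over WinRM)."""
    if host_vars.get("ansible_connection") != "winrm":
        return {"status": "skip", "reason": "not a WinRM host"}
    # An unset transport means 'auto', which may negotiate Kerberos, so check it too.
    transport = host_vars.get("ansible_winrm_transport", "auto")
    if transport not in ("kerberos", "auto"):
        return {"status": "skip", "reason": f"transport {transport} does not use Kerberos"}
    host = host_vars.get("ansible_host", name)
    fqdn = f"{name}.{dns_domain}"
    if is_ip_address(host):
        return {"status": "fail",
                "reason": f"ansible_host {host} is an IP address; no SPN can match it",
                "fix": {"ansible_host": fqdn},
                "spn": expected_spn(fqdn, realm)}
    if "." not in host:
        return {"status": "warn",
                "reason": "short name relies on DNS suffix search and KDC canonicalisation",
                "fix": {"ansible_host": fqdn},
                "spn": expected_spn(fqdn, realm)}
    return {"status": "ok", "spn": expected_spn(host, realm)}


def check_inventory(inventory, dns_domain, realm):
    """Run check_host over every inventory entry."""
    return {name: check_host(name, hv, dns_domain, realm)
            for name, hv in inventory.items()}


def apply_fixes(inventory, dns_domain, realm):
    """Return a copy of the inventory with fail/warn hosts repointed at their FQDN."""
    fixed = {}
    for name, hv in inventory.items():
        result = check_host(name, hv, dns_domain, realm)
        fixed[name] = {**hv, **result.get("fix", {})}
    return fixed


if __name__ == "__main__":
    report = check_inventory(SAMPLE_INVENTORY, "corp.example", "CORP.EXAMPLE")
    for name, result in report.items():
        print(f"{name:10} {result['status']:5} {result.get('spn', ''):45} {result.get('reason', '')}")
```

The FQDN the check proposes only works if it matches the DNS name the machine registered at domain join, so it should be built from the same resource name vRA passes into the hostVariables override rather than typed by hand.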
I had it running in the lab and it was pretty straightforward. Just stupid issues with FQDNs and IP addresses for registering the VMs in Ansible.
Were you connecting to Windows or Linux? I'm trying to manage Windows machines and I keep getting a Kerberos error:
Server not found in Kerberos database', -1765328377
Everything points to DNS, but I can ping the box and run the playbooks manually from the ACM.
If I remember correctly, the inventory in Ansible was filled with an IP address and not with an FQDN.
My inventory shows the hostname. I've tried FQDN as well, but get the same result.
Kerberos issues, sigh. 90% of our Kerberos issues were firewall related. An Ansible script configured to domain join would inevitably die here. If I remember correctly, there are a bunch of WinRM ports required.
We had the host name issue also after a change with VRA's ansible implementation. The machine wouldn't be registered with DNS for several minutes, so the playbook couldn't resolve the target machine. To fix, we changed the 'hostname' value passed to Ansible to use the IP address assigned to the first network adapter, using something like:
Cloud_Ansible_1:
  type: Cloud.Ansible
  properties:
    host: ${resource.Cloud_Instance_1.*}
    hostName: ${resource.Cloud_Instance_1.networks[0].address}
I'll give this a try, but I don't believe this will resolve our issue the way we do provisioning. We allow vRA to join to the domain and then run Ansible on the back end. I believe Kerberos requires the hostname when joined to AD. I'll post results after my test.
Yeah, even after the domain join I believe they continued to use the IP address, as the hostname took too long to resolve.
So, I tried the IP address, and still no dice. Still getting the Kerberos error. Waiting to hear back from support (SDK). Maybe they can provide some insight.
Also check your certificate enrollment.
For certificate authentication?