Upgrading to 2.10.32 has broken Kerberos auth for my Windows Machines with Semaphore

[jengstrom440]

It appears that without making any changes except upgrading to 2.10.32 and all of my Kerberos authentication based jobs no longer work, where my NTLM based jobs still work. Do I roll back by just re-installing the previous version then? I have a backup from this morning which is good enough if need be.

PS- Love the light blue messages instead of the dark blue messages with -vvvv :)

[jengstrom440]

Update for anyone who may have this issue:

I attempted to roll back to 2.10.22 and restarted my Ubuntu server. Semaphore no longer worked afterwards; the web UI would load but none of the templates, inventory, etc were just blank pages. I decided not to roll the database back, and reinstalled 2.10.32. That went without issue but Kerberos authentication was still broken. I tested kinit just to double check to make sure that was fine, entered my [email protected] and password and I was able to get a ticket, as shown with klist, so the problem isn't with kinit. I also noticed I am getting this error with the vault ID that says it's optional, yet it acts mandatory if I don't change it from default. I think whatever this new behavior is may be the issue with getting my credentials correctly from the vault, but that is just a guess. This new behavior appears in 2.10.30 it appears according to the release notes.

If you have semaphore and are running it to manage a Windows Active Directory environment with Kerberos, you may want to test first in a disposable test environment or skip this build until this is addressed. If you do run this build, be prepared to create a different environment that uses NTLM instead of Kerberos. If you use Semaphore to manage Windows environments, I would love to hear if you have had problems with 2.10.30 or newer with Kerberos.

[fiftin]

Hi @jengstrom440

Could you please provide more info: How Semaphore installed, Which version used before?

[jengstrom440]

I used wget to download semaphore, and i used sudo apt install ./semaphore_2.10.32_linux_amd64.deb to install it. I was using 2.10.22 before.

EDIT: I followed this video, which I think is most excellent, to install Semaphore. I used Ubuntu 24.04 instead of Debian.
https://www.learnlinux.tv/complete-ansible-semaphore-tutorial-from-installation-to-automation/

This is what I used for the initial install. All I do for upgrades are download with wget, backup the DB, and install with the sudo apt install command.

[fiftin]

Kerberos is LDAP?

[jengstrom440]

Active Directory is LDAP based. Kerberos is an authentication protocol used for Active Directory. It is preferred over NTLM as it is more secure than NTLM.

[fiftin]

It is very important to understand where is the problem because we didn't change any auth functionality.

[fiftin]

Hi @jengstrom440 I can't reproduce the issue. I installed v2.10.22, upgraded to v2.10.32. Vault password works. Can you try to run Ansible playbook without Semaphore from terminal for test?

Also you can try v2.10.32. It contains fix for environment variables.

[jengstrom440]

Did you configure them with Kerberos or NTLM? I am not having issues with NTLM.

Also you can try v2.10.32. It contains fix for environment variables.

I already am running 2.10.32. That is the issue I am having problems with.

I can test this early next week as I am out of time for this weekend.

I also sent you an email regarding other subjects. Thanks!

[fiftin]

@jengstrom440 sorry, v2.10.33.

[jengstrom440]

Can you try to run Ansible playbook without Semaphore from terminal for test?

Yes, I just tested now from the terminal on the ansible server itself, and I was able to run the same ansible playbook both under NTLM and Kerberos, so the issue is definitely isolated to semaphore.

[jengstrom440]

Got it, thank you! This is probably true, because in the latest releases we changed the algorithm for working with vault password. I will try to reproduce and let you know.

Right now you can check your Template. Perhaps it is database migration issue and template doesn't have associated Vault.

@fiftin have you had any luck with checking out the vault algorithm to see why Kerberos authentication no longer works correctly? Has anything changed since 2.10.32 regarding the vault? I did not see anything on the changelog, so I assume this is still a work in progress?

When you tested with kerberos, did you set up your test AD environment to use Kerberos and winrm: 5986? I use this to print out is it's kerberos/ntlm or 5985/5986:

---
- name: print connection information type
  debug:
    msg: "Ansible WinRM is using {{ ansible_winrm_transport }} on port {{ ansible_port}}"

Hope that helps, let me know if I can help in any way.