Have a Question?
< All Topics
Print

Ansible with Kerberos Authentication

Posted
Updated
ByYongKW

Tutorial on how to configure Ansible with Kerberos Authentication for Remote Windows Server

Install pywinrm with kerberos

Install Phyton pywinrm with kerberos on Ansible Control Node

# Upgrade PIP to latest version
$ sudo pip3 install --upgrade pip

# Install Kerberos
$ sudo dnf install gcc python3-devel krb5-devel krb5-libs krb5-workstation

# Install pywinrm with kerberos with pip3
$ pip3 install pywinrm
$ pip3 install pywinrm[kerberos]

Kerberos Configuration File (krb5.conf)

Modify the following parameters in /etc/krb5.conf (Keberos Configuration File)

  • [realms] – Enter the AD Domain in CAPITAL LETTER and defined the FQDN of AD Domain Server
  • [domain_realm] – Map AD Domain
$ sudo nano /etc/krb5.conf

# Final working version of krb5.conf for reference
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = AVENTIS.LOCAL
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 AVENTIS.LOCAL = {
    kdc = aventis-ad01.aventis.local
    admin_server = aventis-ad01.aventis.local
 }

[domain_realm]
 .aventis.local = AVENTIS.LOCAL
 aventis.local = AVENTIS.LOCAL

Verify Kerberos Connection to Remote Windows Server

Verify Ansible Host is able to get Kerberos Ticket with kinit, klist & kdestroy

# Get a Keberos Ticket - AD Domain is in CAPITAL LETTER
$ kinit [email protected]
Password for [email protected]:

# List Kerberos Session
$ klist
Ticket cache: KCM:1000
Default principal: [email protected]

Valid starting       Expires              Service principal
11/01/2020 01:54:20  11/01/2020 11:54:20  krbtgt/[email protected]
        renew until 11/08/2020 01:54:15

# Destroy all Keberos connection 
$ kdestroy

Ansible Inventory File

Add the Remote Windows Host to the default ansible inventory file in /etc/ansible/hosts

$ sudo nano /etc/ansible/hosts

[winhost]
aventis-ad01.aventis.local

[winhost:vars]
ansible_user = [email protected]
ansible_password = P@ssw0rd!@#$
ansible_connection = winrm
#ansible_port = 5985
ansible_winrm_transport = kerberos
ansible_winrm_server_cert_validation = ignore

uncomment the ansible_port = 5985 if WinRM HTTPS is NOT enable

Enable PowerShell Remote for HTTPS

Configure PowerShell Remote for HTTPS by following PowerShell Remoting for Non-Domain Workstation

Ad-Hoc Commands to veirify Ansible with Kerberos Authentication

Run some Ad-Hoc command, like win_ping to verify Ansible can connect to Remote Windows Server successfully

$ ansible winhost -m win_ping -vvvv
ansible 2.9.14
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Apr 16 2020, 01:36:27) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python3.6/site-packages/ansible/plugins/callback/minimal.py
META: ran handlers
Using module file /usr/lib/python3.6/site-packages/ansible/modules/windows/win_ping.ps1
Pipelining is enabled.
<aventis-ad01.aventis.local> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5986 TO aventis-ad01.aventis.local
calling kinit with subprocess for principal [email protected]
EXEC (via pipeline wrapper)
aventis-ad01.aventis.local | SUCCESS => {
    "changed": false,
    "invocation": {
        "module_args": {
            "data": "pong"
        }
    },
    "ping": "pong"
}

Run Windows Command using win_command on Remote Server

$ ansible winhost -m win_command -a "whoami" -vvvv

aventis-ad01.aventis.local | CHANGED | rc=0 >>
aventis\administrator

Table of Contents
Scroll to Top