Ansible - Setting up kerberos authentication

Рет қаралды 9,906

R3ap3rPy

Күн бұрын

Пікірлер: 35

@frankguan1111 3 жыл бұрын

Thanks much, this is what i am seeking for. It works in my lab !!

@Arun-vq8bs 2 жыл бұрын

Thanks for the video. I have a doubt. What is the domain controller actually ? Is the windows server we try to connect to?? Any documents or videos on it will be helpful.

@karthika393 Жыл бұрын

Thanks for the explanation, I tried everything just like you did, but I am getting this error msg": "kerberos: requested auth method is kerberos, but requests_kerberos is not installed" verified everything as suggested by other stackoverflow pages.

@r3ap3rpy Жыл бұрын

You have to install the "requests_kerberos" package.

@karthika393 Жыл бұрын

@R3ap3rPy I did But it worked when I used another Linux host as master and followed your steps. It worked I am able to ping and run some win-packages on windows

@ValhallenExile 3 жыл бұрын

Of note for anyone trying to get Kerberos and HTTP 5985 winrm going with ansible on a debian based platform: The group variable called "ansible_winrm_message_encryption" needs to be set to "always" otherwise winrm requests will be denied with error 500 because they will be sent unencrypted. This is now apart of the ansible documentation aswell. Figured I would share as I spent nearly a day trying to figure this out lol. If after setting this variable you get an error message saying "ansible_winrm_message_encryption is set to always and isnt supported" then you are on the right track and just need to update pywinrm[kerberos] to the latest version.

@kevinserafin1466 5 жыл бұрын

Nice guide. Although I cant seem to get this working. Do we need to make changes in winrm config of target machines for kerberos as outlined in previous video for basic auth?

@r3ap3rpy 5 жыл бұрын

Well this is a more complex question. is xour machine domain joined? Did you edit your krb5.config file? Did you setup configuration in either the inventory or groupvara to make this work?

@suryagunisetti 4 жыл бұрын

Many thanks for the video, I have a doubt that cant we create a single inventory file in /etc/ansible/hosts by mentioning both Windows VMs FQDNs in a host group called Win VMs and variables such as username,pwd,connection etc in Win VMs:vars instead of creating 2 host inventories ?

@r3ap3rpy 4 жыл бұрын

Surya Gunisetti inwould have only one inventory.

@cloudmalayaz7923 3 жыл бұрын

Hi thanks for the tutor. I'm facing HTTPS Tunnel error. Can you help me with this?

@r3ap3rpy 3 жыл бұрын

Whats the exact error message?

@cloudmalayaz7923 3 жыл бұрын

@@r3ap3rpy the tunnel error already gone but new error prompt out which is Kerberos Unable to authenticate response

@ronp8319 4 жыл бұрын

Great demo! Got it working all the way. But is there a way we can do this without adding the domain user to local admin group? Please suggest the solution or do a video.

@r3ap3rpy 4 жыл бұрын

Hi, you dont have to add the user to the admins. However certain commands will fail due to the lack of privilege.

@ronp8319 4 жыл бұрын

R3ap3rPy i tried removing the user from local admin group but creds are getting rejecting that time

@venkateshd1480 4 жыл бұрын

Do we need to generate keytab using ktpass command from windows machine as a first step?? ktpass princ host/fully_qualified_Vector_host_name@DOMAIN.COM mapuser user -pass password out krb5-1.keytab

@r3ap3rpy 4 жыл бұрын

Nope

@venkateshd1480 4 жыл бұрын

@@r3ap3rpy Why i asked this question is my windows machine is not the domain controller and i don't have access to active directory to create a user in that .. If i use the login credentials as the ansible user/password it doesn't work. I am getting 'kinit: KDC reply did not match expectations while getting initial credentials'

@r3ap3rpy 4 жыл бұрын

Well you need to distinguish between domain and local users and ubderstand the difference.

@venkateshd1480 4 жыл бұрын

@@r3ap3rpy I have a local user added to the administration group. Can i use that as ansible_user/password for kerberos? P.S: I am able to connect to manage windows using that user via basic authentication.

@r3ap3rpy 4 жыл бұрын

As I said you need to clear things up regarding topics of ansible authentication... you cannot use local users for kerberos authentication...