Ansible Node -> Multiple Windows domains

Ansible: 2.0.0.2
OS: CentOS 7.2

Is it possible to use a single Ansible controller for multiple Windows domains? The scenario requires the use of domain accounts for authentication on 3 separate domains.
I have configured the krb5.conf accordingly but as yet cannot get the Ansible controller to authenticate with all Windows servers (Server 2012 R2). I receive the following error messages:

“msg”: “ERROR! kerberos: ((‘Unspecified GSS failure. Minor code may provide more information’, 851968), (‘Server not found in Kerberos database’, -1765328377)), ssl: 401 Unauthorized. basic auth failed”

“msg”: “ERROR! kerberos: ((‘Unspecified GSS failure. Minor code may provide more information’, 851968), (‘Server not found in Kerberos database’, -1765328377)), ssl: 500 WinRMTransport. [Errno 113] No route to host”

I have run the ConfigureRemotingForAnsible.ps1 and can successfully get Kerberos tickets using kinit user@DOMAIN.NET across all the domains.

The new pywinrm stuff I’ve been working on (0.2.0rc3) supports on-the-fly kerberos principal switching across N domains if you have valid tickets for them all on a system that defaults to collection-typed credential caching (I’ve only tested on OSX so far- not sure what the default ccache type is on Cent7). Unfortunately, there’s a one-line bug in pykerberos that prevents it from working “out of the box”, but if you uncomment https://github.com/02strich/pykerberos/blob/master/src/kerberosgss.c#L234 and rebuild pykerberos, it should work if your system is configured for collection-typed kerberos ccaches.

Once all the relevant bits are shipped, I’m planning to do a full doc writeup on if/how this works for various OSs.

Meantime, jhawkesworth has another way to do this that you might be interested in: https://github.com/ansible/ansible/pull/14972/files

Just to say my stuff mentioned above only lets you point at multiple domains from one ansible controller, it doesn’t let you hit > 1 windows domain from a single playbook run.
It would probably be possible to modify it but right now once it has cached a kerberos ticket for a windows host it returns control to ansible.

So it sounds like your time would be best spent trying out Matt’s suggestion.

Jon (jhawkesworth)

Hi,

Just to say my stuff mentioned above only lets you point at multiple domains from one ansible controller, it doesn't let you hit > 1 windows domain from a single playbook run.
It would probably be possible to modify it but right now once it has cached a kerberos ticket for a windows host it returns control to ansible.

I do something similar, but in a shell script I use that calls
ansible-playbook - not quite as neat as doing it via a callback, but
it's in place anyway to set up other bits of the environment.

Roughly, that's -

KRB5CCNAME=`mktemp`
export KRB5CCNAME
kinit -l 2h -k -t /path/to/keytab "$ADPRINC"
ansible-playbook <options>
kdestroy

Where $ADPRINC is the kerberos principal name (eg user@DOMAIN) passed
into the script. You can add keys for the various principals to the
keytab using ktutil. Using a keytab avoids passing passwords around
(and risking them being echoed or logged) and means you don't have to
deal with piping them into kinit.

Barney.