I think its great ansible is leveraging powershell and avoids unnecessary agents, but using basic authentication which forces local admin accounts on Windows wont cut it. Local Admin accounts are generally viewed as a security risk and a nightmare to manage. We’ve got 50K+ hosts deployed. As we know, Microsoft’s WS-Man implementation, WinRM only supports domain credentials when using Negotiate, CredSSP and Kerberos. CredSSP enables ‘double hop’, but it will probably be the most work - pywinrm (already used by ansible) has working support for Kerberos (we’ve tested it)
Is anyone looking into plugging kerberos support into ansible for authenticating to Windows hosts?
We have tested kerberos authentication over SSL with pywinrm. The domain controllers (acting KDCs) in the test configuration were 2008r2 and 2012r2, at 2003 functional level. Clients were 2008r2 and 2012r2. All worked fine with the latest MIT krb5 and python kerberos and pywinrm modules.
It’s something we are starting to spike at the moment, but wanted to see if the feature is already being worked on/planned - don’t want to mess with the product strategy
At the moment the user passes in a Windows username through ‘ansible_ssh_user’. It would be possible to determine whether to use basic or kerberos by checking if this value is a UPN. This approach is used by the Win32 API’s, see LogonUser (http://msdn.microsoft.com/en-gb/library/windows/desktop/aa378184(v=vs.85).aspx)
As an example:
ansible_ssh_user: iclegg << implicitly uses basic auth since no kerberos realm is specified
ansible_ssh_pass: password123
ansible_ssh_port: 5986
ansible_connection: winrm
ansible_ssh_user: iclegg@realm << implicity uses Kerberos since this not a valid Windows username, but is a valid UPN ( ‘@’ is reserved)
ansible_ssh_pass: password123
ansible_ssh_port: 5986
ansible_connection: winrm
I have not looked into how kerb is done with SSH, so this suggestion may not be consistent with it
I just submitted a PR for this functionality “https://github.com/ansible/ansible/pull/8345” , maybe you can have a look and provide some feedbacks. or maybe you have a better way of implementation if so please feel free to replace it.
I’m totally not worried if it’s not consistent for Windows/Linux and this seems great to me.
Seems ok to be handled differently and this approach seems good.
Basically our Linux kerb support now is “get a ticket”, “don’t supply any passwords”, “should just work”.
No concerns about messing with our plans at all - in a great sense, our job is to rally everyone and then facilitate everyone working on everything together - i.e. run this thing like a real OSS project :). There’s a lot of filtering in that, and we do have to develop a lot of things, but this direction seems very good for everyone.
If you’re willing to fiddle with it and send us a PR (maybe also including the docsite/rst/*.rst notes about Windows Kerberos?), that would be absolutely fantastic!