failing while connecting to Windows using AD credentials

Hello all.

I am an Ansible rookie. I am trying to set up Ansible to manage Windows machines, but I got some issues. Here I will share some information about my system and my configuration.

I hope you can help me.

Thank you.

Linux machine

Python 2.7.5
REDHAT_SUPPORT_PRODUCT_VERSION="7.1"
Red Hat Enterprise Linux Server release 7.1 (Maipo)
kerberos 1.14.1
ansible 2.2.1.0

Kerberos configuration

/etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false

default_realm = EXAMPLE.COM

default_ccache_name = KEYRING:persistent:%{uid}

[realms]
STT.COM = {
kdc = myserver.stt.com
}

[domain_realm]
.stt.com = STT.COM

When I run kinit, the following error appears:

kinit -C myuser@STT.COM

kinit: Cannot contact any KDC for realm 'STT.COM' while getting initial credentials

Ansible files

group_vars/winnodes.yml
ansible_user: myuser@STT.COM
ansible_password: mypas
ansible_port: 5985
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore

On my Windows machine I executed the following command:

@powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((new-object net.webclient).DownloadString('https://github.com/ansible/ansible/raw/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))"

When I run the following command, I got this:

ansible winnodes -i winhosts -m win_ping

I can't see the output of your execution with Ansible, but your main issue is around the error message you get when running kinit with your domain account. It is unable to get the Kerberos ticket for your user as it can't connect to your domain/realm. You will need to solve this issue first if you want to use Kerberos auth with Ansible, but that is outside the scope of Ansible.

Once you resolve that, it would be highly recommended to change the ansible_port to 5986 so it is run over HTTPS and your messages are encrypted. If you don't change this, Ansible will probably fail, as Windows by default doesn't allow unencrypted messages to be sent to it.
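As an added example (not part of this thread, and not Ansible's or MIT Kerberos's own code), the script below lints the krb5.conf and group_vars posted above for the realm/KDC inconsistencies that sit behind a "Cannot contact any KDC" error, and flags the plain-HTTP port the reply recommends changing. The realm STT.COM, the KDC myserver.stt.com and the principal myuser@STT.COM are the placeholders from the question; the kdc_reachable() probe needs network access and exists only to confirm that TCP port 88 on the listed KDC is open, which no amount of reading the file can tell you. The finding about ansible_winrm_server_cert_validation: ignore is an editorial caveat (it disables TLS server authentication, so an HTTPS listener on 5986 no longer proves you are talking to the right host), not something the reply says.

```python
"""Lint the krb5.conf and Ansible WinRM variables from the question.

Added example, not from the thread. Realm, KDC and user names are the
placeholders from the question, not real hosts.
"""
import re
import socket

# Constructed sample: the krb5.conf fragments posted above, joined into one file.
SAMPLE_KRB5_CONF = """\
[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
forwardable = true
rdns = false
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
STT.COM = {
    kdc = myserver.stt.com
}

[domain_realm]
.stt.com = STT.COM
"""

# Constructed sample: the group_vars posted above (password omitted).
SAMPLE_GROUP_VARS = {
    "ansible_user": "myuser@STT.COM",
    "ansible_port": 5985,
    "ansible_winrm_transport": "kerberos",
    "ansible_winrm_server_cert_validation": "ignore",
}


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section] headers, key = value
    lines, and "NAME = { ... }" blocks inside sections such as [realms].
    Values inside a block are kept as lists, since a realm may list several
    kdc = lines."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, block = header.group(1), None
            conf.setdefault(section, {})
        elif section is None:
            continue
        elif line.endswith("{"):
            block = line[:-1].rstrip(" =")
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if block is None:
                conf[section][key] = value
            else:
                conf[section][block].setdefault(key, []).append(value)
    return conf


def lint_krb5(conf, principal):
    """Return findings about the realm that `principal` (user@REALM) needs.
    Only what the file itself says is checked; a KDC that is listed but
    unreachable (the situation in the question) needs kdc_reachable()."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    realm = principal.rsplit("@", 1)[1] if "@" in principal else default_realm
    if default_realm and default_realm not in realms:
        findings.append("default_realm %s has no [realms] entry; kinit without an "
                        "explicit @REALM can only find a KDC via DNS SRV records" % default_realm)
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped not in realms:
            findings.append("[domain_realm] maps %s to undefined realm %s" % (domain, mapped))
    if realm not in realms:
        findings.append("realm %s for %s is not defined in [realms]" % (realm, principal))
    elif not realms[realm].get("kdc"):
        findings.append("realm %s lists no kdc; only the DNS SRV lookup "
                        "_kerberos._tcp.%s remains" % (realm, realm.lower()))
    return findings


def kdc_reachable(kdc, timeout=3.0):
    """TCP-probe one "kdc = host[:port]" value (default port 88). Needs
    network access, so the offline checks do not call it."""
    host, _, port = kdc.partition(":")
    try:
        sock = socket.create_connection((host, int(port or 88)), timeout=timeout)
        sock.close()
        return True
    except (OSError, socket.error):
        return False


def lint_winrm_vars(group_vars):
    """Findings on the WinRM variables: port 5986 is what the reply recommends;
    the cert-validation finding is an editorial caveat, not from the thread."""
    findings = []
    if group_vars.get("ansible_port") == 5985:
        findings.append("ansible_port 5985 is plain HTTP; use 5986 (HTTPS) so the "
                        "WinRM payload is encrypted in transit")
    if group_vars.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("ansible_winrm_server_cert_validation: ignore disables TLS server "
                        "authentication; trust or pin the listener certificate instead")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for f in lint_krb5(conf, SAMPLE_GROUP_VARS["ansible_user"]):
        print("krb5.conf: %s" % f)
    for kdc in conf["realms"]["STT.COM"]["kdc"]:
        print("kdc %s reachable on TCP 88: %s" % (kdc, kdc_reachable(kdc)))
    for f in lint_winrm_vars(SAMPLE_GROUP_VARS):
        print("group_vars: %s" % f)
```

On the posted file the only static finding is the default_realm mismatch (EXAMPLE.COM has no [realms] block), which does not explain the kinit error because the principal names STT.COM explicitly; the probe against myserver.stt.com is what answers that. Running kinit with `KRB5_TRACE=/dev/stderr` set shows which KDC addresses libkrb5 actually tried, including any it found through DNS SRV records, which is the quickest way to see whether the name resolves and the port answers.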