How to enable MS AD in AWX so that winrm transport kerberos works

For testing and PoC playing around with AWX I have deployed it using the Docker method, which quickly spins up 5 new containers.

But since 75% of my inventories are Windows AD domain-joined machines, I would like to use my working (local) Ansible playbooks that make use of winrm transport kerberos from inside AWX.

If I understand this setup right, then I would have to add MS AD domain join (using Samba 4.x?), Python winrm, Kerberos 5, etc. Is that correct?

What is the ‘best/easiest’ way to integrate/enable AWX and MS AD? What are some of the alternatives?

Should I install a ‘local’ AWX, install of awx_web, awx_task, postgres, memcached, and rabbitmq and all of its requirements that are spun up in the docker delay into 5 separate containers on my already AD domain-joined CentOS 7 Ansible controller that has a working winrm setup with functioning Kerberos transport? Or will the ‘awx_task’ and ‘awx_web’ local install be isolated from the local Kerberos setup anyway?

Thanks for any pointers and help.

It is actually ‘almost’ working as is. :wink:

Turns out that the awx_task container simply needs to be run in privileged mode (at least under a local Docker install), and then it can use Kerberos transport for MS AD integration just fine.

There is a PR already queued up here:

https://github.com/ansible/awx/issues/735 “Kerberos Setup on Task Container needs to be privileged”

That’s really good to know - without doing this at the container level at all?

From GitHub, people seem to have run into other issues.

Another issue: we use sssd (LDAP/Kerberos) + Microsoft Active Directory on separate AD forests for both Linux and Windows. How do we go about configuring AWX to connect to both forests? sssd should allow AD authentication to both providers?