Kerberos Support

Does the current AWX Operator support the setup of Realms in Kerberos? I need to look into Windows host management through Ansible, but cannot see a method of injecting the realms data into the krb5.conf file.

What alternative (secure) methods does the operator currently support for WinRM host auth?

I am going to create a config map with the krb5.conf file at /etc/krb5.conf. I will inject it into the AWX task pod.

I posted a way to do this here on this issue.

It deploys fine and kinit works, but I haven’t gotten the time to test playbooks yet

@Brandon Ellis I am trying to recreate what you are doing but I am lost. Which part of the spec do you put that in? That’s the exact scenario I am wanting to do.

At the custom resource specification “spec” field in the my-awx.yml file mentioned in the awx-operator git README. Basically the same block where the ingress_type is specified. It turns out that the devs left in some secret custom variables so you can add in custom volumes and volume mounts.

Here’s my current “my-awx.yml” deployment spec file I’m using. It’s got some weird ${} and %{} syntax because I preprocess the file using terraform to add in variable values – feel free to replace any ${} block with your desired value. (Note that if you were to use the krb5.conf file in here, you’d need to replace %%{uid} with %{uid}).

Thank you Brandon,

I followed your example and did a test. As you said kinit does work.
I just needed the volume. So following your example is much needed.

Thanks once again.

Glad I could be of help

Ran into a similar issue; I tried the following in the AWX instance YAML but am still getting the following error. Would the ‘tower’ prefix for the variables make a difference?

I have these entries too under

[libdefaults]

default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

"msg": "Kerberos auth failure for principal windows_id@MYORG.COM with pexpect: KDC has no support for encryption type while getting initial credentials",

extra_volumes: |
  - name: krb5
    configMap:
      defaultMode: 420
      items:
        - key: krb5.conf
          path: krb5.conf
      name: krb5-conf
task_extra_volume_mounts: |
  - name: krb5
    mountPath: /etc/krb5.conf
    subPath: krb5.conf
ee_extra_volume_mounts: |
  - name: krb5
    mountPath: /etc/krb5.conf
    subPath: krb5.conf

Contents of the krb5.conf file from the task container.

sh-4.4$ cat /etc/krb5.conf

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.

includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = MYORG.COM
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
MYORG.COM = {
kdc = dfgdfdc4344.myorg.com
admin_server = dfgdfdc4344.myorg.com
}
[domain_realm]
.myorg.com = MYORG.COM
myorg.com = MYORG.COM

default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

Why have this?

I had to add these entries to the AWX 17.1.0 task container to make Windows connections work, so I did the same for 19.2.2 as well. Apparently it’s not working.
Not sure if something has changed with this version or if it is some other issue.

Thanks
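An added check, not code from the thread or from the awx-operator project: it parses the [libdefaults] section of a krb5.conf like the one pasted above, reports the RC4 (arcfour) and DES enctypes that a KDC with those ciphers disabled refuses (the "KDC has no support for encryption type" error quoted earlier), and rewrites those lines to AES. The sample config is constructed from the thread's own lines.

```python
import re
# Enctypes MIT krb5 treats as weak or deprecated (DES needs allow_weak_crypto,
# RC4/arcfour is deprecated), spelled as they appear in krb5.conf.
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "arcfour-hmac",
                 "arcfour-hmac-md5", "rc4-hmac", "arcfour-hmac-md5-exp", "rc4-hmac-exp"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
AES_ENCTYPES = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"

# Constructed sample mirroring the [libdefaults] lines pasted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = MYORG.COM
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[domain_realm]
 .myorg.com = MYORG.COM
"""

def parse_libdefaults(text):
    """Return key/value pairs from the [libdefaults] section (comments skipped)."""
    section, result = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result

def weak_enctype_findings(text):
    """Map each enctype setting in [libdefaults] to the weak enctypes it lists."""
    findings = {}
    for key, value in parse_libdefaults(text).items():
        if key in ENCTYPE_KEYS:
            weak = [e for e in value.split() if e.lower() in WEAK_ENCTYPES]
            if weak:
                findings[key] = weak
    return findings

def hardened_config(text):
    """Rewrite each weak enctype line to AES only; every other line is untouched."""
    weak_keys = weak_enctype_findings(text)
    out = []
    for raw in text.splitlines():
        m = re.match(r"^(\s*)(\w+)\s*=", raw)
        out.append(f"{m[1]}{m[2]} = {AES_ENCTYPES}" if m and m[2] in weak_keys else raw)
    return "\n".join(out) + "\n"
```

Run it against the file mounted into the task container (cat /etc/krb5.conf above) before changing the ConfigMap; the AES names are what a current Active Directory KDC issues by default.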