Group,
I did a writeup of getting Ansible and Kerberos working. This is mostly based on my own research as the documentation only mentions kerberos support in a line or two:
http://hindenes.com/trondsworking/2015/07/27/ansible-and-windows-configuring-kerberosactive-directory-authentication/
I would love it if someone from the group could validate my writeup.
Also, there are some things that are confusing to me:
- If kerberos is specified (via a username with the @ sign) and a ticket is not present, shouldn’t ansible run kinit to grab a ticket before its run? It seems cumbersome to me having to run kinit manually before kicking off the playbook (of course given that Ansible knows the password for the given ad user account)
- I don’t see why there’s a hard requirement on using port 5986(ssl) when Kerberos is enabled. In my opinion we should allow 5985(plain http) as long as Kerberos is being used. This would simplify the target node configuration for many shops.
Any pointers/feedback appreciated!
Trond
Thanks for this, this is good stuff, we should make ‘unboxing’ the windows support for ansible as easy as possible.
A few things you might want to add.
1/ You can run ‘klist’ to see if you’ve got a ticket (rather than just trusting that
2/ synchronize your ansible controller clock with your domain controllers as kerberos is time sensitive.
Troubleshooting kerberos ansible connections
Occasional failures to get a ticket are often caused by the clock on the controller drifting from the time on the domain controllers.
Use actual domain name, not aliased domain names in your /etc/krb5.conf
If it won’t work try
kinit -c user@MY.DOMAIN
and if the ticket you get back is for a different domain, then you are trying to use a domain alias and need to switch to the domain name shown in klist.
That’s it for suggestions.
The running kinit beforehand thing is tricky… it’s perfectly possible to set things up so that your ansible controller is a domain member, in which case you will have a ticket because you have logged in as a domain user. Other places wouldn’t want that, in which case getting a ticket when you need it makes more sense, especially if you want to connect to several different windows domains from the same ansible controller.
I created a callback plugin to acquire tickets for any hosts in the current inventory before starting to run tasks, and then the plugin removes the tickets when the playbook run completes. However, it’s not perfect as you can only use it with bin/ansible-playbook - you can configure bin/ansible to trigger callbacks but unfortunately the events are different so (at least last time I checked) the plugin wouldn’t work with bin/ansible.
Hadn’t noticed about the 5986 only for kerberos as I set things up to run on 5986 long ago and prefer running over ssl connection. Does it actually not work via 5985 or is it just that it tries 5986 first?
Jon
Great stuff, thanks for the feedback Jon. I’ll update the post.
As for 5986/5985 as far as I have tested it simply does not work on 5985.