hey,
Does the ansible port requirement for Windows change from 5985/5986 to corresponding ntml/kerberos depending on ansible_winrm_transport selection of ntlm/kerberos/credssp etc.
Thanks in advance
No, port 5985 is the default port for http and 5986 is for https. The auth selection does not change this, and your Windows host could be configured with another port instead so you will have to check your configuration with ‘winrm e winrm/config/listener’.
Are you saying none of the standard kerberos ports 88,389,445, 3268 etc are required for ansible to use kerberos as ansible_winrm_transport, if we configure either 5985/5986 as default.
Thanks in advance
You will still need Kerberos to talk to the domain controller in whatever fashion it uses but the traffic between the Ansible controller and the Windows host will only need the WinRM port.
In regards to the ports you have stated
* 88 - I believe this is what the Kerberos TGS process uses, the traffic will be between the Ansible controller and the domain controller not the Windows host.
* 389 - This is the standard LDAP port, LDAP can use Kerberos auth like WinRM but Ansible does not use this to talk to Windows hosts
* 445 - This is the standard SMB port, like LDAP and WinRM this is a separate protocol to Kerberos and not used by Ansible to talk to Windows host
* 3268 - I believe this is another LDAP port so same thing applies
You may be using other modules in Ansible that use some of the ports above but for the WinRM connection plugin it only requires port 5985/5986 if using the default configuration to talk to your Windows host.