My Setup – Basic Install with Kerberos
For this post I will be using CentOS 7 with a basic Minimal install (no GUI) and no additional packages. I am going to show you how to set up a control station to run commands against Windows clients joined to a domain.
In order for this to work, you will need a domain account. You have two options: a regular user that is a member of the local Administrators group on the PC, or an account with domain admin rights. I will describe what it takes to install and configure Ansible with Kerberos authentication.
Once you get your OS up and going, update it:
yum -y update
Enable the EPEL repository:
yum -y install epel-release
Below is a list of the commands that I used to get Ansible running and working against a Windows device. If you are only managing Linux-based devices, only a few of these items need to be installed.
yum -y install gcc python-devel krb5-devel krb5-workstation python-pip git svn
pip install --upgrade pip
pip install pywinrm
pip install "pywinrm[kerberos]"
sudo pip install pyvmomi
yum -y install ansible
Now we need to configure the /etc/krb5.conf file.
To configure Kerberos, go to the section that starts with [realms].
Add the full domain name and the fully qualified domain names of the domain controllers.
Both the primary and secondary DNS/DC can be added.
Your file will look something like this:
[realms]
    MY.DOMAIN.COM = {
        kdc = domain-controller1.my.domain.com
        kdc = domain-controller2.my.domain.com
    }
In the section that starts with [domain_realm], add a line for each domain that Ansible needs access to.
[domain_realm]
    .my.domain.com = MY.DOMAIN.COM
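The function below is an added example, not part of the original post: it lints a krb5.conf for the mistakes this configuration is prone to (a realm not written in capitals, a realm stanza with no kdc, a [domain_realm] mapping to a realm that has no stanza). The names check_krb5_conf, good_conf and bad_conf are hypothetical, and both sample files are constructed.

```shell
# Added example, not from the original post. Assumes whitespace around "=".
# check_krb5_conf FILE: print one line per problem; return 1 if any was found.
check_krb5_conf() {
    awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    /^[ \t]*\[/ {                               # section header such as [realms]
        section = $0; gsub(/[^a-z_]/, "", section); next
    }
    section == "realms" && /=[ \t]*[{]/ {       # opens a stanza: MY.DOMAIN.COM = {
        realm = $1; kdcs[realm] = 0
        if (realm != toupper(realm)) { print "realm not uppercase: " realm; bad = 1 }
        next
    }
    section == "realms" && $1 == "kdc" { kdcs[realm]++; next }
    section == "domain_realm" && $2 == "=" { mapped[$1] = $3 }
    END {
        for (r in kdcs) if (kdcs[r] == 0) { print "no kdc listed for realm: " r; bad = 1 }
        for (d in mapped) if (!(mapped[d] in kdcs)) {
            print "domain " d " maps to undefined realm: " mapped[d]; bad = 1
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample input: the configuration shown in this post.
good_conf() {
    cat <<'EOF'
[realms]
MY.DOMAIN.COM = {
kdc = domain-controller1.my.domain.com
kdc = domain-controller2.my.domain.com
}
[domain_realm]
.my.domain.com = MY.DOMAIN.COM
EOF
}
# Constructed sample input: lowercase realm, no kdc, mapping to an undefined realm.
bad_conf() {
    cat <<'EOF'
[realms]
my.domain.com = {
}
[domain_realm]
.my.domain.com = MY.DOMAIN.COM
EOF
}

tmp=$(mktemp); good_conf > "$tmp"; check_krb5_conf "$tmp" && echo "good: OK"
bad_conf > "$tmp"; check_krb5_conf "$tmp" || echo "bad: problems found"; rm -f "$tmp"
```

On the control station, run it as check_krb5_conf /etc/krb5.conf before trying kinit.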
To check that authentication is functional, issue the following command using the account that is set up in AD to be the AnsibleAdmin account.
You will then be prompted for the account password.
(NOTE: The domain must be in all capital letters.)
kinit username@MY.DOMAIN.COM
Issue the following command to check if it worked:
klist
To destroy the ticket, issue this command:
kdestroy
At this point everything required is ready to administer a Windows device except for the playbooks. In my next post I will go over creating a playbook.