Using Ansible for Windows with a Domain User

I am starting to learn Ansible, but the documentation is not very useful.

I installed the host machine on RHEL and created the necessary hosts and windows.yml files.

But when I try to connect to a remote Windows server to get the pong back, I get the following error:

    [root@myd666 ansible_test]# ansible windows -i hosts -m win_ping
    hostname | UNREACHABLE! => {
        "changed": false,
        "msg": "ssl: the specified credentials were rejected by the server",
        "unreachable": true
    }

After installing the python-kerberos dependencies, I now get this error:

    hostname | UNREACHABLE! => {
        "changed": false,
        "msg": "Kerberos auth failure: kinit: KDC reply did not match expectations while getting initial credentials",
        "unreachable": true
    }

My windows.yml file contains:

    # it is suggested that these be encrypted with ansible-vault:
    # ansible-vault edit group_vars/windows.yml
    ansible_ssh_user: user@MYDOMAIN.NET
    ansible_ssh_pass: password
    ansible_ssh_port: 5986
    ansible_connection: winrm
    ansible_winrm_server_cert_validation: ignore

Am I doing something wrong with the Domain\User syntax? Maybe I forgot to install something on the Windows computer? I just ran the ConfigureRemotingForAnsible.ps1 script, and Python is not installed there.

This is my krb5.conf file:

    [libdefaults]
    default_realm = MYDOMAIN.NET
    #dns_lookup_realm = true
    #dns_lookup_kdc = true

    [realms]
    MYDOMAIN.NET = {
        kdc = dc1.mydomain.net
        default_domain = hpeswlab.net
    }

    [domain_realm]
    .mydomain.net = MYDOMAIN.NET
    mydomain.net = MYDOMAIN.NET

And I get the ticket using kinit:

    kinit -C user@MYDOMAIN.NET
    klist

klist output:

    Valid starting       Expires              Service principal
    01/31/2017 11:25:33  01/31/2017 21:25:33  krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
        renew until 02/01/2017 11:25:29
1 answer

In windows.yml, please double check that the line ansible_ssh_user: user@MYDOMAIN.NET really has the realm MYDOMAIN.NET in uppercase. Somewhere a realm is being sent to the KDC in lowercase rather than uppercase, which is why the KDC reply does not match expectations...

Case sensitivity also matters in krb5.conf. First, note that since the KDC name is an IP host name, it must be specified as the fully qualified host name, as in the example shown below. It is assumed that your KDC is called "dc1.mydomain.net". The domain name itself should be lowercase only. Kerberos realm names, on the other hand, must be uppercase; if the realm name is entered in lowercase in this file, that is another reason you might get this error message. Please modify your entire krb5.conf so that it looks like the one shown below (changing only "dc1" to the actual name) and it should work. Note: you do not need the two dns_lookup_ lines in your krb5.conf, so please leave them commented out as below. According to the MIT Kerberos documentation these are redundant mechanisms, and they can actually cause problems in your simple use case. After changing any configuration file, be sure to restart the Ansible engine before retesting.

    [libdefaults]
    default_realm = MYDOMAIN.NET
    #dns_lookup_realm = true
    #dns_lookup_kdc = true

    [realms]
    MYDOMAIN.NET = {
        kdc = dc1.mydomain.net
        default_domain = mydomain.net
    }

    [domain_realm]
    .mydomain.net = MYDOMAIN.NET
    mydomain.net = MYDOMAIN.NET

Please refer to this MIT link to configure krb5.conf correctly: Example file krb5.conf

In the hosts file, verify that the IP addresses for the names are correct. Per the RFC, Kerberos requires properly functioning DNS, and you run the risk of undermining it if there are stale entries in the hosts file.

Finally, although I couldn't tell which version of Ansible you are using, I did some research and found that "Ansible 2.0 deprecated ssh from ansible_ssh_user, ansible_ssh_host and ansible_ssh_port to become ansible_user, ansible_host, and ansible_port." This, of course, could be part of the problem. See: Unrelated to Windows documentation
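An added check, not from the question or the answer and not part of Ansible: a small Python linter that applies the answer's rules to a krb5.conf body and a group_vars file, flagging lowercase realm names, a kdc entry that is not fully qualified, and the deprecated ansible_ssh_* variable names. The two file bodies inside it are constructed samples that contain exactly those mistakes.

```python
# Added example, not from the question or answer: checks for the pitfalls
# the answer describes. Both file bodies are constructed samples with mistakes.
import re

KRB5_SAMPLE = """[libdefaults]
default_realm = mydomain.net
[realms]
mydomain.net = {
  kdc = dc1
}
[domain_realm]
.mydomain.net = mydomain.net
"""
WINDOWS_YML_SAMPLE = "ansible_ssh_user: user@mydomain.net\nansible_connection: winrm\n"
DEPRECATED = {"ansible_ssh_user": "ansible_user", "ansible_ssh_host": "ansible_host",
              "ansible_ssh_port": "ansible_port"}  # renamed in Ansible 2.0

def strip_comments(text):  # naive: any '#' starts a comment
    return "\n".join(l.split("#", 1)[0] for l in text.splitlines())

def check_krb5(text):
    """Realm names uppercase, kdc fully qualified, domain_realm domains lowercase."""
    text, f = strip_comments(text), []
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    if m and m[1] != m[1].upper():
        f.append(f"default_realm '{m[1]}' must be uppercase")
    for realm in re.findall(r"^\s*(\S+)\s*=\s*\{", text, re.M):  # [realms] blocks
        if realm != realm.upper():
            f.append(f"[realms] entry '{realm}' must be uppercase")
    for kdc in re.findall(r"^\s*kdc\s*=\s*(\S+)", text, re.M):
        if "." not in kdc:
            f.append(f"kdc '{kdc}' should be a fully qualified host name")
    sec = re.search(r"^\[domain_realm\](.*?)(?=^\[|\Z)", text, re.M | re.S)
    for dom, realm in re.findall(r"^\s*(\S+)\s*=\s*(\S+)", sec[1] if sec else "", re.M):
        if dom != dom.lower() or realm != realm.upper():
            f.append(f"[domain_realm] '{dom} = {realm}': domain lowercase, realm uppercase")
    return f

def check_inventory(text):
    """Flag deprecated ansible_ssh_* names and a lowercase realm in the user principal."""
    f = []
    for line in strip_comments(text).splitlines():
        k, _, v = (p.strip() for p in line.partition(":"))
        if k in DEPRECATED:
            f.append(f"{k} is deprecated since Ansible 2.0; use {DEPRECATED[k]}")
        if k in ("ansible_ssh_user", "ansible_user") and "@" in v:
            realm = v.rsplit("@", 1)[1]
            if realm != realm.upper():
                f.append(f"realm in '{v}' must be uppercase or the KDC reply will not match")
    return f
```

Run check_krb5 on the real /etc/krb5.conf contents and check_inventory on group_vars/windows.yml; an empty list means none of the answer's pitfalls are present.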


Source: https://habr.com/ru/post/1263539/
