Posted on 1 Comment

Authenticate windows servers with Ansible domain user – kerberos configuration

If you try to connect with Ansible on a Windows machine with your active directory account you will get the error -> the specified credentials were rejected by the server

In order to connect through a domain account you should add some inventory variables and also install some additional components.

If you do not have the appropriate libraries installed, you should get the error shown on the below screenshot.

By trying to install kerberos and requests-kerberos through pip3 I got the error that is listed below.

sudo pip3 install requests-kerberos
Command "/usr/bin/python3.6 -u -c "import setuptools, tokenize;file='/tmp/pip-build-2v_1srr8/pykerberos/setup.py';f=getattr(tokenize, 'open', open)(file);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, file, 'exec'))" install --record /tmp/pip-nkj0fa0v-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-2v_1srr8/pykerberos/

In order to resolve, first upgrade your pip3 setup tools

pip3 install --upgrade setuptools

Install python3-devel package and other required packages

yum -y install gcc python-devel krb5-devel krb5-libs krb5-workstation

Run setup with pip3 once again. The result should be successful.

Your inventory file should contain the below variables:

ansible_user = admin@DOMAIN.COM (capital letters)
ansible_connection = winrm
ansible_winrm_server_cert_validation = ignore
ansible_password = 
ansible_become_user= admin@DOMAIN.COM
ansible_become_method= runas
ansible_winrm_transport = kerberos

You should also edit Kerberos config file:

vi /etc/krb5.conf

Adjust

[logging]
                 // nothing to edit here
 [libdefaults]
     default_realm = DOMAIN.COM (capital letters)
 [realms]
  DOMAIN.COM (capital letters) = {
      kdc = dc1.domain.com
      kdc = dc2.domain.com
      admin_server = dc1.domain.com
  }
 [domain_realm]
  .domain.com = DOMAIN.COM

Grap a session for your user:

kinit -C admin@EXAMPLE.COM

And you finally can communicate with your Windows machines through an Active Directory account.

https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html