How to use Kerberos Authentication with Ansible on Red Hat Enterprise Linux

ansible automation kerberos Nov 26, 2023

I use Ansible in my virtual sandbox to configure and maintain Linux and Windows servers. I aim to set up my sandbox to match most of the production environments I've previously worked with.  Most require using Kerberos over NTLM or strongly encourage its use.  The sandbox I'm configuring already has a Windows domain.  I wanted to configure the Ansible controller to use Kerberos.  The following steps are how I did it.  FYI, if you don't have a sandbox environment to use, check out my free guide on how to get started.

 The 6-Step Virtual Sandbox Jumpstart Guide

 

In this post, I'll cover the following:

  • Install Ansible using the Python 3.12 pip package manager.
  • Install all required packages to support Kerberos authentication when connecting from the Ansible controller to Windows Server 2022 using WinRM.

We'll end the post by configuring the Windows Server 2022 server as an iSCSI target by installing the FS-iSCSITarget-Server feature.

Installing Ansible


First, make sure you've installed the latest updates.  Then, install the remaining packages.  At the end of step 6, you'll have ansible, ansible-lint, and pywinrm installed.

  1. sudo yum update
  2. sudo yum -y install python3.12
  3. sudo yum -y install python3.12-pip
  4. python3.12 -m pip install --user ansible
  5. python3.12 -m pip install --user ansible-lint
  6. python3.12 -m pip install --user pywinrm

 

Authenticating using Kerberos


If you attempt to use Kerberos authentication with Ansible without the following packages installed, you'll receive an error: kerberos: the python kerberos library is not installed

Install the following packages to support Kerberos authentication:

  1. sudo yum -y install gcc python3.12-devel krb5-devel krb5-libs krb5-workstation
  2. python3.12 -m pip install "pywinrm[kerberos]"

Enabling Kerberos authentication


With Ansible and the Kerberos packages installed, you can now modify the Ansible inventory file to use Kerberos by setting the ansible_winrm_transport variable.  The example below is from my inventory file.  

[storageservers]
SRV1.homelab.local

[storageservers:vars]
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_port=5986
ansible_winrm_transport=kerberos
ansible_winrm_operation_timeout_sec=60
ansible_winrm_read_timeout_sec=90
ansible_winrm_kinit_mode=managed
ansible_winrm_kinit_cmd=kinit

Next, we'll modify the krb5.conf file. In my environment, I have a domain named HOMELAB.LOCAL. We'll set the realms section to the settings below. Modify this to match your domain name. DC1 is the name of my domain controller. If you have multiple domain controllers, add another line below "kdc = DC1.homelab.local" and enter your second domain controller name (e.g. "kdc = DC2.homelab.local").

Configure host Kerberos


  1. Edit /etc/krb5.conf and set the realms section to match below.  You can use "sudo vi /etc/krb5.conf" to edit the file.  See here for a vi cheat sheet.

    [realms]
    HOMELAB.LOCAL = {
        kdc = DC1.homelab.local
    }

  2. Set the domain_realm section to match the following.  Replace homelab.local with the name of your domain.

    [domain_realm]
    .homelab.local = HOMELAB.LOCAL

Save and exit.
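A pre-flight check for the inventory and krb5.conf settings above, as an added example that is not part of the original post: it reports hosts whose domain does not map to a realm with a KDC (realm names are case-sensitive) and flags the disabled WinRM certificate validation. The function names parse_krb5, realm_for and preflight are hypothetical, and the parser assumes only the [realms] and [domain_realm] layout shown here.

```python
def parse_krb5(text):
    """Return ({REALM: [kdc, ...]}, {domain: REALM}) from krb5.conf text."""
    realms, domain_realm, section, kdcs = {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(("[", "}")):  # new section, or end of a realm block
            section, kdcs = line.strip("[]}") or section, None
        elif "=" in line and not line.startswith(("#", ";")):
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                kdcs = realms.setdefault(key, [])
            elif section == "realms" and kdcs is not None and key == "kdc":
                kdcs.append(value)
            elif section == "domain_realm":
                domain_realm[key.lower()] = value
    return realms, domain_realm

def realm_for(host, domain_realm):
    """Exact host entry first, then each parent domain, e.g. .homelab.local."""
    name = host.lower()
    parents = ["." + name.split(".", i)[-1] for i in range(1, name.count(".") + 1)]
    return next((domain_realm[c] for c in [name, *parents] if c in domain_realm), None)

def preflight(hosts, host_vars, krb5_text):
    """Return findings that would break or weaken Kerberos over WinRM."""
    realms, domain_realm = parse_krb5(krb5_text)
    findings = []
    if host_vars.get("ansible_winrm_transport") != "kerberos":
        findings.append("transport is not kerberos")
    if host_vars.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("WinRM TLS certificate is not validated")
    for host in hosts:
        realm = realm_for(host, domain_realm)
        if realm is None:
            findings.append(f"{host}: no [domain_realm] mapping")
        elif not realms.get(realm):
            findings.append(f"{host}: realm {realm} has no kdc in [realms]")
    return findings

HOSTS = ["SRV1.homelab.local"]  # sample values copied from this post's files
VARS = {"ansible_winrm_transport": "kerberos",
        "ansible_winrm_server_cert_validation": "ignore"}
KRB5 = """[realms]
HOMELAB.LOCAL = {
    kdc = DC1.homelab.local
}
[domain_realm]
.homelab.local = HOMELAB.LOCAL"""
print(*preflight(HOSTS, VARS, KRB5), sep="\n")
```

With the sandbox values from this post the only finding is the certificate setting; ansible_winrm_server_cert_validation also accepts validate once the controller trusts the CA that issued the WinRM listener certificate.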

Install the iSCSI target server feature


In this example, SRV1 has already been added to the domain. 

I've created the following playbook, which will install the FS-iSCSITarget-Server feature and reboot if needed.  I plan to use this server to host shared storage for a few other Windows servers in my sandbox.

playbook_winISCSITarget.yml

---
- name: Setup server as ISCSI target
  hosts: storageservers

  tasks:
    - name: Install ISCSI feature
      ansible.windows.win_feature:
        name: FS-iSCSITarget-Server
        include_management_tools: yes
        state: present
      register: iscsi

    - name: reboot server
      ansible.windows.win_reboot:
        msg: "Installing ISCSI target. Rebooting..."
        pre_reboot_delay: 2
      when: iscsi.changed

Next, I'll use the ansible-playbook command to run the playbook above.  I'll use the Administrator domain account to authenticate using Kerberos.

ansible-playbook -i hosts.ini playbook_winISCSITarget.yml -u [email protected] --ask-pass


Conclusion


Kerberos authentication support is pretty painless to set up on Red Hat Enterprise Linux.  Check out the video for a demo of the steps listed.  Are you using Ansible today to manage and configure your Windows environments?  If so, leave a comment below.  Thanks for stopping by!

Additional resources

Windows Remote Management — Ansible Documentation

Kerberos Authentication Overview | Microsoft Learn

NTLM vs KERBEROS - Microsoft Community

iSCSI Target Server Overview | Microsoft Learn