Ansible – Setting up a CentOS / Red Hat 8 Linux Ansible server to talk to a Windows machine.
Ansible is a great platform that really pushes itself as an agent-less automation tool. One of the attractions of Ansible is that it can also talk to Windows machines (without installing an agent).
Magical PXE dust? Some weird Linux PowerShell module? REST API? Nope, just WinRM calls.
Now I will say that it's not as developed as I would like it to be, but it works. There are essentially two components needed to allow this:
- Ensure that your Linux Ansible machine is set up to make WinRM calls.
- Ensure that your Windows client machine is able to receive calls via WinRM.
- I highly recommend a bastion Windows host to process any complex PowerShell scripts that carry out advanced operations.
We will be focusing on Part I today, which is setting up your Ansible server. I am doing this on an actual CloudForms worker, but the process should be the same elsewhere.
PART I. Setting up your Linux Ansible Machine
Log in to your Ansible host and install pywinrm. Since Ansible really is Python under the hood, it makes sense that you would install pywinrm. For this example I am installing on a CentOS/RHEL 8 server. We are using the latest release with Python 3 and pip3, so we are going to do the following.
First ensure that you have your dependencies installed:
# Yum install dependency packages (gcc and the devel headers are needed to build the Kerberos bindings)
yum -y install python3-pip gcc python3-devel krb5-devel krb5-libs krb5-workstation
# Upgrade pip
pip3 install --upgrade pip
# Install the packages you need (use pip3 so they land in the Python 3 environment Ansible runs under)
pip3 install pywinrm
pip3 install kerberos requests_kerberos
The next step is configuring your domain authentication. Open the following file in a text editor:
/etc/krb5.conf
# Other applications require this directory to perform krb5 configuration.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = YOURFQDN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
YOURFQDN.COM = {
kdc = YOURFQDN.COM
}
[domain_realm]
yourfqdn.com = YOURFQDN.COM
.yourfqdn.com = YOURFQDN.COM
Next, initialize your Kerberos ticket.
Note: The domain must match the configured Kerberos realm exactly, and must be in upper case.
kinit some_service_acct@YOURFQDN.COM
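The note above is easy to get wrong, so here is an added example (my own check, not code from the original post, Ansible or pywinrm) that parses a krb5.conf in the shape shown above and confirms the realm is upper case, defined under [realms], mapped under [domain_realm], and identical to the realm in the kinit principal. The sample config is constructed inline and reuses the placeholder YOURFQDN.COM from the post.

```python
"""Sanity-check a krb5.conf before running kinit for Ansible/WinRM."""

# Constructed sample: the relevant parts of the krb5.conf from this post.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
default_realm = YOURFQDN.COM
dns_lookup_kdc = true
[realms]
YOURFQDN.COM = {
 kdc = YOURFQDN.COM
}
[domain_realm]
yourfqdn.com = YOURFQDN.COM
.yourfqdn.com = YOURFQDN.COM
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value lines and
    NAME = { ... } blocks. includedir lines and # comments are skipped.
    Returns {section: {key: value}} with block contents as nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif section is None:
            continue  # ignore stray keys before the first section
        elif line.endswith("{"):
            block = line[:-1].strip().rstrip("=").strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            target = conf[section][block] if block else conf[section]
            target[key] = value
    return conf


def check_realm_setup(text, principal):
    """Return a list of problems; an empty list means the realm is upper
    case, defined, mapped, and matches the realm in the kinit principal."""
    conf = parse_krb5_conf(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    if realm is None:
        return ["[libdefaults] has no default_realm"]
    problems = []
    if realm != realm.upper():
        problems.append(f"default_realm {realm!r} is not upper case")
    if realm not in conf.get("realms", {}):
        problems.append(f"[realms] has no entry for {realm}")
    if realm not in set(conf.get("domain_realm", {}).values()):
        problems.append(f"[domain_realm] never maps a domain to {realm}")
    principal_realm = principal.rsplit("@", 1)[-1] if "@" in principal else ""
    if principal_realm != realm:
        problems.append(f"kinit principal realm {principal_realm!r} != {realm!r}")
    return problems
```

Run check_realm_setup(open("/etc/krb5.conf").read(), "some_service_acct@YOURFQDN.COM") on the real file; anything it returns is a reason kinit or the WinRM Kerberos handshake will fail.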
Ben Tuma
Over 20 years of experience in the Information Technology field. I love technology and seeing how it changes and impacts people's lives for the better. I have a healthy appetite for innovation and problem solving.
I am sharing my knowledge and challenges in the hope of helping others as we constantly face ever-changing problems in IT and technology.