Ansible – Setting up a CentOS / Red Hat 8 Linux Ansible server to talk to a Windows machine.


Ansible is a great platform that really pushes itself as an agent-less automation tool. One of the attractions of Ansible is that it can also talk to Windows machines, again without an agent.

Magical PXE dust? Some weird Linux PowerShell module? REST API? Nope, it just uses WinRM calls.

Now, I will say that it is not as developed as I would like, but it works. There are essentially two components needed to allow this, plus one recommendation:

  1. Ensure that your Linux Ansible machine is set up to make WinRM calls.
  2. Ensure that your Windows client machine is able to receive calls via WinRM.
  3. I highly recommend a bastion Windows host to process any complex PowerShell scripts that carry out advanced operations.

We will be focusing on Part 1 today, which is setting up your Ansible server. I am doing this on an actual CloudForms worker, but the process should be the same on any CentOS/RHEL 8 host.

PART I. Setting up your Linux Ansible Machine

Log in to your Ansible host and install pywinrm. Since Ansible is really Python under the hood, it makes sense that the WinRM client is a Python library too. For this example I am installing on a CentOS/RHEL 8 server, which ships with Python 3 and pip3, so we are going to do the following.

First ensure that you have the dependencies installed:

# Install dependency packages (krb5-workstation provides kinit and klist)
yum -y install python3-pip gcc python3-devel krb5-devel krb5-libs krb5-workstation

# Upgrade pip
pip3 install --upgrade pip
# Install the WinRM client and the packages it needs for Kerberos authentication
pip3 install pywinrm
pip3 install kerberos requests_kerberos

The next step is configuring your domain authentication. Open /etc/krb5.conf in a text editor and make it look like the following, substituting your Active Directory domain for YOURFQDN.COM:

# Other applications require this directory to perform krb5 configuration.
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = YOURFQDN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 # Forwardable tickets are only needed if you intend to delegate the credential
 # to the Windows host (double-hop, ansible_winrm_kerberos_delegation);
 # otherwise set this to false.
 forwardable = true

[realms]
 YOURFQDN.COM = {
  # With dns_lookup_kdc = true this entry is optional: the AD domain name
  # resolves to the domain controllers. You can also list a specific DC here.
  kdc = YOURFQDN.COM
 }

[domain_realm]
 yourfqdn.com = YOURFQDN.COM
 .yourfqdn.com = YOURFQDN.COM

Next, initialize your Kerberos ticket for the account that Ansible will use.
Note: the realm after the @ must match the configured Kerberos realm exactly, and Active Directory realms are upper case.

kinit some_service_acct@YOURFQDN.COM

Verify with klist that you now hold a krbtgt/YOURFQDN.COM@YOURFQDN.COM ticket. It expires after the configured ticket_lifetime (24h above), so an interactive kinit is fine for testing but not for unattended runs.
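As an added example (not from the original post), the following POSIX shell script pre-checks a principal against the realm configured in krb5.conf before you run kinit. It catches the two mistakes the note above warns about: a realm that does not match default_realm, and a lower-case realm. The krb5.conf it writes to a temp file is constructed for the demo in the same layout as the one above, and the service account name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a Kerberos principal
# against the realm configured in krb5.conf before calling kinit.

# Print the default_realm from the [libdefaults] section of the krb5.conf at $1.
krb5_default_realm() {
    awk '
        /^[[:space:]]*\[/ {                       # section header, e.g. [libdefaults]
            section = $0
            sub(/^[[:space:]]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        section == "libdefaults" && /^[[:space:]]*default_realm[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")        # keep only the value
            sub(/[[:space:]]+$/, "")
            print
            exit
        }
    ' "$1"
}

# Return 0 if principal $1 (user@REALM) uses realm $2 and the realm is upper case,
# which is what an Active Directory KDC expects; otherwise print why and return 1.
check_principal() {
    principal=$1
    realm=$2
    case "$principal" in
        *@*) ;;
        *)  echo "principal '$principal' has no @REALM suffix" >&2; return 1 ;;
    esac
    prealm=${principal##*@}
    if [ "$prealm" != "$realm" ]; then
        echo "realm '$prealm' does not match configured default_realm '$realm'" >&2
        return 1
    fi
    if [ "$prealm" != "$(printf '%s' "$prealm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm '$prealm' must be upper case" >&2
        return 1
    fi
    return 0
}

# Demo: write a constructed krb5.conf (same layout as the post) to a temp file
# and check a good and two bad principals against it. Placeholder names only.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
includedir /etc/krb5.conf.d/

[libdefaults]
 default_realm = YOURFQDN.COM
 dns_lookup_kdc = true

[realms]
 YOURFQDN.COM = {
  kdc = YOURFQDN.COM
 }
EOF

realm=$(krb5_default_realm "$demo_conf")
echo "configured default_realm: $realm"
for p in some_service_acct@YOURFQDN.COM some_service_acct@yourfqdn.com some_service_acct; do
    if check_principal "$p" "$realm"; then
        echo "OK   $p  -> safe to run: kinit $p"
    else
        echo "FAIL $p"
    fi
done
rm -f "$demo_conf"

# If the Kerberos client tools are installed, report whether a ticket is already
# cached (klist -s is silent and returns non-zero when there is none).
if command -v klist >/dev/null 2>&1; then
    if klist -s; then echo "a Kerberos ticket is cached"; else echo "no cached ticket; run kinit"; fi
fi
```

Run it against the real file with `krb5_default_realm /etc/krb5.conf` once you have edited it; the check is deliberately case-sensitive because the KDC is, so a principal typed as `user@yourfqdn.com` fails here rather than at kinit time with an unhelpful "Cannot find KDC for realm" error.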