Configuring Ansible to Manage Windows Hosts using Kerberos Authentication – Step by Step

In this tutorial I will explain how to configure Ansible for domain joined servers and workstations

First, install a fresh minimal (core) CentOS 7 machine.

After you finish installing it, let's disable NetworkManager by using this command.

[root@cetnos /]# systemctl disable NetworkManager

Let's check our network interfaces by using the command:

[root@cetnos /]# ip addr

We can see that we get the IP address 192.168.10.6 on interface ens33.

Let's change this from DHCP to a static IP and add the DNS servers. We do this by editing the interface config file.

[root@cetnos /]# vi /etc/sysconfig/network-scripts/ifcfg-ens33

Please add the marked lines to your network interface config file.

Now save it by using this command: :wq!

Please reboot the server for the changes to take effect.

After the system has finished rebooting, we need to change one last thing before we join this machine to the domain. Open the resolv.conf file by using this command:

[root@cetnos /]# vi /etc/resolv.conf

Make sure that you add your domain name here and that you have the IP addresses of your DNS servers. Don’t forget to save it by using this command: :wq!

Test your network. Make sure you can resolve DNS correctly. To do that, we need to install the BIND utilities for nslookup.

[root@ansible ~]# yum -y install bind-utils

Type: nslookup (your windows server ip)

This command will query the AD server without a fully qualified name and also perform a reverse lookup on the IP address.

Configure the Ansible Environment

Install Prerequisite Packages

Use Yum to install the following packages.

  • Install GCC, required for Kerberos
[root@ansible ~]# sudo yum group install "Development Tools"
  • Install requests_kerberos
[root@ansible ~]# pip install kerberos requests_kerberos
  • Install Kerberos
[root@ansible ~]# pip install kerberos
  • Install the Kerberos wrapper
[root@ansible ~]# pip install "pywinrm[kerberos]"
  • Install EPEL
[root@ansible ~]# yum -y install epel-release
  • Install Ansible
[root@ansible ~]# yum -y install ansible
  • Install Kerberos
[root@ansible ~]# yum -y install python-devel krb5-devel krb5-libs krb5-workstation
  • Install Python PIP
[root@ansible ~]# yum -y install python-pip
  • Bring all packages up to the latest version
[root@ansible ~]# yum -y update

Check that Ansible and Python are Installed

[root@ansible ~]# ansible --version
[root@ansible ~]# python --version

The Kerberos packages were installed previously, which will have created /etc/krb5.conf.

  1. Edit /etc/krb5.conf

Test Kerberos

Enter this command and type your password when prompted. If you don’t get any errors, we are good to go.

[root@ansible ~]# kinit admin@devops.com

You will be prompted for the administrator password.
You should see a Kerberos KEYRING record when you enter the command klist.

Configure Ansible

The core configuration of Ansible resides at /etc/ansible

Update the Ansible Inventory file

Edit /etc/ansible/hosts file and add:

Update the Ansible Group Variables for Windows

Ansible Group Variables are variable settings for a specific inventory group. In this case, we will create the group variables for the “windows” servers created in the /etc/ansible/hosts file.

  1. Create /etc/ansible/group_vars/windows and add:

Make sure that your domain user is a domain admin!
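
As an added example (not from the original post or from the Ansible project), the Python check below verifies that the realm in ansible_user matches, case-sensitively, a realm declared in /etc/krb5.conf and that the WinRM transport is set to Kerberos. The file contents, the KDC name dc01.devops.com and the function names are constructed assumptions; replace the two sample strings with the contents of your own files.

```python
import re

# Constructed sample files: assumptions for illustration, not the page's own config.
KRB5_CONF = """\
[libdefaults]
    default_realm = DEVOPS.COM

[realms]
    DEVOPS.COM = {
        kdc = dc01.devops.com
        admin_server = dc01.devops.com
    }

[domain_realm]
    .devops.com = DEVOPS.COM
"""

GROUP_VARS = """\
ansible_user: admin@DEVOPS.COM
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_port: 5986
"""

def declared_realms(krb5_text):
    """Return realm names declared as 'NAME = {' inside the [realms] section."""
    section = re.search(r"^\[realms\][ \t]*$(.*?)(?=^\[|\Z)", krb5_text, re.M | re.S)
    return set(re.findall(r"^\s*(\S+)\s*=\s*\{", section.group(1), re.M)) if section else set()

def parse_vars(text):
    """Parse flat 'key: value' lines, which is all this group_vars file contains."""
    lines = [l for l in text.splitlines() if ":" in l and not l.lstrip().startswith("#")]
    return {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in lines)}

def preflight(krb5_text, vars_text):
    """Return a list of mismatches between krb5.conf and the Ansible group variables."""
    problems, v = [], parse_vars(vars_text)
    if v.get("ansible_connection") != "winrm":
        problems.append("ansible_connection is not winrm")
    if v.get("ansible_winrm_transport") != "kerberos":
        problems.append("ansible_winrm_transport is not kerberos")
    user, _, realm = v.get("ansible_user", "").rpartition("@")
    if not user or not realm:
        problems.append("ansible_user is not in user@REALM form")
    elif realm not in declared_realms(krb5_text):  # realm names are case-sensitive
        problems.append("realm %r is not declared in [realms]" % realm)
    return problems

if __name__ == "__main__":
    print(preflight(KRB5_CONF, GROUP_VARS) or "configuration is consistent")
```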

Configure Windows Servers to Manage

Configuring Windows 10 for remote management by Ansible requires a bit of work. Luckily, the Ansible team has created a PowerShell script for this. Download this script from [here] to each Windows machine you want to manage and run it as Administrator.

Log into Win10 as Administrator, download ConfigureRemotingForAnsible.ps1 and run this PowerShell script without any parameters.

Once this command has been run on the Win10, return to the Ansible1 Controller host.

Test Connectivity to the Windows Server

If all has gone well, we should be able to perform an Ansible PING test command. This command will simply connect to the remote Win10 workstation and report success or failure.

  1. Type: ansible windows -m win_ping

Now you can create some playbooks and test Ansible for real on Windows systems.
