Kerberos Support


Christopher Billett
Apr 13, 2021, 9:17:14 AM
to AWX Project
Does the current AWX Operator support the setup of Realms in Kerberos? I need to look into Windows host management through Ansible, but cannot see a method of injecting the realms data into the krb5.conf file.

What alternative (secure) methods does the operator currently support for WinRM host auth?

Wei-Yen Tan
Apr 13, 2021, 9:19:20 AM
to Christopher Billett, AWX Project
I am going to create a config map with the krb5.conf file at /etc/krb5.conf. I will inject it into the AWX task pod.

--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/6584a54f-dd6c-4728-955d-549f2abebf3cn%40googlegroups.com.

Brandon Ellis
Apr 13, 2021, 4:02:29 PM
to AWX Project
I posted a way to do this here, on this issue.

It deploys fine and kinit works, but I haven't had the time to test playbooks yet.

Wei-Yen Tan
Apr 14, 2021, 12:55:30 AM
to Brandon Ellis, AWX Project
@Brandon Ellis, I am trying to recreate what you are doing but I am lost. Which part of the spec do you put that in? That's the exact scenario I want to do.


Brandon Ellis
Apr 14, 2021, 7:42:30 AM
to AWX Project
At the custom resource specification "spec" field in the my-awx.yml file mentioned in the awx-operator git README, basically the same block where ingress_type is specified. It turns out that the devs left in some secret custom variables so you can add custom volumes and volume mounts.

Here's the current "my-awx.yml" deployment spec file I'm using. It has some odd ${} and %{} syntax because I preprocess the file with terraform to fill in variable values; feel free to replace any ${} block with your desired value. (Note that if you were to use the krb5.conf file from here directly, you'd need to replace %%{uid} with %{uid}.)

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ${DeploymentName}-extra-files
  namespace: ${ClusterNamespace}
data:
  krb5.conf: |
    # To opt out of the system crypto-policies configuration of krb5, remove the
    # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
    includedir /etc/krb5.conf.d/

    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
        pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
        spake_preauth_groups = edwards25519
        default_realm = ${upper(RealmName)}
        default_ccache_name = KEYRING:persistent:%%{uid}

    [realms]
    ${upper(RealmName)} = {
        kdc = ${DC1}
        kdc = ${DC2}
    }

    [domain_realm]
    .${lower(RealmName)} = ${upper(RealmName)}
    ${lower(RealmName)} = ${upper(RealmName)}

---
apiVersion: v1
kind: Secret
metadata:
  name: ${DeploymentName}-admin-password
  namespace: ${ClusterNamespace}
stringData:
  password: "${AWXAdminPassword}"

---
apiVersion: v1
kind: Secret
metadata:
  name: ${DeploymentName}-postgres-configuration
  namespace: ${ClusterNamespace}
stringData:
  host: "${PostgresDNS}"
  port: "5432"
  database: "${PostresDBName}"
  username: "${PostgresUsername}"
  password: "${PostgresPassword}"
type: Opaque

---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: ${DeploymentName}
  namespace: ${ClusterNamespace}
spec:
  tower_ingress_type: LoadBalancer
  tower_loadbalancer_annotations: |
  tower_loadbalancer_protocol: https
  tower_loadbalancer_port: 443
  tower_postgres_configuration_secret: ${DeploymentName}-postgres-configuration
  tower_admin_password_secret: ${DeploymentName}-admin-password
  # subPath mounts only krb5.conf, so the rest of /etc in the task container is untouched
  tower_task_extra_volume_mounts: |
    - name: krb5
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  # the volume is backed by the ConfigMap above; defaultMode 420 is 0644 in decimal
  tower_extra_volumes: |
    - name: krb5
      configMap:
        defaultMode: 420
        items:
          - key: krb5.conf
            path: krb5.conf
        name: ${DeploymentName}-extra-files

Wei-Yen Tan
Apr 14, 2021, 1:44:17 PM
to Brandon Ellis, AWX Project
Thank you Brandon,

I followed your example and did a test. As you said, kinit does work.
I just needed the volume, so following your example was much needed.

Thanks once again.


Brandon Ellis
Apr 15, 2021, 12:15:53 PM
to AWX Project
Glad I could be of help

Cnu k
Sep 24, 2021, 3:58:41 PM
to AWX Project
Ran into a similar issue; tried the following in the AWX instance YAML but am still getting the error below. Would the 'tower' prefix for the variables make a difference?

I have these entries too under [libdefaults]:
      default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
      default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

"msg": "Kerberos auth failure for principal windo...@MYORG.COM with pexpect: KDC has no support for encryption type while getting initial credentials",

  extra_volumes: |
    - name: krb5
      configMap:
        defaultMode: 420
        items:
          - key: krb5.conf
            path: krb5.conf
        name: krb5-conf
  task_extra_volume_mounts: |
    - name: krb5
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  ee_extra_volume_mounts: |
    - name: krb5
      mountPath: /etc/krb5.conf
      subPath: krb5.conf

Cnu k
Sep 24, 2021, 5:30:18 PM
to AWX Project
Contents of the krb5.conf file from the task container.

sh-4.4$ cat /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
[libdefaults]
  dns_lookup_realm = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  rdns = false
  pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
  spake_preauth_groups = edwards25519
  default_realm = MYORG.COM

  default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
  default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
MYORG.COM = {
  kdc = dfgdfdc4344.myorg.com
  admin_server = dfgdfdc4344.myorg.com
}
[domain_realm]
.myorg.com = MYORG.COM
myorg.com = MYORG.COM

Wei-Yen Tan
Sep 24, 2021, 5:32:06 PM
to Cnu k, AWX Project
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

Why have this?


Cnu k
Sep 25, 2021, 9:52:44 AM
to AWX Project
I had to add these entries to the AWX 17.1.0 task container to make Windows connections work, so I did the same for 19.2.2 as well. Apparently it's not working.
Not sure if something has changed with this version or if it is some other issue.

Thanks
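Added example for the enctype error in the last posts and for checking a krb5.conf before it goes into the ConfigMap from Brandon's post; this is not code from the thread or from the awx-operator project. The two enctype lines restrict the client to RC4 and single-DES, which downgrades ticket crypto everywhere and leaves a KDC that has those types disabled with nothing it can accept, which is the "KDC has no support for encryption type" (KDC_ERR_ETYPE_NOSUPP) reply seen above. The script parses a krb5.conf, lists the KDCs for a realm, flags the legacy enctypes, and emits a copy with AES-only overrides. SAMPLE_CONF is a constructed copy of the cat output posted above (the KDC hostname is that poster's placeholder), and the parser covers only the subset of krb5.conf syntax used in this thread.

```python
"""Lint a krb5.conf for legacy enctype overrides before baking it into the
AWX ConfigMap. Added example for this thread; not awx-operator code.
SAMPLE_CONF is a constructed copy of the task-container krb5.conf posted in
the thread (KDC hostname is the poster's placeholder), trimmed to the lines
the checks care about."""
import re

# Single-DES and RC4 (arcfour) types. A KDC with these disabled answers
# KDC_ERR_ETYPE_NOSUPP ("KDC has no support for encryption type") when the
# client offers nothing else.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "arcfour-hmac-md5-exp",
}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
AES_ONLY = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"

SAMPLE_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
  dns_lookup_realm = false
  forwardable = true
  rdns = false
  default_realm = MYORG.COM
  default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
  default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
MYORG.COM = {
  kdc = dfgdfdc4344.myorg.com
  admin_server = dfgdfdc4344.myorg.com
}
[domain_realm]
.myorg.com = MYORG.COM
myorg.com = MYORG.COM
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] headers, 'key = value' lines and
    'NAME = { ... }' blocks (realms). Returns {section: {key: [values]}};
    a block appears as a dict inside its key's value list."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(("include", "module")):
            continue                                 # directives, not settings
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            conf.setdefault(section, {})
            block = None
            continue
        if line == "}":                              # end of a realm block
            block = None
            continue
        kv = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not kv or section is None:
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if value == "{":                             # start of a realm block
            block = {}
            conf[section].setdefault(key, []).append(block)
        else:
            target = block if block is not None else conf[section]
            target.setdefault(key, []).append(value)
    return conf


def kdcs_for_realm(conf, realm):
    """All 'kdc =' entries for a realm, in file order."""
    return [kdc for blk in conf.get("realms", {}).get(realm, [])
            for kdc in blk.get("kdc", [])]


def find_weak_enctypes(conf):
    """(key, enctype) pairs for every legacy type named in [libdefaults]."""
    libdefaults = conf.get("libdefaults", {})
    return [(key, et.lower())
            for key in ENCTYPE_KEYS
            for value in libdefaults.get(key, [])
            for et in value.split()
            if et.lower() in WEAK_ENCTYPES]


def harden(text):
    """Rewrite every enctype override line to AES only; everything else is
    left as-is so the realm and domain_realm mapping does not change."""
    out = []
    for raw in text.splitlines():
        m = re.match(r"^(\s*)(\w+)\s*=", raw)
        if m and m.group(2) in ENCTYPE_KEYS:
            out.append(f"{m.group(1)}{m.group(2)} = {AES_ONLY}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_CONF)
    print("default_realm:", conf["libdefaults"]["default_realm"][0])
    print("kdcs:", kdcs_for_realm(conf, "MYORG.COM"))
    for key, et in find_weak_enctypes(conf):
        print(f"weak enctype in {key}: {et}")
    print(harden(SAMPLE_CONF))
```

Run it against the file that is actually mounted, for example `kubectl exec -n <namespace> <awx-pod> -c awx-task -- cat /etc/krb5.conf` (the container name is an assumption; check it with `kubectl get pod <awx-pod> -o jsonpath='{.spec.containers[*].name}'`). Since the error above is a reply from the KDC, the realm-to-KDC mapping and the ConfigMap mount were already in effect; only the enctype lines needed changing. Dropping the two lines entirely and letting the crypto-policies include in /etc/krb5.conf.d/ choose the types is equally valid; if an account really has only RC4 keys, fix that on the KDC side rather than re-enabling DES on the client.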