Ansible Node -> Multiple Windows domains


Mike Fennemore

May 18, 2016, 4:59:48 PM
to Ansible Project
Ansible: 2.0.0.2
OS: CentOS 7.2

Is it possible to use a single Ansible controller for multiple Windows domains? The scenario requires the use of domain accounts for authentication on 3 separate domains.
I have configured the krb5.conf accordingly but as yet cannot get the Ansible controller to authenticate with all Windows servers (Server 2012 R2). I receive the following error messages:

"msg": "ERROR! kerberos: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), ssl: 401 Unauthorized. basic auth failed"

"msg": "ERROR! kerberos: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), ssl: 500 WinRMTransport. [Errno 113] No route to host"

I have run the ConfigureRemotingForAnsible.ps1 and can successfully get Kerberos tickets using kinit us...@DOMAIN.NET across all the domains.


Matt Davis

May 18, 2016, 7:06:03 PM
to Ansible Project
The new pywinrm stuff I've been working on (0.2.0rc3) supports on-the-fly kerberos principal switching across N domains if you have valid tickets for them all on a system that defaults to collection-typed credential caching (I've only tested on OSX so far; not sure what the default ccache type is on Cent7). Unfortunately, there's a one-line bug in pykerberos that prevents it from working "out of the box", but if you uncomment https://github.com/02strich/pykerberos/blob/master/src/kerberosgss.c#L234 and rebuild pykerberos, it should work if your system is configured for collection-typed kerberos ccaches.

Once all the relevant bits are shipped, I'm planning to do a full doc writeup on if/how this works for various OSs.

Meantime, jhawkesworth has another way to do this that you might be interested in:  https://github.com/ansible/ansible/pull/14972/files

J Hawkesworth

May 19, 2016, 11:24:14 AM
to Ansible Project
Just to say my stuff mentioned above only lets you point at multiple domains from one ansible controller, it doesn't let you hit > 1 windows domain from a single playbook run.
It would probably be possible to modify it but right now once it has cached a kerberos ticket for a windows host it returns control to ansible.

So it sounds like your time would be best spent trying out Matt's suggestion.

Jon (jhawkesworth)

Barney Sowood

May 24, 2016, 5:54:27 AM
to ansible...@googlegroups.com
Hi,

On Thu, 19 May 2016, at 04:24 PM, 'J Hawkesworth' via Ansible Project
wrote:
> Just to say my stuff mentioned above only lets you point at multiple domains from one ansible controller, it doesn't let you hit > 1 windows domain from a single playbook run.
> It would probably be possible to modify it but right now once it has cached a kerberos ticket for a windows host it returns control to ansible.

I do something similar, but in a shell script I use that calls
ansible-playbook - not quite as neat as doing it via a callback, but
it's in place anyway to set up other bits of the environment.

Roughly, that's -

KRB5CCNAME="$(mktemp)"    # private ccache for this run, so the default cache is never touched
export KRB5CCNAME
kinit -l 2h -k -t /path/to/keytab "$ADPRINC"    # 2h ticket from the keytab, no password prompt
ansible-playbook <options>
kdestroy                  # drops the ticket and removes the FILE: cache when done


Where $ADPRINC is the kerberos principal name (e.g. user@DOMAIN) passed
into the script. You can add keys for the various principals to the
keytab using ktutil. Using a keytab avoids passing passwords around
(and risking them being echoed or logged) and means you don't have to
deal with piping them into kinit.


Barney.

--
  Barney Sowood
  bar...@sowood.co.uk
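As an added example (not Barney's script or Ansible project code), the wrapper above extended to the three-domain case from the original question: one throw-away FILE: credential cache per principal, created and destroyed around each ansible-playbook run, with the cache removed even when kinit or the playbook fails. That matters because a second kinit into the shared default cache replaces the first domain's TGT, and a cache left behind after the run is a reusable ticket for anyone who can read it. The keytab path, the playbook name, the inventory-group naming (lower-cased realm, dots to underscores) and the KINIT/KDESTROY/ANSIBLE_PLAYBOOK overrides are assumptions; the overrides only exist so the script can be dry-run without a KDC.

```shell
#!/bin/sh
# Added example, not from the thread: run one ansible-playbook per Windows
# domain, each inside its own private Kerberos ccache, so a kinit for DOMAIN2
# never overwrites the DOMAIN1 ticket and no ticket outlives the run.
# Paths, group names and principals below are assumptions.

KEYTAB="${KEYTAB:-/etc/ansible/controller.keytab}"   # owned by the controller user, mode 0600
PLAYBOOK="${PLAYBOOK:-site.yml}"
# Command names are variables so the wrapper can be dry-run without a KDC.
KINIT="${KINIT:-kinit}"
KDESTROY="${KDESTROY:-kdestroy}"
ANSIBLE_PLAYBOOK="${ANSIBLE_PLAYBOOK:-ansible-playbook}"

# Realm part of a principal: ansible@DOMAIN1.NET -> DOMAIN1.NET
realm_of() {
    printf '%s\n' "${1##*@}"
}

# Inventory group for a realm (assumed convention): DOMAIN1.NET -> domain1_net
group_for_realm() {
    printf '%s\n' "$1" | tr 'A-Z.' 'a-z_'
}

# Run the playbook against one domain with a private ccache. Everything runs in
# a subshell so KRB5CCNAME and the EXIT trap never leak into the caller.
run_domain() {
    princ="$1"
    (
        KRB5CCNAME="$(mktemp)" || exit 1      # bare path == FILE: ccache
        export KRB5CCNAME
        # kdestroy removes the FILE: cache; rm -f covers the case where kinit
        # failed before a ticket was ever written. Runs on success and failure.
        trap '"$KDESTROY" 2>/dev/null; rm -f "$KRB5CCNAME"' EXIT
        # -l 2h bounds the ticket lifetime; -k -t reads the key from the keytab,
        # so no password is typed, piped or logged.
        "$KINIT" -l 2h -k -t "$KEYTAB" "$princ" || exit 1
        "$ANSIBLE_PLAYBOOK" --limit "$(group_for_realm "$(realm_of "$princ")")" "$PLAYBOOK"
    )
}

# Run every principal in turn; non-zero if any domain failed, but keep going so
# one broken domain does not block the others.
run_all() {
    rc=0
    for p in "$@"; do
        run_domain "$p" || rc=1
    done
    return $rc
}

# Usage: ./run_domains.sh ansible@DOMAIN1.NET ansible@DOMAIN2.NET ansible@DOMAIN3.NET
if [ $# -gt 0 ]; then
    run_all "$@"
fi
```

Two caveats a practitioner should keep in mind. A keytab is a password equivalent for every principal in it, so with three domain accounts in one file, protect it like three passwords (0600, owned only by the controller user) and give those accounts only the WinRM rights they need; when a domain account's password is changed its kvno increments and the keytab entry has to be regenerated with ktutil. Separately, the "Server not found in Kerberos database" error quoted at the top of the thread is not a ticket-caching problem at all: it means the KDC could not find a service principal for the target host, usually because the host's DNS name is mapped to the wrong realm in krb5.conf's [domain_realm] section or the WinRM host lacks a registered SPN, so a per-domain cache will not fix it on its own.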