Configure CentOS 7 Kerberos Authentication for Ansible

I have long maintained that Ansible’s documentation is some of the best, if not the best, out there. However, it is impossible to cover every single corner case in documentation, which brings me to setting up Ansible to manage Windows and authenticate via WinRM using Kerberos.

I wanted to work more with the Ansible Windows modules, so set out to build a new clean Ansible control machine. I set this up on CentOS 7 following the official documentation.

For CentOS 7, which I was using for my control machine, I needed an additional Python dependency in order to support Kerberos. The documentation tells you to run:

yum -y install python-devel krb5-devel krb5-libs krb5-workstation

You need to also add python-requests-kerberos, so your yum command would be:

yum -y install python-devel krb5-devel krb5-libs krb5-workstation python-requests-kerberos

This should allow you to authenticate to Windows machines with domain accounts, as opposed to local user accounts, by following the remaining Ansible docs.

If you are unfamiliar with how to join Linux to Active Directory, check out this blog post, specifically the Joining Active Directory portion since you aren’t looking to create shares in Linux.

Here you can see the win_ping module successfully running

One quick additional note, the documentation also states you need to add

ansible_winrm_server_cert_validation: ignore

in your group_vars file if you have Python 2.7.9+ - but I have confirmed on my test machine that this is also required for 2.7.5, so be sure to include that. I have a pull request in to make that change.
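
The settings discussed above, gathered into one group_vars file as an added example (not taken from the post or from the Ansible documentation). The file name, group name, account and CA path are assumptions. `ignore` turns off verification of the WinRM HTTPS certificate, so the commented lines show the validating form for hosts whose listener certificate is issued by a CA you can supply to the control machine.

```yaml
# group_vars/windows.yml  (hypothetical file name; assumes an inventory group called "windows")
# Added example: WinRM over HTTPS with Kerberos authentication for the hosts in this group.

ansible_connection: winrm
ansible_port: 5986                      # WinRM HTTPS listener
ansible_winrm_transport: kerberos       # relies on the Kerberos packages installed with yum above
ansible_user: svc_ansible@EXAMPLE.COM   # constructed domain account; realm written in upper case

# Setting from the post: do not verify the certificate presented by the WinRM listener.
ansible_winrm_server_cert_validation: ignore

# Validating alternative, usable once the listener certificate chains to a CA
# that the control machine trusts. Swap it in for the line above.
# ansible_winrm_server_cert_validation: validate
# ansible_winrm_ca_trust_path: /etc/pki/ca-trust/source/anchors/example-ca.pem   # constructed path
```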
