How does it work?
----------------
- uses "winrm" module
- control machine can be Linux or Windows Subsystem for Linux (WSL) bash shell
- available starting version 1.7
Installing the Control Machine
------------------------------
- needs winrm: pip install "pywinrm>=0.2.2"
- A Linux control machine is required to manage Windows hosts (can be a WSL bash shell)
- Ansible will not move to Windows control machines
- Windows Subsystem for Linux (Beta) is not supported by Microsoft or Ansible and should not be used for production systems
- Ansible may also run on Cygwin but might have issues due to Cygwin's implementation of fork()
Enabling WSL

1. Follow the instructions at the link below to enable WSL in Windows
2. Open a bash terminal and execute the following commands

    sudo apt-get update
    sudo apt-get install python-pip git libffi-dev libssl-dev -y
    pip install ansible pywinrm
    # this step is only necessary for Windows builds earlier than 16188,
    # and must be repeated each time bash is launched,
    # unless bash is launched as ``bash --login``
    source ~/.profile

3. You can now start creating the inventories

Authentication Options
----------------------
- can be set via the "ansible_winrm_transport" variable

| Option | Local Accounts | Active Directory Accounts | Credential Delegation | Notes |
|---|---|---|---|---|
| Basic | Yes | No | No | |
| Certificate | Yes | No | No | Similar to SSH, where a certificate is assigned to a local user instead of using a password to authenticate |
| Kerberos | No | Yes | Yes | Preferred over NTLM. You need to install the "python-kerberos" module on the control machine (also needs a computer account in Active Directory) |
| NTLM | Yes | Yes | No | |
| CredSSP | Yes | Yes | Yes | |

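
As an added example (not from the original post or the Ansible project), the script below checks a constructed inventory against the Authentication Options table above and flags hosts whose ansible_winrm_transport cannot serve the account type or the delegation need. The inventory parser is simplified, `needs_delegation` is a hypothetical variable, and treating user@REALM or DOMAIN\user as an Active Directory account is an assumption.

```python
# Added example: SAMPLE is a constructed inventory; needs_delegation is hypothetical.
# transport: (local accounts, Active Directory accounts, credential delegation)
CAPS = {"basic": (1, 0, 0), "certificate": (1, 0, 0), "kerberos": (0, 1, 1),
        "ntlm": (1, 1, 0), "credssp": (1, 1, 1)}
SAMPLE = """\
[workgroup]
kiosk01 ansible_user=Administrator ansible_winrm_transport=kerberos
[domain]
app01 needs_delegation=yes
app02 ansible_winrm_transport=kerberos needs_delegation=yes
[domain:vars]
ansible_user=svc_ansible@MY.DOMAIN.COM
ansible_winrm_transport=ntlm
"""

def parse_inventory(text):
    """Simplified INI parser: one group per host; host vars override group vars."""
    hosts, group_vars, section = {}, {}, "ungrouped"
    lines = (raw.strip() for raw in text.splitlines())
    for line in (s for s in lines if s and not s.startswith("#")):
        if line.startswith("["):
            section = line.strip("[]")
        elif section.endswith(":vars"):
            key, _, value = line.partition("=")
            group_vars.setdefault(section[:-5], {})[key.strip()] = value.strip()
        else:
            name, *pairs = line.split()
            hosts[name] = (section, dict(p.split("=", 1) for p in pairs))
    return {h: {**group_vars.get(g, {}), **hv} for h, (g, hv) in hosts.items()}

def lint(text):
    """Return {host: [problems]} where the transport cannot do what the host needs."""
    findings = {}
    for host, v in parse_inventory(text).items():
        transport, user = v.get("ansible_winrm_transport", ""), v.get("ansible_user", "")
        if transport not in CAPS:
            findings[host] = ["transport %r is not in the table" % transport]
            continue
        local_ok, domain_ok, delegation_ok = CAPS[transport]
        # Assumption: user@REALM or DOMAIN\user marks an Active Directory account.
        kind = "Active Directory" if "@" in user or "\\" in user else "local"
        problems = []
        if not (local_ok if kind == "local" else domain_ok):
            problems.append("%s cannot authenticate %s accounts" % (transport, kind))
        if v.get("needs_delegation") == "yes" and not delegation_ok:
            problems.append("%s cannot delegate credentials" % transport)
        if problems:
            findings[host] = problems
    return findings
```

Calling `lint(SAMPLE)` reports kiosk01 (Kerberos with a local account) and app01 (NTLM inherited from the group while delegation is needed); app02 passes because its host-level Kerberos setting overrides the group value.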
Kerberos Authentication
-----------------------
Installing python-kerberos dependencies

    # Via Yum
    yum -y install python-devel krb5-devel krb5-libs krb5-workstation
    # Via Apt (Ubuntu)
    sudo apt-get install python-dev libkrb5-dev krb5-user
    # Via Portage (Gentoo)
    emerge -av app-crypt/mit-krb5
    emerge -av dev-python/setuptools
    # Via pkg (FreeBSD)
    sudo pkg install security/krb5
    # Via OpenCSW (Solaris)
    pkgadd -d http://get.opencsw.org/now
    /opt/csw/bin/pkgutil -U
    /opt/csw/bin/pkgutil -y -i libkrb5_3
    # Via Pacman (Arch Linux)
    pacman -S krb5

Installing python-kerberos

You can install it once you have installed the python-kerberos dependencies:

    pip install pywinrm[kerberos]

Kerberos is installed and configured by default on OS X and many Linux distributions.

Configuring Kerberos

1. Specify in krb5.conf the list of primary and secondary domain controllers

    [realms]
        MY.DOMAIN.COM = {
            kdc = domain-controller1.my.domain.com
            kdc = domain-controller2.my.domain.com
        }

2. Specify the domain you want to access

    [domain_realm]
        .my.domain.com = MY.DOMAIN.COM

Testing Kerberos connection

If krb5-workstation (yum) or krb5-user (apt-get) is installed, you can check if you are authorised by your domain controller:

    kinit user@MY.DOMAIN.COM

Then see if you have acquired a ticket:

    klist

Automatic Kerberos ticket management

- by default, Ansible 2.3 automatically manages Kerberos tickets when both username and password are specified for a host that's configured for Kerberos