Ansible - Configure and Manage Windows Servers


    • If you have not yet installed Ansible, check Install and configure ansible on Ubuntu server
    • After installing Ansible, let us configure it to access Windows servers. This assumes the Windows server is already configured for WinRM.
    • WinRM is a management protocol used by Windows to remotely communicate with another server. It is a SOAP-based protocol that communicates over HTTP/HTTPS, and is included in all recent Windows operating systems. Since Windows Server 2012, WinRM has been enabled by default, but in most cases extra configuration is required to use WinRM with Ansible.

      Ansible uses the pywinrm package to communicate with Windows servers over WinRM. It is not installed by default with the Ansible package. If pip is not installed, install it first, then install pywinrm:

      sudo apt install python3-pip
      pip3 install "pywinrm>=0.3.0"

      NTLM

      NTLM is an older authentication mechanism used by Microsoft that can support both local and domain accounts. NTLM is enabled by default on the WinRM service, so no setup is required before using it.

      NTLM is the easiest authentication protocol to use and is more secure than Basic authentication. If running in a domain environment, Kerberos should be used instead of NTLM.

      Kerberos has several advantages over using NTLM:

      • NTLM is an older protocol and does not support newer encryption protocols.

      • NTLM is slower to authenticate because it requires more round trips to the host in the authentication stage.

      • Unlike Kerberos, NTLM does not allow credential delegation.

      This example shows host variables configured for NTLM authentication. I created the following inventory file in my current directory.

      [windows]
      dc01.winadmin.me
      
      [windows:vars]
      ansible_user=winadmin\wintel
      ansible_password=P@ssw0rd
      ansible_connection=winrm
      ansible_winrm_transport=ntlm
      ansible_port=5985
    • Let us check that the settings are correct by pinging the Windows servers in the inventory file with the win_ping module.
      winadmin@ansible01:~$ ansible windows -m win_ping -i inventory
      dc01.winadmin.me | SUCCESS => {
          "changed": false,
          "ping": "pong"
      }
    • We have successfully configured and connected to the Windows server.
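    Before committing an inventory like the one above, it is worth running a quick check over it: the file stores a domain password in plaintext, and the transport and port choices decide whether credentials and payloads are protected on the wire. The following is an added example, not code from the original post or from Ansible. It parses the INI inventory layout shown on the page (host list plus a [group:vars] block), embeds the page's NTLM inventory as a constructed sample, and reports what a reviewer would flag: plaintext ansible_password (use an ansible-vault encrypted vars file), basic/plaintext transport over HTTP on 5985, disabled server certificate validation, and a domain account using NTLM where the page recommends Kerberos.

```python
"""Lint an Ansible INI inventory for risky WinRM settings.

Added example, not part of the original post. It parses the inventory
layout shown on the page (a [group] host list plus a [group:vars] block)
and reports the settings a reviewer would flag before the file is committed.
"""
import re

# Constructed sample: the page's NTLM inventory embedded as a string so the
# script runs offline. The plaintext password is kept on purpose because it
# is exactly what the first check is meant to catch.
SAMPLE_INVENTORY = """\
[windows]
dc01.winadmin.me

[windows:vars]
ansible_user=winadmin\\wintel
ansible_password=P@ssw0rd
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_port=5985
"""

SECTION_RE = re.compile(r"^\[([^\]:]+)(?::(vars|children))?\]$")


def parse_inventory(text):
    """Return {group: {"hosts": [...], "vars": {...}}} for an INI inventory."""
    groups = {}
    current, kind = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        match = SECTION_RE.match(line)
        if match:
            current, kind = match.group(1), match.group(2) or "hosts"
            groups.setdefault(current, {"hosts": [], "vars": {}})
            continue
        if current is None or kind == "children":
            continue
        if kind == "vars":
            key, _, value = line.partition("=")
            groups[current]["vars"][key.strip()] = value.strip()
        else:
            # A host line may carry inline vars: "host key=value key2=value2".
            host, *inline = line.split()
            groups[current]["hosts"].append(host)
            for item in inline:
                key, _, value = item.partition("=")
                groups[current]["vars"].setdefault(key, value)
    return groups


def check_winrm_group(name, group):
    """Return (severity, message) findings for one inventory group."""
    v = group["vars"]
    if v.get("ansible_connection") != "winrm":
        return []
    findings = []
    transport = v.get("ansible_winrm_transport", "")
    port = v.get("ansible_port", "")
    user = v.get("ansible_user", "")
    password = v.get("ansible_password")
    # Vault-encrypted values normally arrive through a Jinja reference, so a
    # literal that does not start with "{{" is a secret sitting in the file.
    if password is not None and not password.startswith("{{"):
        findings.append(("high", f"[{name}] ansible_password is plaintext in the "
                                 "inventory; keep it in an ansible-vault encrypted vars file"))
    if transport in ("basic", "plaintext"):
        msg = f"[{name}] transport '{transport}' has no message encryption"
        if port == "5985":
            msg += " and runs over plain HTTP on 5985"
        findings.append(("high", msg))
    if v.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append(("medium", f"[{name}] server certificate validation is disabled"))
    if transport == "ntlm" and ("\\" in user or "@" in user):
        findings.append(("info", f"[{name}] domain account over NTLM; prefer Kerberos "
                                 "in a domain (delegation, newer crypto, fewer round trips)"))
    return findings


def lint_inventory(text):
    """Parse the inventory text and collect findings for every group."""
    findings = []
    for name, group in parse_inventory(text).items():
        findings.extend(check_winrm_group(name, group))
    return findings


if __name__ == "__main__":
    for severity, message in lint_inventory(SAMPLE_INVENTORY):
        print(f"{severity.upper():6} {message}")
```

    Run against the sample it reports one high finding (the plaintext password) and one informational finding (domain account over NTLM); point lint_inventory at the contents of your own inventory file to check it the same way.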

    Kerberos

    Kerberos is the recommended authentication option to use when running in a domain environment. Kerberos supports features like credential delegation and message encryption over HTTP and is one of the more secure options that is available through WinRM.

    Kerberos requires some additional setup work on the Ansible host before it can be used properly.

    Installing the Kerberos Library

    sudo apt install libkrb5-dev krb5-user

    During installation, enter the default Kerberos version 5 realm when prompted.

    Once the above dependencies have been installed, the python-kerberos wrapper can be installed using pip:

    winadmin@ansible01:~$ pip install pywinrm[kerberos]
    Defaulting to user installation because normal site-packages is not writeable
    Requirement already satisfied: pywinrm[kerberos] in /usr/lib/python3/dist-packages (0.3.0)
    Requirement already satisfied: requests-kerberos>=0.10.0 in /usr/lib/python3/dist-packages (from pywinrm[kerberos]) (0.12.0)
    Requirement already satisfied: cryptography>=1.3 in /usr/lib/python3/dist-packages (from requests-kerberos>=0.10.0->pywinrm[kerberos]) (3.4.8)
    Requirement already satisfied: pykerberos<2.0.0,>=1.1.8 in /usr/lib/python3/dist-packages (from requests-kerberos>=0.10.0->pywinrm[Kerberos]) (1.1.14)

    Configuring Host Kerberos

    Once the dependencies have been installed, Kerberos needs to be configured so that it can communicate with the domain. This configuration is done through the /etc/krb5.conf file, which is installed by the packages above. Add the realm and its domain mapping:

    [realms]
      WINADMIN.ME = {
        kdc = dc01.winadmin.me
      }
    [domain_realm]
      .winadmin.me = WINADMIN.ME


    Check that you can obtain a Kerberos ticket from the domain (the account name is shown as the placeholder <user> below; use your own domain account):

    winadmin@ansible01:~$ kinit <user>@WINADMIN.ME
    Password for <user>@WINADMIN.ME:
    winadmin@ansible01:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: <user>@WINADMIN.ME
    
    Valid starting       Expires              Service principal
    04/08/2023 19:01:40  04/09/2023 05:01:40  krbtgt/WINADMIN.ME@WINADMIN.ME
            renew until 04/09/2023 19:01:34

    If klist shows the ticket details, your configuration is correct.
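    A common failure when running Ansible with the Kerberos transport is a ticket cache that is empty, expired, or issued for a different realm than the one in /etc/krb5.conf. The following is an added example, not code from the original post or from MIT Kerberos or Ansible; it parses the text that klist prints (the format shown above, with a constructed sample and a placeholder principal), locates the krbtgt ticket for the expected realm and classifies the cache as ok, expiring, expired, wrong-realm or no-tgt, which is the check worth running right before an ansible invocation.

```python
"""Check that a usable Kerberos TGT for the expected realm exists before
running Ansible against Windows hosts.

Added example, not part of the original post. It parses the text printed by
MIT Kerberos klist (the format shown on the page, default locale) rather
than the credential cache itself. The sample below is constructed and uses a
placeholder principal instead of a real account.
"""
from datetime import datetime, timedelta
import re
import subprocess

REALM = "WINADMIN.ME"  # realm from the page's /etc/krb5.conf
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # klist timestamp layout as shown on the page

# Constructed sample modelled on the klist output shown on the page.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@WINADMIN.ME

Valid starting       Expires              Service principal
04/08/2023 19:01:40  04/09/2023 05:01:40  krbtgt/WINADMIN.ME@WINADMIN.ME
        renew until 04/09/2023 19:01:34
"""

TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)$")


def parse_klist(text):
    """Return (default_principal, [ticket dicts]) from klist text output."""
    principal = None
    tickets = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        match = TICKET_RE.match(line)  # "renew until" lines do not match
        if match:
            tickets.append({
                "start": datetime.strptime(match.group(1), TIME_FMT),
                "expires": datetime.strptime(match.group(2), TIME_FMT),
                "service": match.group(3),
            })
    return principal, tickets


def tgt_status(text, realm=REALM, now=None, min_remaining=timedelta(minutes=10)):
    """Classify the cache: 'ok', 'expiring', 'expired', 'wrong-realm' or 'no-tgt'.

    `now` may be a datetime or a string in TIME_FMT; it defaults to the
    current local time, which is what klist prints.
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.strptime(now, TIME_FMT)
    principal, tickets = parse_klist(text)
    if principal is None:
        return "no-tgt"
    if not principal.endswith("@" + realm):
        return "wrong-realm"
    tgt_name = f"krbtgt/{realm}@{realm}"
    for ticket in tickets:
        if ticket["service"] != tgt_name:
            continue
        if ticket["expires"] <= now:
            return "expired"
        if ticket["expires"] - now < min_remaining:
            return "expiring"
        return "ok"
    return "no-tgt"


def current_klist_output():
    """Run klist when it is installed; otherwise fall back to the sample."""
    try:
        return subprocess.run(["klist"], capture_output=True, text=True,
                              check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_KLIST


if __name__ == "__main__":
    print(tgt_status(current_klist_output()))
```

    Anything other than ok means the Ansible run will fail at authentication; "expiring" is a hint to run kinit again first, and "wrong-realm" usually points at a mismatch between the principal used with kinit and the [realms] entry in krb5.conf.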

    Congratulations.😺


    Now let us run the ping again against the Windows server, this time using Kerberos as the authentication method.

    Modify inventory file as below:

    [windows]
    dc01.winadmin.me
    
    [windows:vars]
    ansible_user=<user>@WINADMIN.ME
    ansible_password=P@ssw0rd
    ansible_connection=winrm
    ansible_winrm_transport=kerberos
    ansible_port=5985

    Note that ansible_user is now the user principal name (<user>@WINADMIN.ME) and ansible_winrm_transport is set to kerberos.

    Ping windows servers:

    wintel@ansible01:~$ ansible windows -m win_ping -i inventory
    dc01.winadmin.me | SUCCESS => {
        "changed": false,
        "ping": "pong"
    }