Ansible - Configure and Manage Windows Servers
- If you have not yet installed Ansible, check Install and configure ansible on Ubuntu server
- After installing Ansible, let us configure it to access Windows servers. Hoping that Windows server is already configured with WinRM.
-
WinRM is a management protocol used by Windows to remotely communicate with another server. It is a SOAP-based protocol that communicates over HTTP/HTTPS, and is included in all recent Windows operating systems. Since Windows Server 2012, WinRM has been enabled by default, but in most cases extra configuration is required to use WinRM with Ansible.
Ansible uses the pywinrm package to communicate with Windows servers over WinRM. It is not installed by default with the Ansible package, but can be installed by running the following:
if pip is not installed, install using following command:sudo apt install python3-pip
pip3 install "pywinrm>=0.3.0"
NTLM
NTLM is an older authentication mechanism used by Microsoft that can support both local and domain accounts. NTLM is enabled by default on the WinRM service, so no setup is required before using it.
NTLM is the easiest authentication protocol to use and is more secure than Basic authentication. If running in a domain environment, Kerberos should be used instead of NTLM.
Kerberos has several advantages over using NTLM:
-
NTLM is an older protocol and does not support newer encryption protocols.
-
NTLM is slower to authenticate because it requires more round trips to the host in the authentication stage.
-
Unlike Kerberos, NTLM does not allow credential delegation.
This example shows host variables configured to use NTLM authentication. I have created the following file in my current directory.
[windows] dc01.winadmin.me [windows:vars] ansible_user=winadmin\wintel ansible_password=P@ssw0rd ansible_connection=winrm ansible_winrm_transport=ntlm ansible_port=5985
-
- Let us check if the settings are correct. Try to ping windows servers in inventory file.
winadmin@ansible01:~$ ansible windows -m win_ping -i inventory dc01.winadmin.me | SUCCESS => { "changed": false, "ping": "pong" }
- We have successfully configured and connected to the windows server.
Kerberos
Kerberos is the recommended authentication option to use when running in a domain environment. Kerberos supports features like credential delegation and message encryption over HTTP and is one of the more secure options that is available through WinRM.
Kerberos requires some additional setup work on the Ansible host before it can be used properly.
Installing the Kerberos Library
sudo apt install libkrb5-dev krb5-user
Enter Default Lerberos version 5 realm:
Once the above dependencies have been installed, the python-kerberos wrapper can be install using pip:
winadmin@ansible01:~$ pip install pywinrm[kerberos]
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: pywinrm[kerberos] in /usr/lib/python3/dist-packages (0.3.0)
Requirement already satisfied: requests-kerberos>=0.10.0 in /usr/lib/python3/dist-packages (from pywinrm[kerberos]) (0.12.0)
Requirement already satisfied: cryptography>=1.3 in /usr/lib/python3/dist-packages (from requests-kerberos>=0.10.0->pywinrm[kerberos]) (3.4.8)
Requirement already satisfied: pykerberos<2.0.0,>=1.1.8 in /usr/lib/python3/dist-packages (from requests-kerberos>=0.10.0->pywinrm[Kerberos]) (1.1.14)
Configuring Host Kerberos
Once the dependencies have been installed, Kerberos needs to be configured so that it can communicate with a domain. This configuration is done through the /etc/krb5.conf file, which is installed with the packages in the script above.
[realms]
WINADMIN.ME = {
kdc = dc01.winadmin.me
}
[domain_realm]
.winadmin.me = WINADMIN.ME
Check if you are able to get Kerberos ticket from domain.
winadmin@ansible01:~$ kinit This email address is being protected from spambots. You need JavaScript enabled to view it.
Password for This email address is being protected from spambots. You need JavaScript enabled to view it. :
winadmin@ansible01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: This email address is being protected from spambots. You need JavaScript enabled to view it.
Valid starting Expires Service principal
04/08/2023 19:01:40 04/09/2023 05:01:40 krbtgt/This email address is being protected from spambots. You need JavaScript enabled to view it.
renew until 04/09/2023 19:01:34
If you can see ticket details in klist command, then your configuration is correct.
Congratulations.😺
Now, let us check the ping command to windows server using Kerberos as authentication method.
Modify inventory file as below:
[windows]
dc01.winadmin.me
[windows:vars]
ansible_user=This email address is being protected from spambots. You need JavaScript enabled to view it.
ansible_password=P@ssw0rd
ansible_connection=winrm
ansible_winrm_transport=kerberos
ansible_port=5985
Check if you are changing user as
Ping windows servers:
wintel@ansible01:~$ ansible windows -m win_ping -i inventory
dc01.winadmin.me | SUCCESS => {
"changed": false,
"ping": "pong"
}