Configure Ansible to work with Windows Servers

Configure Ansible to access Windows Servers:

After installing Ansible, let us configure it to access the Windows servers. This assumes the Windows server is already configured with WinRM.
1. Install pip if it is not installed already.
sudo apt install python-pip
2. Install the WinRM Python module (pywinrm) on the Ansible server.
sudo pip install "pywinrm>=0.3.0"
...
  Running setup.py install for pywinrm ... done
Successfully installed ntlm-auth-1.4.0 pywinrm-0.4.1 requests-ntlm-1.1.0
3. Now edit the hosts file with the Windows hosts and their variables.
sudo nano /etc/ansible/hosts

    [windows]
    172.168.20.10

    [windows:vars]
    ansible_user=test\wintel
    ansible_password=P@ssw0rd
    ansible_connection=winrm
    ansible_winrm_transport=ntlm
    ansible_port=5985
*** Please do not put the password in the inventory in a production environment. You can use ansible-vault to encrypt the inventory file.
4. Now run a simple module to check connectivity to the Windows host.
winadmin@ansible01:~$ ansible windows -i inventory -m win_ping
172.168.1.10 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
5. If you configured WinRM with a certificate, add the following line to the inventory file.
ansible_winrm_cert_validation=ignore
This is not recommended in a production environment. Instead, use a certificate issued by your certificate server so that validation can stay enabled.
6. The above works for NTLM authentication. Let us now configure Kerberos authentication.

Install and set up Kerberos

sudo apt install python-dev libkrb5-dev krb5-user

sudo pip install "pywinrm[kerberos]"
7. Check the Kerberos configuration file and make sure the required values (realm and KDC) are set correctly.
sudo nano /etc/krb5.conf

[libdefaults]
        default_realm = TEST.ORG

[realms]
        TEST.ORG = {
                kdc = 172.168.1.10
                admin_server = 172.168.1.10
        }
8. Check that Kerberos is working.
winadmin@ansible01:~$ kinit wintel@TEST.ORG
Password for wintel@TEST.ORG:
winadmin@ansible01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: wintel@TEST.ORG

Valid starting       Expires              Service principal
01/19/2020 08:25:47  01/19/2020 18:25:47  krbtgt/TEST.ORG@TEST.ORG
        renew until 01/20/2020 08:25:43
winadmin@ansible01:~$
We can see that a Kerberos ticket has been generated.
9. You can destroy the ticket with the kdestroy command.
winadmin@ansible01:~$ kdestroy
venu@ansible01:~$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_1000)
winadmin@ansible01:~$
10. Modify the inventory file to use Kerberos authentication.
ansible_winrm_transport=kerberos
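As an added example (not from the original post): a small Python check that reads an INI inventory laid out like the one above and flags the two settings the post cautions against, a clear-text ansible_password and ansible_winrm_cert_validation=ignore, plus one extra check the post does not mention, basic authentication over the unencrypted port 5985 listener. The embedded inventory is constructed, and parse_vars and audit are names chosen here.

```python
import re

# Constructed sample inventory mirroring the post's layout (not a real host).
# It deliberately contains both settings the post warns about.
SAMPLE_INVENTORY = """\
[windows]
172.168.20.10

[windows:vars]
ansible_user=test\\wintel
ansible_password=P@ssw0rd
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_port=5985
ansible_winrm_cert_validation=ignore
"""


def parse_vars(inventory: str) -> dict:
    """Return {group: {var: value}} for every [group:vars] section of an INI inventory."""
    groups, current = {}, None
    for raw in inventory.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:                               # [group] or [group:vars]
            name = header.group(1)
            current = name[:-5] if name.endswith(":vars") else None
            if current is not None:
                groups.setdefault(current, {})
            continue
        if current is not None and "=" in line:  # key=value inside a :vars section
            key, value = line.split("=", 1)
            groups[current][key.strip()] = value.strip()
    return groups


def audit(inventory: str) -> list:
    """Return one finding string per weak WinRM setting found in the inventory."""
    findings = []
    for group, v in parse_vars(inventory).items():
        if "ansible_password" in v:
            findings.append(f"{group}: ansible_password is in clear text; keep it in an ansible-vault encrypted file")
        if v.get("ansible_winrm_cert_validation", "").lower() == "ignore":
            findings.append(f"{group}: ansible_winrm_cert_validation=ignore disables HTTPS certificate checks")
        # Extra check beyond the post: basic auth on the HTTP listener has no WinRM message encryption.
        if v.get("ansible_port") == "5985" and v.get("ansible_winrm_transport", "").lower() in ("basic", "plaintext"):
            findings.append(f"{group}: basic/plaintext transport over port 5985 sends credentials unencrypted")
    return findings
```

Running audit(SAMPLE_INVENTORY) returns two findings for the sample above; run it against your own inventory file's contents before committing it.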