Friday, June 4, 2021

To enable Kerberos authentication for Ansible.

For Kerberos, install the following packages:
yum install python3-devel
yum install krb5-workstation
yum install krb5-devel
yum install krb5-libs
pip install kerberos
pip3 install pywinrm[kerberos]


Put the information below into the /etc/krb5.conf file, then verify the setup by running kinit Administrator@AREA51.COM and kinit -S HOST/WIN-DQTK4K8NQ55.AREA51.COM

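# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

# Where the Kerberos client libraries, the KDC and kadmind write their logs.
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

# Client-side defaults used by kinit and by the pywinrm Kerberos client.
[libdefaults]
    # Do not look up realms via DNS TXT records; the [domain_realm] mapping
    # below is used instead.
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    # Forwardable tickets are a prerequisite for credential delegation to the
    # WinRM host. NOTE(review): keep this only if the Ansible tasks actually
    # need to reach a second hop from the Windows host.
    forwardable = true
    # Do not use reverse DNS when canonicalising service hostnames.
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = AREA51.COM
    default_ccache_name = KEYRING:persistent:%{uid}
    # Encryption types offered to and accepted from the KDC.
    # AES is what a current AD domain issues. rc4-hmac is retained only for
    # compatibility with accounts not yet enabled for AES and should be
    # removed once the domain allows AES-only.
    # Single-DES (des-cbc-crc, des-cbc-md5) is broken, disabled by default in
    # AD, and no longer built into MIT Kerberos 1.18+, so it has been dropped
    # from all three lists.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac

# Realm definitions. kdc and admin_server must resolve to a domain controller;
# area51.com is kept as written in the original post -- NOTE(review): confirm
# that name actually resolves to the DC (check the _kerberos SRV records).
[realms]
    AREA51.COM = {
        kdc = area51.com:88
        admin_server = area51.com:749
    }

# Map DNS names onto the Kerberos realm (required because dns_lookup_realm is
# turned off above).
[domain_realm]
    .area51.com = AREA51.COM
    area51.com = AREA51.COM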

https://docs.ansible.com/ansible-tower/3.1.3/html/administration/kerberos_auth.html
https://access.redhat.com/solutions/4911041
For domain controller relation issues, see:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/verify-srv-dns-records-have-been-created
