If you use Active Directory users to run job templates against Windows hosts that are domain members, Kerberos authentication is usually required for WinRM.
There is an official documentation to use Kerberos authentication in Ansible Automation Controller, but it is not suitable for AWX.
This page shows you how to use Kerberos authentication for running job templates in AWX.
- Example environment for this guide
- Procedure
- Testing
- Troubleshooting
- Alternative solution (not recommended)
This is my example environment for this guide. Replace these values in this guide as appropriate for your environment.
Key | Value |
---|---|
Domain | kurokobo.internal |
Domain Controller | kuro-ad01.kurokobo.internal |
KDC Server | kuro-ad01.kurokobo.internal |
Ansible Target Host | kuro-win01.kurokobo.internal |
Ansible User | [email protected] |
To use Kerberos authentication in your AWX, following tasks are required.
- Setting up your Windows host
- Enable WinRM that uses Kerberos authentication
- Allow specific domain user to connect via WinRM
- Setting up your Kubernetes
- Create
krb5.conf
as ConfigMap on your Kubernetes cluster
- Create
- Setting up your AWX
- Create Container Group with custom pod spec that mounts
krb5.conf
to make Kerberos authentication to be used in your EE - Create Credential for the domain user
- Create Inventory for the Windows hosts
- Configure your Job Template
- Create Container Group with custom pod spec that mounts
Enable WinRM on your Windows host and allow specific domain user to connect to your host via WinRM.
Refer the Ansible documentation and enable WinRM on your Windows host. Running winrm quickconfig
on your Windows host is the simplest way, but GPO can also be used to enable WinRM.
Ensure that your WinRM Listener is enabled for HTTP. Note that HTTP is safe to use with Kerberos authentication since Kerberos has its own encryption method and all messages will be encrypted over HTTP. Therefore WinRM Listener for HTTPS is not mandatory.
> winrm enumerate winrm/config/Listener
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 127.0.0.1, ...
Then ensure Kerberos authentication is enabled for WinRM.
> winrm get winrm/config/Service
Service
RootSDDL = ...
MaxConcurrentOperations = 4294967295
MaxConcurrentOperationsPerUser = 1500
EnumerationTimeoutms = 240000
MaxConnections = 300
MaxPacketRetrievalTimeSeconds = 120
AllowUnencrypted = false
Auth
Basic = true
Kerberos = true 👈👈👈
Negotiate = true
Certificate = false
CredSSP = false
CbtHardeningLevel = Relaxed
DefaultPorts
HTTP = 5985
HTTPS = 5986
IPv4Filter = *
IPv6Filter = *
EnableCompatibilityHttpListener = false
EnableCompatibilityHttpsListener = false
CertificateThumbprint
AllowRemoteAccess = true
Additionally, you have to care about the group or permissions of the domain user that used for WinRM.
WinRM is configured by default to only allow connections by users in the local Administrators
group. In this guide, a domain user [email protected]
will be used to connect to Windows hosts via WinRM.
Therefore this user have to be joined local Administrators
, or have permissions for Read
and Execute
for WinRM. Default permissions for WinRM can be changed by winrm configSDDL default
. Refer the Ansible documentation for more detail.
Create krb5.conf
and add it as ConfigMap to your Kubernetes cluster.
Create new file krb5.conf
on the host that kubectl
for your Kubernetes cluster can be used. This file will be added as ConfigMap in your Kubernetes cluster in the later step.
There are some official documentation about krb5.conf
:
- Ansible documentation
- Ansible Automation Controller documentation
This is my minimal example. Note that some domain names under [realms]
and [domain_realm]
are capitalized.
[realms]
KUROKOBO.INTERNAL = {
kdc = kuro-ad01.kurokobo.internal
admin_server = kuro-ad01.kurokobo.internal
}
[domain_realm]
.kurokobo.internal = KUROKOBO.INTERNAL
kurokobo.internal = KUROKOBO.INTERNAL
Create new ConfigMap on your Kubernetes cluster using krb5.conf
that you have created.
kubectl -n awx create configmap awx-kerberos-config --from-file=krb5.conf
This command creates new ConfigMap called awx-kerberos-config
in the namespace awx
. Specify the path to your krb5.conf
as --from-file
.
Note that the namespace has to be the name of the namespace that your EE will be launched on. If you've deployed your AWX using to my guide, the namespace is awx
.
Ensure new ConfigMap is created on your Kubernetes cluster.
$ kubectl -n awx get configmap awx-kerberos-config -o yaml
apiVersion: v1
data:
krb5.conf: |-
[realms]
KUROKOBO.INTERNAL = {
kdc = kuro-ad01.kurokobo.internal
admin_server = kuro-ad01.kurokobo.internal
}
[domain_realm]
.kurokobo.internal = KUROKOBO.INTERNAL
kurokobo.internal = KUROKOBO.INTERNAL
kind: ConfigMap
metadata:
...
name: awx-kerberos-config
namespace: awx
...
Create new Container Group, Credential, and Inventory in your AWX.
Create Container Group with custom pod spec that mounts krb5.conf
to make Kerberos authentication to be used in your EE.
-
Open AWX UI and open
Instance Groups
underAdministration
, then pressAdd
. -
Enter
Name
as you like (e.g.kerberos
) and toggleCustomize pod specification
. -
Put following YAML string to
Custom pod spec
and pressSave
apiVersion: v1 kind: Pod metadata: namespace: awx spec: serviceAccountName: default automountServiceAccountToken: false containers: - image: 'quay.io/ansible/awx-ee:latest' name: worker args: - ansible-runner - worker - '--private-data-dir=/runner' resources: requests: cpu: 250m memory: 100Mi volumeMounts: - name: awx-kerberos-volume mountPath: /etc/krb5.conf subPath: krb5.conf volumes: - name: awx-kerberos-volume configMap: name: awx-kerberos-config
This pod spec means that your ConfigMap including your krb5.conf
will be mounted as /etc/krb5.conf
in the EE based on this Container Group. Of course this pod spec is just a working example and you can modify this to suit your requirements. Refer my guide for Container Group for detail.
Create new Credential for your domain user. In this guide, the domain user [email protected]
will be used to connect to Windows hosts via WinRM, so the Credential for [email protected]
have to be created.
- Open AWX UI and open
Credentials
underResources
, then pressAdd
. - Enter
Name
as you like (e.g.Domain User
) and selectMachine
asCredential Type
. - Enter
Username
andPassword
for your domain user in<username>@<DOMAINNAME>
format. Note that the domain name have to be capitalized like[email protected]
.
It's very important that the domain name in the Username
have to be capitalized, since this username will be passed as-is to kinit
. If you specify your domain name in lower-case, kinit
will fail because kinit
cannot find KDC for realm in lower-case.
Alternatively the name of the realm can be passed through ansible_winrm_realm
variable, but my recommendation is specify realm in Credential as the part of Username
in upper-case.
Create Inventory in the standard way. The important points are as follows.
-
The name of the
Host
in your Inventory have to be specified as FQDN, likekuro-win01.kurokobo.internal
, instead of IP address. This is mandatory requirement. -
You should add following variables in the Inventory as host variables or group variables.
--- ansible_connection: winrm ansible_winrm_transport: kerberos ansible_port: 5985
Create or configure your Job Template. The important points are as follows.
- Specify Inventory that includes your Windows hosts in FQDN.
- Specify Credential that includes the username in
<username>@<DOMAINNAME>
format. The domain name in the username have to be capitalized. - Specify Instance Group that has custom pod spec that mounts your ConfigMap as
/etc/krb5.conf
.
You can test connectivity via WinRM using Kerberos by using ansible.windows.win_ping
module. This is an example playbook.
---
- name: Test Kerberos Authentication
hosts: kuro-win01.kurokobo.internal
gather_facts: false
tasks:
- name: Ensure windows host is reachable
ansible.windows.win_ping:
If the Verbosity
for the Job Template is configured 4 (Connection Debug)
and if your Kerberos authentication is successfully established, the job ends with success and the log shows that kinit
is called to connect to Windows hosts.
TASK [Ensure windows host is reachable] ****************************************
...
<kuro-win01.kurokobo.internal> ESTABLISH WINRM CONNECTION FOR USER: [email protected] on PORT 5985 TO kuro-win01.kurokobo.internal
calling kinit with pexpect for principal [email protected] 👈👈👈
...
ok: [kuro-win01.kurokobo.internal] => {
"changed": false,
"invocation": {
"module_args": {
"data": "pong"
}
},
"ping": "pong"
}
The Kerberos authentication including kinit
will be invoked on every Job Template running. This means that kinit
will be invoked in EE, so if we want to investigate Kerberos related issues, we have to dig into the EE.
Run this playbook as a Job on the Container Group.
---
- name: Debug Kerberos Authentication
hosts: localhost
gather_facts: false
tasks:
- name: Ensure /etc/krb5.conf is mounted
ansible.builtin.debug:
msg: "{{ lookup( 'file', '/etc/krb5.conf' ) }}"
- name: Pause for specified minutes for debugging
ansible.builtin.pause:
minutes: 10
You can dig into the EE during ansible.builtin.pause
is working by following commands.
- Launch the Job with the playbook above.
- If your Job exits with
Failed
immediately, your custom pod spec for your Container Group or ConfigMap for yourkrb5.conf
might be wrong.
- If your Job exits with
- Invoke
kubectl -n <namespace> get pod
on your Kubernetes cluster - Gather the pod name that starts with
automation-job-*
$ kubectl -n awx get pod
NAME READY STATUS RESTARTS AGE
awx-postgres-0 1/1 Running 0 41h
awx-76445c946f-btfzz 4/4 Running 0 41h
awx-operator-controller-manager-7594795b6b-565wm 2/2 Running 0 41h
automation-job-42-tdvs5 1/1 Running 0 4s 👈👈👈
Now you can access bash
inside the EE by kubectl -n <namespace> exec -it <pod name> -- bash
:
$ kubectl -n awx exec -it automation-job-42-tdvs5 -- bash
bash-4.4$ 👈👈👈
Then proceed investigation.
If your Container Group and ConfigMap are configured correctly, you can get your krb5.conf
as /etc/krb5.conf
inside the EE.
bash-4.4$ cat /etc/krb5.conf
[realms]
KUROKOBO.INTERNAL = {
kdc = kuro-ad01.kurokobo.internal
admin_server = kuro-ad01.kurokobo.internal
}
[domain_realm]
.kurokobo.internal = KUROKOBO.INTERNAL
kurokobo.internal = KUROKOBO.INTERNAL
If your krb5.conf
is missing, ensure your custom pod spec for Container Group and ConfigMap for your krb5.conf
are correct.
Ensure your KDC server can be reachable. There is no command such as ping
or nslookup
, downloading and using Busybox is helpful.
# Download busybox and make it executable
bash-4.4$ curl -o busybox https://busybox.net/downloads/binaries/1.35.0-x86_64-linux-musl/busybox
bash-4.4$ chmod +x busybox
Then test name resolution and network reachability.
# Ensure your domain name can be resolved
bash-4.4$ ./busybox nslookup kurokobo.internal
Server: 10.43.0.10
Address: 10.43.0.10:53
Name: kurokobo.internal
Address: ...
# Ensure hostname of your KDC can be resolved
bash-4.4$ ./busybox nslookup kuro-ad01.kurokobo.internal
Server: 10.43.0.10
Address: 10.43.0.10:53
Name: kuro-ad01.kurokobo.internal
Address: ...
# Ensure the port 88 on your KDC can be opened
bash-4.4$ ./busybox nc -v -w 1 kuro-ad01.kurokobo.internal 88
kuro-ad01.kurokobo.internal (...:88) open
You can test Kerberos authentication by using kinit
manually inside the EE.
# Ensure that there is no error while passing <username>@<DOMAINNAME> and password
# Note that the domain name for kinit have to be capitalized
bash-4.4$ kinit [email protected]
Password for [email protected]:
# Ensure new ticket has been issued after kinit
bash-4.4$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting Expires Service principal
07/02/22 12:32:28 07/02/22 22:32:28 krbtgt/[email protected]
renew until 07/03/22 12:32:21
Some common issues during this guide and workaround for those errors.
The "Troubleshooting Kerberos" section in Ansible documentation can also be helpful.
The job had been failed immediately after running the job. The log shows following.
Error creating pod: container failed with exit code 128: failed to create containerd task: ...
This is usually caused by misconfigured custom pod spec of your Container Group or ConfigMap for your krb5.conf
.
kinit
inside the EE or job failed with following error.
bash-4.4$ kinit <username>@<DOMAINNAME>
kinit: Cannot find KDC for realm "<DOMAINNAME>" while getting initial credentials
TASK [Ensure windows host is reachable] ****************************************
fatal: [...]: UNREACHABLE! => {
"changed": false,
"msg": "Kerberos auth failure for principal [email protected] with pexpect: Cannot find KDC for realm \"<DOMAINNAME>\" while getting initial credentials",
"unreachable": true
}
If this occurred, ensure:
/etc/krb5.conf
is correctly configured- Your KDC hostname can be resolved
- Your KDC can be accessed from EE
- The username for
kinit
is correct. Especially, note that the domain name in the username have to be capitalized like[email protected]
- If manually invoked
kinit
is succeeded butkinit
inside the job failed, ensure the username in your Credential in AWX is correct. Note that the domain name in the username have to be capitalized like[email protected]
The job failed with following error.
TASK [Ensure windows host is reachable] ****************************************
fatal: [...]: UNREACHABLE! => {
"changed": false,
"msg": "kerberos: the specified credentials were rejected by the server",
"unreachable": true
}
Ensure your domain user that used to connect to WinRM on the target host is the member of local Administrators
group on the target host, or has permissions for Read
and Execute
for WinRM.
The job failed with following error.
TASK [Ensure windows host is reachable] ****************************************
fatal: [...]: UNREACHABLE! => {
"changed": false,
"msg": "kerberos: Access is denied. (extended fault data: {'transport_message': 'Bad HTTP response returned from server. Code 500', 'http_status_code': 500, 'wsmanfault_code': '5', 'fault_code': 's:Sender', 'fault_subcode': 'w:AccessDenied'})",
"unreachable": true
}
Ensure your domain user that used to connect to WinRM on the target host is the member of local Administrators
group on the target host, or has permissions for Read
and Execute
for WinRM. In this case, Execute
might be missing.
To replace /etc/krb5.conf
in EE with your customized krb5.conf
, you can also use AWX_ISOLATION_SHOW_PATHS
settings in AWX. This is a setting to expose any path on the host to EE. If this setting is activated, it's no longer required to create a Container Group on AWX or ConfigMap on Kubernetes, that described in this guide.
However, this feature will internally mount krb5.conf
via hostPath
, so a customized krb5.conf
must be placed on all Kubernetes nodes where the EE will run.
Also, side-effects and security concerns must be taken into consideration, as all EE jobs running on AWX will mount krb5.conf
via hostPath
, weather the job is for Windows hosts or not.
Therefore, I don't recommend this method in this guide.
If you want to use this feature, you can do so by following these steps.
- Place your
krb5.conf
on any path on your Kubernetes node, e.g./data/kerberos/krb5.conf
, instead of creating a Container Group on AWX or ConfigMap on Kubernetes - Enable
Expose host paths for Container Groups
in AWX underSettings
>Job settings
.- This equals to set
AWX_MOUNT_ISOLATED_PATHS_ON_K8S
totrue
.
- This equals to set
- Add
/data/kerberos/krb5.conf:/etc/krb5.conf:O
toPaths to expose to isolated jobs
in AWX underSettings
>Job settings
.- This equals to append string to
AWX_ISOLATION_SHOW_PATHS
.
- This equals to append string to
- Run your Job Template that without any Container Group.