Ansible - Kerberos message encryption to enable WinRM

Kerberos message encryption was just released for pywinrm, and it’s a great time to be alive.
https://github.com/diyan/pywinrm/releases/tag/v0.3.0

With this, even if you don’t have a fully deployed certificate infrastructure for HTTPS listeners, you can still have encrypted messages flying around while using the WinRM easy mode of HTTP over tcp/5985, because the SOAP payload is encrypted at the message level by Kerberos rather than by TLS. If you’re not using Windows 10, just skip the WSL install portion.

If you have any problems, feel free to email me: hortonew@gmail.com

Current environment looks like the following:
Windows 10
Windows Subsystem for Linux (WSL) - upgraded to Ubuntu 16.04
Python 3.5 / pip3
Virtualenv
Ansible 2.4.2.0
Domain joined computer, configured krb5.conf

Let’s get started.

Install WSL #

Open PowerShell, and run:
lxrun /install

Run:
bash

Make sure you’re on Ubuntu 16.04:
lsb_release -a

If you’re still on 14.04, be aware of the following:
https://stackoverflow.com/questions/40046786/windows-bash-wsl-sudo-no-tty-present-and-no-askpass-program-specified

then upgrade:
sudo do-release-upgrade

FYI: I went the route of the upgrade, and actually had to uninstall “screen” before doing the release-upgrade:
sudo apt-get remove screen && sudo do-release-upgrade

Install packages #

Run the following:
sudo apt-get -y install gcc python-dev python3-dev libffi-dev libssl-dev libkrb5-dev krb5-user python-kerberos python3-kerberos virtualenv python3-venv

Set up virtual environment #

Run the following:
virtualenv -p python3 py3-ansible
cd py3-ansible
source bin/activate
pip3 install ansible
pip3 install pywinrm --upgrade
pip3 install kerberos requests_kerberos
pip3 install pywinrm[kerberos]

Kerberos Configuration - /etc/krb5.conf #

Every configuration is going to be different per environment.

Assume I have multiple domains in my environment:
corporate.company.com
utility.companyhosting.net
development.company.com

Assume I have KDCs or primary domain controllers for each:
my-dc-corporate.corporate.company.com
my-dc-utility.utility.companyhosting.net
my-dc-development.development.company.com

My config would look something like the following:

[libdefaults]
  default_realm = CORPORATE.COMPANY.COM
  krb4_config = /etc/krb.conf
  krb4_realms = /etc/krb.realms
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
  v4_instance_resolve = false
  v4_name_convert = {
    host = {
      rcmd = host
      ftp = ftp
    }
    plain = {
      something = something-else
    }
  }
  fcc-mit-ticketflags = true

[realms]
  CORPORATE.COMPANY.COM = {
    kdc = my-dc-corporate.corporate.company.com
    default_domain = corporate.company.com
    kpasswd_server = my-dc-corporate.corporate.company.com
  }
  UTILITY.COMPANYHOSTING.NET = {
    kdc = my-dc-utility.utility.companyhosting.net
    default_domain = utility.companyhosting.net
    kpasswd_server = my-dc-utility.utility.companyhosting.net
  }
  DEVELOPMENT.COMPANY.COM = {
    kdc = my-dc-development.development.company.com
    default_domain = development.company.com
    kpasswd_server = my-dc-development.development.company.com
  }

[domain_realm]
  .corporate.company.com = CORPORATE.COMPANY.COM
  .utility.companyhosting.net = UTILITY.COMPANYHOSTING.NET
  .development.company.com = DEVELOPMENT.COMPANY.COM

[login]
  krb4_convert = true
  krb4_get_tickets = false

Generate a Kerberos ticket to authenticate with #

If I wanted to log into a server in corporate.company.com, I would use:
kinit username@CORPORATE.COMPANY.COM

If I wanted to log into a server in utility.companyhosting.net, I would use:
kinit username@UTILITY.COMPANYHOSTING.NET

You can use the klist command to view current Kerberos tickets, or kdestroy to get rid of all active tickets:
klist
kdestroy

Configure Ansible inventories / groups to use WinRM with Kerberos #

Build out a directory structure:
mkdir -p ansible/inventories/group_vars

Create hosts file:
vim ansible/inventories/hosts

[win-corporate]
h1.corporate.company.com

Assign the win-corporate group some variables:
vim ansible/inventories/group_vars/win-corporate.yml

ansible_user: username@CORPORATE.COMPANY.COM
ansible_password: 
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_winrm_scheme: http
ansible_winrm_transport: kerberos
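To see what those group_vars actually buy you on the wire, here is an added check (my own example, not code from the post or from Ansible/pywinrm) that reads a flat group_vars file and reports whether the resulting WinRM session is protected by TLS, by Kerberos/NTLM message encryption, or not at all. It assumes pywinrm's message_encryption values of auto/always/never (passed through Ansible as ansible_winrm_message_encryption) and that kerberos, ntlm and credssp are the transports that can encrypt over plain http; the defaults used for absent keys are assumptions as well.

```python
# Transports pywinrm 0.3.0+ can wrap in message-level encryption over plain
# http (assumed set: kerberos, ntlm, credssp; basic and certificate cannot).
ENCRYPTING_TRANSPORTS = {"kerberos", "ntlm", "credssp"}

# Constructed sample: the win-corporate.yml group_vars from this post.
SAMPLE_GROUP_VARS = """\
ansible_user: username@CORPORATE.COMPANY.COM
ansible_password:
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_winrm_scheme: http
ansible_winrm_transport: kerberos
"""

def parse_flat_yaml(text):
    """Parse one-level 'key: value' lines into a dict; empty values become ''."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and ":" in line:
            key, _, value = line.partition(":")
            result[key.strip()] = value.strip()
    return result


def assess_winrm_encryption(vars_):
    """Return (verdict, findings) describing how the WinRM traffic is protected."""
    # Assumed defaults when a key is absent: https scheme, plaintext transport,
    # pywinrm's default message_encryption of 'auto', certificate validation on.
    scheme = vars_.get("ansible_winrm_scheme", "https").lower()
    transport = vars_.get("ansible_winrm_transport", "plaintext").lower()
    msg_enc = vars_.get("ansible_winrm_message_encryption", "auto").lower()
    cert_check = vars_.get("ansible_winrm_server_cert_validation", "validate").lower()
    findings = []
    if scheme == "https":
        if cert_check == "ignore":
            findings.append("TLS in use but the server certificate is not validated")
            return "tls-unverified", findings
        return "tls", findings
    # Plain http: only message-level encryption protects the SOAP payload.
    if transport in ENCRYPTING_TRANSPORTS and msg_enc in ("auto", "always"):
        if msg_enc == "auto":
            findings.append("set ansible_winrm_message_encryption: always to fail closed")
        return "message-encrypted", findings
    if transport not in ENCRYPTING_TRANSPORTS:
        findings.append("transport '%s' cannot encrypt over http" % transport)
    if msg_enc == "never":
        findings.append("message encryption explicitly disabled")
    return "cleartext", findings
```

Running it over the sample above reports message-encrypted; the same file with ansible_winrm_transport: basic reports cleartext, which is the case to watch for on port 5985.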

Test Ansible’s connectivity via WinRM #

From inside the ansible/ directory created above, run:
ansible h1.corporate.company.com -i inventories/ -m win_ping

Grab a beer because hopefully, you did it!
