Ansible - Kerberos message encryption to enable WinRM

Kerberos message encryption was just released for pywinrm, and it’s a great time to be alive.
https://github.com/diyan/pywinrm/releases/tag/v0.3.0

With this, if you don’t have a fully deployed certificate architecture, you can still have encrypted messages flying around while using the WinRM easy-mode of HTTP over tcp/5985. If you’re not using Windows 10, just skip the WSL install portion.

If you have any problems, feel free to email me: hortonew@gmail.com

Current environment looks like the following:
Windows 10
Windows Subsystem for Linux (WSL) - upgraded to ubuntu 16.04
Python 3.5 / pip3
Virtualenv
Ansible 2.4.2.0
Domain joined computer, configured krb5.conf

Let’s get started.

Install WSL

Open PowerShell, and run:
lxrun /install

Run:
bash

Make sure you’re on Ubuntu 16.04:
lsb_release -a

If you’re still on 14.04, be aware of the following:
https://stackoverflow.com/questions/40046786/windows-bash-wsl-sudo-no-tty-present-and-no-askpass-program-specified

then upgrade:
sudo do-release-upgrade

FYI: I went the route of the upgrade, and actually had to uninstall “screen” before doing the release-upgrade:
sudo apt-get remove screen && sudo do-release-upgrade

Install packages

Run the following:
sudo apt-get -y install gcc python-dev python3-dev libffi-dev libssl-dev libkrb5-dev krb5-user python-kerberos python3-kerberos virtualenv python3-venv

Set up virtual environment

Run the following:
virtualenv -p python3 py3-ansible
cd py3-ansible
source bin/activate
pip3 install ansible
pip3 install pywinrm --upgrade
pip3 install kerberos requests_kerberos
pip3 install pywinrm[kerberos]

Kerberos Configuration - /etc/krb5.conf

Every configuration is going to be different per environment.

Assume I have multiple domains in my environment:
corporate.company.com
utility.companyhosting.net
development.company.com

Assume I have KDCs or primary domain controllers for each:
my-dc-corporate.corporate.company.com
my-dc-utility.utility.companyhosting.net
my-dc-development.development.company.com

My config would look something like the following:

[libdefaults]
  default_realm = CORPORATE.COMPANY.COM
  krb4_config = /etc/krb.conf
  krb4_realms = /etc/krb.realms
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
  v4_instance_resolve = false
  v4_name_convert = {
    host = {
      rcmd = host
      ftp = ftp
    }
    plain = {
      something = something-else
    }
  }
  fcc-mit-ticketflags = true

[realms]
  CORPORATE.COMPANY.COM = {
    kdc = my-dc-corporate.corporate.company.com
    default_domain = corporate.company.com
    kpasswd_server = my-dc-corporate.corporate.company.com
  }
  UTILITY.COMPANYHOSTING.NET = {
    kdc = my-dc-utility.utility.companyhosting.net
    default_domain = utility.companyhosting.net
    kpasswd_server = my-dc-utility.utility.companyhosting.net
  }
  DEVELOPMENT.COMPANY.COM = {
    kdc = my-dc-development.development.company.com
    default_domain = development.company.com
    kpasswd_server = my-dc-development.development.company.com
  }

[domain_realm]
  .corporate.company.com = CORPORATE.COMPANY.COM
  .utility.companyhosting.net = UTILITY.COMPANYHOSTING.NET
  .development.company.com = DEVELOPMENT.COMPANY.COM

[login]
  krb4_convert = true
  krb4_get_tickets = false

Generate a Kerberos ticket to authenticate with

If I wanted to log into a server in corporate.company.com, I would use:
kinit username@CORPORATE.COMPANY.COM

If I wanted to log into a server in utility.companyhosting.net, I would use:
kinit username@UTILITY.COMPANYHOSTING.NET

You can use the klist command to view current Kerberos tickets, or kdestroy to get rid of all active tickets:
klist
kdestroy
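Because kinit is done per realm, the ticket you hold must be for the realm that krb5.conf maps the target host to, or WinRM authentication fails before any encryption happens. The following is an added pre-flight check, not part of the original post: it mirrors the [domain_realm] lookup (exact host first, then each parent domain with a leading dot) and compares the result against the realm of the cached ticket in klist output. The krb5.conf section and klist output are constructed samples based on the post’s example domains.

```python
import re

# Constructed sample: the [domain_realm] section of the post's krb5.conf.
KRB5_CONF = """[domain_realm]
  .corporate.company.com = CORPORATE.COMPANY.COM
  .utility.companyhosting.net = UTILITY.COMPANYHOSTING.NET
  .development.company.com = DEVELOPMENT.COMPANY.COM
"""

# Constructed sample of `klist` after `kinit username@CORPORATE.COMPANY.COM`.
KLIST_OUTPUT = "Ticket cache: FILE:/tmp/krb5cc_1000\nDefault principal: username@CORPORATE.COMPANY.COM\n"

def parse_domain_realm(conf):
    """Return {domain_pattern: REALM} from the [domain_realm] section."""
    mapping, in_section = {}, False
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[domain_realm]"
        elif in_section and "=" in line:
            pattern, realm = (s.strip() for s in line.split("=", 1))
            mapping[pattern.lower()] = realm.upper()
    return mapping

def realm_for_host(host, mapping):
    """krb5-style lookup: exact host first, then each parent domain with a leading dot."""
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        realm = mapping.get("." + ".".join(labels[i:]))
        if realm:
            return realm
    return None  # krb5 would fall back to DNS lookup or default_realm here

def ticket_realm(klist_out):
    """Realm of the cached TGT, taken from klist's 'Default principal' line."""
    m = re.search(r"^Default principal:\s*\S+@(\S+)", klist_out, re.M)
    return m.group(1).upper() if m else None

def check_host(host, conf=KRB5_CONF, klist_out=KLIST_OUTPUT):
    """Return (ok, message): can the cached ticket authenticate to host?"""
    want = realm_for_host(host, parse_domain_realm(conf))
    have = ticket_realm(klist_out)
    if want is None:
        return False, f"{host}: no [domain_realm] entry for this host"
    if have != want:
        return False, f"{host}: ticket is for {have}, run: kinit username@{want}"
    return True, f"{host}: cached ticket for {want} matches"
```

Run it against the real files by reading /etc/krb5.conf and the output of klist instead of the constructed samples.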

Configure Ansible inventories / groups to use WinRM with Kerberos

Build out a directory structure:
mkdir -p ansible/inventories/group_vars

Create hosts file:
vim ansible/inventories/hosts

[win-corporate]
h1.corporate.company.com

Assign the win-corporate group some variables:
vim ansible/inventories/group_vars/win-corporate.yml

ansible_user: username@CORPORATE.COMPANY.COM
ansible_password: 
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_winrm_scheme: http
ansible_winrm_transport: kerberos

Test Ansible’s connectivity via WinRM

From inside the ansible directory created above (so that -i inventories/ resolves), run:
ansible h1.corporate.company.com -i inventories/ -m win_ping

Grab a beer because hopefully, you did it!
