How to configure Kerberos for Ansible Authentication

Posted on Christian By Christian 2 Comments on How to configure Kerberos for Ansible Authentication
configure Kerberos

A Key Distribution Center (abbreviated KDC) is also known as the Trust Center in the Kerberos system, Kerberos server, issues an on-demand ID file(TGT) for logged-in users on request, which the user can use as an ID to protect their traffic. In this article, we shall learn how to configure Kerberos for Ansible Authentication. Please see What to note when settings up Ansible to work with Kerberos, and how to Fix cannot find KDC for realm while getting initial credentials and kinit configuration file does not specify default realm.

Ticket Granting Ticket (TGT)

The Ticket Granting Ticket (TGT) is a small file that provides access to a data exchange, similar to a password but more secure.

The TGT is considered more secure because it contains, in encrypted form, the client’s IP address, the lifetime of the TGT, and the previously generated session key, preventing a man-in-the-middle attack. Furthermore, The TGT is an essential part of the Kerberos system for data path backup.

The TGT is issued by the Key Distribution Center (KDC) for registered and designated (authenticated) users. This step is required for Kerberos to communicate with the domain effectively and this is achieved via the following path in my environment as shown below.

Modify the configuration files, krb5.conf to reflect the correct information, (such as domain-realm mappings to Kerberos servers’ names) for your realm. Edit the file using any of your desired editors and populate it as follow 

C:\cygwin64\etc\crypto-policies\back-ends\krb5.config

Note: We will populate the file later, but for the initial test, this is absolutely ok.

Ansible Authentication

Authenticate to Kerberos Service

Before making your first connection in any Cygwin session. You need to authenticate to the Kerberos service. In a Cygwin bash shell, type.

kinit <yourusername>
Kerberos setup

Here, you will be prompted to enter your password. After you must have successfully authenticated, you will have acquired a Kerberos ticket-granting ticket

Now, we have tested and it works, let’s configure the Host Kerberos in details as shown below. This is necessary because Kerberos is reliant on a properly-configured environment to work.

Note: Ensure to enter the realm name in capital letters and pay specific attention to how the file is written here. Also see this lAnsible-ink for more information.

  • The [realm] should include the FQDNs of your DCs’.
  • The [domain_realm] Help map server hostname to Kerberos realm (This should include each domain that Ansible needs access to).
  • The [libdefaults] should contain various settings used by Kerberos V5 library

Ensure to save before quitting by hitting the Esc key on your keyboard, followed by “:wq” in the test editor and then hit enter on your keyboard. Below is how the file on the screenshot is layout (written).

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TECHDIRECT.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 TECHDIRECT.LOCAL = {
  kdc = techdarchive.techdirect.local
  admin_server = techdarchive.techdirect.local
 }

[domain_realm]
 .techdirect.com = TECHDIRECT.LOCAL
 techdirect.com = TECHDIRECT.LOCAL

Note (Information Only)

Most setup has it in this location /etc/krb5.conf. For seamless operation, both Kerberos and SSH can be configured. For me there was no need to configure Ansible to work with SSH, so this was ignored.

Note: There are two types of Kerberos ticket management for Ansible. We will be using the manual Kerberos ticket management

  • Automatic Kerberos Ticket management and
  • Manual Kerberos Ticket Management.

Testing: Before making your first connection to a remote device in any Cygwin session, you need to authenticate to the Kerberos service by using your Kerberized credentials In a Cygwin bash shell, type: simply run kinit binary to acquire a new Kerberos ticket as shown below.

kinit <yourusername@DOMAIN.COM>

Test using kinit, it will work correctly.
$ kinit user@TECHDIRECT.LOCAL
Password for user@TECHDIRECT.LOCAL:
$
- You can run “klist” to list all your active Kerberos tickets and their expiration dates.)

Note: To destroy all the tickets that have been acquired, use the following command:

$ kdestroy

I hope you found this blog post on how to configure Kerberos for Ansible Authentication helpful. If you have any questions, please let me know in the comment session.

5/5 - (1 vote)
Configuration Management Tool Tags:,

Related Posts

More Related Articles

1 ifg3ir3l 8ejus3pueqt0a Fix cannot find KDC for realm while getting initial credentials and kinit configuration file does not specify default realm Configuration Management Tool
images 5 IP Address UNREACHABLE: HTTP connection pool Max exceeded Configuration Management Tool
ansible logo600 591x296 1 Ansible_user=UNREACHABLE {Failed to connect to the host via SSH: SSH: Could not resolve hostname (Name or service not known, unreachable true) Configuration Management Tool
Screenshot 2020 05 14 at 19.43.13 Repo: How to setup Chef Repository Configuration Management Tool
image 117 Deploy MVC Application to AWS EC2 Using RDP and Web Deploy Configuration Management Tool
ansible KDC reply did not match expectations while getting initial credential Configuration Management Tool

Comments (2) on “How to configure Kerberos for Ansible Authentication”

Leave a Reply