
How to configure Kerberos for Ansible Authentication

A Key Distribution Center (KDC), also called the Trust Center or Kerberos server in a Kerberos system, issues an on-demand identity file, the Ticket Granting Ticket (TGT), to logged-in users on request; the user then presents this ticket as proof of identity to protect their traffic.

The Ticket Granting Ticket (TGT) is a small file that provides access to a data exchange, similar to a password but more secure.

The TGT is considered more secure because it contains, in encrypted form, the client’s IP address, the lifetime of the TGT, and the previously generated session key, preventing a man-in-the-middle attack. The TGT is an essential part of the Kerberos system for data path backup.

The TGT is issued by the Key Distribution Center (KDC) to registered and designated (authenticated) users.

This step is required for Kerberos to communicate with the domain effectively. In my environment this was achieved via the path shown below.

  • Modify the configuration file krb5.conf so that it reflects the correct information for your realm (such as the domain-realm mappings to your Kerberos servers’ names).

Edit the file C:\cygwin64\etc\crypto-policies\back-ends\krb5.config with your preferred editor and populate it as follows.

Note: We will populate the file fully later, but for the initial test this is absolutely fine.

Before making your first connection in any Cygwin session, you need to authenticate to the Kerberos service. In a Cygwin bash shell, type:

kinit <yourusername>

Here, you will be prompted for your password. Once you have successfully authenticated, you will have acquired a Kerberos ticket-granting ticket.

Now that we have tested it and it works, let’s configure Kerberos on the host in detail as shown below. This is necessary because Kerberos relies on a properly configured environment to work.

Note:
– Ensure the realm name is entered in capital letters, and pay close attention to how the file is written here: https://docs.ansible.com/ansible-tower/latest/html/administration/kerberos_auth.html

– The [realms] section should include the FQDNs of your DCs.
– The [domain_realm] section maps server hostnames to a Kerberos realm (it should include each domain that Ansible needs access to).
– The [libdefaults] section contains various settings used by the Kerberos V5 library.

Also see this link for more information: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html

Ensure you save before quitting: hit the Esc key on your keyboard, type “:wq” in the text editor and then hit Enter.

Below is how the file in the screenshot is laid out.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TECHDIRECT.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 TECHDIRECT.LOCAL = {
  kdc = techdarchive.techdirect.local
  admin_server = techdarchive.techdirect.local
 }

[domain_realm]
 .techdirect.com = TECHDIRECT.LOCAL
 techdirect.com = TECHDIRECT.LOCAL

Note (information only): Most setups have this file at /etc/krb5.conf.
– For seamless operation, both Kerberos and SSH can be configured. In my case there was no need to configure Ansible to work with SSH, so this was skipped.
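The rules in the notes above (upper-case realm names, FQDNs in [realms], every [domain_realm] entry pointing at a declared realm), as an added example that is not part of the original post: a small checker that parses a krb5.conf-style text and reports violations. The parser and the inline copy of the post's own file are assumptions of this example, not a krb5 library.

```python
# Added example (not the post's own code): parse a krb5.conf text and check the
# rules from the notes above. The sample config is the post's own file, re-typed.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = TECHDIRECT.LOCAL
[realms]
 TECHDIRECT.LOCAL = {
  kdc = techdarchive.techdirect.local
  admin_server = techdarchive.techdirect.local
 }
[domain_realm]
 .techdirect.com = TECHDIRECT.LOCAL
 techdirect.com = TECHDIRECT.LOCAL
"""

def parse_krb5_conf(text):
    # Returns {section: {key: value}}; each realm under [realms] is a nested dict.
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif line.endswith("{"):                # "REALM = {" opens a realm block
            realm = line[:-1].split("=")[0].strip()
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][realm] if realm else conf[section])[key] = value
    return conf

def check_krb5_conf(text):
    # Returns a list of problems; an empty list means the file passes the checks.
    conf, problems = parse_krb5_conf(text), []
    realms = conf.get("realms", {})
    for name, entries in realms.items():
        if name != name.upper():                # realm names must be upper case
            problems.append(f"realm {name} is not upper case")
        for key in ("kdc", "admin_server"):     # KDC hosts should be FQDNs
            if "." not in entries.get(key, ""):
                problems.append(f"{name}: {key} is not an FQDN")
    default = conf.get("libdefaults", {}).get("default_realm")
    if default not in realms:
        problems.append(f"default_realm {default} is not declared in [realms]")
    for domain, target in conf.get("domain_realm", {}).items():
        if target not in realms:                # every mapping needs a known realm
            problems.append(f"{domain} maps to undeclared realm {target}")
    return problems
```

Running check_krb5_conf on the post's file returns an empty list; a lower-case default_realm or a bare KDC hostname is reported before kinit ever has to fail on it.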

See the following links and the image above if you would like to set up SSH too:
http://computing.help.inf.ed.ac.uk/kerberos-cygwin
http://nynim.org/blog/2012/08/25/using-kerberos-gssapi-auth-with-openssh-in-cygwin-on-windows/

Note: There are two types of Kerberos ticket management for Ansible:
– Automatic Kerberos ticket management and
– Manual Kerberos ticket management.
We will be using manual Kerberos ticket management.

Testing: Before making your first connection to a remote device in any Cygwin session, you need to authenticate to the Kerberos service with your Kerberized credentials. In a Cygwin bash shell, simply run the kinit binary to acquire a new Kerberos ticket as shown below.

– kinit <yourusername@DOMAIN.COM>

Test using kinit; it will work as shown below.
$ kinit user@TECHDIRECT.LOCAL
Password for user@TECHDIRECT.LOCAL:
$
– You can run “klist” to list all your active Kerberos tickets and their expiration dates.

Note: To destroy all the tickets that have been acquired, use the following command:

$ kdestroy

For how to set up Kerberos in Windows (Cygwin), see https://techdirectarchive.com/2020/03/14/kerberos-setup-in-windows-cygwin/. For similar Kerberos errors, see https://techdirectarchive.com/2020/03/21/cannot-find-kdc-for-realm-while-getting-initial-credentials-kinit-configuration-file-does-not-specify-default-realm/

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.

Josh
19 days ago

Amazing!
