Configuration Management Tool

What to note when setting up Ansible to work with Kerberos

Kerberos is reliant on a properly configured environment to work. To troubleshoot Kerberos issues, check the following:

– The hostname set for the Windows host is the FQDN and not an IP address.

– The forward and reverse DNS lookups are working properly in the domain. To test this, ping the Windows host by name and then use the IP address returned with nslookup. The same name should be returned when using nslookup on the IP address.

– The Ansible host’s clock is synchronized with the domain controller. Kerberos is time-sensitive, and even a small amount of clock drift can cause the ticket generation process to fail.

– Ensure that the fully qualified domain name for the domain is configured in the krb5.conf file. To check this, run:

kinit -C username@MY.DOMAIN.COM

Then run klist to list all your active Kerberos tickets and their expiration dates:

klist

– If the domain name returned by klist is different from the one requested, an alias is being used. The krb5.conf file needs to be updated so that the fully qualified domain name is used and not an alias.

Ensure the realms are written in CAPS because Kerberos is case-sensitive; see the link below for more details.
https://techdirectarchive.com/2020/03/14/configuring-kerberos-for-ansible-authentication/
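The checks above, as an added example that is not part of the original post: POSIX shell functions that validate the values ping, nslookup, kinit and klist return (FQDN vs. IP, clock drift against the KDC tolerance, the realm klist reports vs. the one requested, and upper-case realm names in krb5.conf). All host names, realms and file contents used with them are constructed.

```shell
# Added example, not from the original post: shell checks for the Kerberos
# prerequisites above, applied to the values ping/nslookup/kinit/klist return.
# All names and realms below are constructed.

# 1. The Windows host must be addressed by FQDN, not an IP or a short name.
is_fqdn() {
  case "$1" in *.*) ;; *) return 1 ;; esac        # needs at least one dot
  printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){3}$' && return 1  # not an IPv4
  return 0
}

# 2. Clock drift between the Ansible host and the DC must stay inside the
#    KDC tolerance (MIT clockskew default: 300 s; override with $3).
clock_drift_ok() {  # $1 = local epoch seconds, $2 = DC epoch seconds
  d=$(( $1 - $2 ))
  [ "$d" -lt 0 ] && d=$(( -d ))
  [ "$d" -le "${3:-300}" ]
}

# 3. The realm klist reports for the default principal must equal the one
#    given to kinit; a different realm means an alias is in use.
klist_realm() {  # $1 = full klist output
  printf '%s\n' "$1" | sed -n 's/^Default principal: .*@//p'
}
realm_matches() {  # $1 = principal given to kinit, $2 = klist output
  [ "${1#*@}" = "$(klist_realm "$2")" ]
}

# 4. Realm names in krb5.conf (default_realm and [realms] keys) must be
#    upper-case, since Kerberos treats realm names case-sensitively.
krb5_realms_upper() {  # $1 = path to krb5.conf
  realms=$(awk '
    /^[[:space:]]*\[/ { sect = $0; sub(/^[[:space:]]+/, "", sect) }
    sect == "[libdefaults]" && /^[[:space:]]*default_realm[[:space:]]*=/ {
      sub(/.*=[[:space:]]*/, ""); print }
    sect == "[realms]" && /=[[:space:]]*[{]/ {
      sub(/[[:space:]]*=.*/, ""); sub(/^[[:space:]]+/, ""); print }
  ' "$1")
  status=0
  for realm in $realms; do
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] ||
      { echo "realm not upper-case in $1: $realm" >&2; status=1; }
  done
  return $status
}
```

Run the network-facing commands yourself, then feed their output to these functions, e.g. `realm_matches username@MY.DOMAIN.COM "$(klist)"`.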
