Manage Windows with Ansible with Kerberos Active Directory authentication

Captions
Manage Windows with Ansible. Ansible is a configuration management platform that can be used to manage Windows operating systems easily, so we're going to take a quick look, a technical overview, of how to configure Ansible for Windows management.

Now, why Ansible for Windows management? Well, there are several reasons, but first and foremost, Ansible is one of the easiest configuration management platforms available. It's quick to get up to speed and gain value from the framework of Ansible very quickly. It's also agentless. Now, this is a big one when it comes to the life cycle management of Windows Server and other endpoints. Agents provide a layer of complexity, so the fewer agents you have to manage and configure and continue to update, the better. Ansible also can manage Windows and Linux. In fact, it cut its teeth on Linux management, but its Windows management capabilities have vastly matured. It can manage both on-premises and cloud technologies, so if you are looking for a platform to provide configuration management not only in on-premises environments but your cloud environments, Ansible provides that hybrid cloud functionality businesses need. So let's dive in and take a look at how to set up Ansible for Windows management.

Okay, so we are ready to get started to see how we can build out our Linux box for managing Windows, and yes, that sounds very contradictory. We're using a Windows server as the target; however, we are going to install Ansible on an Ubuntu 21.04 installation that I just happen to have in the lab. So Ansible is at home on both Linux and Windows platforms as far as the control node, the node that you're going to use to actually perform the configuration management of your Windows hosts. However, you can also load Ansible on Windows as the management platform as well. So what I've done: I've got just a bare-bones Ubuntu 21.04 installation, I've installed the updates, and what I wanted to show you guys is, or I guess just by way of overview, what are we going
to do? What are we trying to accomplish here? Well, in this quick technical overview of standing up Ansible to manage Windows, we are going to install the prerequisites as well as Ansible, and then I'm also going to quickly show you how to get your Ansible control server ready to integrate with Kerberos, because most that are going to use this for Windows environments are going to have Active Directory running. So one of the first things I'm going to do is I'm going to just show you guys I can ping the domain controller that I have running in the lab, so that's good.

Now, by way of prerequisites, what I have done is I have a simple Notepad document that I'm going to just briefly overview with you guys as to the requirements that I am going to install. So a lot of what is listed here is Python related as well as Kerberos related, to have Ansible in a place on our Linux server where we can actually integrate with Active Directory. So if you were simply going to just install Ansible, a lot of these prereqs are not needed; however, in my opinion, if you're going to want to configure your Ansible environment to be valid for controlling Windows and configuration management, these are the components that I am standing up in my lab. So as you can see here, we've got some Kerberos-related prereqs, we've got python3 pip, we have of course pip3 installed, we've got pywinrm, which is one of the requirements for managing Windows with Ansible, because if you understand or have seen Ansible work in the past with Linux, it uses port 22, so it SSHs into Linux boxes for management. So with Windows servers it actually uses WinRM, which makes sense. So we install prereqs related to WinRM, Kerberos, and of course more Kerberos-related prereqs, and then finally we have our Ansible installation. So what I am going to do, I want to show you guys: what I have is that same grouping of prereqs, and I have those in just a simple sh file, so just a shell script file.
In fact, if we go back here and I'm going to look at install, and we can see this just a little bit better here in this window, so the same requirements, the same file basically as I brought up in that Notepad document. So just wanted to show you guys that first of all. So what I'm going to do, I'm going to launch that script and it's going to go through and it's going to install those prerequisites, and what I will do is I'm going to post those prerequisites in just a simple list of what you need to install to get up and running managing your Windows servers in the description for the video, and also I'll link it out to my GitHub page as well. So what I'm going to do here is get the script run, and actually, let's see, let's do chmod on that to where we can execute, and then we will install our prereqs here. Okay, and you're going to see just everything starting to install, and what I'm going to do is I'm going to of course pause the video on my side and then come back to you guys once the prereqs as well as Ansible are installed.

One quick screen I wanted to grab as the prereqs were installed, or are being installed, is the default Kerberos version 5 realm configuration. So as you can see, it will populate with just the generic that comes out of the installation for Kerberos, and I am typing in, in all uppercase, the Kerberos domain realm for my environment. So I'm going to do that, and I believe we get another Kerberos message here shortly. Getting some kernel messages, I've got a reboot, so, and that may be the only one. So I just wanted to show you guys that that screen will pop up as you are installing some of the Kerberos dependencies. So I'll be back here shortly.

Okay guys, I came back from installing the prereqs as well as Ansible. We can see that Ansible is indeed installed, get a return on the commands and everything, so we're all good there. One thing I wanted to now go into, now that we have the prerequisites installed for managing Windows with Ansible for configuration
management, is configuring Kerberos. Now this is a bit intimidating sometimes to people, trying to configure Ansible for Kerberos, but actually it's not too bad, and I'm going to walk you guys through how to get this up and running fairly quickly. So what I'm going to do is swap over to WinSCP. I'm going to go to etc, and down there is a file that is called krb5, so let's edit that and straighten this up here so you guys can see. What you see in this default krb5 config file is the default, just kind of example data for configuring your realm as well as your domain information as well as server information. So what I have that I'm going to paste in for you guys is the configuration file that I have for my lab domain. So what I'm going to do here, close that out, I want to paste that in so you guys can see it nice and neat on one screen and just kind of walk through this.

So we've got just simple sections: we've got a logging section, we have a libdefaults, which defines the default realm, crypto configuration information, and then we've got a realms section. So what you have to do with this syntax in the krb5 file is define your domain, your realm, and define the servers that are responsible for authentication. And as you note here, I am using all uppercase for the domain. I know early on I ran into issues when I was working with Ansible trying to get Kerberos working correctly using lowercase. So as you noted in this installation screen, when I showed you guys how I just backed over the test.local, the example file was all uppercase, so I'll put that in as all uppercase. So we want to mimic that in this krb5 file, and that's what I've done. So basically this is the information for my lab domain that I have running, so hopefully we'll be good there. And as I showed, I think I showed this earlier in the video, oh, let me save that. I think I showed this; I want to make sure that we can ping that server, which we can. So this is the domain
controller that is hosting that realm that we need to use for Kerberos. So what we need to do now is issue a command called kinit, and we pass in the administrator account or whatever account you want to use to bind with. So that's what I'm going to do, again uppercase, typing in the password, and if you don't get an error, that means that it's successful. And we can list the command, or use the command klist, to actually see that Kerberos ticket that we received. If you want to get rid of a ticket you can; if you want to get rid of all Kerberos tickets, you can say kdestroy, and now if we go to klist, whoops, klist, we don't have anything. So again, let me go back to administrator account, klist, and we have our Kerberos ticket. Now as you can see, it gives you an expiration time for this ticket, so you want to make sure, for your Ansible operations, that you are actively authenticated, because just like in the real world with domain authentication in other areas, those tickets do expire and have to be renewed for security reasons. So that is that.

Now that we see that we have a Kerberos ticket, I'm going to go through the structure of the files that we need to work with Ansible. So I have, just in the root account, my home directory, just a simple folder called cloud local, and as you can see I've got just a simple structure here: I've got a group_vars folder and I have a vms folder, and then I also have an inventory.yaml file. So this inventory.yaml file that I have on the server, I'm going to edit that and just show you guys the contents of this file. Very simple, but basically in Ansible we can have groups of servers, and then for those groups of servers we can have different connection mechanisms, whether we're using WinRM or SSH; we can have different tasks, so to speak, that we want to run against those groups of servers. So if you think about this, this is like roles of servers, if you will, lists of servers that we want
to group together to run certain commands, certain configuration management, as opposed to other servers. So I have a couple of different lists of servers in these blocks, and notice they're in brackets, with a server name, all caps domain. So I've got those listed in the inventory file. Ansible uses this inventory file to work from, so when we start working with the commands we can pass in various roles that are contained within that inventory file.

And then also I have a group_vars folder. Now this group_vars folder also has a YAML file, and notice how it's named according to the role that is defined in inventory. Once again, we've got vms enclosed in brackets, and then we've got group_vars, and then we've got vms.yaml, so it knows to match those up based on the naming convention. So here is where Ansible actually knows how to connect to your group of Windows servers, because here I'm specifying I want to use the same username that we listed out and got the Kerberos ticket for using the kinit command. So I have the domain user, I'm telling it I want to connect via WinRM, the Ansible port, which is the WinRM port, here I'm using Kerberos, I want to ignore certificate validation, and we've got Ansible become set to false. So that is our group_vars, so it knows based on that information how it's going to make the connection to the particular server or servers that are listed.

Then inside of the vms folder I have tasks and templates. We're not going to worry about templates for this tutorial, but I have the tasks folder. krb5 is not supposed to be in here; I'm going to delete that, and I'm going to show you guys the main.yaml file. So under tasks, main.yaml, and what I have here, and to do edit, not open, what I have here is a simple playbook that is going to use Chocolatey to install Google Chrome. So simple: we're going to basically use the Ansible command win_chocolatey and we're going to tell Ansible to
use that module to install Google Chrome. So again, simple, and we're going to show how simply and easily this playbook results in success for automated installation of that software. So again, main.yaml; these are tons of other files that I've copied and tested various things, so just ignore those for now. I'm going to go back up again to the directory structure so you can see those.

So now let's go into actually testing connectivity to the servers in question that we want to control with Ansible. Now, to test connectivity to servers we want to control, there's a very simple command, and we're going to use a certain syntax here. So we're going to say ansible, we're going to use the inventory name, so we're going to say ansible vms, tell it the inventory file, and then -m win_ping, and we're going to do just verbosity 1v. Now with Ansible, the more v's that you add, the more logging detail that you get, so I'm just going to do a single v here. So what this is going to do, it's going to go out and hit every server that I have listed under vms, which at this point is just one server, telling it the inventory file and then the special Ansible command win_ping. And what win_ping does is it goes out and uses WinRM to ping the server, in other words, see if it can successfully connect via WinRM, which is a prerequisite. If this fails, then we can't really move on until we resolve that connectivity to the servers, so really handy command.

So I'm going to hit enter, and I've got to be in the directory where I have my inventory. Rerun the command again, hopefully different results here, and as you can see, scoot this up a little bit here, as you can see, we have a success. So the Ansible control node that I am currently on, tell you what, I'm going to go up here and let this run again so we can have it in screen. So the Ansible control node, it goes out via WinRM and it has successfully hit a server that is running, that I have listed in the inventory,
and when you see a green response, that is good. I mean, obviously it says success, so we know we're good to proceed with actually running Ansible commands and configuration management on this server. So again, this tells us we also are good from an Active Directory standpoint, because we're using that user with that Kerberos ticket that we created earlier to connect to win22 ansible, which is a Windows Server 22 box that I have running in the lab environment. So now we know we're good to move forward.

So what I'm going to do is show you guys as well, I'm going to look at, let me grab this file real quick. So now that we know we have good connectivity, we're going to run the task that has been assigned for this particular set of VMs, or single VM in this case. So if you go back in, we pulled this up earlier, we're going to run this main.yaml file. So I'm going to look at it and show you guys what we're dealing with. Again, we're using Chocolatey, the Ansible module win_chocolatey, and we're going to install Google Chrome, so that is the simple automation that we're going to perform at this point. So here is the win22 ansible server, and I have it up and running, no issues, clean box, does not have Chrome installed. We should be able to see the Chrome icon eventually show up on the desktop, so that's how we know it's successful, along with obviously the successful message that we're going to get using Ansible.

So to actually run the Ansible playbook, we're going to use a different command: we're going to use the ansible-playbook command. We're going to pass in the inventory file and we're also going to pass in the playbook file. Now let me back up real quick. I'm going to show you guys I have copied in the install chrome.yaml file, which is the file that we had in the group_vars folder under the task folder, but I want to show you guys the simplest way to run this playbook, just directly from the ansible-playbook command line. So what we're going to do, once
again, we're going to say ansible-playbook inventory.yaml, and we're going to simply pass in the install chrome.yaml file. Actually, I don't need the saw chrome yaml file. I'll do 1v here and we will let this run. Now what Ansible's doing, it is looking at the playbook, it's looking at the inventory machines that are contained under the vms role that we have, and the reason for that is, if you remember, in the install chrome YAML, and I'll show this after completion, the host entry points to the vms inventory group. So we'll look at that, and I'm going to pause the video just for a second while this finishes up, and we'll take a look.

Okay guys, so we are back. The playbook just finished; it only took maybe 15-20 seconds, and as you can see, we got some feedback here, output from running the ansible-playbook command. We get an okay, we see what directives were changing, or how many things, I guess, if you will, items in the playbook were changed, which is helpful, and we don't see any that were failed, skipped, unreachable. And we see this designated in yellow, and that's one thing about Ansible output: it normally does a good job of color coding everything by default, so you can kind of easily spot errors or things that need attention. So if I flip over to the Windows Server 2022 box, we can see that I now have Google Chrome.

So pretty cool what Ansible can do, and this is just managing Windows from the command line using Ansible. Super easy, lots of really great playbooks that are already out there. I've used Ansible to kick off Windows updates, to configure Windows servers like in lab environments, if you need certain BGInfo settings, if you need certain software installed, if you need utilities, whatever the case is, any type of configuration. Really handy to be able to quickly and easily, just with a little simple command line, manage your Windows configuration management from such a powerful tool. So I hope this video has been extremely helpful to you guys. If you're looking
to get your feet wet with configuration management using Ansible to manage Windows Server, it's super easy to do, even with Kerberos authentication. As you can see, just a couple of files that I needed to change: getting those credentials, putting the text files in the right place to know how it needs to connect using WinRM, and then configuring your playbook, and so super easy. So hopefully you guys have found this helpful and will subscribe to the channel. I look to have more how-to videos and technical overviews of various technologies that I find extremely helpful in the various roles that I encounter in the enterprise. So until next time, guys, I really enjoyed it. Please once again hit like, subscribe, and check out the channel for future videos.
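An added example, not part of the video or the presenter's files: a small Python audit of the group_vars connection settings described in the captions (WinRM connection, Kerberos transport, uppercase realm, certificate validation). The account, the `example.local` realm, port 5986 and the CA bundle path are constructed placeholders, and the parser assumes a flat `key: value` file.

```python
# Added example (not from the video): audit a flat Ansible group_vars file
# for the WinRM/Kerberos connection settings described in the captions.

# Constructed sample; account, realm and port are placeholders (assumptions).
AS_DESCRIBED = """\
---
ansible_user: administrator@example.local
ansible_connection: winrm
ansible_port: 5986
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore   # setting chosen in the video
ansible_become: false
"""

# Constructed stricter variant; the CA bundle path is hypothetical.
STRICTER = """\
---
ansible_user: administrator@EXAMPLE.LOCAL
ansible_connection: winrm
ansible_port: 5986
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: validate
ansible_winrm_ca_trust_path: /etc/ssl/certs/lab-ca.pem
ansible_become: false
"""

def parse_flat_vars(text):
    """Parse top-level 'key: value' lines; enough for a flat group_vars file."""
    parsed = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("#") or line == "---":
            continue
        key, sep, value = line.partition(":")
        if sep:
            parsed[key.strip()] = value.strip().strip("'\"")
    return parsed

def audit(text):
    """Return a sorted list of finding ids for one group_vars document."""
    v = parse_flat_vars(text)
    findings = []
    if v.get("ansible_connection") != "winrm":
        findings.append("connection-not-winrm")
    if v.get("ansible_winrm_transport") != "kerberos":
        findings.append("transport-not-kerberos")
    realm = v.get("ansible_user", "").partition("@")[2]
    if not realm:
        findings.append("user-missing-realm")
    elif realm != realm.upper():                   # AD realms are uppercase
        findings.append("realm-not-uppercase")
    if v.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("cert-validation-ignored")  # server identity unchecked
    password = v.get("ansible_password", "")
    if password and not password.startswith(("!vault", "{{")):
        findings.append("plaintext-password")       # ticket from kinit suffices
    return sorted(findings)

if __name__ == "__main__":
    print("as described:", audit(AS_DESCRIBED))
    print("stricter:    ", audit(STRICTER))
```
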
Info
Channel: VirtualizationHowto
Views: 197
Keywords: active directory, ansible, automation, configuration management, devops, kerberos, management, python, python3, windows, winrm
Id: M18yDGAd9TU
Length: 27min 31sec (1651 seconds)
Published: Thu Oct 28 2021