Documentation

12. User Authentication with Kerberos

The following tip explains how user authentication via Active Directory (AD), also referred to as authentication through Kerberos, can be done for Ansible Tower.

First, setup the Kerberos packages in the Tower system so that you can successfully generate a Kerberos ticket. To install the packages, use the following steps:

yum install krb5-workstation
yum install krb5-devel
yum install krb5-libs
pip install kerberos

Once installed, edit the /etc/krb.conf file, as follows, to provide the address of the AD, the domain, and so forth:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WEBSITE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 WEBSITE.COM = {
  kdc = WIN-SA2TXZOTVMV.website.com
  admin_server = WIN-SA2TXZOTVMV.website.com
 }

[domain_realm]
 .website.com = WEBSITE.COM
 website.com = WEBSITE.COM

Once the configuration file has been updated, you should be able to successfully authenticate and get a valid token. The following steps show how to authenticate and get a token:

[root@ip-172-31-26-180 ~]# kinit username
Password for username@WEBSITE.COM:
[root@ip-172-31-26-180 ~]#

Check if we got a valid ticket.

[root@ip-172-31-26-180 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: username@WEBSITE.COM

Valid starting     Expires            Service principal
01/25/16 11:42:56  01/25/16 21:42:53  krbtgt/WEBSITE.COM@WEBSITE.COM
  renew until 02/01/16 11:42:56
[root@ip-172-31-26-180 ~]#

Once you have a valid ticket, you can check to ensure that everything is working fine from command line. To test this, make sure that your inventory looks like the following:

[windows]
win01.WEBSITE.COM

[windows:vars]
ansible_ssh_user = username@WEBSITE.COM
ansible_connection = winrm
ansible_ssh_port = 5986

Make sure the hostname is the proper client hostname matching the entry in AD and is not the IP address. Also, in the username declaration, ensure that the domain name (the text after ” @ ”) is in properly entered with regard to upper- and lower-case letters, as Kerberos is case sensitive. For Tower, you should also ensure that the inventory looks the same.

Note

If you encounter a Server not found in Kerberos database error message, and your inventory is configured using FQDNs (not IP addresses), ensure that the service principal name is not missing or mis-configured.

Now, if you were to run a playbook, it should run as expected. Test this by running the playbook as the awx user.

Once you have verified that playbooks work as they should, integration with Tower is easy. Generate the Kerberos ticket as the awx user and Tower should automatically pick up the generated ticket for authentication.

Note

The python kerberos package must be installed. Ansible is designed to check if kerberos package is installed and, if so, it uses kerberos authentication.

A problem you may encounter is that a ticket would be generated every 24 hours (as the default life time of a ticket is 24 hours). To change this, edit the /etc/krb.conf file.

Another solution is to use cron to kinit the process every 24 hours. To automate this, you must generate a keytab file which stores the user password so that kinit will not prompt for the user password. Use the following steps to generate this keytab file and then get the kerberos ticket:

> ktutil
  ktutil:  addent -password -p username@WEBSITE.COM -k 1 -e rc4-hmac
  provide password
  ktutil:  wkt username.keytab
  ktutil:  quit

Now, add the following command to cron:

kinit username@WEBSITE.COM -k -t username.keytab

Note

Make sure the system time is in sync between AD, Tower, and the clients.

Note

Client hostnames can looked up via DNS, both normally and reversed.