Saturday, April 27, 2019

Ansible to Windows via Kerberos

#####
##### krb5.keytab w. spn stored securely
#####
root@ldaptest:/home/YHL.LOC/ansible/playbooks# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 ansible@YHL.LOC

 #####
##### krb5 klist after logged in
#####
ansible@ldaptest:~/playbooks$ klist
Ticket cache: FILE:/tmp/krb5cc_657801107_o9jMRd
Default principal: ansible@YHL.LOC

 Valid starting       Expires              Service principal
04/27/2019 22:50:06  04/28/2019 08:50:06  krbtgt/YHL.LOC@YHL.LOC
renew until 05/04/2019 22:50:05

 #####
##### ansible hosts
#####
[all]
dnsdc01.yhl.loc
dnsdc02.yhl.loc

 [all:vars]
ansible_user = ansible@YHL.LOC
ansible_connection = winrm
ansible_port = 5985
ansible_winrm_transport = kerberos
#ansible_winrm_cert_validation = ignore
ansible_become = false
###
### ansible-playbook run
###
ansible@ldaptest:~/playbooks$ ansible-playbook -i hosts ipconfig.yml

 PLAY [ipconfig module] *********************************************************

 TASK [setup] *******************************************************************
ok: [dnsdc01.yhl.loc]
ok: [dnsdc02.yhl.loc]

 TASK [run ipconfig command] ****************************************************
changed: [dnsdc01.yhl.loc]
changed: [dnsdc02.yhl.loc]

 PLAY RECAP *********************************************************************
dnsdc01.yhl.loc            : ok=3    changed=1    unreachable=0    failed=0
dnsdc02.yhl.loc            : ok=3    changed=1    unreachable=0    failed=0

 #####
##### klist post ansible run
#####
ansible@ldaptest:~/playbooks$ klist
Ticket cache: FILE:/tmp/krb5cc_657801107
Default principal: ansible@YHL.LOC

 Valid starting       Expires              Service principal
04/27/2019 22:40:12  04/28/2019 08:40:12  krbtgt/YHL.LOC@YHL.LOC
renew until 05/04/2019 22:40:08
04/27/2019 23:02:46  04/28/2019 08:40:12  HTTP/dnsdc01.yhl.loc@YHL.LOC
renew until 05/04/2019 22:40:08
04/27/2019 23:02:46  04/28/2019 08:40:12  HTTP/dnsdc02.yhl.loc@YHL.LOC
renew until 05/04/2019 22:40:08
at No comments:
Subscribe to: Posts (Atom)

Current Audible Reading List

Title You Never Forget Your First: A Biography of George Washington A Self-Made Man: The Politica...

  • OpenVAS Performance Tuning
    As part of a project I'm working on right now I wanted to know what the "optimal" settings were for running OpenVAS on an ODRO...
  • OpenVAS port 80
    By default the OPenVAS security assistant listens on port 80 and redirects connections to port 9392, this causes issues if you want to run a...
  • Installing and using Tor on Max OS/X
    I often have need to use Tor for various testing purposes, mainly to determine how an adversary uses it, and I often just want to run it fro...