"You should set your hostname to be your FQDN, uppercased."
Never had an issue with this.
"name: initialize Kerberos ticket"
What's the use case for this Ansible task. Never had a need to manually generate tickets.
edit: didn't read it through; this is part of their automation pipeline
--
We manage 1000+ Windows Servers with Ansible and it's been as simple as Linux SSH. Multiple SOCKS5 proxies to different AD forests, WinRM double hop works great when become:true, GPO works just fine on Linux, initial setup is very simple with realmd. Biggest manual task is setting up the service accounts for Ansible.
Now do this in containers with gMSAs. It eliminates the need of passing around Admin creds. Which I cannot stress enough. You shouldn’t be throwing your DA credentials into your random Linux machine’s Kerberos cache.
Amazon open sourced a project trying to solve similar problems.
5 comments
[ 2.3 ms ] story [ 16.2 ms ] threadNever had an issue with this.
"name: initialize Kerberos ticket"
What's the use case for this Ansible task. Never had a need to manually generate tickets.
edit: didn't read it through; this is part of their automation pipeline
--
We manage 1000+ Windows Servers with Ansible and it's been as simple as Linux SSH. Multiple SOCKS5 proxies to different AD forests, WinRM double hop works great when become:true, GPO works just fine on Linux, initial setup is very simple with realmd. Biggest manual task is setting up the service accounts for Ansible.
https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/realm...
I couldn't figure out yet, whether there is a reasonable and safe way to authenticate at an AD inside a GitHub Action. Anyone done that?
Amazon open sourced a project trying to solve similar problems.
https://github.com/aws/credentials-fetcher
Nifty, but was clearly made with AWS assumptions and we had to roll our own with the various hooks we needed for our cloud infra.