
I'm using Ansible to administer a group of Windows servers, with my control machine running CentOS 7.1. I've set up my `/etc/krb5.conf` file to authenticate to a domain controller so I can use one domain account to authenticate to all of my hosts. This works fine - as long as I manually run `kinit user@DOMAIN.COM` first.

The problem is, as soon as I reboot my control machine, the Kerberos ticket expires, and any attempt to run Ansible against the Windows servers results in the standard "no Kerberos credentials" error, until I run kinit again.

Is there a recommended practice for either:

  1. Persisting Kerberos tickets in the event of a system reboot

  2. Authenticating against a specific domain on boot?

EDIT: here's my (modified) output of `realm discover`:

```
[root@server ~]# realm discover
my.domain.com
type: kerberos
  realm-name: MY.DOMAIN.COM
  domain-name: my.domain.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@my.domain.com
  login-policy: allow-realm-logins
```

MadHatter
  • You should automatically get a ticket when you log in, if the system is properly joined to the domain (which it sounds like it is not). Try [joining it properly to the domain](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/realmd-domain.html) and then try again. – Michael Hampton Aug 19 '15 at 18:46
  • Did you log in with a local user account or a domain user account? If a local user account, then you'll always have to run `kinit` manually. – Michael Hampton Aug 20 '15 at 14:17
  • I'm using a domain account to log in - so I shouldn't need to touch `kinit` –  Aug 20 '15 at 16:40
