[AWS] Deploy Ansible for linux and Windows Domain Joined

Installation Details

  1. Infrastructure: AWS

  2. AMI ID: RHEL-8.2.0_HVM-20200423-x86_64-0-Hourly2-GP2 (ami-07dfba995513840b5)

  3. Instance type : t2.medium

  4. Instance Hardware: 2vcpu , 4G Memory.


Before we start

Install Vim:

sudo yum install vim


Update Packages

sudo yum update

Prepare For Installation

Change the Hostname:

sudo vim /etc/hostname

Add DNS in hosts file.

sudo vim /etc/hosts

Install epel Repo:

yum -y install [<https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm>](<https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm>)

Install Ansible:

sudo yum install ansible

General Configuration Ansible

Create user:

sudo useradd ansible

Generate password:

passwd ansible 

Login with ansible user:

sudo su - ansible

Give Sudo Permissions:

  1. Change user to root

sudo su -
  1. Give ansible sudo privileges (Centos)

[root@itansible ~]# usermod -aG wheel ansible
[root@itansible ~]# sudo su - ansible
[ansible@itansible ~]$ id ansible
uid=1001(ansible) gid=1001(ansible) groups=1001(ansible),10(wheel)

[ansible@itansible ~]$ sudo visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
ansible         ALL=(ALL)       NOPASSWD: ALL
ec2-user        ALL=(ALL)       NOPASSWD: ALL


login back to you ansible user and Create SSH key pair.

[ansible@itansible ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ansible/.ssh/id_rsa):
/home/ansible/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): ******


Configure Linux Managed Hosts:

  1. Create user and password name ansible

  2. Copy the ssh public key from ansible master to to the managed hosts.

# On the managed host, switch to ansible user
Type the command  =  cd .ssh/
# Create authorized_keys file
vim authorized_keys
# Go to ansible master and copy the public key:
cat ~/.ssh/id_rsa.pub [select and copy to your clipboard]
# ssh into ansible managed hosts, and append the contents of that to the authorized_keys file:
[paste your clipboard contents to the authorized_keys file:]
  1. Give sudo permissions (Ubuntu)

ansible@ip-10-64-118-34:~$ sudo visudo

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
ansible     ALL=(ALL) NOPASSWD:ALL


Configure Ansible for Linux

  1. log in to the Ansible Master with the user ansible

  2. Create a linux project directory in ansible home folder

mkdir linux
  1. in the linux directory create 2 file.

[ansible@itansible linux]$ ls
ansible.cfg  inventory
  1. Configure ansible.cfg file like this:

remote_user = ansible
host_key_checking = false
inventory = inventory
become = true
become_method = sudo
become_user = root
become_ask_pass = false
  1. Configure inventory file like this:


  1. Test the connection examples:

[ansible@itansible linux]$ ansible all -m command -a "id ansible"
itansible-slave | CHANGED | rc=0 >>
uid=1001(ansible) gid=1001(ansible) groups=1001(ansible),27(sudo)

[ansible@itansible linux]$ ansible all -m user -a name=test
itansible-slave | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    "changed": true,
    "comment": "",
    "create_home": true,
    "group": 1002,
    "home": "/home/test",
    "name": "test",
    "shell": "/bin/sh",
    "state": "present",
    "system": false,
    "uid": 1002


Configure Ansible for Windows

  1. log in to the Ansible Master with the user ansible

  2. Create a windows project directory in ansible home folder

mkdir windows

Installing the Kerberos Library

# via Yum (RHEL/Centos/Fedora)
sudo yum -y install gcc python-devel krb5-devel krb5-libs krb5-workstation
sudo yum -y pip3 install "pywinrm>=0.2.2"


Configuring Kerberos

Edit your /etc/krb5.conf (which should be installed as a result of installing packages above) and add the following information for each domain you need to connect to:

ansible@ip-10-64-118-34:~$ cat /etc/krb5.conf
default_realm = mydomain.com (Enter your domain)
dns_lookup_realm = true
dns_lookup_kdc = true

Testing a kerberos connection

If you have installed krb5-workstation (yum) or krb5-user (apt-get) you can use the following command to test that you can be authorised by your domain controller.

kinit user@MY.DOMAIN.COM


To see what tickets if any you have acquired, use the command klist


Create Inventory,Config,Variables file

[ansible@itansible windows]$ ls
ansible.cfg group_vars inventory winvars winvars.yml

Create Inventory file

[ansible@itansible windows]$ vim inventory


Create config file

[ansible@itansible windows]$ vim ansible.cfg

host_key_checking = false
inventory = inventory

Create Group_vars directory and variables file

mkdir group_vars
[ansible@itansible group_vars]$ vim windows
ansible_user: user@ARGUS-LOCAL
ansible_password: password
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore


Configure Windows Managed Hosts

To configure the Windows Server for remote management by Ansible requires a bit of work. Luckily the Ansible team has created a PowerShell script for this. Download this script from [here] to each Windows Server to manage and run this script as Administrator.

Log into WinServer1 as Administrator, download ConfigureRemotingForAnsible.ps1 and run this PowerShell script without any parameters.

Once this command has been run on the windows 10 , return to the Ansible master Controller host.

Test Connectivity to the Windows Server

If all has gone well, we should be able to perform an Ansible PING test command. This command will simply connect to the remote WinServer1 server and report success or failure.

Type: ansible windows -m win_ping


#Ansible #Devops #Linux

2 views0 comments