Control Windows Hosts with a Non-AD-joined Ansible Container

Intro

We had a need to control Windows hosts in different domains. The only hold-up? We needed to do it with a non-AD-joined container. Turns out, it can totally be done.

Prerequisites

  • The Windows host has to be running WinRM.
  • Alpine base image

Install Required Alpine Packages

apk add --no-cache ansible git python3 py3-pip python3-dev musl-dev krb5 krb5-dev gcc

Install Required Python Libraries

pip3 install --upgrade pywinrm
pip3 install --upgrade 'pywinrm[kerberos]'

Create an Ansible Inventory File (hosts.yaml)

---
all:
  children:
    windows:
      hosts:
        desktop:
      vars:
        ansible_port: 5985
        ansible_connection: winrm
        ansible_winrm_scheme: http
        # Only consulted if the scheme is switched to https; with the kerberos
        # transport the WinRM message payload is encrypted even over plain http
        ansible_winrm_server_cert_validation: ignore
        ansible_become_method: runas
        ansible_winrm_transport: kerberos
        # Needs a forwardable TGT (forwardable = true in the krb5.conf below)
        ansible_winrm_kerberos_delegation: yes
        ansible_host: desktop.example.com

Add the Domain Info to the Kerberos Config (/etc/krb5.conf)

[logging]
[libdefaults]
    # Use host names exactly as given in the inventory; do not rewrite them via
    # forward or reverse DNS before building the HTTP/<host> service principal
    dns_canonicalize_hostname = false
    dns_lookup_realm = true
    # Find the KDCs through DNS SRV records, so no kdc = lines are needed per realm
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    # A forwardable TGT is required for ansible_winrm_kerberos_delegation: yes
    forwardable = true
    rdns = false
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {}
[domain_realm]
    # Maps the host (and any subdomain) to the realm a ticket is requested in;
    # add one pair per domain the container needs to manage
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
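
The [domain_realm] section is what lets a container that is not itself a domain member work out which realm to request a ticket in for each inventory host. As an added example (not from the original post), the Python below parses a constructed krb5.conf with the same layout and resolves a host name to its realm and to the HTTP/host service principal that pywinrm requests; OTHER.TEST is a made-up second realm, included to show how a host in a different domain gets mapped.

```python
import re
# Constructed sample modelled on the krb5.conf above; OTHER.TEST is a made-up
# second realm to show a host in a different domain being mapped.
KRB5_CONF = """\
[libdefaults]
    dns_canonicalize_hostname = false
    rdns = false
    default_realm = EXAMPLE.COM
[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
    .corp.other.test = OTHER.TEST
"""

def parse_krb5_conf(text):
    """Parse flat 'key = value' lines into {section: {key: value}}.
    Nested '{ ... }' realm blocks are not modelled; the sample has none."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def realm_for_host(hostname, conf):
    """Mimic libkrb5's [domain_realm] lookup with DNS canonicalisation off
    (dns_canonicalize_hostname/rdns = false): exact host entry first, then
    the longest '.suffix' entry, then default_realm as the fallback."""
    host = hostname.lower().rstrip(".")
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host]
    suffixes = [k for k in mapping if k.startswith(".") and host.endswith(k)]
    if suffixes:
        return mapping[max(suffixes, key=len)]
    return conf.get("libdefaults", {}).get("default_realm")

def winrm_spn(hostname, conf):
    """Service principal the WinRM Kerberos client asks the KDC for: pywinrm
    uses service name HTTP, so this is the SPN the host must have registered."""
    return f"HTTP/{hostname.lower().rstrip('.')}@{realm_for_host(hostname, conf)}"

CONF = parse_krb5_conf(KRB5_CONF)
```

Running this kind of preflight against each ansible_host shows which realm a ticket will be requested in before Ansible is run. If you `kinit user@EXAMPLE.COM` in the container first, Ansible uses that ticket cache and the password no longer has to be passed on the command line.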

Profit

# ansible 'all' -i hosts.yaml -m win_ping --extra-vars "ansible_user=user@EXAMPLE.COM ansible_password=${pass}"

desktop | SUCCESS => {
    "changed": false,
    "ping": "pong"
}