Popular Posts

Thursday, November 14, 2024

Setting up Ansible control node for managing Linux and Windows hosts

Background

In this post, I will walk you through the complete end-to-end procedure for setting up an Ansible controller node and setting up the connection for managing RHEL and Windows Server nodes.


Azure setup

I have created 3 servers and placed them in a simple network configuration.

Infra:

    10.0.3.4 ansiblecontrol (RHEL 8.7)

App:

    10.0.5.4 linuxnode1 (RHEL 8.7)

    10.0.5.5 windowsnode1 (Windows Server 2019)





OS preparation

Ensure all hosts are configured with the correct FQDN and IP configurations. This is more so important when dealing with domain-joined nodes.

ex:

  • run hostnamectl set-hostname ansiblecontrol.local.vanguard.com to set the hostname for RHEL
  • add DNS suffix to computer name on System Settings on Windows Server

Make sure the control node can reach the managed nodes in the absence of DNS by adding entries in /etc/hosts




Setting up Ansible on Control node

  1. Install ansible sudo yum install ansible

     2. Generate SSH key pair for ansible user ssh-keygen


     3. Copy public key to linuxnode1 ssh-copy-id linuxnode1.local.vanguard.com


     4. Install pywinrm for managing Windows nodes pip3 install "pywinrm>=0.3.0"



     5. Import windows module collection ansible-galaxy collection install ansible.windows




Setting up Linux managed node

    1. Add ansible user on linuxnode1 sudo useradd ansible
    2. Add ansible user in the sudoers file for password-less authentication for all elevated commands using sudo visudo




    Setting up Windows managed node

         1. Ensure PowerShell version is 5.0 and above using $PSVersionTable command. Also make sure .NET version is later than 4.0. However, with newer Windows Servers, this shouldnt be an issue.

        2. Set up WinRM listener on port 5986 for HTTPS transport. This requires the creation of a self-signed certificate. Ansible has provided a script for this task which is available to download on GitHub



        2. Additionally, make sure Windows Firewall is switched off


    Sample Ansible directory setup

    1. Create inventory file by grouping the 2 managed nodes by operating system


        2. Define group_vars.

            Create a new file called windows.yml in group_vars. The contents of the file defines the connection parameters that will be used by ansible to connect with hosts under the windows group of the inventory file. This will also work for any dynamic inventory as long as those hosts are also added to the windows group during playbook runtime.
             
            For domain-joined windows servers, it is advised to use the more secure kerberos instead of ntlm. In such cases, kerberos packages must be installed and krb5.conf configured on the ansible control node to obtain kerberos tickets from the AD domain.



        3. Encrypt windows group_vars using ansible-vault to protect sensitive information
            ansible-vault encrypt windows.yml
        

        4. Perform a ping to verify connectivity using ad-hoc ping command. Make sure to use --ask-vault-pass for windows nodes









    Sample playbook

     1. The following playbook will install webserver on both nodes depending on their OS



    2. Execute the playbook first by doing a dry-run

    ansible-playbook installwebserver.yml -i testservers --check --ask-vault-pass



    3. Run the playbook

    ansible-playbook installwebserver.yml -i testservers --ask-vault-pass





    Saturday, November 9, 2024

    Password sync issues between AD and Entra ID - ‘User must change password at next logon’

    Background

    You want to reset a user's password in an Entra ID-connected Active Directory environment.


    Issue

    In Active Directory Users and Computers, you reset a user's password by making sure 'User must change password at next login' is selected.









    The password was reset successfully. However, after allowing enough time for the Entra Connect sync, the user cannot authenticate with the new password on M365 and/or the company portal. The error message indicates an incorrect password.


    Troubleshooting steps

    In the Entra ID admin portal, the password for the same user is reset, enabling successful authentication into web-based services, with the updated password also reflected in Active Directory.

    It appeared that the password hash sync only works from Entra to AD, not the other way around.

    If the ‘User must change password at next logon’ flag was deselected when the password was reset, it would work across both Entra and AD.


    Conclusion

    The ‘User must change password at next logon’ flag will not sync with Entra unless the ForcePasswordChangeOnLogOn feature is enabled on the Entra ID tenant (see below).

    Implement password hash synchronization with Microsoft Entra Connect Sync - Microsoft Entra ID


    If the option ‘User must change password at next logon’ is selected in Active Directory, but that feature is not enabled in Entra ID, password changes will not be synced (see below).

    azure-content/articles/active-directory/active-directory-aadconnectsync-implement-password-synchronization.md at master · toddkitta/azure-content

    As a workaround, 'User must change password at next logon’ was deselected during password reset until changes were made to the Entra ID tenant.