Wednesday, 26 February 2020




Please perform the below pre-requisists to set up the same:- 


1) Install and Configure Kerberos on the Ansible Server - Please refer to my earlier blog for the same. I have pasted the link below:- 

2) Make sure that you are able to ping the Windows Servers from the Ansible Server.

3)  Make sure that you are able to ping the domain from the Ansible server as well.

4) Please approve the patches from the WSUS or SCCM server in your environment. Here we need to make sure that the patches should be downloaded and visible on the Windows Server which is going to be patched.

5) Please follow the below steps for installation and configuration of Kerberos on the Ansible Server,


We have the below demo setup:-

Master Ansible Server -
Windows DC Server - -
Member Server - -

1) Run the below commands to install pre-requisists for kerberos in linux

yum -y group install “Development Tools”
yum -y install epel-release
yum -y install python-devel krb5-devel krb5-libs krb5-workstation
yum install -y ansible python2-winrm
yum -y install python-pip
yum install -y python-requests-kerberos
sudo pip install --upgrade requests-kerberos
pip install --upgrade pip

2) Please make sure that you do the DNS entry for your DNS server in your environment.

3) Edit the krb5.conf file located in the /etc folder.

In the below example, I have done the entries for:-

default_realm = ABC.LOCAL


kdc =
admin_server -

For domain_realm

.abc.local = ABC.LOCAL
abc.local = ABC.LOCAL

4) If kerberos is configured correctly, the below command will ask for the password as shown below:-

5) Once we have configured Kerberos authentication from Ansible to the Windows DC server, we can proceed with the Ansible-Playbook Creation.

6)  I have created the ansible-playbook - patchwin12.yml with the below details:-

I will run the playbook with the command - ansible-playbook patchwin12.yml -i winhost

This playbook will install the patch - KB3042085 on the servers mentioned in the winhost file and will also reboot the servers.If the reboot is set to No then the windows servers will not reboot.

7) Please find the details of the winhost file used in the below example:-

8) Please find the output that the patch has been installed on the server.

We can see the status of the patch installed on the server:-

Note:- Please enter the password for the user - administrator which will be used for authentication on the Windows Servers. Also the winhost group has only 1 server in this example. We can add multiple servers.

No comments:

Post a comment