Now do this in containers with gMSAs. It eliminates the need to pass around Admin creds. Which I cannot stress enough. You shouldn’t be throwing your DA credentials into your random Linux machine’s Kerberos cache.
Amazon open sourced a project trying to solve similar problems.
https://github.com/aws/credentials-fetcher
Nifty, but it was clearly made with AWS assumptions and we had to roll our own with the various hooks we needed for our cloud infra.
metmac | a day ago
> /usr/local/bin/GetDomainAdminPassword
This is goofy. Why not use a keytab?
throwaway2037 | 5 hours ago
I went through a similar journey recently for the local development environment of my team.
I couldn't figure out yet whether there is a reasonable and safe way to authenticate to an AD inside a GitHub Action. Anyone done that?
majoe | 2 days ago
"You should set your hostname to be your FQDN, uppercased."
Never had an issue with this.
"name: initialize Kerberos ticket"
What's the use case for this Ansible task? Never had a need to manually generate tickets.
edit: didn't read it through; this is part of their automation pipeline
--
We manage 1000+ Windows Servers with Ansible and it's been as simple as Linux SSH. Multiple SOCKS5 proxies to different AD forests, WinRM double hop works great when become:true, GPO works just fine on Linux, initial setup is very simple with realmd. Biggest manual task is setting up the service accounts for Ansible.
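Pulling the threads above together (a keytab instead of a password-fetching script, an "initialize Kerberos ticket" task on the control node, and WinRM over Kerberos with become for the second hop), here is an added example playbook. It is not code from the linked article or from any commenter; the realm EXAMPLE.COM, the service principal ansible-svc@EXAMPLE.COM, the keytab path /etc/ansible/ansible-svc.keytab, the inventory group windows, and the vaulted become password are all assumed names for illustration.

```yaml
# Added example, not from the thread. Assumed names: realm EXAMPLE.COM,
# service principal ansible-svc@EXAMPLE.COM, keytab
# /etc/ansible/ansible-svc.keytab (mode 0600), inventory group "windows".
---
- name: Initialize Kerberos ticket on the control node from a keytab
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    krb_principal: ansible-svc@EXAMPLE.COM          # assumed
    krb_keytab: /etc/ansible/ansible-svc.keytab     # assumed
  tasks:
    - name: Inspect the keytab before using it
      ansible.builtin.stat:
        path: "{{ krb_keytab }}"
      register: keytab_stat

    - name: Refuse to run with a missing or loosely permissioned keytab
      ansible.builtin.assert:
        that:
          - keytab_stat.stat.exists
          - keytab_stat.stat.mode == "0600"
        fail_msg: "{{ krb_keytab }} must exist and be mode 0600"

    # No password is ever read by Ansible: kinit authenticates with the
    # long-term key stored in the keytab. This replaces anything shaped like
    # /usr/local/bin/GetDomainAdminPassword, and the principal is a plain
    # service account, not a Domain Admin.
    - name: kinit with the keytab
      ansible.builtin.command:
        argv:
          - kinit
          - -kt
          - "{{ krb_keytab }}"
          - "{{ krb_principal }}"
      changed_when: false

    - name: Confirm a ticket exists in the cache
      ansible.builtin.command: klist
      register: klist_out
      changed_when: false
      failed_when: krb_principal not in klist_out.stdout

- name: Manage Windows hosts with the ticket just obtained
  hosts: windows
  gather_facts: true
  vars:
    ansible_connection: winrm
    ansible_port: 5986
    ansible_winrm_transport: kerberos
    # Assumes the internal CA that issued the WinRM listener certs is
    # trusted on the control node; do not fall back to "ignore".
    ansible_winrm_server_cert_validation: validate
  tasks:
    - name: Single hop - runs under the WinRM logon session
      ansible.windows.win_command: whoami /upn
      register: whoami_out
      changed_when: false

    # Second hop (reaching a file server from the managed host) via become,
    # as the comment above describes: become/runas creates a fresh logon
    # with network credentials. The become password is assumed to come from
    # Ansible Vault for the same service account, not a DA.
    - name: Double hop - read a UNC path as the service account
      ansible.windows.win_stat:
        path: \\fileserver.example.com\share\deploy.zip   # assumed path
      become: true
      become_method: runas
      become_user: "EXAMPLE\\ansible-svc"                  # assumed
      vars:
        ansible_become_password: "{{ vault_ansible_svc_password }}"  # assumed vault var
      register: share_file

    - name: Show both results
      ansible.builtin.debug:
        msg:
          - "WinRM session: {{ whoami_out.stdout | trim }}"
          - "Share reachable after second hop: {{ share_file.stat.exists }}"
```

Run it with `ansible-playbook -i inventory site.yml --ask-vault-pass` (or a vault password file) from a control node that has already been joined with realmd and has a working /etc/krb5.conf. The first play fails closed if the keytab is missing or readable by other users, and the second play never sees a cleartext password for the WinRM hop at all; only the become step for the second hop needs one, and it is a service-account password held in Vault rather than DA credentials sitting in a ticket cache.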