HN Reader

Now do this in containers with gMSAs. It eliminates the need of passing around Admin creds. Which I cannot stress enough. You shouldn’t be throwing your DA credentials into your random Linux machine’s Kerberos cache.

Amazon open sourced a project trying to solve similar problems.

https://github.com/aws/credentials-fetcher

Nifty, but was clearly made with AWS assumptions and we had to roll our own with the various hooks we needed for our cloud infra.

I went through a similar journey recently for the local development environment of my team.

I couldn't figure out yet, whether there is a reasonable and safe way to authenticate at an AD inside a GitHub Action. Anyone done that?

"You should set your hostname to be your FQDN, uppercased."

Never had an issue with this.

"name: initialize Kerberos ticket"

What's the use case for this Ansible task. Never had a need to manually generate tickets.

edit: didn't read it through; this is part of their automation pipeline

--

We manage 1000+ Windows Servers with Ansible and it's been as simple as Linux SSH. Multiple SOCKS5 proxies to different AD forests, WinRM double hop works great when become:true, GPO works just fine on Linux, initial setup is very simple with realmd. Biggest manual task is setting up the service accounts for Ansible.