Connect to WinRM using domain account from ansible controller not joined into AD domain

The previous discussion only covers managing a Windows PC with a local username/password. In order to manage a domain-joined Windows PC we have to install the Kerberos module for Ansible. Below is a guide for setting up an Ansible controller to manage a domain Windows PC while the controller itself is not a member of the domain.

1, Even though the Ansible controller does not need to join the domain, the controller machine must be able to reach the domain's DNS and NTP services (Kerberos fails on clock skew). If possible, configure the controller to use the same NTP server as the domain.

To see which NTP peers the Windows host uses, enter “w32tm /query /peers” at a Windows command prompt.

2, Join the domain network and acquire an IP address, WINS, DNS etc. from the domain network; this happens automatically via DHCP when the Ansible controller is connected to the domain network.

3, Install Kerberos support for Ansible (example for Mac OS X; the PyPI package is requests-kerberos, and the extra is quoted so the shell does not expand the brackets):

pip install requests-kerberos
pip install 'pywinrm[kerberos]'

4, Configure kerberos

Edit the /etc/krb5.conf file; if krb5.conf does not exist, create one.

below is an example of krb5.conf file:

mac-c02t6npagtfj:etc grayin$ vi krb5.conf

[appdefaults]
        krb5_run_aklog = 1
        krb5_aklog_path = /usr/local/krb5/bin/aklog
        default_lifetime = 25h
        telnet = {
                autologin = 1
        }
        xdm = {
                retain_ccache = 1
                afs_retain_token = 1
        }
        pam = {
                ticket_lifetime = 90000
                renew_lifetime = 90000
                forwardable = true
        }

[libdefaults]
        forwardable = true
        default_realm = LFAD.LFNET.SE

[realms]
        DOMAIN.COM = {
                kdc = E00DC0008.DOMAIN.COM
                admin_server = E00DC0008.DOMAIN.COM
                default_domain =
        }

[domain_realm]
        DOMAIN.COM = DOMAIN.COM

[kdc]
        profile = /etc/kdc.conf

[logging]
        default = SYSLOG:INFO:LOCAL6


[realms] and [domain_realm] are the sections where the new domain information needs to be added. On the Windows host, echo %logonserver% shows the authenticating domain controller. If you just want to identify which domain controller the user retrieved group policies from, type gpresult /r.

5, Test the Kerberos connection

kinit user@MY.DOMAIN.COM

# To see what tickets, if any, you have acquired, use the command klist


mac-c02t6npagtfj:ansible_test grayin$ kinit username@DOMAIN.COM
username@DOMAIN.COM's password: 

mac-c02t6npagtfj:ansible_test grayin$ klist
Credentials cache: API:FA05485A-8E6B-45F8-9526-D4B4EEDA5D1D
        Principal: username@DOMAIN.COM
  Issued                Expires               Principal
Mar  8 14:49:48 2018  Mar  9 00:49:44 2018  krbtgt/DOMAIN.COM@DOMAIN.COM

Once you have a valid ticket, you can check from the command line that everything is working as expected. To test this, make sure that your inventory looks like the following:


ansible_user = username@DOMAIN.COM
ansible_connection = winrm
ansible_port = 5986
# Authenticate with the Kerberos ticket obtained by kinit:
ansible_winrm_transport = kerberos
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation = ignore

In particular, “ansible_winrm_transport” can be changed to ssl if you want to authenticate with a local account on the Windows PC. When connecting to a Windows host there are several authentication options that can be used; refer to the table below:

Option        Local Accounts   Active Directory Accounts   Credential Delegation
Basic, ssl    Yes              No                          No
Certificate   Yes              No                          No
Kerberos      No               Yes                         Yes
NTLM          Yes              Yes                         No
CredSSP       Yes              Yes

6, Make sure that the managed Windows PC is listening on 5986 and that the firewall on the PC is either turned off or allows traffic to/from port 5986. To check the current configuration settings, type winrm get winrm/config on the Windows host. To check that TCP 5986 is listening and no firewall is blocking it, type telnet win01 5986 from the Ansible controller.

It can be a real headache to turn off Windows Defender when the “off” button is greyed out, whether in Windows Security Center, Windows Firewall & Network, or Windows Defender. The most efficient way for me was to go directly to regedit and change the value there.

Under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, find the “start” value under domain/private/public separately and change the value from 1 to 0.

Of course you can allow the WinRM HTTPS 5986 application through the firewall's “allow an app” setup, but this option was greyed out too in my test environment. Then we can try to change the configuration from gpedit.msc, using the group policy editor to create inbound traffic rules for WinRM:

Go to gpedit.msc, Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Inbound Rules, and add the rule.


In my test I got stuck on a “password incorrect” message when setting the correct password in the inventory as ansible_password=password, even though I am pretty sure that I had typed the correct password.

mac-c02t6npagtfj:ansible_test grayin$ ansible-playbook -i host main.yaml
PLAY [Hit a Specific Host on the Server] *************************************************************************************************************************************************************************************************
TASK [Gathering Facts] *******************************************************************************************************************************************************************************************************************
fatal: [D75C0004.LFAD.LFNET.SE]: UNREACHABLE! => {"changed": false, "msg": "Kerberos auth failure: a940bf@LFAD.LFNET.SE's password: \nkinit: Password incorrect", "unreachable": true}
to retry, use: --limit @/Users/grayin/ansible_test/main.retry

Here is the discussion regarding this problem. It seems that the winrm module works if you get a Kerberos ticket via kinit before executing ansible, even if the host isn't joined to the domain. It fails, though, if you try to rely on the ansible_user/ansible_password combination.

I also encountered another problem: the account must have administrative rights on the Windows computer in order to connect successfully. Otherwise the Ansible Kerberos connection fails with either a time-out or a credential-refused error, even though I have a valid Kerberos ticket listed by klist.
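As an added example (not part of the original post), here is a small POSIX shell script that turns steps 1, 4, 5 and 6 above into repeatable checks: does krb5.conf carry a [realms] block for the realm, can the KDC be found through the domain's DNS SRV record, is there a valid ticket in the cache (the post's finding that ansible works only after kinit), and is port 5986 reachable. It also emits the inventory fragment from the post with the Kerberos transport stated explicitly. The realm, host and user are assumed inputs, and the function names are mine, not Ansible's.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for an Ansible
# controller outside the AD domain that manages Windows hosts over WinRM with
# Kerberos. REALM, HOST and DOMAIN_USER are assumed inputs; the file-parsing
# checks below contact no real domain.

# Step 4: does the krb5.conf file declare the realm under [realms]?
# Returns 0 when a "REALM = {" line is found inside the [realms] section.
krb5_realm_configured() {
  conf=$1 realm=$2
  awk -v realm="$realm" '
    /^[ \t]*\[/ { section = $0; gsub(/[^A-Za-z_]/, "", section) }
    section == "realms" && $1 == realm && $2 == "=" { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$conf"
}

# Step 1: can the KDC be located through the domain's DNS SRV record?
# Prints the first SRV answer (priority weight port target), or nothing.
kdc_srv_lookup() {
  lc_realm=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  dig +short SRV "_kerberos._tcp.$lc_realm" 2>/dev/null | head -n 1
}

# Step 5: is there a valid (unexpired) TGT in the credential cache?
# klist -s is silent and exits 0 only when a usable ticket exists.
have_valid_tgt() {
  klist -s 2>/dev/null
}

# Step 6: is the WinRM HTTPS port reachable? (replaces "telnet win01 5986")
winrm_port_open() {
  host=$1 port=${2:-5986}
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# The inventory variables from the post, with the transport made explicit.
winrm_inventory() {
  host=$1 user=$2 realm=$3
  cat <<EOF
[windows]
$host

[windows:vars]
ansible_user=$user@$realm
ansible_connection=winrm
ansible_port=5986
ansible_winrm_transport=kerberos
ansible_winrm_server_cert_validation=ignore
EOF
}

# Run all checks: PREFLIGHT_RUN=1 REALM=DOMAIN.COM HOST=win01 DOMAIN_USER=username sh preflight.sh
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
  krb5_realm_configured /etc/krb5.conf "$REALM" \
    && echo "ok: [realms] block for $REALM in /etc/krb5.conf" \
    || echo "MISSING: [realms] block for $REALM in /etc/krb5.conf"
  srv=$(kdc_srv_lookup "$REALM")
  [ -n "$srv" ] && echo "ok: KDC via DNS: $srv" \
    || echo "MISSING: _kerberos._tcp SRV record for $REALM (controller cannot reach domain DNS?)"
  have_valid_tgt && echo "ok: TGT present (klist -s)" \
    || echo "MISSING: no valid ticket, run: kinit $DOMAIN_USER@$REALM"
  winrm_port_open "$HOST" 5986 && echo "ok: $HOST:5986 reachable" \
    || echo "BLOCKED: $HOST:5986 (no HTTPS listener, or firewall)"
  winrm_inventory "$HOST" "$DOMAIN_USER" "$REALM"
fi
```

The checks are deliberately separated so that a failure points at one of the post's steps rather than at the generic “Kerberos auth failure” that ansible reports.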



Catalyst 2960S bootloop/keep reloading during upgrading

A 2960 switch went into a boot loop due to bug CSCvf46629 when upgrading to 15.2(2)E7 from 15.0(2)SE7: when VTP mode is set to client on the switch, the switch goes into a reload loop when trying to upgrade to 15.2(2)E7.

To recover the switch we need to move it back to the old IOS, boot it up, then change the VTP mode to transparent.

If you still have the old IOS image in flash, just boot the switch while holding the “mode” button until the switch: prompt shows up, then run flash_init and boot from the old image.

In my case the old IOS image was removed during the new image installation, so I had to download the old IOS image to the switch via the console port.

Below are the steps to follow:

In rommon:

- set BAUD 115200

- copy xmodem: flash:OLD_IOS_image

Transfer the IOS file from the computer to the switch with Serial tool on Mac or HyperTerminal on Windows. Once the old IOS is copied:

- boot flash:OLD_IOS_image

Once the switch boots up in the old IOS, change the VTP mode, then do the upgrade to 15.2(2)E7 from 15.0(2)SE7, then change the VTP mode back.

The baud rate is set to 115200 because at the default rate of 9600 the file transfer takes 3-4 hours to download the IOS image to the switch. Once switched to 115200 I could download the image within half an hour. Other people have also tried a different rate, such as 57600, which works too with a somewhat longer download time.
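The console transfer above is done with a GUI serial tool; as an added example that is not part of the original post, the script below does the same from the command line with XMODEM, and also estimates the transfer time at a given console speed so you can see why 9600 baud takes hours. It assumes the lrzsz package (which provides the `sx` sender) is installed and that the console cable shows up as the serial device passed as PORT; both are assumptions, and the 14 MB image size is a constructed figure.

```shell
#!/bin/sh
# Added example, not from the original post: send an IOS image to a switch
# sitting in ROMMON over the console with XMODEM, and estimate the transfer
# time. Assumes lrzsz (`sx`) is installed and PORT is the console device.

# Estimated XMODEM transfer time in whole seconds. 8N1 framing costs 10 bits
# per byte on the wire; each 128-byte payload block also carries 3 header
# bytes, a 2-byte CRC and a 1-byte ACK from the receiver, so budget 134 bytes
# per block. ROMMON's own processing delays are not modelled, so real
# transfers run somewhat slower than this.
xmodem_seconds() {
  image_bytes=$1 baud=$2
  blocks=$(( (image_bytes + 127) / 128 ))
  echo $(( blocks * 134 * 10 / baud ))
}

# Human-readable wrapper around xmodem_seconds
xmodem_estimate() {
  secs=$(xmodem_seconds "$1" "$2")
  echo "$1 bytes at $2 baud: about $(( secs / 60 )) minutes"
}

# Console-side sender. On the switch, first enter in ROMMON:
#   switch: set BAUD 115200      (then reopen your console session at 115200)
#   switch: copy xmodem: flash:<image>
# and, with no terminal program holding the port, start the sender here.
xmodem_send() {
  image=$1 port=$2 baud=${3:-115200}
  case "$(uname)" in
    Darwin) stty -f "$port" "$baud" raw ;;   # macOS stty selects the device with -f
    *)      stty -F "$port" "$baud" raw ;;   # Linux stty selects the device with -F
  esac
  # sx reads ACKs from the port and writes blocks to it, so wire both directions
  sx -vv "$image" < "$port" > "$port"
}

# Example: a ~14 MB 2960S image (constructed size) at the two speeds from the post
xmodem_estimate 14000000 9600
xmodem_estimate 14000000 115200
```

For the constructed 14 MB image the estimate is about 254 minutes at 9600 baud and about 21 minutes at 115200, which lines up with the 3-4 hours versus half an hour observed above. Usage once the switch is waiting in `copy xmodem:`: `xmodem_send c2960s-old.bin /dev/tty.usbserial 115200`.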

Another possible workaround is to rename config.text to config.backup in rommon, then boot the switch with the new image. Without config.text the switch will not have VTP client mode configured, so it should bypass the VTP client mode bug and boot without going back to the old image. After the switch has booted with the new image, do the following to recover the configuration:

- rename config.backup config.text

- copy config.text running-config

This is the same process as password recovery. This alternative workaround hasn't been verified but is worth testing.

Two VTP servers in the same domain

When VTP is configured, the configured VLANs are stored in the vlan.dat file, not in the running-config or startup-config file.

It is common to run two VTP servers in the same domain, for VLAN database redundancy. When a change is made on one VTP server, the update is sent out inside the VTP domain and the other VTP server in the same domain updates its vlan.dat as well.

Be careful to set up the same VTP version on both servers, otherwise the server with the higher version will become master.

When replacing a switch that is acting as VTP server in the network, the best way is to put the new switch into client mode first, so it receives the VLANs from the other VTP servers, then change the new switch back to server mode.

Configure OS x as tftp server and download from vrf enabled 6800 chassis

Below are the steps that I used to download files from a VRF-enabled 6800 chassis to my Mac laptop:

1, Enable the tftp server in OS X (the launchd job is labelled com.apple.tftpd):

sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist
sudo launchctl start com.apple.tftpd

By default the /private/tftpboot/ folder is used for tftp download and upload:

sudo chmod 777 /private/tftpboot
sudo chmod 777 /private/tftpboot/*

2, Set up the tftp route in the 6800

I want to download/upload from/to the mgmt port, which belongs to a separate management VRF. In order for the tftp server IP to be routed correctly, add the following global configuration to the chassis:

cat6k(config)#ip tftp source-interface mgmt0

3, Now it is ready for tftp download/upload to OS x from/to vrf enabled Chassis.

cat6k#copy running-config tftp://172.27.x.x

Address or name of remote host [172.27.x.x]?

Destination filename [xxx-confg]? running-config


85918 bytes copied in 1.084 secs (79260 bytes/sec)

Access layer design

refer to

1, Looped triangle

The triangle looped topology is currently the most widely implemented in the enterprise data center. This topology provides a deterministic design that makes it easy to troubleshoot while providing a high level of flexibility.

2, looped square

The square-based looped topology is not as common today in the enterprise data center but has recently gained more interest. The square looped topology increases the access layer switch density compared to a triangle loop topology while retaining the same loop topology characteristics. This becomes particularly important when 10GE uplinks are used. This topology is very similar to the triangle loop topology, with differences in where spanning tree blocking occurs.

Spanning tree blocks the link between the access layer switches, with the lowest cost path to root being via the uplinks to the aggregation switches, as shown in Figure 6-9. This allows both uplinks to be active to the aggregation layer switches while providing a backup path in the event of an uplink failure. The backup path can also be a lower bandwidth path because it is used only in a backup situation. This might also permit configurations such as 10GE uplinks with GEC backup.

The possible disadvantages of the square loop design relate to inter-switch link use, because 50 percent of access layer traffic might cross the inter-switch link to reach the default gateway/active service module. There can also be degradation in performance in the event of an uplink failure because, in this case, the oversubscription ratio doubles.

3, Loop free U

4, Loop free inverted U


Useful F5 commands

1, When copying configuration from one unit to another, or creating a lot of VIPs at the same time, it is easier to do it via the CLI:
a) Edit the configuration in an editor
b) Copy and paste the configuration into the F5 CLI terminal:
user@(xxx)(cfg-sync In Sync)(/S1-green-P:Active)(/partition)(tmos)# load sys config from-terminal merge
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.

2, ssldump for troubleshooting an SSL session
a) Use find to locate the key file (quote the pattern so the shell does not expand it):
[user@xxx:/S1-green-P:Active:In Sync] / # find -iname '*.key*'
b) ssldump -A -d -k <key file> -n -i <capture VLAN> <traffic expression>
-A Print all fields
-d Show application data when the private key is provided via -k
-k Private key file, found in /config/ssl/ssl.key/; the key file name can be looked up in the client SSL profile
-n Do not try to resolve PTR records for IP addresses
-i The capture VLAN name is the ingress VLAN for the TLS traffic
For example (note that -k expects the key file itself, so append the file name to the directory shown here):
[user@xxx:/S1-green-P:Active:Changes Pending] / # ssldump -A -k ./config/filestore/files_d/partition_d/certificate_key_d/ -i 0.0 host and port 443

3, Use the bigtop command on the CLI to check all current connections.
For example:
[user@xxx:/S1-green-P:Active:In Sync] ~ # bigtop
QUERYING...      | bits since          | bits in prior       | current
                 | Mar 4 00:16:03      | 0 seconds           | time
BIG-IP ACTIVE    |---In----Out---Conn--|---In----Out---Conn--| 14:28:57
                  691.0T  1.418P  8.543G    0      0      0

VIRTUAL ip:port  |---In----Out---Conn--|---In----Out---Conn--|-Nodes Up--
/partition/       668.2T  213.5T  704.4M    0      0      0      0

4, You can use the openssl command to verify the client certificate against the Trusted Certificate Authority bundle prior to importing it onto the BIG-IP system. For example, the following openssl command verifies the client certificate, client.crt, against the Trusted Certificate Authority bundle:

openssl verify -purpose sslclient -CAfile /path/to/trusted-ca-bundle.crt /path/to/client.crt

If the chain of trust can be established for the certificate using the specified bundle, the command returns output similar to the following:

client.crt: OK
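As an added example (not from the post or from F5's documentation), the script below builds a throw-away CA and a client certificate with openssl and then runs the same verification command against the right CA, a concatenated CA bundle, and an unrelated CA, so both the “OK” and the failure output are visible before anything is imported onto the BIG-IP. All files are generated under a temporary directory; the names and subjects are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from F5: generate a test CA,
# a second unrelated CA and a client certificate, then run the post's
# "openssl verify -purpose sslclient" check in the positive and negative case.

# Create under $1: ca.crt (trusted), other-ca.crt (unrelated), client.crt
# issued by ca.crt, and bundle.crt = both CAs concatenated.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Trusted CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Some Other CA" \
    -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client01" \
    -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
  # clientAuth EKU so the certificate actually satisfies -purpose sslclient
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -days 30 -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/client.ext" -out "$dir/client.crt" >/dev/null 2>&1
  # A "Trusted Certificate Authority bundle" is just the CA certificates in PEM, concatenated
  cat "$dir/other-ca.crt" "$dir/ca.crt" > "$dir/bundle.crt"
}

# The check from the post: exit 0 and "<file>: OK" when the chain verifies
# for client use, non-zero with the reason on stderr otherwise.
verify_client_cert() {
  bundle=$1 cert=$2
  openssl verify -purpose sslclient -CAfile "$bundle" "$cert"
}

# Stand-alone run showing all three cases
d=$(mktemp -d)
make_test_pki "$d"
verify_client_cert "$d/ca.crt" "$d/client.crt"        # issuer in the file: OK
verify_client_cert "$d/bundle.crt" "$d/client.crt"    # issuer somewhere in the bundle: OK
verify_client_cert "$d/other-ca.crt" "$d/client.crt"  # issuer absent: verification fails
rm -rf "$d"
```

The third call is the case worth seeing before an import: a client certificate whose issuer is not in the bundle fails verification, which is exactly what the BIG-IP's client SSL profile would do to real clients after the bundle is installed.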
5, Use tcpdump to show more tmm information.
For example, to check which virtual server a routed request hit:
tcpdump -vs0 -i 0.0:nnn host <client-ip>
It shows the following; the lis= field (the part highlighted in red in the original) shows the routed VIP that received the request from the client.
16:28:44.474154 IP (tos 0x0, ttl 255, id 37043, offset 0, flags [DF], proto: TCP (6), length: 52) vip.http > host.38934: ., cksum 0x4282 (incorrect (-> 0x8e1f), ack 159 win 4297 <nop,nop,timestamp 913578425 3245706819> out slot1/tmm2 lis=/partition/xxxhttp-vip flowtype=64 flowid=5701C0361D00 peerid=5