Problems Connecting To Windows 2012 R2


bwie...@gmail.com

Oct 20, 2016, 1:01:29 PM
to Ansible Project



I am new to Ansible, so please bear with me.... I am trying to bring up an Ansible test environment whereby I can test config management against a Windows environment. The environment consists of an Ansible management server running Linux Red Hat Enterprise Linux Server release 6.7 and a test Windows 2012 R2 server. I believe I have all the necessary packages installed to support the WinRM/Kerberos connection from the Ansible management server to the Windows server. Here are the packages I believe to have been installed on the Ansible management server to support Windows:

pywinrm
python-devel
krb5-devel
krb5-libs
krb5-workstation
kerberos
requests-kerberos

I have updated the /etc/krb5.conf file. When I run a "kinit 'user'@MY.DOMAIN.COM" on the Ansible management server I get the following:

ansible@servername:/home/ansible # kinit xxx...@MY.DOMAIN.COM
Password for xxx...@MY.DOMAIN.COM:
ansible@servername:/home/ansible #

I then ran a "klist" to ensure the Kerberos connection was made:


ansible@servername:/home/ansible # klist
Ticket cache: FILE:/tmp/krb5cc_5000
Default principal: xxx...@MY.DOMAIN.COM

Valid starting     Expires            Service principal
10/20/16 07:17:28  10/20/16 17:17:58  krbtgt/MY.DOM...@MY.DOMAIN.COM
        renew until 10/21/16 07:17:28
ansible@servername:/home/ansible #

I then created a /group_vars/windows.yml file consisting of the following:

ansible_user: xxx...@MY.DOMAIN.COM
ansible_password: xxxxx
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

but when I go to run a "ansible winTest -m win_ping -vvvv" it appears that it is trying an SSL connection instead of a winrm connection, possibly?:


ansible@servername:/home/ansible # ansible winTest -m win_ping -vvvvv
Using /home/ansible/.ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<172.31.0.166> ESTABLISH SSH CONNECTION FOR USER: None
<172.31.0.166> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)
<172.31.0.166> SSH: ansible_password/ansible_ssh_pass not set: (-o)(KbdInteractiveAuthentication=no)(-o)(PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey)(-o)(PasswordAuthentication=no)
<172.31.0.166> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
<172.31.0.166> SSH: PlayContext set ssh_common_args: ()
<172.31.0.166> SSH: PlayContext set ssh_extra_args: ()
<172.31.0.166> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r)
<172.31.0.166> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r xxx.xx.x.xxx '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1476962695.95-263373308192487 `" && echo ansible-tmp-1476962695.95-263373308192487="` echo $HOME/.ansible/tmp/ansible-tmp-1476962695.95-263373308192487 `" ) && sleep 0'"'"''
xxx.xx.x.xxx | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh.",
    "unreachable": true
}
ansible@servername:/home/ansible #


If I telnet to the windows server it appears the port is open:

ansibleservername:/home/ansible # telnet xxx.xx.x.xxx 5985
Trying xxx.xx.x.xxx...
Connected to xxx.xx.x.xxx.
Escape character is '^]'.


and if I verify that remoting is working on the windows server it appears to be working locally:

PS C:\Users\XXXXXX> $Credential = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\Users\XXXXXX> $Session = New-PSSession -Credential $Credential -ComputerName xxx.xx.x.xxx
PS C:\Users\XXXXXX> Invoke-Command -Session $Session -ScriptBlock {gci e:\}


    Directory: E:\


Mode                LastWriteTime     Length Name                                  PSComputerName
----                -------------     ------ ----                                  --------------
d----        10/19/2016   1:11 PM            Applications                          xxx.xx.x.xxx
da---        10/19/2016   1:06 PM            Logs                                  xxx.xx.x.xxx
d----        10/19/2016   1:11 PM            temp                                  xxx.xx.x.xxx


PS C:\Users\XXXXXX>


I also tried to connect to WinRM from another Windows server:

PS C:\Users\XXXXX> $Credential = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\Users\XXXXXX> $Session = New-PSSession -Credential $Credential -ComputerName xxx.xx.x.xxx
PS C:\Users\XXXXXX> Invoke-Command -Session $Session -ScriptBlock {gci e:\}


    Directory: E:\


Mode                LastWriteTime     Length Name                                  PSComputerName
----                -------------     ------ ----                                  --------------
d----        10/19/2016   1:11 PM            Applications                          xxx.xx.x.xxx
da---        10/19/2016   1:06 PM            Logs                                  xxx.xx.x.xxx
d----        10/19/2016   1:11 PM            temp                                  xxx.xx.x.xxx


PS C:\Users\XXXXXX>



Is there a config step whereby I specify Ansible use a winrm connection that I missed? Any assistance would be greatly appreciated.....


Thanks,

Bob Wieberdink

Matt Davis

Oct 20, 2016, 1:11:19 PM
to Ansible Project
In 2.1 we had to back off on some of the automatic transport detection stuff with the advent of NTLM and support for things like Microsoft accounts - try adding

ansible_winrm_transport=kerberos

to your inventory...



J Hawkesworth

Oct 21, 2016, 12:34:49 PM
to Ansible Project
Is 'winTest' the hostname or the name of a group of hosts in your inventory?

The Windows host(s) that you want to connect to will need to be in a group called 'windows' in your inventory.

[windows]
winTest
... other hosts

The name of the group, windows, has to match the name of the file (minus .yml extension) in group_vars.  Without this, ansible doesn't know that the host is a windows box and needs to connect via winrm etc, and just uses default ssh connection type.

So that could be what's happening here.

Hope that helps,

Jon
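
Added example, not part of any post in this thread and not Ansible's own code: a small checker that shows why a host outside the 'windows' group never picks up group_vars/windows.yml and so falls back to the default ssh connection. The inventories and the vars file are constructed samples; the INI parse is simplified (plain [group] sections only, no :children or :vars, no variable precedence).

```python
import os
import tempfile

# Constructed sample data (not from the thread): a vars file like the one the
# poster describes, and two candidate inventories for the host winTest.
WINDOWS_YML = "ansible_port: 5986\nansible_connection: winrm\n"
INV_UNGROUPED = "winTest\n"
INV_GROUPED = "[windows]\nwinTest\n"

def host_groups(inventory_text, host):
    """Groups listing `host` (simplified INI parse: plain [group] sections only)."""
    groups, current = {"all"}, "ungrouped"
    for raw in inventory_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif ":" not in current and line.split()[0] == host:
            groups.add(current)
    return groups

def effective_connection(inventory_text, host, group_vars_dir):
    """Return (connection, files_applied); connection falls back to 'ssh'."""
    groups = host_groups(inventory_text, host)
    connection, applied = "ssh", []
    for name in sorted(os.listdir(group_vars_dir)):
        if os.path.splitext(name)[0] not in groups:
            continue  # file name matches none of the host's groups: never read
        applied.append(name)
        with open(os.path.join(group_vars_dir, name)) as fh:
            for line in fh:
                key, _, value = line.partition(":")
                if key.strip() == "ansible_connection":
                    connection = value.strip()
    return connection, applied

def demo():
    """Resolve winTest against both constructed inventories."""
    with tempfile.TemporaryDirectory() as gv:
        with open(os.path.join(gv, "windows.yml"), "w") as fh:
            fh.write(WINDOWS_YML)
        return (effective_connection(INV_UNGROUPED, "winTest", gv),
                effective_connection(INV_GROUPED, "winTest", gv))

if __name__ == "__main__":
    for result in demo():
        print(result)
```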

