win_group_membership


anil kumar

Mar 27, 2018, 6:37:30 PM
to Ansible Project
Hello,

A few questions on this module:

Context: we have Cloudform, which spins up a Windows machine and joins it to the domain. Now I need to add a user to the local "Remote Desktop user" group on the target Windows machine. I am hoping to achieve that using the win_group_membership module. My questions are:
  • What type of protocol does it work with, e.g. WinRM?
  • Type of auth/permissions/privileges needed?
A simple example would be great.

Appreciate your help.

Jordan Borean

Mar 27, 2018, 9:32:35 PM
to Ansible Project
You can currently only use the winrm connection plugin with Ansible to talk to Windows hosts. WinRM allows you to connect using both domain and local accounts, and usually you need administrative rights on that host to both connect and manipulate group membership. WinRM allows you to authenticate using various protocols, such as:

* Basic
* Certificate (not the same as SSH keys)
* NTLM
* Kerberos
* CredSSP

More details can be found here http://docs.ansible.com/ansible/latest/user_guide/windows.html.

Thanks

Jordan

Anil

Mar 28, 2018, 11:58:53 AM
to ansible...@googlegroups.com
Thanks for the elaborate information on Ansible with Windows.

WinRM is disabled by default. Not sure about the security constraints when we enable this service.

I will do research on it.
--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/QDoRl0_KU-Y/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/444b5db2-68b0-4fbf-906d-07ec4303d11a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

anil kumar

Mar 28, 2018, 7:05:32 PM
to ansible...@googlegroups.com
Do you have any ideas on configuring WinRM in the template (VMware)?


J Hawkesworth

Mar 29, 2018, 4:12:11 AM
to Ansible Project
The vmware_guest module allows you to run scripts in the 'runonce' section, so you can run the configure-for-remoting script as part of this, and any other steps you need.

I use a playbook like the following to create a VM from a template. Before using it you have to add a hostname to the 'domainmember' group and allocate it an IP address in your inventory, like this:

# ansible inventory
[domainmember]
testmachine01 ip=172.17.0.1




---
# spin up a vm from a template
# guest_administrator_pass, win_dom_user and win_dom_cred are not defined in
# this playbook and have to be supplied from elsewhere (inventory, vault, ...)

- hosts: localhost
  gather_facts: true

- hosts: domainmember
  gather_facts: false
  vars:
    template: Winserver-TEMPLATE
  vars_prompt:
    - name: 'vmware_user'
      prompt: 'Enter VMWare username'
      private: no
    - name: 'vmware_cred'
      prompt: 'Enter VMWare password'
      private: yes
  pre_tasks:
    - name: show what we are planning on doing
      debug:
        msg: "ensure vm with hostname {{inventory_hostname}} and ip {{hostvars[inventory_hostname]['ip']}} exists."

    - name: clone vmware template and customise so it is ready for use as domain member
      vmware_guest:
        annotation: "Ansible cloned from template '{{template}}' on {{hostvars['localhost']['ansible_date_time']['date']}} by {{vmware_user}}"
        cluster: Dev Cluster
        datacenter: Dev datacenter
        folder: /Development/
        hostname: vcenterhost
        name: "{{inventory_hostname}}"
        password: "{{ vmware_cred }}"
        resource_pool: Normal
        state: poweredon
        template: "{{template}}"
        username: '{{vmware_user}}'
        validate_certs: no
        hardware:
          memory_mb: 1024
          num_cpus: 1
        networks:
          - name: VM Network
            ip: "{{hostvars[inventory_hostname]['ip']}}"
            netmask: 255.255.128.0
            gateway: 172.x.x.1
            # deliberately not specifying a domain here
            # domain: devdomain.local
            dns_servers:
              - 172.x.x.x
              - 172.x.x.x2
            # I had trouble using vmxnet3, it always seems to want to be dhcp-configured.
            # may be worth retrying in future but ensuring static ip configured in template
            # devicetype: vmxnet3
            devicetype: e1000e
            type: static
        customization:
          autologon: yes
          autologoncount: 5
          hostname: "{{inventory_hostname}}"
          ip: "{{hostvars[inventory_hostname]['ip']}}"
          netmask: 255.255.128.0
          gateway: 172.x.x.x
          dns_servers:
            - 172.x.x.x
            - 172.x.x.x2
          # deliberately not specifying a domain here
          # domain: devdomain.local
          password: "{{guest_administrator_pass}}"
          joindomain: devdomain.local
          domainadmin: "{{ win_dom_user }}"
          domainadminpassword: "{{ win_dom_cred }}"
          runonce:
            - powershell.exe -ExecutionPolicy Unrestricted -File C:\Users\Administrator\Downloads\ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert
            - C:\finishsetup.bat
          timezone: 85
          # set timezone correctly or domain trust relationship will be lost
      delegate_to: localhost

    - name: wait for connection to become reachable
      wait_for_connection:
        delay: 75
        sleep: 11
        timeout: 675

# by this point host should be on the domain so you can start running roles to provision your windows host






anil kumar

Apr 4, 2018, 8:04:37 PM
to ansible...@googlegroups.com
Thanks much for the example.

Quick question on ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert -DisableBasicAuth: does this mean we can use any auth protocol as below except Basic (not secure), correct? I am more inclined toward Kerberos auth.
* Basic
* Certificate (not the same as SSH keys)
* NTLM
* Kerberos
* CredSSP


Jordan Borean

Apr 5, 2018, 5:05:47 PM
to Ansible Project
With -DisableBasicAuth set, you can only use the defaults, which are NTLM and Kerberos. You can always check by running winrm get winrm/config/service and looking at the values under the Auth section.

Thanks

Jordan
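
Added example, not part of any post in this thread: a play that connects over WinRM with Kerberos, runs the winrm get winrm/config/service check mentioned above and stops if Basic auth or unencrypted traffic is still allowed, then adds an account to the local Remote Desktop Users group with win_group_membership. The service account, realm, vaulted password variable and member name are constructed placeholders; the host group is the one used in the playbook earlier in the thread.

```yaml
---
# Added example (not from the thread). Account names, realm and the vaulted
# password variable are placeholders to replace with your own values.
- hosts: domainmember
  gather_facts: false
  vars:
    ansible_connection: winrm
    ansible_port: 5986                  # HTTPS listener; its certificate must be trusted by the controller
    ansible_winrm_transport: kerberos   # needs the pywinrm kerberos extras on the controller
    ansible_user: svc_ansible@DEVDOMAIN.LOCAL             # placeholder; needs admin rights on the target
    ansible_password: "{{ vault_svc_ansible_password }}"  # placeholder vaulted variable
    rdp_members:
      - DEVDOMAIN\exampleuser           # placeholder domain account
  tasks:
    - name: read the WinRM service configuration
      win_command: winrm get winrm/config/service
      register: winrm_service
      changed_when: false

    - name: stop if Basic auth or unencrypted traffic is still allowed
      assert:
        that:
          - "'basic = false' in (winrm_service.stdout | lower)"
          - "'allowunencrypted = false' in (winrm_service.stdout | lower)"
          - "'kerberos = true' in (winrm_service.stdout | lower)"
        msg: "WinRM service auth settings are not as expected; check the Auth section"

    - name: add the account to the local Remote Desktop Users group
      win_group_membership:
        name: Remote Desktop Users
        members: "{{ rdp_members }}"
        state: present                  # adds the listed members, leaves existing ones in place
```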