win_ping.yml


Nicholas Branson

Aug 23, 2022, 5:43:49 AM
to Ansible Project
I am still holding my Ansible Newbie Keys Tight !  

Not getting very far with Ansible Tower and Windows. Struggling to even Ping a Windows Server. I've configured WinRM service settings, Opened Firewall Port, etc. 

FAILED! msg No setting was provided for required configuration plugin type become plugin: runas setting: become_user

win_ping.yml file
---
  - name: win_ping module
    hosts: windows
    become: true
    gather_facts: false
    tasks:
      - name: test connection
        ansible.windows.win_ping:

vars file
---
ansible_shell_type: powershell
ansible_user: Iwantmymummy
ansible_password: secret not telling you lot !
ansible_connection: winrm
ansible_port: 5986
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: credssp
ansible_become_method: runas

Does anyone know what is wrong and how I can move forward ?

Many Thanks,
Nick


Michael Nelson

Aug 23, 2022, 7:05:25 AM
to 'Nicholas Branson' via Ansible Project

Hi Nick,

Here is an example of a working config, note the use of (hosts: all) in the playbook since the inventory will be managed by Tower:

---

- hosts: all
  tasks:
    - name: Ping windows host
      ansible.windows.win_ping:
      register: ping_result
    
    - name: show ping result
      ansible.builtin.debug:
        var: ping_result

Then in Tower create an inventory and add your connection variables. I suggest you try basic first, then upgrade once you can establish a connection:

Add your host to the inventory and select it when creating the job template.

Hope this helps.

Regards,

Michael NELSON

Nicholas Branson

Aug 23, 2022, 8:03:08 AM
to Ansible Project
Thanks for replying Michael, 

I have made changes as recommended and now getting a different error.

FAILED  msg  The Powershell shell family is incompatible with the sudo become plugin

Something inside Tower Presumably


Regards,
Nick

Michael Nelson

Aug 23, 2022, 8:37:18 AM
to 'Nicholas Branson' via Ansible Project

Hi again,

You need to configure the credential in Tower and apply it to your template.

In the credential settings you set the become user:

Good luck,

Nicholas Branson

Aug 23, 2022, 9:52:56 AM
to Ansible Project
I thought I might just need a  become_user option adding.............

Walter Rowe

Aug 23, 2022, 10:09:58 AM
to Ansible Project
You can't become a user without their password.

Nicholas Branson

Aug 23, 2022, 10:15:45 AM
to Ansible Project
"msg": "No setting was provided for required configuration plugin_type: become plugin: runas setting: become_user ",
    "_ansible_no_log": false

Nicholas Branson

Aug 23, 2022, 10:19:45 AM
to Ansible Project
So my Windows Inventory Vars is wrong?

Vars
---
ansible_shell_type: powershell
ansible_user: ansible
ansible_password: secret

ansible_connection: winrm
ansible_port: 5986
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: credssp
ansible_become: yes
ansible_become_method: runas

m.ne...@cityscoot.eu

Aug 23, 2022, 11:01:11 AM
to ansible...@googlegroups.com
Vars
---
ansible_shell_type: powershell
ansible_user: ansible
ansible_password: secret # not needed if using a credential in tower
ansible_connection: winrm
ansible_port: 5986
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: credssp
ansible_become: yes # try the ping module without become
ansible_become_method: runas
ansible_become_user: administrator # add the become user when become and become method is used

Best to configure the user settings in the Tower credential.

Nicholas Branson

Aug 24, 2022, 6:37:23 AM
to Ansible Project
Management are now asking me,  Can Ansible / Ansible Tower Deploy Windows Systems ?   When I am still struggling to even ping a Windows server !
I've created win2019-tmp and win2022-tmp in VMware, I just need to demonstrate I can create the guest vm using these templates.  



Wei-Yen Tan

Aug 24, 2022, 6:44:11 AM
to ansible...@googlegroups.com
I can. We are managing windows systems even on the old awx version 9 through winrm and ad


Stuart Lowe

Aug 24, 2022, 6:45:14 AM
to ansible...@googlegroups.com

It can,
We use vcloud director over the top of vmware and we can deploy orgs to vcd, create edge gateways, deploy vm’s input firewall rules and login and configure deployed vm’s once they are deployed.
Windows machines are a little more difficult to connect to after a provision than Linux servers, but if you can get a winrm server up on those servers or an openssh server, you can connect and configure.

We use this module for vcd, https://github.com/vmware/ansible-module-vcloud-director

but you can do it direct to vcenter too, https://docs.ansible.com/ansible/2.6/vmware/scenario_clone_template.html



 

---------------

Stuart Lowe He/Him
Senior Cloud Support Engineer
Zen Internet
Team: 01706 902009
Web: zen.co.uk


Nicholas Branson

Aug 24, 2022, 7:11:12 AM
to Ansible Project
Not sure my Inventories > Windows > Variables are correct. The ansible user is a domain service account.

---
ansible_shell_type: powershell
ansible_user: branyster.com\ansible
ansible_password: mumstheword

ansible_connection: winrm
ansible_port: 5986
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: kerberos
ansible_become: yes
become_user: svc-ansible
ansible_become_method: runas


fatal: [server20]: UNREACHABLE! => {"changed": false, "msg": "basic: the specified credentials were rejected by the server", "unreachable": true}

Wei-Yen Tan

Aug 24, 2022, 7:14:02 AM
to ansible...@googlegroups.com
Are you connecting through domain or workgroup? It looks like you are connecting through domain credentials through to 5986. From experience this gets finicky. I always use 5985 with domain credentials in conjunction with a krb5.conf file 


Nicholas Branson

Aug 24, 2022, 7:28:42 AM
to Ansible Project
domain account

Nicholas Branson

Aug 24, 2022, 7:29:14 AM
to Ansible Project
Not sure how to create krb5.conf file 

Wei-Yen Tan

Aug 24, 2022, 7:31:40 AM
to ansible...@googlegroups.com
Use 5985 with krb5.conf. 

If you are using 18.0+ I wrote a blog about it last year. Some variables may have changed but the concept stays the same. Just use new ones listed in awx-operator



Nicholas Branson

Aug 24, 2022, 7:39:17 AM
to Ansible Project
Shouldn't I be using port 5986 ?  I've created a WinRM HTTPS Listener on 5986

Nicholas Branson

Aug 24, 2022, 9:11:36 AM
to Ansible Project
L@@Ks like my ansible service account has not been excluded from DUO 
This might be why my code is failing !   

Nicholas Branson

Aug 24, 2022, 9:36:11 AM
to Ansible Project
Actually thinking about it DUO only affects RDP. It might be a JITA issue ?

Nicholas Branson

Aug 24, 2022, 10:03:26 AM
to Ansible Project
I don't think the Windows server is configured properly to allow WinRM connections.  How can I check / test this ?

Nicholas Branson

Aug 24, 2022, 10:05:50 AM
to Ansible Project
winrm enumerate winrm/config/Listener

Nicholas Branson

Aug 24, 2022, 10:14:54 AM
to Ansible Project
C:\WINDOWS\system32>netstat -ano | findstr 5986
  TCP    0.0.0.0:5986           0.0.0.0:0              LISTENING       4
  TCP    [::]:5986              [::]:0                 LISTENING       4

Paul Manno

Aug 24, 2022, 10:53:39 AM
to ansible...@googlegroups.com
Use these vars:

ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_user: '{{ lookup(''env'', ''WIN_GUEST_USERNAME'') }}'
ansible_password: '{{ lookup(''env'', ''WIN_GUEST_PASSWORD'') }}'
ansible_become_method: runas
ansible_become_user: .\Administrator
ansible_winrm_server_cert_validation: ignore

I'm using ntlm or credssp for domain joined, basic for non-domain joined (local ansible_user account).

Make sure, of course, you have pywinrm installed.  And that you ran the winrm setup script on the windows host.



Nicholas Branson

Aug 24, 2022, 11:50:21 AM
to Ansible Project
Blimey !

SSH password:
ERROR! couldn't resolve module/action 'ansible.windows.win_ping'. This often indicates a misspelling, missing collection, or incorrect module path.

The error appears to be in '/ansible/tmp/bwrap_620561_ue_7dz9q/awx_620561_33fab03n/project/win_ping.yml': line 4, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

tasks:
- name: ping windows host
^ here


Nicholas Branson

Aug 25, 2022, 4:42:33 AM
to Ansible Project
Using /etc/ansible/ansible.cfg as config file
SSH password:
BECOME password[defaults to SSH password]:
host_list declined parsing /ansible/tmp/bwrap_621796_mhovsw3g/awx_621796__sjzeuh7/tmp_0to4mbl as it did not pass its verify_file() method
Parsed /ansible/tmp/bwrap_621796_mhovsw3g/awx_621796__sjzeuh7/tmp_0to4mbl inventory source with script plugin
ERROR! couldn't resolve module/action 'ansible.windows.win_ping'. This often indicates a misspelling, missing collection, or incorrect module path.

The error appears to be in '/ansible/tmp/bwrap_621796_mhovsw3g/awx_621796__sjzeuh7/project/win_ping.yml': line 4, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

tasks:
- name: ping windows host
^ here

Nicholas Branson

Aug 25, 2022, 12:34:59 PM
to Ansible Project
New Yaml

---
-
  become: true
  gather_facts: false
  hosts: windows
  name: "win_ping module"
  tasks:
    -
      ansible.windows.win_ping: ~
      name: "test connection"

Nicholas Branson

Aug 25, 2022, 12:36:59 PM
to Ansible Project
Enter passphrase for /ansible/tmp/bwrap_622380_u4ia3zo4/awx_622380_c1kn7_7v/artifacts/622380/ssh_key_data:

ansible-playbook 2.9.23
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/var/lib/awx/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 2.7.5 (default, Aug 13 2020, 02:51:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Using /etc/ansible/ansible.cfg as config file
SSH password:
BECOME password[defaults to SSH password]:
host_list declined parsing /ansible/tmp/bwrap_622380_u4ia3zo4/awx_622380_c1kn7_7v/tmpa2miswk1 as it did not pass its verify_file() method
Parsed /ansible/tmp/bwrap_622380_u4ia3zo4/awx_622380_c1kn7_7v/tmpa2miswk1 inventory source with script plugin
ERROR! couldn't resolve module/action 'ansible.windows.win_ping'. This often indicates a misspelling, missing collection, or incorrect module path.

The error appears to be in '/ansible/tmp/bwrap_622380_u4ia3zo4/awx_622380_c1kn7_7v/project/win_ping.yml': line 9, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

-
ansible.windows.win_ping: ~
^ here

Dick Visser

Aug 25, 2022, 2:53:18 PM
to ansible...@googlegroups.com
Seems pretty clear to me. There is a tilde after the module name.



aide...@gmail.com

Aug 25, 2022, 5:05:23 PM
to Ansible Project
you can exec the script ConfigureRemotingForAnsible.ps1 to make sure that remote options are enabled in windows.

NOTE: sorry my english!!

Nicholas Branson

Sep 2, 2022, 7:50:24 AM
to Ansible Project
Hello All,

So I think WinRM is working on Windows 2019 Server, but the server is rejecting my Ping request ??


fatal: [server20]: UNREACHABLE! => {
"changed": false,
"msg": "basic: the specified credentials were rejected by the server",
"unreachable": true



> win_ping.yml file
> ---
>   - name: win_ping test
>     hosts: windows
>     become: True
>     become_user: ansible
>     gather_facts: False

Wei-Yen Tan

Sep 2, 2022, 9:11:11 AM
to ansible...@googlegroups.com
Under which port and user? Could be a mismatch 


Nicholas Branson

Sep 2, 2022, 9:23:47 AM
to Ansible Project
hi  Wei-Yen Tan

domain service account, who is a member of local administrators group.  WinRM configured on port 5986

Not sure if DUO is blocking things...

fatal: [server20]: UNREACHABLE! => {
"changed": false,
"msg": "basic: the specified credentials were rejected by the server",
"unreachable": true




Wei-Yen Tan

Sep 2, 2022, 9:26:13 AM
to ansible...@googlegroups.com
Duo doesn’t block winrm. It intercepts rdp connections. What's the cert you are using in 5986? Did you set to ignore cert validation? 


Nicholas Branson

Sep 2, 2022, 9:48:38 AM
to Ansible Project
Self Signed Certificate

Strange, I've just looked in Tower, and the Variables in the Windows Inventory have all disappeared !

Wei-Yen Tan

Sep 2, 2022, 9:51:10 AM
to ansible...@googlegroups.com
So self signed can cause issues. 
If they are domain joined machines any reason why you have not set to 5985?  It's encrypted by kerberos. So no plain text 

Nicholas Branson

Sep 2, 2022, 9:53:17 AM
to Ansible Project
  ansible_shell_type: powershell

  ansible_connection: winrm
  ansible_port: 5986
  ansible_winrm_server_cert_validation: ignore
  ansible_winrm_transport: credssp
  ansible_user: svc-ansible
  ansible_password: !vault |
            $ANSIBLE_VAULT;1.1;AES256
            62323666616535333162323461346330666631623661326465313835323465653964666639396364
            3433643266303531313637383866653464326639326365620a633136623131343265363830366462
            62323539383964316634623666343962313664633434363532306231626437313936646466333662
            3162366636313961630a396362663334613363653838326465363465376336333261353134633038
            6465

Wei-Yen Tan

Sep 2, 2022, 9:55:12 AM
to ansible...@googlegroups.com
Why credssp? 


Wei-Yen Tan

Sep 2, 2022, 10:00:56 AM
to ansible...@googlegroups.com
If it's in tower I would strongly use a machine credential and if you are connecting to a domain set up a krb5.conf and use 5985. Problems disappear then. 



Wei-Yen Tan

Sep 2, 2022, 10:01:24 AM
to ansible...@googlegroups.com
Also if it's a domain user should it have the kerberos notation. Ansib...@DOMAIN.LOCAL? By putting in the way that you are  it may look like a local user 


Nicholas Branson

Sep 2, 2022, 12:45:44 PM
to Ansible Project
VERY HAPPY !

win_ping.yml now works successfully. So WinRM must be configured correctly. Phew!

We were putting variables into the Windows Inventory Variables section. But we now have a main.yml file.

Also thanks to Wei-Yen Tan for suggesting we use kerberos and FQDN on the account ans...@mummy.loves.me.com !

main.yml file
---
  # Put your variables in here
  ansible_shell_type: powershell
  ansible_connection: winrm
  ansible_port: 5985
  ansible_winrm_server_cert_validation: ignore
  ansible_winrm_transport: kerberos
  ansible_winrm_kinit_mode: managed
  ansible_user: ans...@missmummy.loc
  ansible_password: !vault |
            $ANSIBLE_VAULT;1.1;AES2561234556678901334964757527852875278  etc

Thanks Everyone...

Let's move forward !

Wei-Yen Tan

Sep 2, 2022, 8:20:32 PM
to ansible...@googlegroups.com
If you are using tower why not use machine credentials instead of putting it in the playbook? 
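
Added example, not part of any post in this thread and not Ansible or Tower code: a small Python check over WinRM connection variables like the ones posted above. It flags the problems the thread ran into (runas without a become user, become_user used as an inventory variable, a kerberos user without a realm) and the exposure left by the settings themselves (a readable password, certificate validation set to ignore on 5986). The finding codes, the function names and the user in FINAL_VARS are assumptions made for the example.

```python
# Added example: audit WinRM connection variables like those posted in this thread.
# Finding codes and the FINAL_VARS user are constructed; not Ansible or Tower code.
FINDINGS = {
    "PLAINTEXT_PASSWORD": "ansible_password is readable text, not vaulted or looked up",
    "TLS_CERT_NOT_VALIDATED": "HTTPS with cert validation 'ignore': server identity unchecked",
    "UNENCRYPTED_HTTP": "HTTP listener with a transport that does not encrypt messages",
    "KERBEROS_USER_NOT_UPN": "kerberos transport but ansible_user is not user@REALM",
    "UNPREFIXED_BECOME_USER": "become_user is a play keyword; the variable is ansible_become_user",
    "RUNAS_WITHOUT_BECOME_USER": "become with runas is on but ansible_become_user is unset",
}
ENCRYPTING = {"kerberos", "ntlm", "credssp"}  # transports that encrypt messages over HTTP

def _truthy(value):
    return str(value).strip().lower() in {"yes", "true", "1", "on"}

def _is_literal_secret(value):
    text = str(value)
    return not text.startswith("$ANSIBLE_VAULT;") and "{{" not in text

def audit_winrm_vars(hostvars):
    """Return the sorted finding codes for one host's connection variables."""
    found = set()
    port = int(hostvars.get("ansible_port", 5986))
    # Assumption: the scheme follows the port unless ansible_winrm_scheme is set.
    scheme = hostvars.get("ansible_winrm_scheme", "http" if port == 5985 else "https")
    transport = str(hostvars.get("ansible_winrm_transport", "")).lower()
    if "ansible_password" in hostvars and _is_literal_secret(hostvars["ansible_password"]):
        found.add("PLAINTEXT_PASSWORD")
    if scheme == "https" and hostvars.get("ansible_winrm_server_cert_validation") == "ignore":
        found.add("TLS_CERT_NOT_VALIDATED")
    if scheme == "http" and transport not in ENCRYPTING:
        found.add("UNENCRYPTED_HTTP")
    if transport == "kerberos" and "@" not in str(hostvars.get("ansible_user", "")):
        found.add("KERBEROS_USER_NOT_UPN")
    if "become_user" in hostvars:
        found.add("UNPREFIXED_BECOME_USER")
    if (_truthy(hostvars.get("ansible_become", False))
            and hostvars.get("ansible_become_method") == "runas"
            and "ansible_become_user" not in hostvars):
        found.add("RUNAS_WITHOUT_BECOME_USER")
    return sorted(found)

def explain(hostvars):  # one "CODE: description" line per finding
    return [f"{code}: {FINDINGS[code]}" for code in audit_winrm_vars(hostvars)]

# The Aug 24 inventory variables from the thread, as YAML would load them.
AUG_24_VARS = {
    "ansible_shell_type": "powershell", "ansible_user": r"branyster.com\ansible",
    "ansible_password": "mumstheword", "ansible_connection": "winrm",
    "ansible_port": 5986, "ansible_winrm_server_cert_validation": "ignore",
    "ansible_winrm_transport": "kerberos", "ansible_become": True,
    "become_user": "svc-ansible", "ansible_become_method": "runas",
}
# The final working main.yml; the user and vault body are constructed placeholders.
FINAL_VARS = {
    "ansible_shell_type": "powershell", "ansible_connection": "winrm",
    "ansible_port": 5985, "ansible_winrm_server_cert_validation": "ignore",
    "ansible_winrm_transport": "kerberos", "ansible_winrm_kinit_mode": "managed",
    "ansible_user": "svc-ansible@EXAMPLE.LOC",
    "ansible_password": "$ANSIBLE_VAULT;1.1;AES256 <ciphertext omitted>",
}

if __name__ == "__main__":
    print("\n".join(explain(AUG_24_VARS)) or "no findings")
```

The final set returns no findings because on port 5985 the certificate setting is not in play and kerberos encrypts the messages; the same check on the 5986 sets reports the unvalidated certificate.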
