Re: Unable to do basic win_ping from CentOS7 to Windows 2012

[Jordan Borean]

If you have configured WinRM using the ConfigureRemotingForAnsible.ps1 script I would highly advise you to use HTTPS over port 5986 instead of HTTP. For one HTTP is sent over in cleartext and your credentials can be seen by anyone listening in. The other warning you are getting is because the cert validation variable is not correct, it should be ansible_winrm_server_cert_validation.

Change your inventory to be

ansible_user: ansibleadmin
ansible_password: Passw0rd
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore

Thanks

Jordan 

[Jordan Borean]

No worries, glad I could help.

[J Hawkesworth]

Its odd that you are getting the insecure request warnings - I am wondering if you are running ansible from a folder with a different ansible.cfg in it perhaps, as the ansible_winrm_server_cert_validation: ignore doesn't seem to be taking effect.

On Wednesday, August 30, 2017 at 10:55:31 PM UTC+1, Thijn Bukkems wrote:

Not sure if you would know the answer to this and I should probably start a new thread but for some reason the -m setup command doesn't return any values. When run, it looks like I'm getting an empty array. P.s. I blanked out hostnames for security reasons

[admin@localhost ansible]$ ansible -m setup web
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
XXXXXXX.domain.local | SUCCESS => {
    "ansible_facts": {},
    "changed": false
}
XXXXXXX.domain.local | SUCCESS => {
    "ansible_facts": {},
    "changed": false
}

[J Hawkesworth]

Please share your playbook or command line

On Wednesday, August 30, 2017 at 11:23:35 PM UTC+1, Thijn Bukkems wrote:

Also tried to stop or start the print spooler just to test another command.. This is what's in the log

2017-08-30 17:19:53,300 urllib3.connectionpool Starting new HTTPS connection (1): XXXX.domain

2017-08-30 17:19:53,314 urllib3.connectionpool Starting new HTTPS connection (1): YYYY.domain

2017-08-30 17:19:53,350 urllib3.connectionpool https://XXXX.domainl:5986 "POST /wsman HTTP/1.1" 401 0

2017-08-30 17:19:53,352 urllib3.connectionpool Resetting dropped connection: YYYY.domain

2017-08-30 17:19:53,363 urllib3.connectionpool https://YYYY.domain:5986 "POST /wsman HTTP/1.1" 401 0

2017-08-30 17:19:53,365 urllib3.connectionpool Resetting dropped connection: YYYY.domain

2017-08-30 17:19:53,402 urllib3.connectionpool https:XXXX.domain:5986 "POST /wsman HTTP/1.1" 401 0

2017-08-30 17:19:53,415 urllib3.connectionpool https:/YYYY.domainl:5986 "POST /wsman HTTP/1.1" 401 0

2017-08-30 17:19:53,523 urllib3.connectionpool https://YYYY.domainl:5986 "POST /wsman HTTP/1.1" 200 1640

2017-08-30 17:19:53,532 urllib3.connectionpool https://YYYY.domain:5986 "POST /wsman HTTP/1.1" 200 847

2017-08-30 17:19:53,610 urllib3.connectionpool https:XXXX.domainl:5986 "POST /wsman HTTP/1.1" 200 1640

2017-08-30 17:19:53,619 urllib3.connectionpool https://XXXX.domain:5986 "POST /wsman HTTP/1.1" 200 847

2017-08-30 17:19:53,795 urllib3.connectionpool https:/YYYY.domainl:5986 "POST /wsman HTTP/1.1" 200 753

2017-08-30 17:19:53,883 urllib3.connectionpool https://XXXX.domainl:5986 "POST /wsman HTTP/1.1" 200 753

2017-08-30 17:19:59,803 urllib3.connectionpool https://YYYY.domainl:5986 "POST /wsman HTTP/1.1" 200 2563

2017-08-30 17:19:59,809 urllib3.connectionpool https:/YYYY.domain:5986 "POST /wsman HTTP/1.1" 200 757

2017-08-30 17:19:59,815 urllib3.connectionpool https:/YYYY.domainl:5986 "POST /wsman HTTP/1.1" 200 602

2017-08-30 17:19:59,822 p=5178 u=root | YYYY.domain | FAILED! => {

    "changed": false,

    "failed": true,

    "module_stderr": "Exception calling \"Run\" with \"1\" argument(s): \"Exception calling \"Invoke\" with \r\n\"0\" argument(s): \"The running command st$    "module_stdout": "",

    "msg": "MODULE FAILURE",

    "rc": 1

}

2017-08-30 17:19:59,899 urllib3.connectionpool https://nYYYY.domainl:5986 "POST /wsman HTTP/1.1" 200 2563

2017-08-30 17:19:59,905 urllib3.connectionpool https:/YYYY.domainal:5986 "POST /wsman HTTP/1.1" 200 757

2017-08-30 17:19:59,911 urllib3.connectionpool https://YYYY.domainl:5986 "POST /wsman HTTP/1.1" 200 602

2017-08-30 17:19:59,916 p=5178 u=root |  YYYY.domain | FAILED! => {

    "changed": false,

    "failed": true,

    "module_stderr": "Exception calling \"Run\" with \"1\" argument(s): \"Exception calling \"Invoke\" with \r\n\"0\" argument(s): \"The running command st$    "module_stdout": "",

    "msg": "MODULE FAILURE",

    "rc": 1

}

[sohail.p...@gmail.com]

Use windows fqdn name in place of IPaddress then it will work

On Wednesday, August 30, 2017 at 10:21:48 PM UTC+5:30, Thijn Bukkems wrote:

Hi all,

Just getting started with Ansible as proof of concept but already stuck and not sure how to make it work. I have a CentOS7 box that is not on the domain but on the same network and 2 Windows 2012 R2 servers.

I ran the ConfigurePowerShellForAnsible.ps1 scripts on both servers as admin, as suggested. I set up a local account named 'ansibleadmin' on both servers.

This is the output I get when trying to win_ping the servers:

[admin@localhost ansible]$ ansible web -m win_ping

 [WARNING]: ansible_winrm_cert_validation unsupported by pywinrm (is an up-to-date version of pywinrm installed?)

 [WARNING]: ansible_winrm_cert_validation unsupported by pywinrm (is an up-to-date version of pywinrm installed?)

10.128.2.108 | UNREACHABLE! => {

    "changed": false,

    "msg": "plaintext: the specified credentials were rejected by the server",

    "unreachable": true

}

10.128.2.215 | UNREACHABLE! => {

    "changed": false,

    "msg": "plaintext: the specified credentials were rejected by the server",

    "unreachable": true

}

Some background information regarding my inventory files etc:

inventory.yml:

---
[web]
10.128.2.215
10.128.2.108

group_vars/web.yml:

---
ansible_user: ansibleadmin
ansible_password: Passw0rd
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_cert_validation: ignore

ansible.cfg:

[defaults]
inventory      = /etc/ansible/inventory.yml

Versions:

Pywinrm 0.2.2

Python 2.7.5

Ansible 2.3.1.0

CentOS 7.3.1611 (Core)

I have no clue why I can't get it to work with a local account and am hesitant to move on to kerberos AD authentication if I can't even get this to work. Any advice? 

[J Hawkesworth]

Well spotted!  Yeah, use hostnames. If you end up switching over to using kerberos hostnames are essential (as is fully functioning DNS lookups (both hostname -> ip and ip -> hostname).

Jon

[J Hawkesworth]

What are you trying that produces the access denied message?



On Thursday, August 31, 2017 at 11:20:25 AM UTC+1, Thijn Bukkems wrote:

Thanks guys, I changed to fqdn shortly after that original post. Strangely enough now only getting access denied with 1 machine even though the winrm settings and user accounts on both are exactly the same. they even reside in the same subnet. very strange!

Op donderdag 31 augustus 2017 02:54:28 UTC-7 schreef J Hawkesworth:

[uday kiran]

It is working when I kept port: 5985