Unable to git clone on Windows host via win_shell/win_command


Benjamin Metzler

Nov 4, 2019, 7:25:03 PM
to Ansible Project
Hi All,
I'm hitting a wall wrt win_shell and a "git clone". I am trying to use win_shell to clone a git repo w/o success. I am getting the below error.

Using module file /home/user/.local/lib/python2.7/site-packages/ansible/modules/windows/win_shell.ps1
Pipelining is enabled.
<<HOST_NAME>> ESTABLISH PSRP CONNECTION FOR USER: <USER> ON PORT 5985 TO <HOST_NAME>
<<HOST_NAME>> PSRP OPEN RUNSPACE: auth=negotiate configuration=Microsoft.PowerShell endpoint=http://<HOST_NAME>:5985/wsman
PSRP: EXEC (via pipeline wrapper)
<<HOST_NAME>> PSRP RC: 0
<<HOST_NAME>> PSRP STDOUT: {"start":"2019-11-04 11:56:37.380685","stdout":"","cmd":"git clone https://example.com/scm/project/tools.git","msg":"non-zero return code","stderr":"Cloning into \u0027tools\u0027...\nLogon failed, use ctrl+c to cancel basic credential prompt.\r\nbash: /dev/tty: No such device or address\nerror: failed to execute prompt script (exit code 1)\nfatal: could not read Username for \u0027https://example.com\u0027: tools error","changed":true,"rc":1,"failed":true,"delta":"0:00:01.984372","end":"2019-11-04 11:56:39.365057"}
<<HOST_NAME>> PSRP STDERR:
<<HOST_NAME>> PSRP CLOSE RUNSPACE: 26C4A0F7-D74B-4E23-9CBA-02C47DAD8A8E
fatal: [<HOST_NAME>]: FAILED! => {
    "changed": true,
    "cmd": "git clone https://example.com/scm/project/tools.git",
    "delta": "0:00:01.984372",
    "end": "2019-11-04 11:56:39.365057",
    "msg": "non-zero return code",
    "rc": 1,
    "start": "2019-11-04 11:56:37.380685",
    "stderr": "Cloning into 'tools'...\nLogon failed, use ctrl+c to cancel basic credential prompt.\r\nbash: /dev/tty: No such device or address\nerror: failed to execute prompt script (exit code 1)\nfatal: could not read Username for 'https://example.com': No tools",
    "stderr_lines": [
        "Cloning into 'tools'...",
        "Logon failed, use ctrl+c to cancel basic credential prompt.",
        "bash: /dev/tty: No such device or address",
        "error: failed to execute prompt script (exit code 1)",
        "fatal: could not read Username for 'https://example.com': No tools"
    ],
    "stdout": "",
    "stdout_lines": []
}



My yml file looks like this:
---
- name: Download Tools
  hosts: all
  gather_facts: false

  tasks:
    - name: Update the Tools repo
      win_shell: git clone https://example.com/scm/project/tools.git
      args:
        chdir: C:\


My hosts looks like this:
[windows]
vm-w10-tcp-23

[windows:vars]
ansible_connection=winrm
# ansible_winrm_transport=ntlm
ansible_connection=psrp
ansible_port=5985
ansible_psrp_protocol=http
ansible_winrm_server_cert_validation=ignore


(note the ansible username and password are in a vault file)

I am running Ansible 2.8.6 on Ubuntu 18.04.3.  The client is Windows 10 with WinRM as the communication channel.  I am able to do other things via ansible such as create directories, copy files over, run commands.

I have tried using win_command and win_git (https://github.com/tivrobo/ansible-win_git) without success.  

I think it is a credentials issue but I can't figure out what, specifically where it says "Logon failed" and "could not read Username".  The credentials are in the Windows Credential Manager and if I connect to the Windows system as the ansible user and run the git clone it succeeds w/o issue.

Any help is appreciated.

Ben


Jordan Borean

Nov 5, 2019, 5:48:16 AM
to Ansible Project
By default a network login on Windows does not have the user's password available, so it cannot take advantage of things that are encrypted with their credentials. This includes things like the Windows credential manager, so it's unable to find the password for your remote URL. You either need to connect with credssp auth or use become on the task with the user's explicit credentials to bypass this.

Thanks

Jordan
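
The become option described in the reply above, written out as an added example that is not part of the original thread or any poster's code. It assumes the vaulted connection credentials are exposed as ansible_user and ansible_password and that this account owns the Git credential stored in Windows Credential Manager; GIT_TERMINAL_PROMPT is set so git exits with an error rather than waiting on a prompt nobody can answer.

```yaml
---
# Added example: the clone task from the first post, run with become/runas.
# runas gives the process a logon that holds the user's password, so entries
# protected by it (Windows Credential Manager) become readable.
- name: Download Tools
  hosts: all
  gather_facts: false

  tasks:
    - name: Update the Tools repo
      win_shell: git clone https://example.com/scm/project/tools.git
      args:
        chdir: C:\
      # Scope the elevated logon to this one task instead of the whole play.
      become: yes
      become_method: runas
      # Assumption: ansible_user / ansible_password come from the vault file
      # and identify the account that saved the Git credential.
      become_user: "{{ ansible_user }}"
      vars:
        ansible_become_password: "{{ ansible_password }}"
      environment:
        # Fail fast if git still cannot find a credential; never prompt.
        GIT_TERMINAL_PROMPT: "0"
```

Keeping become on the single task limits where the account's password is used for a full logon on the managed host.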

Benjamin Metzler

Nov 5, 2019, 11:18:02 AM
to Ansible Project
Hi Jordan. Thanks for the information.

I tried CredSSP (and kerberos) and both give me a:
fatal: [<HOST_NAME>]: FAILED! => {
    "changed": false,
    "module_stderr": "#< CLIXML\r\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

I've enabled CredSSP on the agent via:
Enable-WSManCredSSP -Role Server -Force
and I am able to ping with credssp enabled:
$ ansible all -i hosts -m win_ping
<HOST_NAME> | SUCCESS => {
    "changed": false,
    "ping": "pong"
}


Ben

Phong Pham

Jan 13, 2020, 5:41:27 PM
to Ansible Project
I'm using Enable-WSManCredSSP -Role Server -Force
I'm able to use win_ping but git clone via Shell still gets hung up... Any help is appreciated!