Ansible to windows client connection


sindhu shree

Jan 18, 2019, 7:29:43 AM
to Ansible Project
Hi.
I am facing some authentication issues when I run ansible all -m win_ping. Response:

10.67.104.45 | UNREACHABLE! => {
    "changed": false,
    "msg": "basic: the specified credentials were rejected by the server",
    "unreachable": true
}

The user I am trying to connect as is an administrator user. I followed some steps to add the user and change the permissions using winrm configSDDL default, but no luck.
I am using basic authentication.

I am new to Linux; I would appreciate any help on this.


Dinesh Singh

Jan 18, 2019, 7:34:35 AM
to ansible...@googlegroups.com
This basically means the server is rejecting the login. If you have a firewall on the Windows server, then allow the Linux server to communicate.

With Regards,
Dinesh Singh
Email - dines...@gmail.com


Dinesh Singh

Jan 18, 2019, 7:38:10 AM
to ansible...@googlegroups.com
Also enable the remote execution policy on your Windows server.


With Regards,
Dinesh Singh
Email - dines...@gmail.com


sindhu shree

Jan 18, 2019, 7:41:39 AM
to Ansible Project
Which option should I enable? WinRM is allowed and there are no such specific options for Linux.

Dinesh Singh

Jan 18, 2019, 7:45:36 AM
to ansible...@googlegroups.com


With Regards,
Dinesh Singh
Email - dines...@gmail.com

sindhu shree

Jan 18, 2019, 7:47:17 AM
to Ansible Project
Execution policy has been set to Unrestricted (using Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force), still the same.

sindhu shree

Jan 18, 2019, 7:50:58 AM
to Ansible Project
I followed this article and also the Ansible Windows doc.

Rahamath

Jan 18, 2019, 9:16:17 AM
to ansible...@googlegroups.com
There is a PS script which will set the required WinRM settings (auth to basic). You need to run that script on the Windows host.

Jordan Borean

Jan 18, 2019, 5:42:43 PM
to Ansible Project
Setting the execution policy or firewall is unrelated to authentication failures. If you really want to use Basic auth, make sure you have run the following to enable it on the Windows host:

Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value True

You can verify what has been enabled and disabled by running 'winrm get winrm/config/service'. By default Basic auth is not enabled for security reasons.

Thanks

Jordan

Jordan Borean

Jan 18, 2019, 5:43:59 PM
to Ansible Project
I forgot to mention that running over http (like you are) for basic auth will only work if you have disabled message encryption on the Windows host. Do not do this, do something sane like running over https or use an authentication option that supports message encryption like Kerberos or NTLM.

sindhu shree

Jan 22, 2019, 4:48:22 AM
to Ansible Project
I did that. I am getting some certificate-related errors.

I just checked the connection with another Windows PowerShell as follows.

PS C:\Users\sindhu.p> winrs -r:https://ipaddress:5986/wsman -u:username -p:password ipconfig

Error:

Winrs error:The server certificate on the destination computer (10.67.104.45:5986) has the following errors:
The SSL certificate is signed by an unknown certificate authority.
The SSL certificate contains a common name (CN) that does not match the hostname.

sindhu shree

Jan 22, 2019, 4:54:20 AM
to Ansible Project
I am trying for HTTPS.
The basic PowerShell script is as follows:

$file = "$env:temp\ConfigureRemotingForAnsible.ps1"
$username = "username"
$password = "password "

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force
# Download the script through the system proxy using the current user's credentials.
# Note: $url is not assigned anywhere in the script as posted.
$browser = New-Object System.Net.WebClient
$browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$browser.DownloadFile($url, $file)

# version can be 3.0, 4.0 or 5.1
#&$file -Version 3.0 -Username $username -Password $password -Verbose

#(New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)

powershell.exe -ExecutionPolicy ByPass -File $file

Setting up a listener:

$selector_set = @{
    Address = "*"
    Transport = "HTTPS"
}
$value_set = @{
    CertificateThumbprint = "EF39ECD8A40F83ACC2BE85D95303EED2EB7DCE5C"
}

New-WSManInstance -ResourceURI "winrm/config/Listener" -SelectorSet $selector_set -ValueSet $value_set

And I followed the steps mentioned here:
1. PowerShell upgrade
2. Hotfix
3. Basic WinRM setup
4. Setting up listener

sindhu shree

Jan 22, 2019, 4:56:40 AM
to Ansible Project
I did that. I am getting some certificate-related errors.

I just checked the connection with another Windows PowerShell as follows.

PS C:\Users\sindhu.p> winrs -r:https://ipaddress:5986/wsman -u:username -p:password ipconfig

Error:

Winrs error:The server certificate on the destination computer (10.67.104.45:5986) has the following errors:
The SSL certificate is signed by an unknown certificate authority.
The SSL certificate contains a common name (CN) that does not match the hostname.

sindhu shree

Jan 22, 2019, 5:08:51 AM
to Ansible Project

How do I connect to a Windows client without using a user name and password? In Linux we can have a certificate for passwordless authentication. How can I achieve the same with a Windows client?

sindhu shree

Jan 22, 2019, 5:39:54 AM
to Ansible Project
After seeing your suggestion, I tried with Kerberos and NTLM.

This is what I see:

10.67.104.45 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 51: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/root/.ansible/cp/966bc611a0\" does not exist\r\ndebug2: resolving \"10.67.104.45\" port 22\r\ndebug2: ssh_connect_direct: needpriv 0\r\ndebug1: Connecting to 10.67.104.45 [10.67.104.45] port 22.\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: connect to address 10.67.104.45 port 22: Connection timed out\r\nssh: connect to host 10.67.104.45 port 22: Connection timed out\r\n",
    "unreachable": true
}


I must be missing something; please guide me on where exactly I am going wrong.
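
The last error above comes from Ansible's default ssh connection plugin (port 22), which is what runs when a host has no ansible_connection: winrm set. The inventory below ties that to the advice given earlier in the thread. It is an added example, not from any poster; the group name, host name, account, vault variable and CA bundle path are assumptions.

```yaml
# inventory.yml: constructed example; host, user and paths are placeholders
all:
  children:
    windows:
      hosts:
        # Use a name that appears in the listener certificate, not the bare IP,
        # otherwise the CN/hostname check fails as in the winrs output above.
        winhost01.example.internal:
      vars:
        ansible_connection: winrm      # without this Ansible tries ssh on port 22
        ansible_user: Administrator    # placeholder account
        ansible_password: "{{ vault_win_password }}"  # hypothetical Ansible Vault variable

        # Weak combination discussed in the thread, left commented out:
        # Basic over HTTP only works if message encryption is disabled on the host.
        # ansible_port: 5985
        # ansible_winrm_scheme: http
        # ansible_winrm_transport: basic

        # Combination recommended in the thread: HTTPS listener with NTLM.
        ansible_port: 5986
        ansible_winrm_scheme: https
        ansible_winrm_transport: ntlm

        # Keep certificate checking on and trust the issuing CA explicitly.
        # A self-signed listener certificate fails this check until its issuer
        # is added to the bundle below.
        ansible_winrm_server_cert_validation: validate
        ansible_winrm_ca_trust_path: /etc/pki/ca-trust/source/anchors/winrm-ca.pem  # assumed path
```

With this file in place, `ansible windows -i inventory.yml -m win_ping` exercises the WinRM path instead of SSH.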