Ansible ad-hoc win_ping fails for Windows hosts where direct pywinrm request works

[macro...@gmail.com]

Good morning,

I'm struggling with an annoying issue with my current Ansible setup. Ansible master server is configured and I'm testing basic connectiviy with Linux and Windows nodes.

Connectivity with Linux nodes is working fine, ad-hoc commands return expected values.

Windows test node is configured with an HTTPs listener (with server certificate installed), firewall is disabled, WinRM service is started and available from other Windows hosts. So far I can successfully issue wman commands locally & remotely from Windows nodes:

 

test-wsman -computername winsrv01.domain.lan -Usessl

wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor   : Microsoft Corporation
ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0

Ansible win_ping issued from Ansible server fails:

ansible 2.4.0.0

  config file = /etc/ansible/ansible.cfg

  configured module search path = [u'/home/ansible/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']

  ansible python module location = /usr/lib/python2.7/site-packages/ansible

  executable location = /usr/bin/ansible

  python version = 2.7.5 (default, Aug  4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]

Using /etc/ansible/ansible.cfg as config file

setting up inventory plugins

Set default localhost to localhost

Parsed /etc/ansible/hosts inventory source with ini plugin

Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc

META: ran handlers

Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1

<winsrv01.DOMAIN.LAN> ESTABLISH SSH CONNECTION FOR USER:WIN...@DOMAIN.LAN

<winsrv01.DOMAIN.LAN> SSH: ansible.cfg set ssh_args: (-C)(-o)(ControlMaster=auto)(-o)(ControlPersist=60s)

<winsrv01.DOMAIN.LAN> SSH: ANSIBLE_REMOTE_PORT/remote_port/ansible_port set: (-o)(Port=5986)

<winsrv01.DOMAIN.LAN> SSH: ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set: (-o)(IdentityFile="/home/ansible/.ssh/myrsakey")

<winsrv01.DOMAIN.LAN> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=WIN...@DOMAIN.LAN)

<winsrv01.DOMAIN.LAN> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=60)

<winsrv01.DOMAIN.LAN> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/home/ansible/.ansible/cp/208bf2aa12)

<winsrv01.DOMAIN.LAN> SSH: EXEC sshpass -d12 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o Port=5986 -o 'IdentityFile="/home/ansible/.ssh/myrsakey"' -o User=WIN...@DOMAIN.LAN -o ConnectTimeout=60 -o ControlPath=/home/ansible/.ansible/cp/208bf2aa12 winsrv01.DOMAIN.LAN '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''

<winsrv01.DOMAIN.LAN> (255, '', 'OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 58: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket "/home/ansible/.ansible/cp/208bf2aa12" does not exist\r\ndebug2: resolving "winsrv01.DOMAIN.LAN" port 5986\r\ndebug2: ssh_connect_direct: needpriv 0\r\ndebug1: Connecting to winsrv01.DOMAIN.LAN [10.0.0.4] port 5986.\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: fd 3 clearing O_NONBLOCK\r\ndebug1: Connection established.\r\ndebug3: timeout: 59999 ms remain after connect\r\ndebug1: identity file /home/ansible/.ssh/myrsakey type 1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/ansible/.ssh/myrsakey-cert type -1\r\ndebug1: Enabling compatibility mode for protocol 2.0\r\ndebug1: Local version string SSH-2.0-OpenSSH_7.4\r\nConnection timed out during banner exchange\r\n')

winsrv01.DOMAIN.LAN | UNREACHABLE! => {

    "changed": false, 

    "msg": "Failed to connect to the host via ssh: OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 58: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/home/ansible/.ansible/cp/208bf2aa12\" does not exist\r\ndebug2: resolving \"winsrv01.DOMAIN.LAN\" port 5986\r\ndebug2: ssh_connect_direct: needpriv 0\r\ndebug1: Connecting to winsrv01.DOMAIN.LAN [10.0.0.4] port 5986.\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: fd 3 clearing O_NONBLOCK\r\ndebug1: Connection established.\r\ndebug3: timeout: 59999 ms remain after connect\r\ndebug1: identity file /home/ansible/.ssh/myrsakey type 1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /home/ansible/.ssh/myrsakey-cert type -1\r\ndebug1: Enabling compatibility mode for protocol 2.0\r\ndebug1: Local version string SSH-2.0-OpenSSH_7.4\r\nConnection timed out during banner exchange\r\n", 

    "unreachable": true

}

pywinrm test script can properly connect to Windows node (after issuing kinit manually on Ansible server to grap a Kerberos ticket):

python test_winrm.py

# test_winrm.py

p = Protocol(
    endpoint='https://winsrv01.domain.lan:5986/wsman',//
    transport='kerberos',
    username='WIN...@DOMAIN.LAN',
    server_cert_validation='ignore')


shell_id = p.open_shell()


command_id = p.run_command(shell_id, 'hostname')


std_out, std_err, status_code = p.get_command_output(shell_id, command_id)


print std_out

Ansible "/etc/ansible/hosts" file :

[local]
localhost ansible_connection=local


[windows]
winsrv01.DOMAIN.LAN


[linux]
linuxsrv01.DOMAIN.LAN

Ansible variables "/etc/ansible/group_vars/windows.yml:

---
# /etc/ansible/group_vars/windows.ym
ansible_user: WINUSER@DOMAIN.LAN
ansible_password: xxxxxxxxxxxxxxxx
ansible_port: 5986
ansible_connexion: winrm
ansible_winrm_scheme: https
ansible_winrm_transport: kerberos,ntlm,plaintext
ansible_winrm_operation_timeout_sec: 60
ansible_winrm_server_cert_validation: ignore

I'm not sure why debug messages show SSH stuff even if target host is a Windows node...

Help would be greatly appreciated

Thanks in advance

[Jordan Borean]

It is showing it tried to connect through ssh because there is a typo in your group vars. Change ansible_connexion: winrm to ansible_connection: winrm and it should start to use the correct connection plugin.

[macro...@gmail.com]

Hi,

You've hit the nail right on the head!! 

"Issue" solved...