win_copy between two win servers with ntlm auth


Klemen Vicic

Jul 24, 2018, 5:34:29 AM
to Ansible Project
Hello,

I'm trying to copy files between two win servers with ntlm authentication. This is my ansible hosts conf:

## Windows servers configuration
[win]

[win:vars]
ansible_user=serve...@domain.com
ansible_password=serveradminpassword
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_port=5985
ansible_winrm_server_cert_validation=ignore

This is my script:

- name: Copy files in windows systems
  hosts: win

  tasks:
  gather_facts: false
  tasks:
   - win_copy:
      src: '\\server1.domain.com\c$\temp\test-transfer-ansible.txt'
      dest: '\\server2.domain.com\c$\temp'
      remote_src: True

That's the output when I try to run a script:

[root@Ansible win]# ansible-playbook win_remote-copy.yml -f 10
 [WARNING]: While constructing a mapping from /var/lib/awx/projects/win/win_remote-copy.yml, line 2, column 3, found a duplicate dict key (tasks). Using last defined value only.


PLAY [Copy files in windows systems] **************************************************************************************************************************************************

TASK [win_copy] ***********************************************************************************************************************************************************************
/usr/lib/python2.7/site-packages/requests_ntlm/requests_ntlm.py:200: NoCertificateRetrievedWarning: Requests is running with a non urllib3 backend, cannot retrieve server certificate for CBT
  NoCertificateRetrievedWarning)
/usr/lib/python2.7/site-packages/requests_ntlm/requests_ntlm.py:200: NoCertificateRetrievedWarning: Requests is running with a non urllib3 backend, cannot retrieve server certificate for CBT
  NoCertificateRetrievedWarning)
fatal: [server1.domain.com]: FAILED! => {"changed": false, "dest": "\\\\server1.domian.com\\c$\\temp", "module_stderr": "Exception calling \"Run\" with \"1\" argument(s): \"Exception calling \"Invoke\" with \"0\" argument(s): \"The running command st\r\nopped because the preference variable \"ErrorActionPreference\" or common parameter is set to Stop: Access is denied\"\"\r\nAt line:65 char:5\r\n+     $output = $entrypoint.Run($payload)\r\n+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException\r\n    + FullyQualifiedErrorId : ScriptMethodRuntimeException\r\n \r\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1, "src": "\\\\server1.domain.com\\c$\\temp\\test-transfer-ansible.txt"}
fatal: [server2.domain.com]: FAILED! => {"changed": false, "dest": "\\\\server2.domain.com\\c$\\temp", "module_stderr": "Exception calling \"Run\" with \"1\" argument(s): \"Exception calling \"Invoke\" with \"0\" argument(s): \"The running command \r\nstopped because the preference variable \"ErrorActionPreference\" or common parameter is set to Stop: Access is denied\"\"\r\nAt line:65 char:5\r\n+     $output = $entrypoint.Run($payload)\r\n+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException\r\n    + FullyQualifiedErrorId : ScriptMethodRuntimeException\r\n \r\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1, "src": "\\\\server1.domain.com\\c$\\temp\\test-transfer-ansible.txt"}
        to retry, use: --limit @/var/lib/awx/projects/win/win_remote-copy.retry

PLAY RECAP ****************************************************************************************************************************************************************************
server1.doman.com      : ok=0    changed=0    unreachable=0    failed=1
server2.domain.com     : ok=0    changed=0    unreachable=0    failed=1

[root@Ansible win]#


Any clue what is wrong with the script...? User is server admin.

Thanks for any help.



J Hawkesworth

Jul 24, 2018, 10:30:06 AM
to Ansible Project
I think you are hitting the so-called 'double hop' issue, where, by design, your credentials are not delegated to the remote servers where the file you want to copy is (or to the remote server where you want to copy the file to). This is a limitation of Windows, rather than anything wrong with your playbooks as such. See https://docs.ansible.com/ansible/2.5/user_guide/windows_winrm.html#limitations

Looking here: https://docs.ansible.com/ansible/2.5/user_guide/windows_winrm.html#authentication-options I think ntlm does not support credential delegation.

So I think you have a few options.

* switch to kerberos or credssp and enable credential delegation
or
* experiment with using 'become'. See the explanation and win_copy example here: https://docs.ansible.com/ansible/2.5/user_guide/become.html#become-and-windows
or
* Reorganize things so you don't need to use windows shares. Win_copy can be slow, especially for large files, so if you are dealing with large files you might find it's quicker to put the files you need behind a web server and fetch them onto the hosts where they are needed using `win_get_url` (that's what I do).

Hope this helps,

Jon
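
The 'become' option from the reply above, sketched as an added example (not code from either poster or from the Ansible project). Hostnames and paths mirror the thread; `vault_win_password` is a hypothetical vaulted variable, and the play targets only the destination server and writes to a local path instead of a second UNC share.

```yaml
# Added example: avoid the double hop by giving the module explicit
# network credentials through become/runas.
- name: Pull a file from server1's admin share onto server2
  hosts: server2.domain.com        # destination host only, not the whole [win] group
  gather_facts: false

  tasks:
    - name: Copy from the UNC path using explicit network credentials
      win_copy:
        src: '\\server1.domain.com\c$\temp\test-transfer-ansible.txt'
        dest: 'C:\temp\test-transfer-ansible.txt'   # local path on server2
        remote_src: true
      vars:
        # The NTLM WinRM logon on server2 cannot reuse its credentials
        # against server1. runas creates a logon that carries the
        # credentials itself, so the SMB connection can authenticate.
        ansible_become: true
        ansible_become_method: runas
        ansible_become_user: '{{ ansible_user }}'
        ansible_become_pass: '{{ vault_win_password }}'   # hypothetical; keep it in Ansible Vault
        # Keep the local identity and use these credentials only for
        # outbound network access.
        ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
```

If you switch the transport to kerberos instead, the corresponding inventory setting is `ansible_winrm_kerberos_delegation=true`.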