winrm

[Nikhil Shah]

Nshah Feb 2, 12:42 Hello, I followed the guidelines in setting up a windows node.  http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep I am using Windows 2008 R2, which had PowerShell 2.0 installed; I upgraded to PowerShell 4.0 (since the requirements said PowerShell 3.0).... When trying to run ansible, I am running the following and getting the below listed error message: ansible-playbook -i hosts ipconfig.yml --ask-vault Vault password: PLAY [test raw module] ******************************************************** TASK: [run ipconfig] **********************************************************  fatal: [qa-codegen01.theorchard.local] => 500 WinRMTransport. [Errno 111] Connection refused FATAL: all hosts have already failed -- aborting Note - I went ahead and enabled winRM and configured with the following settings: winrm quickconfig -q winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}' winrm set winrm/config '@{MaxTimeoutms="1800000"}' winrm set winrm/config/service '@{AllowUnencrypted="true"}' winrm set winrm/config/service/auth '@{Basic="true"}'

[Nikhil Shah]

maybe this might be a bit more insight:

ansible windows -m win_ping -vvvv 

<10.40.1.31> ESTABLISH WINRM CONNECTION FOR USER: root on PORT 5986 TO XXXXXXX

<10.40.1.31> WINRM CONNECT: transport=plaintext endpoint=https://XXXXX:5986/wsman

<10.40.1.31> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 111] Connection refused

10.40.1.31 | FAILED => 500 WinRMTransport. [Errno 111] Connection refused

I've got a group_var/windows.yml:

ansible_user: us...@domain.local

ansible_password: XXXXXXXX

ansible_port: 5986

ansible_connection: winrm

# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:

ansible_winrm_server_cert_validation: ignore

[J Hawkesworth]

You have

ansible_user: us...@domain.local

set, implying that you want to use a domain user.

When you run, the following is shown:

transport=plaintext endpoint=https://XXXXX:5986/wsman

The transport needs to be kerberos to connect with a domain user.

I suspect you are missing the python kerberos library.

If this can't be loaded then ansible will attempt a plaintext connection which I am fairly certain won't work with a domain user.

You don't mention which OS you are running ansible on but you probably need to install

python-kerberos from yum 

or

pykerberos from pip

Hope this helps

Jon

[Nikhil Shah]

That's a good start, I am using CentOS, and I was able to run yum install python-kerberos just now. However, still seems to be getting same message when rerunning:

Installed:

  python-kerberos.x86_64 0:1.1-15.el7                                                                                                                                   

Complete!

[root@bamagent06 ansible]# ansible windows -m win_ping -vvvv 

<10.40.1.31> ESTABLISH WINRM CONNECTION FOR USER: root on PORT 5986 TO xx.xx.xx.xx

<10.40.1.31> WINRM CONNECT: transport=plaintext endpoint=https://xx.xx.xx.xx:5986/wsman

<10.40.1.31> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 111] Connection refused

10.40.1.31 | FAILED => 500 WinRMTransport. [Errno 111] Connection refused

It's as if it's not using my group_vars/windows.yml to pick up the creds.

[Nikhil Shah]

I've tested kerberos following http://docs.ansible.com/ansible/intro_windows.html#id9. I ran 

 kinit us...@DOMAIN.LOCAL  and it doesn't come back with anything but it also doesn't come back with a failure. I also try inputting the wrong password on purpose and it throws a "kinit: Preauthentication failed while getting initial credentials" leading me to believe kerberos auth is working fine...I don't understand why its not using kerberos and using "root" and plaintext. I even tried to set the ansible_user/password/host/port in the hosts file for that inventory group. 

On Wednesday, February 3, 2016 at 8:45:49 AM UTC-5, J Hawkesworth wrote:

[Joe Levis]

Nikhil,

I ran into many problems getting kerberos to work with ansible as well, but finally got it working.

First, ensure that you've obtained a valid kerberos ticket by running 'klist' on the command line after running your kinit command. Please post that back here if you can.

Second, make sure your Linux box where you're running Ansible is registered on the same domain as the Windows server you are trying to connect to.

Third, your ansible_user domain needs to be in all CAPS like so us...@DOMAIN.LOCAL

Let us know what you come up with.

-Joe

[Nikhil Shah]

Just an update, but still having issues....I realized I was using ansible 1.9.4 and the syntax is a bit different than ansible 2.0 (e.g ansible_ssh_user vs. ansible_user), now seeing this error:

[root@bamagent06 ansible]# ansible windows -m win_ping -vvvv 

<XX.XX.XX.XX> ESTABLISH WINRM CONNECTION FOR USER:  on PORT 5986 TO XX.XX.XX.XX

<XX.XX.XX.XX> WINRM CONNECT: transport=kerberos endpoint=https://XX.XX.XX.XX:5986/wsman

XX.XX.XX.XX | FAILED => Traceback (most recent call last):

  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 586, in _executor

    exec_rc = self._executor_internal(host, new_stdin)

  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 789, in _executor_internal

    return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)

  File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 968, in _executor_internal_inner

    conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)

  File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect

    self.active = conn.connect()

  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect

    self.protocol = self._winrm_connect()

  File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect

    protocol.send_message('')

  File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message

    return self.transport.send_message(message)

  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 269, in send_message

    krb_ticket = KerberosTicket(self.krb_service)

  File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 205, in __init__

    kerberos.authGSSClientStep(krb_context, '')

GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))

On Tuesday, February 2, 2016 at 4:01:55 PM UTC-5, Nikhil Shah wrote:

[Joe Levis]

Right, so like I said in my previous response: make sure your Linux box is registered on the Windows domain.

Run 'dnsdomainname' to check if your Linux machine is joined to a domain.

If not, you need to use something like PBIS to do so:

https://community.spiceworks.com/how_to/80336-join-ubuntu-14-04lts-to-a-windows-domain-using-pbis-open

-Joe

[Nikhil Shah]

OK, so i setup a new ubuntu serer and followed instructions on tying to domain and looks to be successful...here is the latest error:

root@ansible02:/etc/ansible# ansible windows -m win_ping -vvvv

Using /etc/ansible/ansible.cfg as config file

Loaded callback minimal of type stdout, v2.0

An exception occurred during task execution. The full traceback is:

Traceback (most recent call last):

  File "/usr/lib/pymodules/python2.7/ansible/executor/process/worker.py", line 114, in run

    self._shared_loader_obj,

  File "/usr/lib/pymodules/python2.7/ansible/executor/task_executor.py", line 119, in run

    res = self._execute()

  File "/usr/lib/pymodules/python2.7/ansible/executor/task_executor.py", line 366, in _execute

    self._connection = self._get_connection(variables=variables, templar=templar)

  File "/usr/lib/pymodules/python2.7/ansible/executor/task_executor.py", line 582, in _get_connection

    connection = self._shared_loader_obj.connection_loader.get(conn_type, self._play_context, self._new_stdin)

  File "/usr/lib/pymodules/python2.7/ansible/plugins/__init__.py", line 326, in get

    self._module_cache[path] = self._load_module_source('.'.join([self.package, name]), path)

  File "/usr/lib/pymodules/python2.7/ansible/plugins/__init__.py", line 313, in _load_module_source

    module = imp.load_source(name, path, module_file)

  File "/usr/lib/pymodules/python2.7/ansible/plugins/connection/winrm.py", line 28, in <module>

    import xmltodict

ImportError: No module named xmltodict

10.40.1.31 | FAILED! => {

    "failed": true, 

    "stdout": ""

}

root@ansible02:/etc/ansible# ansible-playbook -i hosts ipconfig.yml

PLAY [test raw module] *********************************************************

TASK [run ipconfig] ************************************************************

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ImportError: No module named xmltodict

fatal: [10.40.1.31]: FAILED! => {"failed": true, "stdout": ""}

PLAY RECAP *********************************************************************

10.40.1.31                 : ok=0    changed=0    unreachable=0    failed=1   

[Nikhil Shah]

sorry for buggin you all soo much, but i feel im almost there!

root@ansible02:/etc/ansible# ansible windows -m win_ping -vvvv

Using /etc/ansible/ansible.cfg as config file

Loaded callback minimal of type stdout, v2.0

<10.40.1.31> ESTABLISH WINRM CONNECTION FOR USER: ag...@domain.LOCAL on PORT 5986 TO 10.40.1.31

10.40.1.31 | FAILED! => {

    "failed": true, 

    "msg": "ERROR! kerberos: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243)), ssl: 500 WinRMTransport. [Errno 111] Connection refused"

}

ro

On Tuesday, February 2, 2016 at 4:01:55 PM UTC-5, Nikhil Shah wrote:

[Nikhil Shah]

I'd like to thank you all, i was able to resolve my windows issue. Few things I had to do was the following:

1. Use Ubuntu instead of CentOS (which is not the reason for the issues)

2. Install PBIS and set that stuff up

3. Follow the instructions on http://docs.ansible.com/ansible/intro_windows.html

4. pip install xmltodict

5. pip install pywinrm

6. Install apt-get install krb5-user (to be able to run kinit)

7. Kept getting "ssl: 500 WinRMTransport" so i ended up using HTTP port 5985 (Ill figure out the whole SSL stuff at a later point)

Thanks guys!

On Tuesday, February 2, 2016 at 4:01:55 PM UTC-5, Nikhil Shah wrote:

[Gilberto Valentin]

I am glad you got this working. I have to prepare for this same setup and wondering if you have any comprehensive notes that you can share here?