The local Administrator account should work, and you don't need to remove it from the domain. I was trying to say a user account that's registered on the domain doesn't seem to be supported currently... or I did something wrong.
While I personally am an admin on these boxes, I don't have the credentials for the local Admin account. So instead, I tried: - damon - damon@domainnamehere And those both failed. I saw a post in here about a fork for supporting domain accounts, but it's still in development, although it sounds like it's progressing pretty well. So then I: - created a local user account on the Windows client *(cleverly named ansible)* - put them in the administrators group on that client - updated /etc/ansible/group_vars/windows.yml with their creds And that did it (along with the basic auth from earlier). As far as the issue you're seeing, that probably should be a new topic; I was just bumping and clarifying this one to see if it should be in the intro page. But, have you completed all of the steps on the Windows setup page? http://docs.ansible.com/intro_windows.html I ask because I had missed one or two steps on the Windows client, I just scrolled over them by accident. Here's my summary of the steps I did to get the target client online and responding: ### Prepare the target system(s) 1. RDP into the host 2. Launch Powershell 3. Run the following commands: Enable-PSRemoting -Force Set-ExecutionPolicy RemoteSigned 4. Poke a hole through the firewall: Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any 5. Create the https certificate 6. and then register a listener. *Note that in order to register it, I had to first run PowerShell, then launch a cmd window from there, and THEN register the listener. Also I didn't use the FQDN, only the output of hostname; also no spaces in the Cert* # while in PowersHell, run... hostname cmd winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="yourhostnamehere";CertificateThumbprint="0e...........21"} 7. Deleting the HTTP transport worked fine from POSH 8. Poke yet another hole in the firewall netsh advfirewall firewall add rule Profile=public name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow 9. Test it. 2-3 more steps and this is a 12step program, just like everything else on Windows. On Wednesday, July 30, 2014 5:20:25 PM UTC-5, Aaron Rogers wrote: > > I'm completely new to Ansible but when I saw that Windows support is being > added I had to jump right in this morning. So far my Ansible instance can > talk to a test Linux host with no issues. For my Windows box I stumbled > across your #1 and #2 items mentioned above but I'm not sure what you mean > by #3. Can you elaborate? > > Here is the error I am getting. Note that the Windows box is in a domain > but I am using the local Administrator account to connect. I can try > removing it from the domain if you think that is worth testing. > > ansible myhost.mydomain.com -m win_ping --ask-vault-pass -vvvv > Vault password: > <myhost.mydomain.com> ESTABLISH WINRM CONNECTION FOR USER: Administrator > on PORT 5985 TO myhost.mydomain.com > <myhost.mydomain.com> WINRM CONNECT: transport=plaintext endpoint= > http://myhost.mydomain.com:5985/wsman > <myhost.mydomain.com> REMOTE_MODULE win_ping > <myhost.mydomain.com> EXEC (New-Item -Type Directory -Path $env:temp > -Name "ansible-tmp-1406758554.1-201733087669750").FullName | Write-Host > -Separator ''; > <myhost.mydomain.com> WINRM EXEC 'PowerShell' ['-NoProfile', > '-NonInteractive', '-EncodedCommand', > 'KABOAGUAdwAtAEkAdABlAG0AIAAtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgB0AGUAbQBwACAALQBOAGEAbQBlACAAIgBhAG4AcwBpAGIAbABlAC0AdABtAHAALQAxADQAMAA2ADcANQA4ADUANQA0AC4AMQAtADIAMAAxADcAMwAzADAAOAA3ADYANgA5ADcANQAwACIAKQAuAEYAdQBsAGwATgBhAG0AZQAgAHwAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAALQBTAGUAcABhAHIAYQB0AG8AcgAgACcAJwA7AA=='] > Traceback (most recent call last): > File "/srv/ansible/lib/ansible/runner/connection_plugins/winrm.py", line > 147, in exec_command > result = self._winrm_exec(cmd_parts[0], cmd_parts[1:], from_exec=True) > File "/srv/ansible/lib/ansible/runner/connection_plugins/winrm.py", line > 118, in _winrm_exec > vvvv('WINRM RESULT %r' % response, host=self.host) > File "/usr/lib/python2.6/site-packages/winrm/__init__.py", line 12, in > __repr__ > self.status_code, self.std_out[:20], self.std_err[:20]) > ValueError: zero length field name in format > myhost.mydomain.com | FAILED => failed to exec cmd PowerShell -NoProfile > -NonInteractive -EncodedCommand > KABOAGUAdwAtAEkAdABlAG0AIAAtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgB0AGUAbQBwACAALQBOAGEAbQBlACAAIgBhAG4AcwBpAGIAbABlAC0AdABtAHAALQAxADQAMAA2ADcANQA4ADUANQA0AC4AMQAtADIAMAAxADcAMwAzADAAOAA3ADYANgA5ADcANQAwACIAKQAuAEYAdQBsAGwATgBhAG0AZQAgAHwAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAALQBTAGUAcABhAHIAYQB0AG8AcgAgACcAJwA7AA== > > > > On Wednesday, July 30, 2014 2:15:23 PM UTC-7, Damon Overboe wrote: >> >> Sorry to revive a somewhat old post, but I was following the basic guide >> from here: http://docs.ansible.com/intro_windows.html, and running the >> command Jason Rizio mentioned solved the 401 error for me as well: >> >> winrm set winrm/config/service/auth @{Basic="true"} >> >> So I'm thinking, how about adding a debugging section to the bottom that >> page? >> >> 1. Mentioning the Basic auth command *(and any security concerns)* >> 2. As well as a note about -vvvv to get verbose feedback >> 3. And possibly a third note about the account (currently) needing >> to be on the local machine; domain accounts seem like they're still >> under >> development on a separate fork. >> >> I know Ansible docs recommend you learn it first and then cross over to >> the dark side, but #2 would probably be huge on that page *(in case >> there are others just like me that did a tutorial on linux:linux and then >> thought, wow, lets make this work with Windows!)* >> >> On Sunday, June 29, 2014 9:11:55 PM UTC-5, Jason Rizio wrote: >>> >>> Well I seemed to have got it working by running the following winrm >>> command on the windows box: >>> >>> *winrm set winrm/config/service/auth @{Basic="true"}* >>> >>> It looks like by default the winrm service basic authentication setting >>> is set to false. >>> >>> I also had some issues with ansible complaining that it couldnt find >>> powershell.ps1 in a python module directory - "imported module support code >>> does not exist". Which is wierd as I have not installed Ansible any other >>> way apart from using Git - I made sure it was a fresh build and ran source >>> ./hacking/env-setup to make sure. >>> >>> I simply copied the powershell.ps1 script to the folder it was looking >>> for and it now works. >>> >>> *cp /home/ubuntu/ansible/lib/ansible/module_utils/powershell.ps1 >>> /usr/local/lib/python2.7/dist-packages/ansible-1.7-py2.7.egg/ansible/module_utils/* >>> >>> Hope this helps you out Trond. >>> >>> >>> >>> >>> >>> On Monday, June 30, 2014 10:44:19 AM UTC+10, Jason Rizio wrote: >>>> >>>> Here are my documented steps: >>>> >>>> ** Windows Host Setup >>>> >>>> Note: Windows server is using Windows Server Datacenter 2008 with SP2 >>>> (Amazon EC2) >>>> >>>> 1. Install Powershell - .NET 4.5 Framework - >>>> http://www.microsoft.com/en-us/download/details.aspx?id=30653 >>>> 2. Install Powershell 3.0 - Windows Management Framework 3.0 - >>>> http://www.microsoft.com/en-us/download/details.aspx?id=34595 >>>> 3. Run: pip install >>>> http://github.com/diyan/pywinrm/archive/master.zip#egg=pywinrm on >>>> Ubuntu Ansible Control box (Ubuntu 14.04) >>>> 4. Setup Windows servername (ip-xxxxxxxx) in Ansible hosts file >>>> 5. Setup group_vars/windows.yml with: >>>> >>>> ansible_ssh_user: Administrator >>>> ansible_ssh_pass: "Password" >>>> ansible_ssh_port: 5986 >>>> ansible_connection: winrm >>>> >>>> 6. Windows server - Powershell command: Enable-PSRemoting -Force >>>> 7. Windows server - PowerShell command: Set-ExecutionPolicy RemoteSigned >>>> 8. Windows server - cmd: NetSH ADVFirewall Set AllProfiles Settings >>>> remotemanagement Enable >>>> 9. Created a self signed certificate using the following powershell >>>> script (Subject name is the server hostname: ip-xxxxxxxx) - >>>> http://social.technet.microsoft.com/wiki/contents/articles/4714.how-to-generate-a-self-signed-certificate-using-powershell.aspx >>>> >>>> - I answered Yes for both Server and Client Authentication (No to >>>> everything else) >>>> >>>> 10. Copied certificate into Trusted Root Certification Authority >>>> 11. Windows server - cmd: winrm create >>>> winrm/config/Listener?Address=*+Transport=HTTPS >>>> >>>> @{Hostname="ip-xxxxxxxx";CertificateThumbprint="481asaflkdfj8bee1e44c44320598jdsklfj8ecb4a844d"} >>>> >>>> 12. Windows server - cmd: winrm delete >>>> winrm/config/listener?Address=*+Transport=HTTP >>>> 13. Windows server - cmd: netsh advfirewall firewall add rule >>>> Profile=public name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP >>>> action=allow >>>> >>>> Hope that helps. >>>> >>>> cheers, >>>> Jason >>>> >>>> >>>> On Monday, June 30, 2014 7:02:39 AM UTC+10, Michael DeHaan wrote: >>>>> >>>>> Yeah if you want to start a clean one and let us know if you get stuck >>>>> that would be great. >>>>> >>>>> Thank you! >>>>> >>>>> >>>>> On Sun, Jun 29, 2014 at 3:33 PM, Trond Hindenes <[email protected]> >>>>> wrote: >>>>> >>>>>> Thanks Michael, >>>>>> >>>>>> I've basically been trying to follow the docs - wondering if I should >>>>>> try and re-setup my ansible node from the beginning and document each >>>>>> step >>>>>> as I go. As you can see above i'm *pretty* sure there's nothing >>>>>> wrong with my remoting endpoint :-) >>>>>> >>>>>> These VMs live in Azure, so if it would help I'd absolutely be >>>>>> willing to let you guys have a look for yourselves. In the meantime I'll >>>>>> just build a fresh ansible host. >>>>>> >>>>>> -- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "Ansible Project" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to [email protected]. >>>>>> To post to this group, send email to [email protected]. >>>>>> To view this discussion on the web visit >>>>>> https://groups.google.com/d/msgid/ansible-project/28312eb2-1563-43b3-9882-68a8ecf3e3fc%40googlegroups.com >>>>>> >>>>>> <https://groups.google.com/d/msgid/ansible-project/28312eb2-1563-43b3-9882-68a8ecf3e3fc%40googlegroups.com?utm_medium=email&utm_source=footer> >>>>>> . >>>>>> >>>>>> For more options, visit https://groups.google.com/d/optout. >>>>>> >>>>> >>>>> -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/0c99a5ca-4e8e-49bf-ac06-a0ecbfb3149f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
