The painful process of setting up the self-signed cert and all that is why we created the bootstrap script, which sets up your Windows node for Ansible. That process is documented here: http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep
Regarding domain authentication, I created a blog post about that which you'll find here: http://hindenes.com/trondsworking/2015/07/27/ansible-and-windows-configuring-kerberosactive-directory-authentication/

Hopefully using that you should be able to get it working. Once that's done you'll probably see another problem, which is around Kerberos and double-hop remoting. Basically, if you use Kerberos to authenticate from your Ansible controller to your Windows node, you can't use the same Kerberos "session" to authenticate from the Windows node to a third Windows node (such as a database with integrated auth or whatever). This problem relates to Kerberos in general and doesn't have anything to do with Ansible. People are working on tweaking Ansible to better support different auth schemes so that it's possible to authenticate from Ansible using basic auth via domain creds, but that support isn't currently there.

On Saturday, August 1, 2015 at 1:20:03 AM UTC+2, O haya wrote:
> Hi,
>
> It was very painful, but I think that I've been able to enable port 5986 for SSL. I had to:
>
> - Create a self-signed cert for the Ansible node machine using makecert.exe from the .NET 3.5 SDK for Windows
> - Enable the WinRM listener
> - Open incoming port # 5986 on the firewall
>
> Now, using "netstat -an" I can see 5986 listening and I can "openssl s_client" to port 5986 from the Ansible server.
>
> If I put "administrator" as the username in the group_var/windows.yml, and port 5986, and then do ansible:
>
> [root@centos65 ansible_test]# ansible windows -i host -m win_ping
> ansible1.domain2.whatever.com | success >> {
>     "changed": false,
>     "ping": "pong"
> }
>
> However, if I change the username in windows.yml to <domain>\administrator, and do "ansible windows -i host -m win_ping", it fails with a 401 error (not authorized).
>
> [root@centos65 ansible_test]# ansible windows -i host -m win_ping -vvvv
> <ansible1.domain2.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: domain2\administrator on PORT 5986 TO ansible1.domain2.whatever.com
> <ansible1.domain2.whatever.com> WINRM CONNECT: transport=plaintext endpoint=https://ansible1.domain2.whatever.com:5986/wsman
> <ansible1.domain2.whatever.com> WINRM CONNECTION ERROR: 401 Unauthorized. basic auth failed
> ansible1.domain2.whatever.com | FAILED => 401 Unauthorized. basic auth failed
> [root@centos65 ansible_test]#
>
> I'm not sure where to go from here. I mean 5986 seems to be working, and is SSL-enabled, so shouldn't the authentication work now?
>
> Jim
>
> On Friday, July 31, 2015 at 3:51:42 PM UTC-4, O haya wrote:
> Hi,
>
> Just some comments:
>
> - It looks to me like if the user name in group_vars\windows.yml has format "<domain>\username", then Ansible tries to connect to port 5985 using httpS/SSL and I get the SSL errors, but if the username has format "username" I don't get the SSL error.
> - As I said, the target machine is only listening on 5985 and not listening on 5986 at all.
>
> Am I supposed to do something (other than pip kerberos above) to enable SSL at the node? Is the node supposed to be listening on 5986?
>
> Thanks,
> Jim
>
> P.S. And BTW, yes, I am still a little confused about what a module is vs. what a playbook is in Ansible, especially a PowerShell module vs. a playbook that runs PowerShell scripts.
>
> On Friday, July 31, 2015 at 3:34:05 PM UTC-4, O haya wrote:
> Hi,
>
> FYI, the target Windows machine is not listening on 5986 at all, just on 5985.
>
> Here's my current playbook:
>
> # This playbook tests the script module on Windows hosts
>
> - name: Run powershell script
>   hosts: windows
>   gather_facts: false
>   tasks:
>     - name: Run powershell script-1
>       script: scripts/install-1.ps1
>     - pause: prompt="press ENTER"
>     - raw: cd c:/Sharepoint2007SP2files
>     - raw: c:/Sharepoint2007SP2files/setup.exe /config config.xml
>     - pause: prompt="press ENTER AGAIN"
>     - raw: cd "C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/"
>     - raw: C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/psconfig.exe -cmd evalprovision provision
>
> and here's groups_var/windows.yml:
>
> ansible_ssh_user: domain2\administrator
> ansible_ssh_pass: XXXXXX
> ansible_ssh_port: 5985
> ansible_connection: winrm
>
> Also, to be clear, I've been running:
>
> ansible-playbook install-3parts.yml
>
> Jim
>
> On Friday, July 31, 2015 at 1:28:40 PM UTC-4, J Hawkesworth wrote:
> I think maybe you need to connect on 5986 to use Kerberos - different version of Ansible but likely the same - as mentioned here: https://groups.google.com/forum/#!topic/ansible-devel/CpZ0c7na9cI
>
> If that's not it.... can you share your current playbook and group_vars/windows settings (minus passwords of course)? It's easier to get an idea of what might be happening.
>
> Also, looking at your messages above I am surprised you can treat your PowerShell script as if it is an Ansible module, so instead of
>
> ansible windows -i host -m installit -vvvv
>
> try
>
> ansible windows -i host -m script -a installit.ps1 -vvvv
>
> Hope this helps,
>
> Jon
>
> On Friday, July 31, 2015 at 4:29:42 PM UTC+1, O haya wrote:
> Hi,
>
> Yes, I think that I already did that (it was in my notes):
>
> [root@centos65 ~]# pip install kerberos
> Requirement already satisfied (use --upgrade to upgrade): kerberos in /usr/lib64/python2.6/site-packages
> [root@centos65 ~]#
>
> So why would I be getting the errors I posted in the earlier post now?
>
> Thanks,
> Jim
>
> On Friday, July 31, 2015 at 9:13:06 AM UTC-4, J Hawkesworth wrote:
> A Linux machine can function as a domain member. Or you can set things up so that your Ansible machine can authenticate against the domain as needed and then Ansible can connect as a domain user (and a domain administrator).
>
> There are extra steps if you need to connect as a domain user - see this page: http://docs.ansible.com/ansible/intro_windows.html#installing-on-the-control-machine
>
> Probably just need to install kerberos - have you installed this?
>
> Jon
>
> On Friday, July 31, 2015 at 1:50:53 PM UTC+1, O haya wrote:
> I was doing "cd" to set the current directory and then running the ./setup.exe, but it didn't work, so I use <path>/setup.exe instead and that seems to have worked.
>
> However, now, I am encountering a problem:
>
> <ansibleclient1.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: domain2\administrator on PORT 5985 TO ansibleclient1.whatever.com
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=http://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 401 Unauthorized. basic auth failed
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=https://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> fatal: [ansibleclient1.whatever.com] => 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
>
> FATAL: all hosts have already failed -- aborting
>
> PLAY RECAP ********************************************************************
> to retry, use: --limit @/root/install-3parts.retry
>
> ansibleclient1.whatever.com : ok=0 changed=0 unreachable=1 failed=0
>
> As I mentioned, I am trying to install Sharepoint, which uses AD, so when I do the installation, I have to be logged into the target machine as a domain administrator. However, when I try to use "domain2\administrator" in the group_vars/windows.yml I get the above error.
>
> I don't know if it's possible to get past this, but even if I can, I've just realized that there may be another problem. As I said, I have to be able to log into the machine as a domain admin. When I did the Chef implementation, I found that I could only do that if I did the log in from a domain member machine. However, since the Ansible controller only runs on Linux, that seems to mean that this is all going to be impossible (or can a Linux machine be a domain member?).
>
> Since our use case is heavily Windows-based, that is leading me to think that Ansible may not be suitable for us?
>
> Thanks,
> Jim
>
> On Friday, July 31, 2015 at 8:06:55 AM UTC-4, O haya wrote:
> Hi,
>
> The same comment about the "-ArgumentList", but I got rid of that and have simply:
>
> ./setup.exe xxxxx
>
> and still get the same error...
>
> Jim
>
> On Friday, July 31, 2015 at 8:03:40 AM UTC-4, O haya wrote:
> Hi,
>
> I realized that the "-Wait" param was left over from when I was using Start-Process, so I got rid of the "-Wait" and tested again, but still got exactly the same error.
>
> Jim
>
> On Friday, July 31, 2015 at 7:56:20 AM UTC-4, O haya wrote:
> Hi,
>
> I tried using raw and got this:
>
> TASK: [raw ./setup.exe -ArgumentList "xxxxxx" -Wait] **************
> failed: [ansibleclient1.whatever.com] => {"rc": 1}
> stderr: '.' is not recognized as an internal or external command, operable program or batch file.
>
> FATAL: all hosts have already failed -- aborting
>
> On Friday, July 31, 2015 at 7:36:07 AM UTC-4, O haya wrote:
> I'm running Ansible 1.9.2, which is I think the latest (just downloaded it a couple of days ago).
>
> I've tried running the setup.exe and psconfig.exe without Start-Process but within the .ps1 still, and that has the same problem.
>
> I'll try to break out setup.exe and psconfig.exe and run them with raw in playbook tasks and see if that works differently. I think that's what you're suggesting, right?
>
> BTW, it's really hard to understand what is actually happening. From the logging from the setup.exe, it looks like it is running but only partially. Logging looks strange. I can see that it starts running but then the logging just ends, with no errors. Then, I suspect because setup.exe is stopping/ending, the psconfig.exe can't run because the files haven't been fully laid down.
>
> Thanks,
> Jim
>
> On Friday, July 31, 2015 at 1:23:38 AM UTC-4, J Hawkesworth wrote:
> What Ansible version are you using? If I recall we had a problem in the past with execution policy being set differently under some circumstances, which I speculate might be causing your problems.
>
> As a 'get-you-going' suggestion, you could try running the problematic commands (without the Start-Process) using the 'raw' module.
>
> Hope this helps, let us know how you get on.
>
> Jon
>
> On Thursday, July 30, 2015 at 9:36:42 PM UTC+1, O haya wrote:
> Hi,
>
> FYI, I've also tried changing from using Start-Process to Invoke-Command, but it still seems to do the same thing (hangs) when I try to run the ps1 via Ansible. I don't know if this'll help, but here's the output with -vvvv:
>
> [root@centos65 ansible_test]# ansible windows -i host -m installit -vvvv
> <ansibleclient1.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: administrator on PORT 5985 TO ansibleclient1.whatever.com
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=http://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> REMOTE_MODULE installit
> <ansibleclient1.whatever.com> EXEC (New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1438288265.32-170673722533874").FullName | Write-Host -Separator '';
> <ansibleclient1.whatever.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-EncodedCommand', 'KABOAGUAdwAtAEkAdABlAG0AIAAtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgB0AGUAbQBwACAALQBOAGEAbQBlACAAIgBhAG4AcwBpAGIAbABlAC0AdABtAHAALQAxADQAMwA4ADIAOAA4ADIANgA1AC4AMwAyAC0AMQA3ADAANgA3ADMANwAyADIANQAzADMAOAA3ADQAIgApAC4ARgB1AGwAbABOAGEAbQBlACAAfAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAtAFMAZQBwAGEAcgBhAHQAbwByACAAJwAnADsA']
> <ansibleclient1.whatever.com> WINRM RESULT <Response code 0, out "C:\Users\Administrat", err "">
> <ansibleclient1.whatever.com> PUT /tmp/tmpJaC2C3 TO C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1 (offset=0 size=2030)
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1 (offset=2030 size=2030)
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1 (offset=4060 size=2030)
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1 (offset=6090 size=2008)
> <ansibleclient1.whatever.com> PUT /tmp/tmputTM97 TO C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\arguments
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmputTM97 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\arguments (offset=0 size=2)
> <ansibleclient1.whatever.com> EXEC PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -File C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1 C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\arguments; Remove-Item "C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\" -Force -Recurse;
> <ansibleclient1.whatever.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-EncodedCommand', '...']
>
> On Thursday, July 30, 2015 at 3:33:46 PM UTC-4, O haya wrote:
> Hi,
>
> It seems like when the .ps1 is run under Ansible, the two lines with "Start-Process" are not executing. The first one, which runs setup.exe, is supposed to cause copying the Sharepoint files, etc., and then the second is supposed to run psconfig.exe.
>
> I've also tried modifying the ps1 file to eliminate the "Start-Process" and then run the playbook again, but it seems to hang. I can tell because when this script runs normally (not with Ansible) it creates some directories and files on E:, but when I run under Ansible, nothing is being created on E:.
>
> Thanks,
> Jim
>
> On Thursday, July 30, 2015 at 2:17:55 PM UTC-4, O haya wrote:
> Hi,
>
> I have started trying to replicate some of the things that we are currently doing with Chef, but with Ansible. One of these is installing Microsoft Sharepoint (on Windows 2008 R2).
>
> In Chef, I do this using some PowerShell scripting, so I am trying to do that with Ansible.
>
> I am using this simple playbook which I found and modified to run a PowerShell script:
>
> ---
> # This playbook tests the script module on Windows hosts
>
> - name: Run powershell script
>   hosts: windows
>   gather_facts: false
>   tasks:
>     - name: Run powershell script
>       script: scripts/install.ps1
>
> The install.ps1 looks something like:
>
> dism /Online /quiet /Enable-Feature ...
> cd c:\Sharepoint2007SP2files
> echo "About to run setup.exe..." >> c:/install-SHAREPOINT2007FULL.log
> Start-Process ./setup.exe -ArgumentList ... -Wait >> c:/install-SHAREPOINT2007FULL.log
> echo "About to CD..." >> c:/install-SHAREPOINT2007FULL.log
> cd "C:/Program Files/Common Files/Microsoft Shared/Web Server Extensions/12/BIN/"
> echo "About to run psconfig.exe..." >> c:/install-SHAREPOINT2007FULL.log
> Start-Process -FilePath ./psconfig.exe -ArgumentList ... -Wait >> c:/install-SHAREPOINT2007FULL.log
> echo "ALL DONE!!" >> c:/install-SHAREPOINT2007FULL.log
>
> When I try to run the playbook using Ansible, I get this:
>
> PLAY [Run powershell script] **************************************************
>
> TASK: [Run powershell script] *************************************************
> changed: [ansibleclient1.whatever.com]
>
> PLAY RECAP ********************************************************************
> ansibleclient1.whatever.com : ok=1 changed=1 unreachable=0 failed=0
>
> And that completes almost immediately, and when I look at that log file, I see the output messages, but it looks like the actual installation steps that are supposed to run under "Start-Process" are not being invoked at all. I can tell this is the case because files that are supposed to be created during the setup.exe and psconfig.exe runs are not being created.
>
> I ran the same PowerShell script "manually" and it works correctly/completely.
>
> Does anyone know why these commands are being skipped when this PowerShell script is run under Ansible?
>
> Thanks,
> Jim
>
> ...
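The node-side steps the original poster went through by hand (self-signed cert, HTTPS listener, firewall opening, then netstat and openssl s_client to confirm) collapsed into one script, as an added example. This is not the bootstrap script from the Ansible docs and not anything posted in the thread. It assumes an elevated PowerShell on Windows Server 2012 R2 or newer (New-SelfSignedCertificate and New-NetFirewallRule do not exist on 2008 R2, where makecert.exe and netsh advfirewall are the equivalents), and $ControllerIp is an assumed address for the Ansible controller:

```powershell
# Added example: stand up a 5986/HTTPS WinRM listener for Ansible and verify it locally.
# Assumptions (not from the thread): run elevated on Server 2012 R2+; $ControllerIp is
# the controller's address and is only a placeholder value here.
param([string]$ControllerIp = '10.0.0.10')

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. WinRM service plus the default HTTP listener on 5985.
Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null

# 2. A self-signed certificate whose subject is the name the controller will connect to.
#    Self-signed gives transport encryption only: the controller gets server
#    authentication solely by pinning the thumbprint printed at the end.
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Bind an HTTPS listener to that certificate on every address. The HTTP listener can
#    stay; with AllowUnencrypted=false it refuses password auth in the clear anyway.
New-Item -Path 'WSMan:\localhost\Listener' -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 4. Basic is what a password-based connection uses and it only covers local accounts;
#    a domain account still needs Kerberos, as the reply above says. Keep Basic TLS-only.
Set-Item -Path 'WSMan:\localhost\Service\Auth\Basic' -Value $true
Set-Item -Path 'WSMan:\localhost\Service\AllowUnencrypted' -Value $false

# 5. Open 5986 inbound from the controller only, not from every address.
New-NetFirewallRule -DisplayName 'WinRM over HTTPS (Ansible)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -RemoteAddress $ControllerIp -Action Allow | Out-Null

# 6. Verify: listener present, port bound, and a TLS handshake returns our certificate.
#    This is the local equivalent of the "netstat -an" and "openssl s_client" checks.
Get-ChildItem 'WSMan:\localhost\Listener' | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
netstat -an | Select-String ':5986 '

$tcp = New-Object System.Net.Sockets.TcpClient($fqdn, 5986)
# Accept any cert for the handshake itself; we compare the thumbprint ourselves below.
$acceptAll = { param($s, $c, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($fqdn)
$seen = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
$ssl.Dispose()
$tcp.Close()

if ($seen.Thumbprint -ne $cert.Thumbprint) {
    throw "5986 is serving a different certificate ($($seen.Thumbprint)) than the one just created"
}
"5986 serves $($seen.Subject), thumbprint $($seen.Thumbprint); pin this thumbprint on the controller"
```

The firewall rule is scoped to the controller's address on purpose: a WinRM listener that accepts Basic auth is a password-guessing surface, and the thread's own "open incoming port 5986" step did not limit the source. The thumbprint check at the end is the piece that makes the self-signed certificate worth anything; without the controller comparing it, a man-in-the-middle can present its own self-signed certificate and collect the Basic credentials.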
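The double-hop problem described in the reply, reproduced as an added example from a domain-joined Windows client rather than from the Ansible controller, since the reply's point is that the behaviour belongs to Kerberos and not to Ansible. The host names node1.domain2.whatever.com and fileserver.domain2.whatever.com are assumptions made up for the illustration and do not come from the thread:

```powershell
# Added example: show the Kerberos double-hop failure from inside a remote session.
# Assumed names (not from the thread): $node is the WinRM target, $target is a share on a
# third host that the node would have to reach with the caller's identity.
$node   = 'node1.domain2.whatever.com'
$target = '\\fileserver.domain2.whatever.com\share'

Invoke-Command -ComputerName $node -Authentication Kerberos -ScriptBlock {
    param($path)

    # First hop succeeded: this runs on the node under the caller's domain identity.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    "{0} on {1}, authentication type {2}" -f $who.Name, $env:COMPUTERNAME, $who.AuthenticationType

    # The node only received a service ticket for itself, not the caller's TGT, so it
    # cannot ask the KDC for a ticket to the file server. klist in this session shows
    # no ticket-granting ticket for the caller.
    klist

    # Second hop: same account, same network, but the node presents no usable credential
    # to the third host, so the access is refused.
    try {
        Get-ChildItem -Path $path -ErrorAction Stop | Out-Null
        "second hop to $path succeeded (some delegation mechanism is in effect)"
    } catch {
        "second hop to $path failed: $($_.Exception.Message)"
    }
} -ArgumentList $target
```

Run the same Get-ChildItem directly from the client and it succeeds, which is the quickest way to convince someone that the account and the share permissions are fine and that the hop is the problem. For an Ansible playbook this means any task that makes the node talk to another domain resource with integrated authentication (the database with integrated auth in the reply, or a SharePoint configuration step that reaches a SQL server) fails under plain Kerberos, regardless of how the first hop from the controller was authenticated.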
