Hi, I'll take a look at that, but, and I know that this is jumping around a bit, but... going back to earlier in the thread: Any idea why when I was using scripts it was failing, whereas going to raw and individual commands was necessary (and also Start-Process didn't seem to work even under raw)?
As I said, I'm basically trying to replicate some things that we already have working with Chef, but with Ansible, and so far, there are a number of significant issues like these. I understand these issues are with Windows targets, but unfortunately, that (Windows) is a large part of our infrastructure.

Thanks,
Jim

On Saturday, August 1, 2015 at 6:37:18 AM UTC-4, Trond Hindenes wrote:
>
> The painful process of setting up the self-signed cert and all that is why we created the bootstrap script which sets up your windows node for Ansible. That process is documented here:
> http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep
>
> Regarding domain authentication, I created a blog post about that which you'll find here:
> http://hindenes.com/trondsworking/2015/07/27/ansible-and-windows-configuring-kerberosactive-directory-authentication/
>
> Hopefully using that you should be able to get it working.
> Once that's done you'll probably see another problem, which is around kerberos and double-hop remoting. Basically if you use Kerberos to authenticate from your ansible controller to your windows node you can't use the same kerberos "session" to authenticate from the windows node to a third windows node (such as a database with integrated auth or whatever). This problem relates to Kerberos in general and doesn't have anything to do with Ansible. People are working on tweaking Ansible to better support different auth schemes so that it's possible to authenticate from Ansible using basic auth via domain creds, but that support isn't currently there.
>
> On Saturday, August 1, 2015 at 1:20:03 AM UTC+2, O haya wrote:
>
> Hi,
>
> It was very painful, but I think that I've been able to enable port 5986 for SSL. I had to:
>
> - Create a self-signed cert for the Ansible node machine using makecert.exe from the .NET 3.5 SDK for Windows
> - Enable the WinRM listener
> - Open incoming port # 5986 on the firewall
>
> Now, using "netstat -an" I can see 5986 listening and I can "openssl s_client" to port 5986 from the Ansible server.
>
> If I put "administrator" as the username in the group_var/windows.yml, and port 5986, and then do ansible:
>
> [root@centos65 ansible_test]# ansible windows -i host -m win_ping
> ansible1.domain2.whatever.com | success >> {
>     "changed": false,
>     "ping": "pong"
> }
>
> However, if I change the username in windows.yml to <domain>\administrator, and do "ansible windows -i host -m win_ping" it fails with a 401 error (not authorized).
>
> [root@centos65 ansible_test]# ansible windows -i host -m win_ping -vvvv
> <ansible1.domain2.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: domain2\administrator on PORT 5986 TO ansible1.domain2.whatever.com
> <ansible1.domain2.whatever.com> WINRM CONNECT: transport=plaintext endpoint=https://ansible1.domain2.whatever.com:5986/wsman
> <ansible1.domain2.whatever.com> WINRM CONNECTION ERROR: 401 Unauthorized. basic auth failed
> ansible1.domain2.whatever.com | FAILED => 401 Unauthorized. basic auth failed
> [root@centos65 ansible_test]#
>
> I'm not sure where to go from here. I mean 5986 seems to be working, and is SSL-enabled, so shouldn't the authentication work now?
>
> Jim
>
> On Friday, July 31, 2015 at 3:51:42 PM UTC-4, O haya wrote:
>
> Hi,
>
> Just some comments:
>
> - It looks to me like if the user name in group_vars\windows.yml has format "<domain>\username", then Ansible tries to connect to port 5985 using httpS/SSL and I get the SSL errors, but if username has format "username" and I don't get SSL error.
>
> - As I said, the target machine is only listening on 5985 and not listening on 5986 at all.
>
> Am I supposed to do something (other than pip kerberos above) to enable SSL at the node? Is the node supposed to be listening on 5986?
>
> Thanks,
> Jim
>
> P.S. And BTW, yes, I am still a little confused about what a module is vs. what a playbook is in Ansible, especially a Powershell module vs. a Playbook that runs Powershell scripts.
>
> On Friday, July 31, 2015 at 3:34:05 PM UTC-4, O haya wrote:
>
> Hi,
>
> FYI, the target Windows machine is not listening on 5986 at all, just on 5985.
>
> Here's my current playbook:
>
> # This playbook tests the script module on Windows hosts
>
> - name: Run powershell script
>   hosts: windows
>   gather_facts: false
>   tasks:
>     - name: Run powershell script-1
>       script: scripts/install-1.ps1
>     - pause: prompt="press ENTER"
>     - raw: cd c:/Sharepoint2007SP2files
>     - raw: c:/Sharepoint2007SP2files/setup.exe /config config.xml
>     - pause: prompt="press ENTER AGAIN"
>     - raw: cd "C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/"
>     - raw: C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/psconfig.exe -cmd evalprovision provision
>
> and here's groups_var/windows.yml:
>
> ansible_ssh_user: domain2\administrator
> ansible_ssh_pass: XXXXXX
> ansible_ssh_port: 5985
> ansible_connection: winrm
>
> Also, to be clear, I've been running:
>
> ansible-playbook install-3parts.yml
>
> Jim
>
> On Friday, July 31, 2015 at 1:28:40 PM UTC-4, J Hawkesworth wrote:
>
> I think maybe you need to connect on 5986 to use kerberos - different version of ansible but likely the same - as mentioned here:
> https://groups.google.com/forum/#!topic/ansible-devel/CpZ0c7na9cI
>
> If that's not it.... can you share your current playbook and group_vars/windows settings (minus passwords of course)? - It's easier to get an idea of what might be happening.
>
> Also, looking at your messages above I am surprised you can treat your powershell script as if it is an ansible module so instead of
>
> ansible windows -i host -m installit -vvvv
>
> try
>
> ansible windows -i host -m script -a installit.ps1 -vvvv
>
> Hope this helps,
>
> Jon
>
> On Friday, July 31, 2015 at 4:29:42 PM UTC+1, O haya wrote:
>
> Hi,
>
> Yes, I think that I already did that (it was in my notes):
>
> [root@centos65 ~]# pip install kerberos
> Requirement already satisfied (use --upgrade to upgrade): kerberos in /usr/lib64/python2.6/site-packages
> [root@centos65 ~]#
>
> So why would I be getting the errors I posted in the earlier post now?
>
> Thanks,
> Jim
>
> On Friday, July 31, 2015 at 9:13:06 AM UTC-4, J Hawkesworth wrote:
>
> A linux machine can function as a domain member. Or you can set things up so that your ansible machine can authenticate against the domain as needed and then ansible can connect as a domain user (and a domain administrator).
>
> There are extra steps if you need to connect as a domain user - see this page:
> http://docs.ansible.com/ansible/intro_windows.html#installing-on-the-control-machine
>
> Probably just need to install kerberos - have you installed this?
>
> Jon
>
> On Friday, July 31, 2015 at 1:50:53 PM UTC+1, O haya wrote:
>
> I was doing "cd" to set the current directory and then running the ./setup.exe, but it didn't work, so I use <path>/setup.exe instead and that seems to have worked.
>
> However, now, I am encountering a problem:
>
> <ansibleclient1.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: domain2\administrator on PORT 5985 TO ansibleclient1.whatever.com
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=http://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 401 Unauthorized. basic auth failed
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=https://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> fatal: [ansibleclient1.whatever.com] => 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
>
> FATAL: all hosts have already failed -- aborting
>
> PLAY RECAP ********************************************************************
> to retry, use: --limit @/root/install-3parts.retry
>
> ansibleclient1.whatever.com : ok=0 changed=0 unreachable=1 failed=0
>
> As I mentioned, I am trying to install Sharepoint, which uses AD, so when I do the installation, I have to be logged into the target machine as a domain administrator. However, when I try to use "domain2\administrator" in the group_vars/windows.yml I get the above error.
>
> I don't know if it's possible to get past this, but even if I can, I've just realized that there may be another problem. As I said, I have to be able to log into the machine as a domain admin. When I did the Chef implementation, I found that I could only do that if I did the log in from a domain member machine. However, since Ansible controller only runs on Linux, that seems to mean that this is all going to be impossible (or can a Linux machine be a domain member?)?
>
> Since our use case is heavily Windows-based, that is leading me to think that Ansible may not be suitable for us?
>
> Thanks,
> Jim
>
> On Friday, July 31, 2015 at 8:06:55 AM UTC-4, O haya wrote:
>
> Hi,
>
> The same comment about the "-ArgumentList", but I got rid of that and have simply:
>
> ./setup.exe xxxxx
>
> and still get the same error...
>
> Jim
>
> On Friday, July 31, 2015 at 8:03:40 AM UTC-4, O haya wrote:
>
> Hi,
>
> I realized that the "-Wait" param was left over from when I was using Start-Process, so I got rid of the "-Wait" and tested again, but still got exactly the same error.
>
> Jim
>
> On Friday, July 31, 2015 at 7:56:20 AM UTC-4, O haya wrote:
>
> Hi,
>
> I tried using raw and got this:
>
> TASK: [raw ./setup.exe -ArgumentList "xxxxxx" -Wait] **************
> failed: [ansibleclient1.whatever.com] => {"rc": 1}
> stderr: '.' is not recognized as an internal or external command,
> operable program or batch file.
>
> FATAL: all hosts have already failed -- aborting
>
> On Friday, July 31, 2015 at 7:36:07 AM UTC-4, O haya wrote:
>
> I'm running Ansible 1.9.2, which is I think the latest (just downloaded it a couple of days ago).
>
> I've tried running the setup.exe and psconfig.exe without Start-Process but within the .ps1 still, and that has the same problem.
>
> I'll try to break out setup.exe and psconfig.exe and run them with raw in playbook task and see if that works differently. I think that's what you're suggesting, right?
>
> BTW, it's really hard to understand what is actually happening? From logging from the setup.exe, it looks like it is running but only partially. Logging looks strange. I can see that it starts running but then the logging just ends, with no errors. Then, I suspect because setup.exe is stopping/ending, the psconfig.exe can't run because the files haven't been fully laid down.
>
> Thanks,
> Jim
>
> On Friday, July 31, 2015 at 1:23:38 AM UTC-4, J Hawkesworth wrote:
>
> What ansible version are you using? If I recall we had a problem in the past with execution policy being set differently under some circumstances, which I speculate might be causing your problems.
>
> As a 'get-you-going' suggestion, you could try running the problematic commands (without the start-process) using the 'raw' module.
>
> Hope this helps, let us know how you get on.
>
> Jon
>
> On Thursday, July 30, 2015 at 9:36:42 PM UTC+1, O haya wrote:
>
> Hi,
>
> FYI, I've also tried changing from using Start-Process to Invoke-Command, but it still seems to do the same thing (hangs) when I try to run the ps1 via Ansible. I don't know if this'll help, but here's the output with -vvvv:
>
> [root@centos65 ansible_test]# ansible windows -i host -m installit -vvvv
> <ansibleclient1.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: administrator on PORT 5985 TO ansibleclient1.whatever.com
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=http://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> REMOTE_MODULE installit
> <ansibleclient1.whatever.com> EXEC (New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1438288265.32-170673722533874").FullName | Write-Host -Separator '';
> <ansibleclient1.whatever.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-EncodedCommand', 'KABOAGUAdwAtAEkAdABlAG0AIAAtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgB0AGUAbQBwACAALQBOAGEAbQBlACAAIgBhAG4AcwBpAGIAbABlAC0AdABtAHAALQAxADQAMwA4ADIAOAA4ADIANgA1AC4AMwAyAC0AMQA3ADAANgA3ADMANwAyADIANQAzADMAOAA3ADQAIgApAC4ARgB1AGwAbABOAGEAbQBlACAAfAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAtAFMAZQBwAGEAcgBhAHQAbwByACAAJwAnADsA']
> <ansibleclient1.whatever.com> WINRM RESULT <Response code 0, out "C:\Users\Administrat", err "">
> <ansibleclient1.whatever.com> PUT /tmp/tmpJaC2C3 TO C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1 (offset=0 size=2030)
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1 (offset=2030 size=2030)
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1 (offset=4060 size=2030)
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1 (offset=6090 size=2008)
> <ansibleclient1.whatever.com> PUT /tmp/tmputTM97 TO C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\arguments
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmputTM97 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\arguments (offset=0 size=2)
> <ansibleclient1.whatever.com> EXEC PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -File C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1 C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\arguments; Remove-Item "C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\" -Force -Recurse;
> <ansibleclient1.whatever.com> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-EncodedCommand', '...']
>
> On Thursday, July 30, 2015 at 3:33:46 PM UTC-4, O haya wrote:
>
> Hi,
>
> It seems like when the .ps1 is run under Ansible, the two lines with "Start-Process" are not executing. The first one, which runs setup.exe is supposed to cause copying the Sharepoint files, etc. and then the second is supposed to run psconfig.exe.
>
> I've also tried modifying the ps1 file to eliminate the "Start-Process" and then run the playbook again, but it seems to hang. I can tell because when this script runs normally (not with Ansible) it creates some directories and files on E:, but when I run under Ansible, nothing is being created on E:.
>
> Thanks,
> Jim
>
> On Thursday, July 30, 2015 at 2:17:55 PM UTC-4, O haya wrote:
>
> Hi,
>
> I have started trying to replicate some of the things that we are currently doing with Chef, but with Ansible. One of these is installing Microsoft Sharepoint (on Windows 2008 R2).
>
> In Chef, I do this using some Powershell scripting, so I am t
>
> ...
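
Added example, not part of the thread and not Ansible's own code: a triage of the WinRM connection attempts that `-vvvv` prints, flagging the three conditions visible in the logs quoted above (Basic auth over plain HTTP, a domain-qualified user with the `plaintext` transport, and TLS attempted against port 5985). The sample log and host name are constructed, and the finding labels are made up for this example; that WinRM Basic authentication only accepts local accounts is background knowledge, not a statement from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the -vvvv output quoted in the thread.
SAMPLE = r"""
<win1.example.test> ESTABLISH WINRM CONNECTION FOR USER: domain2\administrator on PORT 5985 TO win1.example.test
<win1.example.test> WINRM CONNECT: transport=plaintext endpoint=http://win1.example.test:5985/wsman
<win1.example.test> WINRM CONNECTION ERROR: 401 Unauthorized. basic auth failed
<win1.example.test> WINRM CONNECT: transport=plaintext endpoint=https://win1.example.test:5985/wsman
<win1.example.test> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
"""

USER_RE = re.compile(r"ESTABLISH WINRM CONNECTION FOR USER: (\S+) on PORT (\d+)")
CONNECT_RE = re.compile(r"WINRM CONNECT: transport=(\S+) endpoint=\s*(\S+)")
ERROR_RE = re.compile(r"WINRM CONNECTION ERROR: (\d{3})")


def triage(log_text):
    """Return one dict per WinRM connection attempt, with its findings."""
    user, attempts, current = None, [], None
    for line in log_text.splitlines():
        if m := USER_RE.search(line):
            user = m.group(1)
        elif m := CONNECT_RE.search(line):
            current = {"transport": m.group(1), "endpoint": m.group(2),
                       "status": None, "findings": []}
            attempts.append(current)
        elif (m := ERROR_RE.search(line)) and current:
            current["status"] = int(m.group(1))

    for a in attempts:
        url = urlparse(a["endpoint"])
        basic = a["transport"] == "plaintext"  # the log calls this "basic auth"
        if basic and url.scheme == "http":
            # Basic credentials are only base64-encoded; on HTTP they are readable on the wire.
            a["findings"].append("basic-auth-over-http")
        if basic and user and ("\\" in user or "@" in user):
            # WinRM Basic auth accepts local accounts only, so a domain user gets 401.
            a["findings"].append("domain-account-with-basic-auth")
        if url.scheme == "https" and url.port == 5985:
            # 5985 is the HTTP listener; a TLS handshake there fails as "unknown protocol".
            a["findings"].append("tls-to-http-listener")
    return attempts


if __name__ == "__main__":
    for attempt in triage(SAMPLE):
        print(attempt["endpoint"], attempt["status"], attempt["findings"])
```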
