Hi,
Well, thanks for your page, I've made some progress. I am able to
authenticate with the domain admin user now. I even have an "echo
$(whoami)" that I run in the playbook as raw and that is outputting the
domain admin username (<domain>\administrator).
However, I still have the following problems:
- When the setup.exe is run (raw) it doesn't seem to complete. It just
kind of sits there until I kill it.
- When I run the SharePoint psconfig.exe, it's giving me this error:
TASK: [raw C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/psconfig.exe -cmd
evalprovision provision] ***
failed: [ansible1.domain2.whatever.com] => {"rc": 4294967295}
Copyright (C) Microsoft Corporation 2005. All rights reserved.ard version
12.0.6413.1000
Performing configuration task 1 of 3
Initializing SharePoint Products and Technologies configuration...
Successfully initialized the SharePoint Products and Technologies
configuration.
Performing configuration task 2 of 3
Creating sample data...
Failed to create sample data.
An exception of type
Microsoft.SharePoint.PostSetupConfiguration.PostSetupConfigurationTaskException
was thrown. Additional exception information: The evalprovision command is
invalid or a failure has been encountered.
Cannot create sample data because this computer is not part of a server
farm. Run this configuration wizard again to create or join a server farm.
I think I've seen that before, when I was originally doing the Chef
implementation, and if I recall, it occurs because I'm not logged into the
SharePoint machine as the right user, so it can't "join the farm".
Is this the double-hop problem you mentioned? So there is no way to get
this working with Ansible?
Thanks,
Jim
On Saturday, August 1, 2015 at 8:51:48 AM UTC-4, O haya wrote:
>
> Hi,
>
> I'll take a look at that, but, and I know that this is jumping around a
> bit, but... going back to earlier in the thread: Any idea why when I was
> using scripts it was failing, whereas going to raw and individual commands
> was necessary (and also Start-Process didn't seem to work even under raw)?
>
> As I said, I'm basically trying to replicate some things that we already
> have working with Chef, but with Ansible, and so far, there are a number of
> significant issues like these.
>
> I understand these issues are with Windows targets, but unfortunately,
> that (Windows) is a large part of our infrastructure.
>
> Thanks,
> Jim
>
>
>
> On Saturday, August 1, 2015 at 6:37:18 AM UTC-4, Trond Hindenes wrote:
>
> The painful process of setting up the self-signed cert and all that is why
> we created the bootstrap script which sets up your Windows node for Ansible.
> That process is documented here:
> http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep
>
> Regarding domain authentication, I created a blog post about that which
> you'll find here:
>
> http://hindenes.com/trondsworking/2015/07/27/ansible-and-windows-configuring-kerberosactive-directory-authentication/
>
> Hopefully using that you should be able to get it working.
> Once that's done you'll probably see another problem, which is around
> Kerberos and double-hop remoting. Basically if you use Kerberos to
> authenticate from your Ansible controller to your Windows node you can't
> use the same Kerberos "session" to authenticate from the Windows node to a
> third Windows node (such as a database with integrated auth or whatever).
> This problem relates to Kerberos in general and doesn't have anything to do
> with Ansible. People are working on tweaking Ansible to better support
> different auth schemes so that it's possible to authenticate from Ansible
> using basic auth via domain creds, but that support isn't currently there.
>
>
> On Saturday, August 1, 2015 at 1:20:03 AM UTC+2, O haya wrote:
>
> Hi,
>
> It was very painful, but I think that I've been able to enable port 5986
> for SSL. I had to:
>
> - Create a self-signed cert for the Ansible node machine using
> makecert.exe from the .NET 3.5 SDK for Windows
> - Enable the WinRM listener
> - Open incoming port # 5986 on the firewall
>
> Now, using "netstat -an" I can see 5986 listening and I can "openssl
> s_client" to port 5986 from the Ansible server.
>
> If I put "administrator" as the username in the group_var/windows.yml, and
> port 5986, and then do ansible:
>
> [root@centos65 ansible_test]# ansible windows -i host -m win_ping
> ansible1.domain2.whatever.com | success >> {
> "changed": false,
> "ping": "pong"
> }
>
>
> However, if I change the username in windows.yml to
> <domain>\administrator, and do "ansible windows -i host -m win_ping" it
> fails with a 401 error (not authorized).
>
>
> [root@centos65 ansible_test]# ansible windows -i host -m win_ping -vvvv
> <ansible1.domain2.whatever.com> ESTABLISH WINRM CONNECTION FOR USER:
> domain2\administrator on PORT 5986 TO ansible1.domain2.whatever.com
> <ansible1.domain2.whatever.com> WINRM CONNECT: transport=plaintext
> endpoint=https://ansible1.domain2.whatever.com:5986/wsman
> <ansible1.domain2.whatever.com> WINRM CONNECTION ERROR: 401 Unauthorized.
> basic auth failed
> ansible1.domain2.whatever.com | FAILED => 401 Unauthorized. basic auth
> failed
> [root@centos65 ansible_test]#
>
> I'm not sure where to go from here. I mean 5986 seems to be working, and
> is SSL-enabled, so shouldn't the authentication work now?
>
> Jim
>
>
>
>
> On Friday, July 31, 2015 at 3:51:42 PM UTC-4, O haya wrote:
>
> Hi,
>
> Just some comments:
>
> - It looks to me like if the user name in group_vars\windows.yml has
> format "<domain>\username", then Ansible tries to connect to port 5985
> using httpS/SSL and I get the SSL errors, but if the username has format
> "username", I don't get the SSL error.
>
> - As I said, the target machine is only listening on 5985 and not
> listening on 5986 at all.
>
>
> Am I supposed to do something (other than pip kerberos above) to enable
> SSL at the node? Is the node supposed to be listening on 5986?
>
> Thanks,
> Jim
>
>
> P.S. And BTW, yes, I am still a little confused about what a module is
> vs. what a playbook is in Ansible, especially a Powershell module vs. a
> Playbook that runs Powershell scripts.
>
>
>
>
> On Friday, July 31, 2015 at 3:34:05 PM UTC-4, O haya wrote:
>
> Hi,
>
> FYI, the target Windows machine is not listening on 5986 at all, just on
> 5985.
>
> Here's my current playbook:
>
> # This playbook tests the script module on Windows hosts
>
> - name: Run powershell script
>   hosts: windows
>   gather_facts: false
>   tasks:
>     - name: Run powershell script-1
>       script: scripts/install-1.ps1
>     - pause: prompt="press ENTER"
>     - raw: cd c:/Sharepoint2007SP2files
>     - raw: c:/Sharepoint2007SP2files/setup.exe /config config.xml
>     - pause: prompt="press ENTER AGAIN"
>     - raw: cd "C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/"
>     - raw: C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/psconfig.exe -cmd evalprovision provision
>
>
> and here's groups_var/windows.yml:
>
> ansible_ssh_user: domain2\administrator
> ansible_ssh_pass: XXXXXX
> ansible_ssh_port: 5985
> ansible_connection: winrm
>
>
> Also, to be clear, I've been running:
>
> ansible-playbook install-3parts.yml
>
> Jim
>
>
>
> On Friday, July 31, 2015 at 1:28:40 PM UTC-4, J Hawkesworth wrote:
>
> I think maybe you need to connect on 5986 to use kerberos - different
> version of ansible but likely the same - as mentioned here:
> https://groups.google.com/forum/#!topic/ansible-devel/CpZ0c7na9cI
>
> If that's not it.... can you share your current playbook and
> group_vars/windows settings (minus passwords of course)? - It's easier to
> get an idea of what might be happening.
>
> Also, looking at your messages above I am surprised you can treat your
> powershell script as if it is an ansible module so instead of
>
> ansible windows -i host -m installit -vvvv
>
> try
>
> ansible windows -i host -m script -a installit.ps1 -vvvv
>
> Hope this helps,
>
> Jon
>
> On Friday, July 31, 2015 at 4:29:42 PM UTC+1, O haya wrote:
>
> Hi,
>
> Yes, I think that I already did that (it was in my notes):
>
> [root@centos65 ~]# pip install kerberos
> Requirement already satisfied (use --upgrade to upgrade): kerberos in
> /usr/lib64/python2.6/site-packages
> [root@centos65 ~]#
>
>
> So why would I be getting the errors I posted in the earlier post now?
>
> Thanks,
> Jim
>
>
>
> On Friday, July 31, 2015 at 9:13:06 AM UTC-4, J Hawkesworth wrote:
>
> A linux machine can function as a domain member. Or you can set things up
> so that your ansible machine can authenticate against the domain as needed
> and then ansible can connect as a domain user (and a domain administrator).
>
> There are extra steps if you need to connect as a domain user - see this
> page:
> http://docs.ansible.com/ansible/intro_windows.html#installing-on-the-control-machine
>
> Probably just need to install kerberos - have you installed this?
>
> Jon
>
>
>
> On Friday, July 31, 2015 at 1:50:53 PM UTC+1, O haya wrote:
>
> I was doing "cd" to set the current directory and then running the
> ./setup.exe, but it didn't work, so I use <path>/setup.exe instead and that
> seems to have worked.
>
> However, now, I am encountering a problem:
>
> <ansibleclient1.whatever.com> ESTABLISH WINRM CONNECTION FOR USER:
> domain2\administrator on PORT 5985 TO ansibleclient1.whatever.com
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=
> http://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 401 Unauthorized.
> basic auth failed
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=
> https://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 500 WinRMTransport.
> [Errno 1] _ssl.c:492: error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol
> fatal: [ansibleclient1.whatever.com] => 500 WinRMTransport. [Errno 1]
> _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol
>
> FATAL: all hosts have already failed -- aborting
>
> PLAY RECAP
> ********************************************************************
> to retry, use: --limit @/root/install-3parts.retry
>
> ansibleclient1.whatever.com : ok=0 changed=0 unreachable=1
> failed=0
>
>
> As I mentioned, I am trying to install Sharepoint, which uses AD, so when
> I do the installation, I have to be logged into the target machine as a
> domain administrator. However, when I try to use "domain2\administrator"
> in the group_vars/windows.yml I get the above error.
>
> I don't know if it's possible to get past this, but even if I can, I've
> just realized that there may be another problem. As I said, I have to be
> able to log into the machine as a domain admin. When I did the Chef
> implementation, I found that I could only do that if I did the log in from
> a domain member machine. However, since Ansible controller only runs on
> Linux, that seems to mean that this is all going to be impossible (or can a
> Linux machine be a domain member?)?
>
> Since our use case is heavily Windows-based, that is leading me to think
> that Ansible may not be suitable for us?
>
> Thanks,
> Jim
>
>
> On Friday, July 31, 2015 at 8:06:55 AM UTC-4, O haya wrote:
>
> Hi,
>
> The same comment about the "-ArgumentList", but I got rid of that and have
> simply:
>
> ./setup.exe xxxxx
>
> and still get the same error...
>
> Jim
>
>
>
> On Friday, July 31, 2015 at 8:03:40 AM UTC-4, O haya wrote:
>
> Hi,
>
> I realized that the "-Wait" param was left over from when I was using
> Start-Process, so I got rid of the "-Wait" and tested again, but still got
> exactly the same error.
>
> Jim
>
>
> On Friday, July 31, 2015 at 7:56:20 AM UTC-4, O haya wrote:
>
> Hi,
>
> I tried using raw and got this:
>
>
> TASK: [raw ./setup.exe -ArgumentList "xxxxxx" -Wait] **************
> failed: [ansibleclient1.whatever.com] => {"rc": 1}
> stderr: '.' is not recognized as an internal or external command,
> operable program or batch file.
>
>
> FATAL: all hosts have already failed -- aborting
>
> On Friday, July 31, 2015 at 7:36:07 AM UTC-4, O haya wrote:
>
> I'm running Ansible 1.9.2, which is I think the latest (just downloaded it
> a couple of days ago).
>
>
> I've tried running the setup.exe and psconfig.exe without Start-Process
> but within the .ps1 still, and that has the same problem.
>
> I'll try to break out setup.exe and psconfig.exe and run them with raw in
> playbook task and see if that works differently. I think that's what
> you're suggesting, right?
>
>
> BTW, it's really hard to understand what is actually happening? From
> logging from the setup.exe, it looks like it is running but only partially.
> Logging looks strange. I can see that it starts running but then the
> logging just ends, with no errors. Then, I suspect because setup.exe is
> stopping/ending, the psconfig.exe can't run because the files haven't been
> fully laid down.
>
>
>
> Thanks,
> Jim
>
>
>
> On Friday, July 31, 2015 at 1:23:38 AM UTC-4, J Hawkesworth wrote:
>
> What ansible version are you using? If I recall we had a problem in the
> past with execution policy being set differently under some circumstances,
> which I speculate might be causing your problems.
>
> As a 'get-you-going' suggestion, you could try running the problematic
> commands (without the start-process) using the 'raw' module.
>
> Hope this helps, let us know how you get on.
>
> Jon
>
> On Thursday, July 30, 2015 at 9:36:42 PM UTC+1, O haya wrote:
>
> Hi,
>
> FYI, I've also tried changing from using Start-Process to Invoke-Command,
> but it still seems to do the same thing (hangs) when I try to run the ps1
> via Ansible. I don't know if this'll help, but here's the output with
> -vvvv:
>
> [root@centos65 ansible_test]# ansible windows -i host -m installit -vvvv
> <ansibleclient1.whatever.com> ESTABLISH WINRM CONNECTION FOR USER:
> administrator on PORT 5985 TO ansibleclient1.whatever.com
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=
> http://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> REMOTE_MODULE installit
> <ansibleclient1.whatever.com> EXEC (New-Item -Type Directory -Path
> $env:temp -Name "ansible-tmp-1438288265.32-170673722533874").FullName |
> Write-Host -Separator '';
> <ansibleclient1.whatever.com> WINRM EXEC 'PowerShell' ['-NoProfile',
> '-NonInteractive', '-EncodedCommand',
> 'KABOAGUAdwAtAEkAdABlAG0AIAAtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgB0AGUAbQBwACAALQBOAGEAbQBlACAAIgBhAG4AcwBpAGIAbABlAC0AdABtAHAALQAxADQAMwA4ADIAOAA4ADIANgA1AC4AMwAyAC0AMQA3ADAANgA3ADMANwAyADIANQAzADMAOAA3ADQAIgApAC4ARgB1AGwAbABOAGEAbQBlACAAfAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAtAFMAZQBwAGEAcgBhAHQAbwByACAAJwAnADsA']
> <ansibleclient1.whatever.com> WINRM RESULT <Response code 0, out
> "C:\Users\Administrat", err "">
> <ansibleclient1.whatever.com> PUT /tmp/tmpJaC2C3 TO
> C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to
> C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1
>
> (offset=0 size=2030)
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to
> C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1
>
> (offset=2030 size=2030)
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to
> C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1
>
> (offset=4060 size=2030)
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to
> C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1
>
> (offset=6090 size=2008)
> <ansibleclient1.whatever.com> PUT /tmp/tmputTM97 TO
> C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\arguments
> <ansibleclient1.whatever.com> WINRM PUT /tmp/tmputTM97 to
> C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\arguments
>
> (offset=0 size=2)
> <ansibleclient1.whatever.com> EXEC PowerShell -NoProfile -NonInteractive
> -ExecutionPolicy Unrestricted -File
> C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit.ps1
>
> C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\arguments;
>
> Remove-Item
> "C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\"
>
> -Force -Recurse;
> <ansibleclient1.whatever.com> WINRM EXEC 'PowerShell' ['-NoProfile',
> '-NonInteractive', '-EncodedCommand',
> 'UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARgBpAGwAZQAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABl
>
> ...
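
An added example (not part of the original thread and not Ansible's own code): a small Python triage of the WinRM connection failures quoted above, showing why each attempt failed and where Basic credentials travel unencrypted. The sample log is constructed by unwrapping lines from the thread's -vvvv output; `triage` and the finding labels are hypothetical names.

```python
import re

# Constructed sample: unwrapped lines modelled on the -vvvv output quoted in the thread.
SAMPLE_LOG = r"""
<ansibleclient1.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: domain2\administrator on PORT 5985 TO ansibleclient1.whatever.com
<ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=http://ansibleclient1.whatever.com:5985/wsman
<ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 401 Unauthorized. basic auth failed
<ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=https://ansibleclient1.whatever.com:5985/wsman
<ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
"""

USER_RE = re.compile(r"ESTABLISH WINRM CONNECTION FOR USER: (\S+) on PORT \d+")
CONNECT_RE = re.compile(r"WINRM CONNECT: transport=(\S+) endpoint=((https?)://[^\s:/]+:(\d+)/\S*)")
ERROR_RE = re.compile(r"WINRM CONNECTION ERROR: (.+)")


def triage(log):
    """Return (endpoint, finding) pairs for the WinRM connection attempts in a log."""
    findings, user, attempt = [], "", None
    for line in log.splitlines():
        if m := USER_RE.search(line):
            user = m.group(1)
        elif m := CONNECT_RE.search(line):
            transport, endpoint, scheme, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
            attempt = (transport, endpoint, scheme, port)
            # transport=plaintext is HTTP Basic auth (the log's own error says
            # "basic auth failed"); over http:// the password is only base64-encoded.
            if transport == "plaintext" and scheme == "http":
                findings.append((endpoint, "basic-credentials-sent-in-cleartext"))
        elif (m := ERROR_RE.search(line)) and attempt:
            transport, endpoint, scheme, port = attempt
            error = m.group(1)
            if "unknown protocol" in error and scheme == "https" and port == 5985:
                # 5985 is the default WinRM HTTP listener; it cannot answer a TLS hello.
                findings.append((endpoint, "tls-handshake-sent-to-http-listener"))
            elif error.startswith("401") and transport == "plaintext" and ("\\" in user or "@" in user):
                # WinRM Basic auth only accepts local accounts, so a domain
                # account gets 401 regardless of the password.
                findings.append((endpoint, "basic-auth-with-domain-account"))
            else:
                findings.append((endpoint, "unclassified: " + error))
            attempt = None
    return findings


if __name__ == "__main__":
    for endpoint, finding in triage(SAMPLE_LOG):
        print(endpoint, "->", finding)
```
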