Remember that you need to use single quotation marks around params which 
contain the dollar sign. This works fine on my box:
ansible -m raw -a 'echo $(whoami)' windows_web

It's difficult to try and help you as there seems to be so much going on. I 
would advise you to test this using powershell remoting from another 
windows box. Might be easier to track down errors that way, and then move 
to ansible when you have everything working. As for the double-hop problem 
a normal way to solve it is to have a script which sets up a scheduled job 
where the installer is run.

On Sunday, August 2, 2015 at 9:06:26 PM UTC+2, O haya wrote:

> Hi,
>
> At this point, I am pretty sure that:
>
> - commands that are run inside a powershell script/ps1 using the "script" 
> module are running under the user that I have in the 
> group_vars/windows.yml, but
> - commands that get run under "raw" are not being run as that user.  
>
> - the setup.exe and psconfig.exe are being run and then return 
> immediately when they are in a script/ps1 file
>
> I don't know WHAT user is used for the 'raw' commands though, as I've 
> tried "echo $(whoami)" redirecting the output to a file, but when I do that 
> I get access denied:
>
> TASK [raw] 
> **********************************************************************
> fatal: [ansible1.domain2.whatever.com]: FAILED! => {"changed": false, 
> "failed": true, "rc": 1, "stderr": "#< CLIXML\r\n<Objs Version=\"1.1.0.1\" 
> xmlns=\"http://schemas.microsoft.com/powershell/2004/04\"><S 
> S=\"Error\">out-file : Access to the path 'E:\\' is 
> denied._x000D__x000A_</S><S S=\"Error\">At line:1 
> char:1_x000D__x000A_</S><S S=\"Error\">+ echo \"About to run setup...\" 
> &gt;&gt; e: emp_x000C_oo_x000D__x000A_</S><S S=\"Error\">+ 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~_x000D__x000A_</S><S S=\"Error\"> 
>    + CategoryInfo          : OpenError: (:) [Out-File], 
> UnauthorizedAccessExc _x000D__x000A_</S><S S=\"Error\">   
> eption_x000D__x000A_</S><S S=\"Error\">    + FullyQualifiedErrorId : 
> FileOpenFailure,Microsoft.PowerShell.Commands.Ou _x000D__x000A_</S><S 
> S=\"Error\">   tFileCommand_x000D__x000A_</S><S S=\"Error\"> 
> _x000D__x000A_</S></Objs>", "stdout": "", "stdout_lines": []}
>
>
>
>
> Jim
>
>
>
> On Saturday, August 1, 2015 at 4:31:10 PM UTC-4, O haya wrote:
>
> Hi,
>
> Well, thanks for your page, I've made some progress.  I am able to 
> authenticate with the domain admin user now.  I even have an "echo 
> $(whoami)" that I run in the playbook as raw and that is outputting the 
> domain admin username (<domain>\administrator).
>
>
> However, I still have the following problems:
>
> - When the setup.exe is run (raw) it doesn't seem to complete.  It just 
> kind of sits there until I kill it.
>
> - When I run the Sharepoint psconfig.exe, it's giving me this error:
>
> TASK: [raw C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/psconfig.exe -cmd 
> evalprovision provision] ***
> failed: [ansible1.domain2.whatever.com] => {"rc": 4294967295}
> Copyright (C) Microsoft Corporation 2005. All rights reserved.ard version 
> 12.0.6413.1000
>
> Performing configuration task 1 of 3
> Initializing SharePoint Products and Technologies configuration...
>
> Successfully initialized the SharePoint Products and Technologies 
> configuration.
>
> Performing configuration task 2 of 3
> Creating sample data...
>
> Failed to create sample data.
>
> An exception of type 
> Microsoft.SharePoint.PostSetupConfiguration.PostSetupConfigurationTaskException
>  
> was thrown.  Additional exception information: The evalprovision command is 
> invalid or a failure has been encountered.
> Cannot create sample data because this computer is not part of a server 
> farm.  Run this configuration wizard again to create or join a server farm.
>
>
> I think I've seen that before, when I was originally doing the Chef 
> implementation, and if I recall, it occurs because I'm not logged into the 
> Sharepoint machine as the right user, so it can't "join the farm".
>
> Is this the double-hop problem you mentioned?  So there is no way to get 
> this working with Ansible?
>
> Thanks,
> Jim
>
>
>
> On Saturday, August 1, 2015 at 8:51:48 AM UTC-4, O haya wrote:
>
> Hi,
>
> I'll take a look at that, but, and I know that this is jumping around a 
> bit, but... going back to earlier in the thread:  Any idea why when I was 
> using scripts it was failing, whereas going to raw and individual commands 
> was necessary (and also Start-Process didn't seem to work even under raw)?
>
> As I said, I'm basically trying to replicate some things that we already 
> have working with Chef, but with Ansible, and so far, there are a number of 
> significant issues like these.
>
> I understand these issues are with Windows targets, but unfortunately, 
> that (Windows) is a large part of our infrastructure.  
>
> Thanks,
> Jim
>
>  
>
> On Saturday, August 1, 2015 at 6:37:18 AM UTC-4, Trond Hindenes wrote:
>
> The painful process of setting up the self-signed cert and all that is why 
> we created the bootstrap script which sets up your windows node for Ansible. 
> That process is documented here:
> http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep
>
> Regarding domain authentication, I created a blog post about that which 
> you'll find here:
>
> http://hindenes.com/trondsworking/2015/07/27/ansible-and-windows-configuring-kerberosactive-directory-authentication/
>
> Hopefully using that you should be able to get it working.
> Once that's done you'll probably see another problem, which is around 
> kerberos and double-hop remoting. Basically if you use Kerberos to 
> authenticate from your ansible controller to your windows node you can't 
> use the same kerberos "session" to authenticate from the windows node to a 
> third windows node (such as a database with integrated auth or whatever). 
> This problem relates to Kerberos in general and doesn't have anything to do 
> with Ansible. People are working on tweaking Ansible to better support 
> different auth schemes so that it's possible to authenticate from Ansible 
> using basic auth via domain creds, but that support isn't currently there. 
>
>
> On Saturday, August 1, 2015 at 1:20:03 AM UTC+2, O haya wrote:
>
> Hi,
>
> It was very painful, but I think that I've been able to enable port 5986 
> for SSL.  I had to:
>
> - Create a self-signed cert for the Ansible node machine using 
> makecert.exe from the .NET 3.5 SDK for Windows
> - Enable the WinRM listener
> - Open incoming port # 5986 on the firewall
>
> Now, using "netstat -an" I can see 5986 listening and I can "openssl 
> s_client" to port 5986 from the Ansible server.
>
> If I put "administrator" as the username in the group_var/windows.yml, and 
> port 5986, and then do ansible:
>
> [root@centos65 ansible_test]# ansible windows -i host -m win_ping
> ansible1.domain2.whatever.com | success >> {
>     "changed": false,
>     "ping": "pong"
> }
>
>
> However, if I change the username in windows.yml to 
> <domain>\administrator, and do "ansible windows -i host -m win_ping" it 
> fails with a 401 error (not authorized).
>
>
> [root@centos65 ansible_test]# ansible windows -i host -m win_ping -vvvv
> <ansible1.domain2.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: 
> domain2\administrator on PORT 5986 TO ansible1.domain2.whatever.com
> <ansible1.domain2.whatever.com> WINRM CONNECT: transport=plaintext 
> endpoint=https://ansible1.domain2.whatever.com:5986/wsman
> <ansible1.domain2.whatever.com> WINRM CONNECTION ERROR: 401 Unauthorized. 
> basic auth failed
> ansible1.domain2.whatever.com | FAILED => 401 Unauthorized. basic auth 
> failed
> [root@centos65 ansible_test]#
>
>
>
>
>
>
>
> I'm not sure where to go from here.  I mean 5986 seems to be working, and 
> is SSL-enabled, so shouldn't the authentication work now?
>
> Jim
>
>
>
>
> On Friday, July 31, 2015 at 3:51:42 PM UTC-4, O haya wrote:
>
> Hi,
>
> Just some comments:
>
> - It looks to me like if the user name in group_vars\windows.yml has 
> format "<domain>\username", then Ansible tries to connect to port 5985 
> using httpS/SSL and I get the SSL errors, but if username has format 
> "username" and I don't get SSL error.
>
> - As I said, the target machine is only listening on 5985 and not 
> listening on 5986 at all.  
>
>
> Am I supposed to do something (other than pip kerberos above) to enable 
> SSL at the node?  is the node supposed to be listening on 5986?
>
> Thanks,
> Jim
>
>
> P.S.  And BTW, yes, I am still a little confused about what a module is 
> vs. what a playbook is in Ansible, especially a Powershell module vs. a 
> Playbook that runs Powershell scripts.
>
>
>
>
> On Friday, July 31, 2015 at 3:34:05 PM UTC-4, O haya wrote:
>
> Hi,
>
> FYI, the target Windows machine is not listening on 5986 at all, just on 
> 5985.
>
> Here's my current playbook:
>
> # This playbook tests the script module on Windows hosts
>
> - name: Run powershell script
>   hosts: windows
>   gather_facts: false
>   tasks:
>     - name: Run powershell script-1
>       script: scripts/install-1.ps1
>     - pause: prompt="press ENTER"
>     - raw: cd c:/Sharepoint2007SP2files
>     - raw: c:/Sharepoint2007SP2files/setup.exe /config config.xml
>     - pause: prompt="press ENTER AGAIN"
>     - raw: cd "C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/"
>     - raw: C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/psconfig.exe -cmd 
> evalprovision provision
>
>
> and here's groups_var/windows.yml:
>
> ansible_ssh_user: domain2\administrator
> ansible_ssh_pass: XXXXXX
> ansible_ssh_port: 5985
> ansible_connection: winrm
>
>
> Also, to be clear, I've been running:
>
> ansible-playbook install-3parts.yml
>
> Jim
>
>
>
> On Friday, July 31, 2015 at 1:28:40 PM UTC-4, J Hawkesworth wrote:
>
> I think maybe you need to connect on 5986 to use kerberos - different 
> version of ansible but likely the same - as mentioned here: 
> https://groups.google.com/forum/#!topic/ansible-devel/CpZ0c7na9cI
>
> If that's not it.... can you share your current playbook and 
> group_vars/windows settings (minus passwords of course)? - It's easier to 
> get an idea of what might be happening.
>
> Also, looking at your messages above I am surprised you can treat your 
> powershell script as if it is an ansible module so instead of 
>
> ansible windows -i host -m installit -vvvv
>
> try 
>
> ansible windows -i host -m script -a installit.ps1 -vvvv
>
> Hope this helps,
>
> Jon
>
> On Friday, July 31, 2015 at 4:29:42 PM UTC+1, O haya wrote:
>
> Hi,
>
> Yes, I think that I already did that (it was in my notes):
>
> [root@centos65 ~]# pip install kerberos
> Requirement already satisfied (use --upgrade to upgrade): kerberos in 
> /usr/lib64/python2.6/site-packages
> [root@centos65 ~]#
>
>
> So why would I be getting the errors I posted in the earlier post now?
>
> Thanks,
> Jim
>
>
>
> On Friday, July 31, 2015 at 9:13:06 AM UTC-4, J Hawkesworth wrote:
>
> A linux machine can function as a domain member.  Or you can set things up 
> so that your ansible machine can authenticate against the domain as needed 
> and then ansible can connect as a domain user (and a domain administrator).
>
> There are extra steps if you need to connect as a domain user - see this 
> page: 
> http://docs.ansible.com/ansible/intro_windows.html#installing-on-the-control-machine
>
> Probably just need to install kerberos - have you installed this?
>
> Jon
>
>
>
> On Friday, July 31, 2015 at 1:50:53 PM UTC+1, O haya wrote:
>
> I was doing "cd" to set the current directory and then running the 
> ./setup.exe, but it didn't work, so I use <path>/setup.exe instead and that 
> seems to have worked.
>
> However, now, I am encountering a problem:
>
> <ansibleclient1.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: 
> domain2\administrator on PORT 5985 TO ansibleclient1.whatever.com
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=
> http://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 401 Unauthorized. 
> basic auth failed
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=
> https://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 500 WinRMTransport. 
> [Errno 1] _ssl.c:492: error:140770FC:SSL 
> routines:SSL23_GET_SERVER_HELLO:unknown protocol
> fatal: [ansibleclient1.whatever.com] => 500 WinRMTransport. [Errno 1] 
> _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown 
> protocol
>
> FATAL: all hosts have already failed -- aborting
>
> PLAY RECAP 
> ********************************************************************
>            to retry, use: --limit @/root/install-3parts.retry
>
> ansibleclient1.whatever.com : ok=0    changed=0    unreachable=1   
>  failed=0
>
>
> As I mentioned, I am trying to install Sharepoint, which uses AD, so when 
> I do the installation, I have to be logged into the target machine as a 
> domain administrator.  However, when I try to use "domain2\administrator" 
> in the group_vars/windows.yml I get the above error.
>
> I don't know if it's possible to get past this, but even if I can, I've 
> just realized that there may be another problem.  As I said, I have to be 
> able to log into the machine as a domain admin.  When I did the Chef 
> implementation, I found that I could only do that if I did the log in from 
> a domain member machine.  However, since Ansible controller only runs on 
> Linux, that seems to mean that this is all going to be impossible (or can a 
> Linux machine be a domain member?)?
>
> Since our use case is heavily Windows-based, that is leading me to think 
> that Ansible may not be suitable for us?
>
> Thanks,
> Jim
>
>
> On Friday, July 31, 2015 at 8:06:55 AM UTC-4, O haya wrote:
>
> Hi,
>
> The same comment about the "-ArgumentList", but I got rid of that and have 
> simply:
>
> ./setup.exe xxxxx
>
> and still get the same error...
>
> Jim
>
>
>
> On Friday, July 31, 2015 at 8:03:40 AM UTC-4, O haya wrote:
>
> Hi,
>
> I realized that the "-Wait" param was left over from when I was using 
> Start-Process, so I got rid of the "-Wait" and tested again, but still got 
> exactly the same error.
>
> Jim
>
>
> On Friday, July 31, 2015 at 7:56:20 AM UTC-4, O haya wrote:
>
> Hi,
>
> I tried using raw and got this:
>
>
> TASK: [raw ./setup.exe -ArgumentList "xxxxxx" -Wait] **************
> failed: [ansibleclient1.whatever.com] => {"rc": 1}
> stderr: '.' is not recognized as an internal or external command,
> operable program or batch file.
>
>
> FATAL: all hosts have already failed -- aborting
>
>
>
>
>
>
> On Friday, July 31, 2015 at 7:36:07 AM UTC-4, O haya wrote:
>
> I'm running Ansible 1.9.2, which is I think the latest (just downloaded it 
> a couple of days ago).
>
>
> I've tried running the setup.exe and psconfig.exe without Start-Process 
> but within the .ps1 still, and that has the same problem.
>
> I'll try to break out setup.exe and psconfig.exe and run them with raw in 
> playbook task and see if that works differently.  I think that's what 
> you're suggesting, right?
>
>
> BTW, it's really hard to understand what is actually happening?  From 
> logging from the setup.exe, it looks like it is running but only partially. 
>  Logging looks strange.  I can see that it starts running but then the 
> logging just ends, with no errors.  Then, I suspect because setup.exe is 
> stopping/ending, the psconfig.exe can't run because the files haven't been 
> fully laid down.
>
>
>
> Thanks,
> Jim
>
>
>
> On Friday, July 31, 2015 at 1:23:38 AM UTC-4, J Hawkesworth wrote:
>
> What ansible version are you using?  If I recall we had a problem in the 
> past with execution policy being set differently under some circumstances, 
> which I speculate might be causing your problems.
>
> As a 'get-you-going' suggestion, you could try running the problematic 
> commands (without the start-process) using the 'raw' module.
>
> Hope this helps, let us know how you get on.
>
> Jon
>
> On Thursday, July 30, 2015 at 9:36:42 PM UTC+1, O haya wrote:
>
> Hi,
>
> FYI, I've also tried changing from using Start-Process to Invoke-Command, 
> but it still seems to do the same thing (hangs) when I try to run the ps1 
> via Ansible.  I don't know if this'll help, but here's the output with 
> -vvvv:
>
> [root@centos65 ansible_test]# ansible windows -i host -m installit -vvvv
> <ansibleclient1.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: 
> administrator on PORT 5985 TO ansibleclient1.whatever.com
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=
> http://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> REMOTE_MODULE installit
> <ansibleclient1.whatever.com> EXEC (New-Item -Type Directory -Path 
> $env:temp -Name "ansible-tmp-1438288265.32-170673722533874").FullName | 
> Write-Host -Separator '';
> <ansibleclient1.whatever.com> WINRM EXEC 'PowerShell' ['-NoProfile', 
> '-NonInteractive', '-EncodedCommand', 
> 'KABOAGUAdwAtAEkAdABlAG0AIAAtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgB0AGUAbQBwACAALQBOAGEAbQBlACAAIgBhAG4AcwBpAGIAbABlAC0AdABtAHAALQAxADQAMwA4ADIAOAA4ADIANgA1AC4AMwAyAC0AMQA3ADAANgA3ADMANwAyADIANQAzADMAOAA3ADQAIgApAC4ARgB1AGwAbABOAGEAbQBlACAAfAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAtAFMAZQBwAGEAcgBhAHQAbwByACAAJwAnADsA']
> <ansibleclient1.whatever.com> WINRM RESULT <Response code 0, out 
> "C:\Users\Administrat", err "">
> <ansibleclient1.whatever.com> PUT /tmp/tmpJaC2C3 TO 
> C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\\installit
> <
>
> ...

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/076a7aa4-2399-4b40-a90d-c680ef393b8b%40googlegroups.com.
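
Added example (not part of the original thread and not Ansible's own code): a small Python 3 helper for reading the two opaque things that show up in this thread, the "#< CLIXML" stderr that the raw module returns and the base64 string passed to PowerShell -EncodedCommand. The function names and both sample strings are constructed for illustration; the stderr sample is modeled on the error quoted above, with a TAB where that output shows a gap.

```python
import base64
import re
import xml.etree.ElementTree as ET

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
_ESCAPE = re.compile(r"_x([0-9A-Fa-f]{4})_")


def decode_clixml(stderr, stream="Error"):
    """Return the plain text carried in the <S S="stream"> elements."""
    if "#< CLIXML" not in stderr:
        return stderr                      # already plain text
    if "<!DOCTYPE" in stderr or "<!ENTITY" in stderr:
        # Remote output is untrusted; CLIXML never needs a DTD.
        raise ValueError("unexpected DTD in CLIXML")
    parts = []
    # stderr may hold several <Objs> documents back to back (progress, errors).
    for doc in re.findall(r"<Objs\b.*?</Objs>", stderr, re.S):
        for el in ET.fromstring(doc).iter(PS_NS + "S"):
            if el.get("S") == stream:
                parts.append(el.text or "")
    # PowerShell writes control characters as _xHHHH_ (UTF-16 code units).
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), "".join(parts))


def control_chars(text):
    """Control characters other than CR/LF, e.g. a path escape mangled in transit."""
    return sorted({"U+%04X" % ord(c) for c in text
                   if ord(c) < 0x20 and c not in "\r\n"})


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over the UTF-16LE text of the script."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


# Constructed sample modeled on the stderr in the thread (not a captured log).
# The "\t" below is a real TAB character inside the error text.
SAMPLE_STDERR = (
    '#< CLIXML\r\n<Objs Version="1.1.0.1" '
    'xmlns="http://schemas.microsoft.com/powershell/2004/04">'
    '<S S="Error">out-file : Access to the path \'E:\\\' is denied._x000D__x000A_</S>'
    '<S S="Error">+ echo "About to run setup..." &gt;&gt; e:\temp_x000C_oo_x000D__x000A_</S>'
    '<S S="Error">    + CategoryInfo : OpenError: (:) [Out-File]_x000D__x000A_</S>'
    '</Objs>'
)
# Constructed sample: the command from the thread, encoded the way WinRM sends it.
SAMPLE_ENCODED = base64.b64encode("echo $(whoami)".encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    text = decode_clixml(SAMPLE_STDERR)
    print(text)
    print("control characters in error text:", control_chars(text))
    print("decoded command:", decode_encoded_command(SAMPLE_ENCODED))
```

A TAB (U+0009) or form feed (U+000C) reported inside what should be a file path means the backslashes were consumed as escape sequences somewhere between the playbook and PowerShell.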