Hi,

Thanks for the comments/suggestions.

Re. the "echo" problem, I think that I wasn't being clear.  What I wanted 
to do was to do the "echo $(whoami)" and have the output of that 
re-directed to a file, somewhere, in order to try to test/understand what 
user the commands that are being run under the "raw" module are running. 
 As I said, I'm guessing that they are not running under the same user as 
the commands that are run under the script module.  But then, when I tried 
the echo, running under raw module, outputting to the filesystem, it failed 
with "access denied", even if I tried outputting to the E: drive somewhere. 
 

So, it's a "catch-22" situation:  It seems like commands running under the 
raw module are running under a different (maybe "no") user than commands 
running inside a ps1 running under a script module, but my test to try to 
find out which user that is is failing.


Re. your comments in your last paragraph:  I agree that there's a lot going 
on, but if you recall, I already had this same set of commands (script) 
running Chef previously, and am trying to see how far I could get with 
replicating what I was able to do with Chef but using Ansible instead, as I 
think that Ansible's push model fits our use case better. 

Thanks again,
Jim


On Monday, August 3, 2015 at 5:33:54 AM UTC-4, Trond Hindenes wrote:
>
> Remember that you need to use single quotation marks around params which 
> contain the dollar sign. This works fine on my box:
> ansible -m raw -a 'echo $(whoami)' windows_web
>
> It's difficult to try and help you as there seems to be so much going on. 
> I would advise you to test this using powershell remoting from another 
> windows box. Might be easier to track down errors that way, and then move 
> to ansible when you have everything working. As for the double-hop problem 
> a normal way to solve it is to have a script which sets up a scheduled job 
> where the installer is run.
>
> On Sunday, August 2, 2015 at 9:06:26 PM UTC+2, O haya wrote:
>
> Hi,
>
> At this point, I am pretty sure that:
>
> - commands that are run inside a powershell script/ps1 using the "script" 
> module are running under the user that I have in the 
> group_vars/windows.yml, but
> - commands that get run under "raw" are not being run as that user.  
>
> - the setup.exe and psconfig.exe are being run and then returned 
> immediately when they are in a script/ps1 file
>
> I don't know WHAT user is used for the 'raw' commands though, as I've 
> tried "echo $(whoami)" redirecting the output to a file, but when I do that 
> I get access denied:
>
> TASK [raw] 
> **********************************************************************
> fatal: [ansible1.domain2.whatever.com]: FAILED! => {"changed": false, 
> "failed": true, "rc": 1, "stderr": "#< CLIXML\r\n<Objs Version=\"1.1.0.1\" 
> xmlns=\"http://schemas.microsoft.com/powershell/2004/04\";><S 
> S=\"Error\">out-file : Access to the path 'E:\\' is 
> denied._x000D__x000A_</S><S S=\"Error\">At line:1 
> char:1_x000D__x000A_</S><S S=\"Error\">+ echo \"About to run setup...\" 
> &gt;&gt; e: emp_x000C_oo_x000D__x000A_</S><S S=\"Error\">+ 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~_x000D__x000A_</S><S S=\"Error\"> 
>    + CategoryInfo          : OpenError: (:) [Out-File], 
> UnauthorizedAccessExc _x000D__x000A_</S><S S=\"Error\">   
> eption_x000D__x000A_</S><S S=\"Error\">    + FullyQualifiedErrorId : 
> FileOpenFailure,Microsoft.PowerShell.Commands.Ou _x000D__x000A_</S><S 
> S=\"Error\">   tFileCommand_x000D__x000A_</S><S S=\"Error\"> 
> _x000D__x000A_</S></Objs>", "stdout": "", "stdout_lines": []}
>
>
>
>
> Jim
>
>
>
> On Saturday, August 1, 2015 at 4:31:10 PM UTC-4, O haya wrote:
>
> Hi,
>
> Well, thanks for your page, I've made some progress.  I am able to 
> authenticate with the domain admin user now.  I even have an "echo 
> $(whoami)" that I run in the playbook as raw and that is outputting the 
> domain admin username (<domain>\administrator).
>
>
> However, I still have the following problems:
>
> - When the setup.exe is run (raw) it doesn't seem to complete.  It just 
> kind of sits there until I kill it.
>
> - When I run the Sharepoint psconfig.exe, it's giving me this error:
>
> TASK: [raw C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/psconfig.exe -cmd 
> evalprovision provision] ***
> failed: [ansible1.domain2.whatever.com] => {"rc": 4294967295}
> Copyright (C) Microsoft Corporation 2005. All rights reserved.ard version 
> 12.0.6413.1000
>
> Performing configuration task 1 of 3
> Initializing SharePoint Products and Technologies configuration...
>
> Successfully initialized the SharePoint Products and Technologies 
> configuration.
>
> Performing configuration task 2 of 3
> Creating sample data...
>
> Failed to create sample data.
>
> An exception of type 
> Microsoft.SharePoint.PostSetupConfiguration.PostSetupConfigurationTaskException
>  
> was thrown.  Additional exception information: The evalprovision command is 
> invalid or a failure has been encountered.
> Cannot create sample data because this computer is not part of a server 
> farm.  Run this configuration wizard again to create or join a server farm.
>
>
> I think I've seen that before, when I was originally doing the Chef 
> implementation, and if I recall, it occurs because I'm not logged into the 
> Sharepoint machine as the right user, so it can't "join the farm".
>
> Is this the double-hop problem you mentioned?  So there is no way to get 
> this working with Ansible?
>
> Thanks,
> Jim
>
>
>
> On Saturday, August 1, 2015 at 8:51:48 AM UTC-4, O haya wrote:
>
> Hi,
>
> I'll take a look at that, but, and I know that this is jumping around a 
> bit, but... going back to earlier in the thread:  Any idea why when I was 
> using scripts it was failing, whereas going to raw and individual commands 
> was necessary (and also Start-Process didn't seem to work even under raw)?
>
> As I said, I'm basically trying to replicate some things that we already 
> have working with Chef, but with Ansible, and so far, there are a number of 
> significant issues like these.
>
> I understand these issues are with Windows targets, but unfortunately, 
> that (Windows) is a large part of our infrastructure.  
>
> Thanks,
> Jim
>
>  
>
> On Saturday, August 1, 2015 at 6:37:18 AM UTC-4, Trond Hindenes wrote:
>
> The painful process of setting up the self-signed cert and all that is why 
> we created the bootstrap script which sets up your windows node for Ansible. 
> That process is documented here:
> http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep
>
> Regarding domain authentication, I created a blog post about that which 
> you'll find here:
>
> http://hindenes.com/trondsworking/2015/07/27/ansible-and-windows-configuring-kerberosactive-directory-authentication/
>
> Hopefully using that you should be able to get it working.
> Once that's done you'll probably see another problem, which is around 
> kerberos and double-hop remoting. Basically if you use Kerberos to 
> authenticate from your ansible controller to your windows node you can't 
> use the same kerberos "session" to authenticate from the windows node to a 
> third windows node (such as a database with integrated auth or whatever). 
> This problem relates to Kerberos in general and doesn't have anything to do 
> with Ansible. People are working on tweaking Ansible to better support 
> different auth schemes so that it's possible to authenticate from Ansible 
> using basic auth via domain creds, but that support isn't currently there. 
>
>
> On Saturday, August 1, 2015 at 1:20:03 AM UTC+2, O haya wrote:
>
> Hi,
>
> It was very painful, but I think that I've been able to enable port 5986 
> for SSL.  I had to:
>
> - Create a self-signed cert for the Ansible node machine using 
> makecert.exe from the .NET 3.5 SDK for Windows
> - Enable the WinRM listener
> - Open incoming port # 5986 on the firewall
>
> Now, using "netstat -an" I can see 5986 listening and I can "openssl 
> s_client" to port 5986 from the Ansible server.
>
> If I put "administrator" as the username in the group_var/windows.yml, and 
> port 5986, and then do ansible:
>
> [root@centos65 ansible_test]# ansible windows -i host -m win_ping
> ansible1.domain2.whatever.com | success >> {
>     "changed": false,
>     "ping": "pong"
> }
>
>
> However, if I change the username in windows.yml to 
> <domain>\administrator, and do "ansible windows -i host -m win_ping" it 
> fails with a 401 error (not authorized).
>
>
> [root@centos65 ansible_test]# ansible windows -i host -m win_ping -vvvv
> <ansible1.domain2.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: 
> domain2\administrator on PORT 5986 TO ansible1.domain2.whatever.com
> <ansible1.domain2.whatever.com> WINRM CONNECT: transport=plaintext 
> endpoint=https://ansible1.domain2.whatever.com:5986/wsman
> <ansible1.domain2.whatever.com> WINRM CONNECTION ERROR: 401 Unauthorized. 
> basic auth failed
> ansible1.domain2.whatever.com | FAILED => 401 Unauthorized. basic auth 
> failed
> [root@centos65 ansible_test]#
>
>
>
>
>
>
>
> I'm not sure where to go from here.  I mean 5986 seems to be working, and 
> is SSL-enabled, so shouldn't the authentication work now?
>
> Jim
>
>
>
>
> On Friday, July 31, 2015 at 3:51:42 PM UTC-4, O haya wrote:
>
> Hi,
>
> Just some comments:
>
> - It looks to me like if the user name in group_vars\windows.yml has 
> format "<domain>\username", then Ansible tries to connect to port 5985 
> using httpS/SSL and I get the SSL errors, but if username has format 
> "username", I don't get SSL error.
>
> - As I said, the target machine is only listening on 5985 and not 
> listening on 5986 at all.  
>
>
> Am I supposed to do something (other than pip kerberos above) to enable 
> SSL at the node?  is the node supposed to be listening on 5986?
>
> Thanks,
> Jim
>
>
> P.S.  And BTW, yes, I am still a little confused about what a module is 
> vs. what a playbook is in Ansible, especially a Powershell module vs. a 
> Playbook that runs Powershell scripts.
>
>
>
>
> On Friday, July 31, 2015 at 3:34:05 PM UTC-4, O haya wrote:
>
> Hi,
>
> FYI, the target Windows machine is not listening on 5986 at all, just on 
> 5985.
>
> Here's my current playbook:
>
> # This playbook tests the script module on Windows hosts
>
> - name: Run powershell script
>   hosts: windows
>   gather_facts: false
>   tasks:
>     - name: Run powershell script-1
>       script: scripts/install-1.ps1
>     - pause: prompt="press ENTER"
>     - raw: cd c:/Sharepoint2007SP2files
>     - raw: c:/Sharepoint2007SP2files/setup.exe /config config.xml
>     - pause: prompt="press ENTER AGAIN"
>     - raw: cd "C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/"
>     - raw: C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/psconfig.exe -cmd evalprovision provision
>
>
> and here's groups_var/windows.yml:
>
> ansible_ssh_user: domain2\administrator
> ansible_ssh_pass: XXXXXX
> ansible_ssh_port: 5985
> ansible_connection: winrm
>
>
> Also, to be clear, I've been running:
>
> ansible-playbook install-3parts.yml
>
> Jim
>
>
>
> On Friday, July 31, 2015 at 1:28:40 PM UTC-4, J Hawkesworth wrote:
>
> I think maybe you need to connect on 5986 to use kerberos - different 
> version of ansible but likely the same - as mentioned here: 
> https://groups.google.com/forum/#!topic/ansible-devel/CpZ0c7na9cI
>
> If that's not it.... can you share your current playbook and 
> group_vars/windows settings (minus passwords of course)? - It's easier to 
> get an idea of what might be happening.
>
> Also, looking at your messages above I am surprised you can treat your 
> powershell script as if it is an ansible module so instead of 
>
> ansible windows -i host -m installit -vvvv
>
> try 
>
> ansible windows -i host -m script -a installit.ps1 -vvvv
>
> Hope this helps,
>
> Jon
>
> On Friday, July 31, 2015 at 4:29:42 PM UTC+1, O haya wrote:
>
> Hi,
>
> Yes, I think that I already did that (it was in my notes):
>
> [root@centos65 ~]# pip install kerberos
> Requirement already satisfied (use --upgrade to upgrade): kerberos in 
> /usr/lib64/python2.6/site-packages
> [root@centos65 ~]#
>
>
> So why would I be getting the errors I posted in the earlier post now?
>
> Thanks,
> Jim
>
>
>
> On Friday, July 31, 2015 at 9:13:06 AM UTC-4, J Hawkesworth wrote:
>
> A linux machine can function as a domain member.  Or you can set things up 
> so that your ansible machine can authenticate against the domain as needed 
> and then ansible can connect as a domain user (and a domain administrator).
>
> There are extra steps if you need to connect as a domain user - see this 
> page: 
> http://docs.ansible.com/ansible/intro_windows.html#installing-on-the-control-machine
>
> Probably just need to install kerberos - have you installed this?
>
> Jon
>
>
>
> On Friday, July 31, 2015 at 1:50:53 PM UTC+1, O haya wrote:
>
> I was doing "cd" to set the current directory and then running the 
> ./setup.exe, but it didn't work, so I use <path>/setup.exe instead and that 
> seems to have worked.
>
> However, now, I am encountering a problem:
>
> <ansibleclient1.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: 
> domain2\administrator on PORT 5985 TO ansibleclient1.whatever.com
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=
> http://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 401 Unauthorized. 
> basic auth failed
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=
> https://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 500 WinRMTransport. 
> [Errno 1] _ssl.c:492: error:140770FC:SSL 
> routines:SSL23_GET_SERVER_HELLO:unknown protocol
> fatal: [ansibleclient1.whatever.com] => 500 WinRMTransport. [Errno 1] 
> _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown 
> protocol
>
> FATAL: all hosts have already failed -- aborting
>
> PLAY RECAP 
> ********************************************************************
>            to retry, use: --limit @/root/install-3parts.retry
>
> ansibleclient1.whatever.com : ok=0    changed=0    unreachable=1   
>  failed=0
>
>
> As I mentioned, I am trying to install Sharepoint, which uses AD, so when 
> I do the installation, I have to be logged into the target machine as a 
> domain administrator.  However, when I try to use "domain2\administrator" 
> in the group_vars/windows.yml I get the above error.
>
> I don't know if it's possible to get past this, but even if I can, I've 
> just realized that there may be another problem.  As I said, I have to be 
> able to log into the machine as a domain admin.  When I did the Chef 
> implementation, I found that I could only do that if I did the log in from 
> a domain member machine.  However, since Ansible controller only runs on 
> Linux, that seems to mean that this is all going to be impossible (or can a 
> Linux machine be a domain member?)?
>
> Since our use case is heavily Windows-based, that is leading me to think 
> that Ansible may not be suitable for us?
>
> Thanks,
> Jim
>
>
> On Friday, July 31, 2015 at 8:06:55 AM UTC-4, O haya wrote:
>
> Hi,
>
> The same comment about the "-ArgumentList", but I got rid of that and have 
> simply:
>
> ./setup.exe xxxxx
>
> and still get the same error...
>
> Jim
>
>
>
> On Friday, July 31, 2015 at 8:03:40 AM UTC-4, O haya wrote:
>
> Hi,
>
> I realized that the "-Wait" param was left over from when I was using 
> Start-Process, so I got rid of the "-Wait" and tested again, but still got 
> exactly the same error.
>
> Jim
>
>
> On Friday, July 31, 2015 at 7:56:20 AM UTC-4, O haya wrote:
>
> Hi,
>
> I tried using raw and got this:
>
>
> TASK: [raw ./setup.exe -ArgumentList "xxxxxx" -Wait] **************
> failed: [ansibleclient1.whatever.com] => {"rc": 1}
> stderr: '.' is not recognized as an internal or external command,
> operable program or batch file.
>
>
> FATAL: all hosts have already failed -- aborting
>
>
>
>
>
>
> On Friday, July 31, 2015 at 7:36:07 AM UTC-4, O haya wrote:
>
> I'm running Ansible 1.9.2, which is I think the latest (just downloaded it 
> a couple of days ago).
>
>
> I've tried running the setup.exe and psconfig.exe without Start-Process 
> but within the .ps1 still, and that has the same problem.
>
> I'll try to break out setup.exe and psconfig.exe and run them with raw in 
> playbook task and see if that works differently.  I think that's what 
> you're suggesting, right?
>
>
> BTW, it's really hard to understand what is actually happening?  From 
> logging from the setup.exe, it looks like it is running but only partially. 
>  Logging looks strange.  I can see that it starts running but then the 
> logging just ends, with no errors.  Then, I suspect because setup.exe is 
> stopping/ending, the psconfig.exe can't run because the files haven't been 
> fully laid down.
>
>
>
> Thanks,
> Jim
>
>
>
> On Friday, July 31, 2015 at 1:23:38 AM UTC-4, J Hawkesworth wrote:
>
> What ansible version are you using?  If I recall we had a problem in the 
> past with execution policy being set differently under some circumstances, 
> which I speculate might be causing your problems.
>
> As a 'get-you-going' suggestion, you could try running the problematic 
> commands (without the start-process) using the 'raw' module.
>
> Hope this helps, let us know how you get on.
>
> Jon
>
> On Thursday, July 30, 2015 at 9:36:42 PM UTC+1, O haya wrote:
>
> Hi,
>
> FYI, I've also tried changing from using Start-Process to Invoke-Command, 
> but it still seems to do the same thing (hangs) when I try to run the ps1 
> via Ansible.  I don't know if this'll help, but here's the output with 
> -vvvv:
>
> [root@centos65 ansible_test]# ansible windows -i host -m installit -vvvv
> <ansibleclient1.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: 
> administrator on PORT 5985 TO ansibleclient1.whatever.com
> <ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=
> http://ansibleclient1.whatever.com:5985/wsman
> <ansibleclient1.whatever.com> REMOTE_MODULE installit
> <ansibleclient1.whatever.com> EXEC (New-Item -Type Directory -Path 
> $env:temp -Name "ansible-tmp-1438288265.32-170673722533874").FullName | 
> Write-Host -Separator '';
> <ansibleclient1.whatever.com> WINRM EXEC 'PowerShell' ['-NoProfile', 
> '-NonInteractive', '-EncodedCommand', 
> 'KABOAGUAdwAtAEkAdABlAG0AIAAtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgB0AGUAbQBwACAALQBOAGEAbQBlACAAIgBhAG4AcwBpAGIAbABlAC0AdABtAHAALQAxADQAMwA4ADIAOAA4ADIANgA1AC4AMwAyAC0AMQA3ADAANgA3ADMANwAyADIANQAz
>
> ...
