Thank you for your help.

*win_ping module verbose, without local admin on remote windows hosts:*

[<user>@<servername> winRM]$ ansible windows -i inventory/dev/hosts -m win_ping -vvvv
<<servernaem>> ESTABLISH WINRM CONNECTION FOR USER: test_user on PORT 5986 TO <servernaem>
<<servernaem>> WINRM CONNECT: transport=plaintext endpoint=https://<servernaem>:5986/wsman
<<servernaem>> REMOTE_MODULE win_ping
<<servernaem>> EXEC (New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-1456562221.68-167539675202015").FullName | Write-Host -Separator '';
<<servernaem>> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', 
'-EncodedCommand', 
'KABOAGUAdwAtAEkAdABlAG0AIAAtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgB0AGUAbQBwACAALQBOAGEAbQBlACAAIgBhAG4AcwBpAGIAbABlAC0AdABtAHAALQAxADQANQA2ADUANgAyADIAMgAxAC4ANgA4AC0AMQA2ADcANQAzADkANgA3ADUAMgAwADIAMAAxADUAIgApAC4ARgB1AGwAbABOAGEAbQBlACAAfAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAtAFMAZQBwAGEAcgBhAHQAbwByACAAJwAnADsA']
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/ansible/runner/connection_plugins/winrm.py", line 161, in exec_command
    result = self._winrm_exec(cmd_parts[0], cmd_parts[1:], from_exec=True)
  File "/usr/lib/python2.6/site-packages/ansible/runner/connection_plugins/winrm.py", line 122, in _winrm_exec
    self.shell_id = self.protocol.open_shell()
  File "/usr/lib/python2.6/site-packages/winrm/protocol.py", line 121, in open_shell
    rs = self.send_message(xmltodict.unparse(rq))
  File "/usr/lib/python2.6/site-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.6/site-packages/winrm/transport.py", line 136, in send_message
    raise WinRMTransportError('http', error_message)
WinRMTransportError: 500 WinRMTransport. Bad HTTP response returned from server.  Code 500
<servernaem> | FAILED => failed to exec cmd PowerShell -NoProfile 
-NonInteractive -EncodedCommand 
KABOAGUAdwAtAEkAdABlAG0AIAAtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgB0AGUAbQBwACAALQBOAGEAbQBlACAAIgBhAG4AcwBpAGIAbABlAC0AdABtAHAALQAxADQANQA2ADUANgAyADIAMgAxAC4ANgA4AC0AMQA2ADcANQAzADkANgA3ADUAMgAwADIAMAAxADUAIgApAC4ARgB1AGwAbABOAGEAbQBlACAAfAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAtAFMAZQBwAGEAcgBhAHQAbwByACAAJwAnADsA


*raw module (ipconfig) verbose, without local admin on remote windows 
hosts:*

[<user>@<servername> winRM]$ ansible-playbook -i inventory/dev/hosts playbooks/test_windows.yml -vvvv

PLAY [test script module] *****************************************************

TASK: [run ipconfig] **********************************************************
<<servernaem>> ESTABLISH WINRM CONNECTION FOR USER: test_user on PORT 5986 TO <servernaem>
<<servernaem>> WINRM CONNECT: transport=plaintext endpoint=https://<servernaem>:5986/wsman
<<servernaem>> EXEC ipconfig
<<servernaem>> WINRM EXEC 'ipconfig' []
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/ansible/runner/connection_plugins/winrm.py", line 161, in exec_command
    result = self._winrm_exec(cmd_parts[0], cmd_parts[1:], from_exec=True)
  File "/usr/lib/python2.6/site-packages/ansible/runner/connection_plugins/winrm.py", line 122, in _winrm_exec
    self.shell_id = self.protocol.open_shell()
  File "/usr/lib/python2.6/site-packages/winrm/protocol.py", line 121, in open_shell
    rs = self.send_message(xmltodict.unparse(rq))
  File "/usr/lib/python2.6/site-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.6/site-packages/winrm/transport.py", line 136, in send_message
    raise WinRMTransportError('http', error_message)
WinRMTransportError: 500 WinRMTransport. Bad HTTP response returned from server.  Code 500
fatal: [<servernaem>] => failed to exec cmd ipconfig

FATAL: all hosts have already failed -- aborting

I don't see any errors in the numerous Windows logs, but I do see a 
successful logon:

An account was successfully logged on.

Subject:
Security ID: NETWORK SERVICE
Account Name: <servername>$
Account Domain: MHF
Logon ID: 0x3E4

Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: <servernaem>\test_user
Account Name: test_user
Account Domain: <servername>
Logon ID: 0x19F85BC2C
Logon GUID: {00000000-0000-0000-0000-000000000000}


*pywinrm:*

The examples use http, which I haven't been using.  I therefore included 
transport over SSL.

Without admin:

import winrm

# Connect over HTTPS (transport='ssl') as the non-admin account
s = winrm.Session('<servername>', auth=('test_user', '**********'), transport='ssl')
r = s.run_cmd('ipconfig', ['/all'])
print(r.std_out)

Traceback (most recent call last):
  File "./process_remote_host.py", line 6, in <module>
    r = s.run_cmd('ipconfig', ['/all'])
  File "/usr/lib/python2.6/site-packages/winrm/__init__.py", line 29, in run_cmd
    shell_id = self.protocol.open_shell()
  File "/usr/lib/python2.6/site-packages/winrm/protocol.py", line 121, in open_shell
    rs = self.send_message(xmltodict.unparse(rq))
  File "/usr/lib/python2.6/site-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/usr/lib/python2.6/site-packages/winrm/transport.py", line 136, in send_message
    raise WinRMTransportError('http', error_message)
winrm.exceptions.WinRMTransportError: 500 WinRMTransport. Bad HTTP response returned from server.  Code 500

With admin:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : <servername>
   Primary Dns Suffix  . . . . . . . : <domain>
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
...


Please note it is an identical error for "Run powershell on remote host".

You can see it's the same error when running via Ansible, as it is when I 
run directly from pywinrm. 

I can think of a couple more options:

Get pywinrm working without SSL, and see where that takes me.  I will need 
to make changes on the Windows host for this, because unencrypted traffic 
is currently not allowed.  This was intended; I wanted to use SSL only.
I tested this from another Windows server:
"Message = The WinRM client cannot process the request. Unencrypted traffic 
is currently disabled in the client configuration. Change the client 
configuration and try the request again."

Or I take a closer look at pywinrm.

I don't have time to do either this weekend.  Hopefully I will get some 
time next week.


On Friday, 26 February 2016 19:46:40 UTC, J Hawkesworth wrote:
>
> Could you try running the playbook with -vvvvvv?
> This should show a bit more information about how Ansible is connecting.
>
> Also check the event log on the Windows host to see if the login request 
> is a success.
>
> Something else you could try is to run the python pywinrm example here 
> against your host:
>
> https://github.com/diyan/pywinrm
>
> Hopefully this should help isolate the problem.
>
> Jon
>
> On Friday, 26 February 2016 19:14:14 UTC, Julian Saunders wrote:
>>
>> I managed to find the root/CIMV2 namespace, and I set the security 
>> permissions of "Execute Methods" and "Remote Enable" and restarted the WMI 
>> and WinRM services.  Unfortunately I still receive the same error.
>>
>> As I mentioned, I can use WinRM from another Windows server via a 
>> PowerShell session, without having to have an admin account.  Once I have 
>> connected I'm able to run cmd or ipconfig.
>>
>> I wonder what Ansible is doing?  
>>
>> On Monday, 22 February 2016 10:31:33 UTC, J Hawkesworth wrote:
>>>
>>> From here it looks like this is possible, although you would have to 
>>> tweak user rights:
>>>
>>>
>>> https://social.technet.microsoft.com/Forums/scriptcenter/en-US/60de5fcd-33e0-479b-9668-fcf683678a2f/winrm-for-nonadministrative-users?forum=ITCG
>>>
>>> I get the impression that the intention for WinRM is for administrative 
>>> access, however.  Have a look at the first paragraph of this page:  
>>> https://msdn.microsoft.com/en-us/library/windows/desktop/aa384295(v=vs.85).aspx
>>>
>>> Hope this helps.
>>>
>>> Please report back if you are able to get this working - knowing the 
>>> minimal set of user rights would be useful for others I think,
>>>
>>> Jon
>>>
>>> On Saturday, 20 February 2016 16:35:17 UTC, Julian Saunders wrote:
>>>>
>>>> Hello,
>>>>
>>>> I use Ansible to manage Linux hosts and just recently had a requirement 
>>>> to manage Windows Servers.
>>>>
>>>> I have Ansible working against a Windows 2012 R2 host using an account 
>>>> (test_user) that is part of the "administrators" group.
>>>>
>>>> I would like to reduce the rights of test_user, so it is no longer in the 
>>>> "administrators" group, but can still connect and copy files to its own 
>>>> homedrive, and basically run commands that a user that is part of the 
>>>> "Users" group can.
>>>>
>>>> On removing the user Ansible provides the following error:
>>>>
>>>> fatal: [servername] => 401 Unauthorized. basic auth failed
>>>>
>>>>
>>>> I did a bit of research and found the user needed to be part of the 
>>>> "Remote Management Users" group; this would allow test_user to run PowerShell 
>>>> remotely.  I tested this from another Windows host, and yes it works.
>>>>  
>>>>
>>>> PS> $options=New-PSSessionOption -SkipCACheck -SkipCNCheck
>>>> PS> Enter-PSSession -ComputerName servername -Credential 
>>>> servername\test_user -UseSSL -SessionOption $options
>>>>
>>>>
>>>> However via Ansible I get the following error:
>>>>
>>>> fatal: [servername] => failed to exec cmd PowerShell -NoProfile 
>>>> -NonInteractive -EncodedCommand...
>>>>
>>>>
>>>> Does anyone know if it's possible to run Ansible against a Windows 
>>>> host with a non-admin user?
>>>>
>>>> Thanks.
>>>>
>>>>
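
Added example, not part of the thread and not Ansible or pywinrm code: the verbose output in this thread shows each remote command twice, once on the EXEC line and once as the base64 -EncodedCommand argument. This decodes that argument (base64 over UTF-16LE text) so the two can be compared when reading such logs; the function names and the sample log are constructed for illustration.

```python
import base64
import binascii
import re

# Split on whitespace plus the quoting/list punctuation of "WINRM EXEC [...]" lines,
# so mail-wrapped entries (flag on one line, value on the next) still pair up.
TOKEN = re.compile(r"[^\s,'\"\[\]]+")

# Constructed sample in the shape of the verbose output ("ipconfig" encoded;
# <host> is a placeholder). The second entry is wrapped as a mail client would.
SAMPLE_LOG = """\
<host> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-EncodedCommand', 'aQBwAGMAbwBuAGYAaQBnAA==']
<host> | FAILED => failed to exec cmd PowerShell -NoProfile -NonInteractive
-EncodedCommand
aQBwAGMAbwBuAGYAaQBnAA==
"""


def is_encoded_flag(tok):
    """True for -EncodedCommand, any prefix of it (-e, -enc, ...) or the -ec alias."""
    if not tok.startswith("-") or len(tok) < 2:
        return False
    name = tok[1:].lower()
    return name == "ec" or "encodedcommand".startswith(name)


def decode_encoded_commands(text):
    """Return the decoded script for each -EncodedCommand argument found in text.

    An argument that is not valid base64, or does not decode as UTF-16LE,
    yields None so a damaged entry is reported instead of silently dropped.
    """
    tokens = TOKEN.findall(text)
    results = []
    for flag, arg in zip(tokens, tokens[1:]):
        if not is_encoded_flag(flag):
            continue
        try:
            raw = base64.b64decode(arg, validate=True)
            results.append(raw.decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError, ValueError):
            results.append(None)
    return results


if __name__ == "__main__":
    for script in decode_encoded_commands(SAMPLE_LOG):
        print(script)
```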
