In 2.1 we had to back off on some of the automatic transport detection stuff with the advent of NTLM and support for things like Microsoft accounts - try adding ansible_winrm_transport=kerberos to your inventory...

On Thursday, October 20, 2016 at 10:01:29 AM UTC-7, [email protected] wrote:
>
> I am new to Ansible, so please bear with me.... I am trying to bring up an
> Ansible test environment whereby I can test config management against a
> Windows environment. The environment consists of an Ansible management
> server running Linux Red Hat Enterprise Linux Server release 6.7 and a test
> Windows 2012 R2 server. I believe I have all the necessary packages
> installed to support the WinRM/Kerberos connection from the Ansible
> management server to the Windows server. Here are the packages I believe to
> have been installed on the Ansible management server to support Windows:
>
> pywinrm
> python-devel
> krb5-devel
> krb5-libs
> krb5-workstation
> kerberos
> requests-kerberos
>
> I have updated /etc/krb5.conf file. When I run a "kinit '
> user'@MY.DOMAIN.COM" on the Ansible management server I get the following:
>
> ansible@servername:/home/ansible # kinit [email protected]
> Password for [email protected]:
> ansible@servername:/home/ansible #
>
> I then ran a "klist" to ensure the kerberos connection was made:
>
> ansible@servername:/home/ansible # klist
> Ticket cache: FILE:/tmp/krb5cc_5000
> Default principal: [email protected]
>
> Valid starting Expires Service principal
> 10/20/16 07:17:28 10/20/16 17:17:58 krbtgt/[email protected]
> renew until 10/21/16 07:17:28
> ansible@servername:/home/ansible #
>
> I then created a /group_vars/windows.yml file consisting of the following:
>
> ansible_user: [email protected]
> ansible_password: xxxxx
> ansible_port: 5986
> ansible_connection: winrm
> ansible_winrm_server_cert_validation: ignore
>
> but when I go to run a "ansible winTest -m win_ping -vvvv" it appears that
> it is trying an SSL connection instead of a winrm connection, possibly?:
>
> ansible@servername:/home/ansible # ansible winTest -m win_ping -vvvvv
> Using /home/ansible/.ansible.cfg as config file
> Loaded callback minimal of type stdout, v2.0
> <172.31.0.166> ESTABLISH SSH CONNECTION FOR USER: None
> <172.31.0.166> SSH: ansible.cfg set ssh_args:
> (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)
> <172.31.0.166> SSH: ansible_password/ansible_ssh_pass not set:
> (-o)(KbdInteractiveAuthentication=no)(-o)(PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey)(-o)(PasswordAuthentication=no)
> <172.31.0.166> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
> <172.31.0.166> SSH: PlayContext set ssh_common_args: ()
> <172.31.0.166> SSH: PlayContext set ssh_extra_args: ()
> <172.31.0.166> SSH: found only ControlPersist; added ControlPath:
> (-o)(ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r)
> <172.31.0.166> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o
> ControlPersist=60s -o KbdInteractiveAuthentication=no -o
> PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
> -o PasswordAuthentication=no -o ConnectTimeout=10 -o
> ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r xxx.xx.x.xxx
> '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo
> $HOME/.ansible/tmp/ansible-tmp-1476962695.95-263373308192487 `" && echo
> ansible-tmp-1476962695.95-263373308192487="` echo
> $HOME/.ansible/tmp/ansible-tmp-1476962695.95-263373308192487 `" ) && sleep
> 0'"'"''
> xxx.xx.x.xxx | UNREACHABLE! => {
> "changed": false,
> "msg": "Failed to connect to the host via ssh.",
> "unreachable": true
> }
> ansible@servername:/home/ansible #
>
> If I telnet to the windows server it appears the port is open:
>
> ansibleservername:/home/ansible # telnet xxx.xx.x.xxx 5985
> Trying xxx.xx.x.xxx...
> Connected to xxx.xx.x.xxx.
> Escape character is '^]'.
>
> and if I verify that remoting is working on the windows server it appears
> to be working locally:
>
> PS C:\Users\XXXXXX> $Credential = Get-Credential
>
> cmdlet Get-Credential at command pipeline position 1
> Supply values for the following parameters:
> Credential
> PS C:\Users\XXXXXX> $Session = New-PSSession -Credential $Credential
> -ComputerName xxx.xx.x.xxx
> PS C:\Users\XXXXXX> Invoke-Command -Session $Session -ScriptBlock {gci e:\}
>
> Directory: E:\
>
> Mode LastWriteTime Length Name
> PSComputerName
> ---- ------------- ------ ----
> --------------
> d---- 10/19/2016 1:11 PM Applications
> xxx.xx.x.xxx
> da--- 10/19/2016 1:06 PM Logs
> xxx.xx.x.xxx
> d---- 10/19/2016 1:11 PM temp
> xxx.xx.x.xxx
>
> PS C:\Users\XXXXXX>
>
> I also tried to connect to WinRM from another Windows server:
>
> PS C:\Users\XXXXX> $Credential = Get-Credential
>
> cmdlet Get-Credential at command pipeline position 1
> Supply values for the following parameters:
> Credential
> PS C:\Users\XXXXXX> $Session = New-PSSession -Credential $Credential
> -ComputerName xxx.xx.x.xxx
> PS C:\Users\XXXXXX> Invoke-Command -Session $Session -ScriptBlock {gci e:\}
>
> Directory: E:\
>
> Mode LastWriteTime Length Name
> PSComputerName
> ---- ------------- ------ ----
> --------------
> d---- 10/19/2016 1:11 PM Applications
> xxx.xx.x.xxx
> da--- 10/19/2016 1:06 PM Logs
> xxx.xx.x.xxx
> d---- 10/19/2016 1:11 PM temp
> xxx.xx.x.xxx
>
> PS C:\Users\XXXXXX>
>
> Is there a config step whereby I specify Ansible use a winrm connection
> that I missed? Any assistance would be greatly appreciated.....
>
> Thanks,
>
> Bob Wieberdink
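A preflight check over the variables Ansible resolves for a Windows host, covering the settings discussed in this thread. This is an added example, not code from either poster or from the Ansible project; `check_winrm_vars` is a hypothetical helper and the sample variables are constructed from the values shown in the quoted post.

```python
def check_winrm_vars(hostvars):
    """Return a list of (level, message) findings for one host's variables."""
    findings = []
    conn = hostvars.get("ansible_connection")
    if conn != "winrm":
        # Without this variable Ansible uses its SSH-based default, which is
        # what an "ESTABLISH SSH CONNECTION" line in -vvvv output indicates.
        findings.append(("error", "ansible_connection is %r, not 'winrm'; the "
                         "winrm variables are not applied to this host" % conn))
        return findings
    transport = hostvars.get("ansible_winrm_transport")
    if transport is None:
        findings.append(("warn", "ansible_winrm_transport is unset; set it to "
                         "'kerberos' explicitly instead of relying on detection"))
    elif transport == "kerberos" and "@" not in hostvars.get("ansible_user", ""):
        findings.append(("warn", "ansible_user is not in user@REALM form"))
    # The winrm connection plugin defaults to port 5986 and to https,
    # switching to http only when the port is 5985.
    port = hostvars.get("ansible_port", 5986)
    scheme = hostvars.get("ansible_winrm_scheme",
                          "http" if port == 5985 else "https")
    if scheme == "http":
        findings.append(("warn", "WinRM over plain HTTP on port %d" % port))
    elif hostvars.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append(("warn", "HTTPS server certificate validation is disabled"))
    return findings

# Constructed sample: the group_vars from the quoted post (user is a placeholder).
POSTED = {
    "ansible_user": "user@MY.DOMAIN.COM",
    "ansible_password": "xxxxx",
    "ansible_port": 5986,
    "ansible_connection": "winrm",
    "ansible_winrm_server_cert_validation": "ignore",
}
# Constructed sample: the same variables with the transport set as the reply suggests.
FIXED = dict(POSTED, ansible_winrm_transport="kerberos")

if __name__ == "__main__":
    for name, hv in (("no vars applied", {}), ("posted", POSTED), ("fixed", FIXED)):
        for level, msg in check_winrm_vars(hv):
            print("%s: [%s] %s" % (name, level, msg))
```

Feed it the dictionary Ansible actually resolves for the target host rather than the contents of the vars file, since a group_vars file that does not match the host's group never reaches the connection plugin.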
