Re: [ansible-project] Idempotency in amazon.aws.ec2

2021-05-06 Thread Dave York
That... makes sense.  I should have Ctrl-F'd 'idempotency' in the module 
documentation.  I'll give it a try, thanks for the help!

On Wednesday, May 5, 2021 at 11:49:18 PM UTC-7 dick@geant.org wrote:

> You should supply an 'id' parameter:
>
>
> https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-id
>
>
> -- 
> Sent from a mobile device - please excuse the brevity, spelling and 
> punctuation.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/12b90a50-7649-4929-8d19-97ec221907d8n%40googlegroups.com.


[ansible-project] Idempotency in amazon.aws.ec2

2021-05-05 Thread Dave York
Hi ansible squad!

I've been using amazon.aws.ec2 (or community.aws.ec2_instance - I've been 
switching back and forth) to ensure there is an ec2 instance created for 
each {{ inventory_hostname }} by using tags.  It doesn't seem to work.  

Every time I run the playbook with the below play, it just creates a new 
ec2 instance?  How can I make it more idempotent? If the instance already 
exists, don't create a new one?

Preferably without other plays? 

  - name: Ensure EC2 instance exists
    amazon.aws.ec2:
      aws_access_key: '{{ aws_access_key }}'
      aws_secret_key: '{{ aws_secret_key }}'
      region: '{{ aws_region }}'
      image: '{{ aws_ec2_ami }}'
      instance_type: '{{ aws_instance_type_web }}'
      vpc_subnet_id: '{{ aws_subnet_id }}'
      group: 'SG-{{ environment_designator }}'
      key_name: 'Keypair-{{ environment_designator }}'
      instance_tags:
        Mytag.MyEnvironment: ""
        Mytag.MyEnvironment.Environment: '{{ environment_designator }}'
        Mytag.MyEnvironment.Roles: web1
        Mytag.MyEnvironment.Hostname: '{{ inventory_hostname }}'
      wait: yes
      assign_public_ip: no
    register: ec2_instances
    delegate_to: localhost



[ansible-project] python 'requests' module installed but ansible doesnt think it is

2021-02-26 Thread Dave York
Hi all - 

I'm trying to get community.vmware.plugins.inventory.vmware_vm_inventory 
working, but when I try to parse a yml inventory referencing the plugin I 
get the following error:

[WARNING]:  * Failed to parse /home/user/hosts.vmware.yml with
ansible_collections.community.vmware.plugins.inventory.vmware_vm_inventory 
plugin: Please install "requests" Python module as this is required for 
VMware Guest dynamic inventory plugin.

However, pip3 list shows requests is installed:

$ pip3 list
...
requests   2.25.1
...

I've tried uninstalling / reinstalling, and I initially had everything 
installed via pip3 as --user but then uninstalled and reinstalled 
everything as root.

Any ideas? I've googled around but I feel like I'm missing something. 
Thanks in advance if anyone can assist.





[ansible-project] Re: trying to enable winrm over https on new VM

2020-06-17 Thread Dave York
If you're building from a template, you could bake the winrm changes into 
the template - you could also use the vmware customization to run the 
ConfigureRemotingForAnsible.ps1 script I link below.

See this page for some in-depth guidance on setting things up:
https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html

And here's a script that configures remoting for Ansible:
https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1



On Wednesday, June 17, 2020 at 6:30:41 AM UTC-7, Tony Wong wrote:
>
> I am clining VM with the vmware_guest module.
>
> it works fine and join domain.
>
> but I need to enable winrm over https.
>
> is there way to do this from the runonce or predeployment tasks?
>
> I cant even copy a script over since winrm over https is not enabled
>



[ansible-project] Re: Windows Domain/Ansible Kerberos Auth Issues Still

2020-06-15 Thread Dave York
The machines being managed here are windows machines - but the ansible 
tower server itself is linux (obviously) - I wonder if the kerberos 
configuration on the tower machine may be running into a flavor of what 
you're suggesting - but I'm not sure exactly how I would point the tower 
server directly to just one DC for authentication.

On Thursday, June 11, 2020 at 4:01:46 AM UTC-7, David Foley wrote:
>
> Are these Linux Machines? 
> how many Domain Controllers are in your Environment if you have more then 
> one it may be doing a round-robin on the Kerberos and failing on one Domain 
> and not on the other.: you need to start restricting down to only allow 
> your Linux Server to Connect to one AD.
>
>



Re: [ansible-project] deploy VM from template and customize guest

2020-06-08 Thread Dave York
I'm not using a customization template, but it may be possible - I think 
that's what David Foley was referencing.

Check out customization_spec within the vmware_guest module: 
https://docs.ansible.com/ansible/latest/modules/vmware_guest_module.html

You can use the method I'm using OR you can call customization_spec.

On Monday, June 8, 2020 at 10:06:57 AM UTC-7, Tony Wong wrote:
>
> Thank you. So for the customization part, i didnt see a mention of the 
> name of the customization template in vcenter. 
>
> so ansible does not use that ?
>

[ansible-project] Windows Domain/Ansible Kerberos Auth Issues Still

2020-06-08 Thread Dave York
(I've posted a bit about this before, but I want to revisit it because it's 
frustrating as I try to optimize my playbooks)

I have a playbook where I build servers from vmware templates using 
vmware_guest and I join the domain using that module.  Once the servers are 
built I have an extremely long "wait_for_connection":

  - name: Wait until server becomes available to connect
    wait_for_connection:
      delay: 900 # Wait 15 minutes (900 s) before the first attempt
      sleep: 30 # After that, try every 30 seconds
      timeout: 1200 # Maximum amount of time to wait

After this wait, I start running tasks on the new hosts.  Initially, those 
tasks will run fine, but one-by-one, randomly, the servers will start 
failing with Kerberos errors.  During this time I can confirm I'm able to 
login to these servers using the same credentials, so the authentication 
doesn't seem to be failing outside of ansible, but it fails within ansible 
for some reason.

The longer I wait after building the servers, the less likely this issue 
occurs.  It just seems insane that I have to keep adding more wait time.  

Here's me running the playbook against 4 servers.  Each task runs against 
all four servers but the red lines highlighted show the kerberos failures 
and the eventual atrophy of the playbook entirely because of the kerberos 
errors:

TASK [Registry fix to enable solution for CVE-2017-8529 Part 1] 

Monday 08 June 2020  16:32:22 + (0:00:09.368)   0:33:29.081 
*** 
changed: [server4.fqdn] => {"changed": true, "data_changed": false, 
"data_type_changed": false}
changed: [server1.fqdn] => {"changed": true, "data_changed": false, 
"data_type_changed": false}
changed: [server3.fqdn] => {"changed": true, "data_changed": false, 
"data_type_changed": false}
changed: [server2.fqdn] => {"changed": true, "data_changed": false, 
"data_type_changed": false}
TASK [Registry fix to enable solution for CVE-2017-8529 Part 2] 

Monday 08 June 2020  16:32:25 + (0:00:03.635)   0:33:32.717 
*** 
changed: [server1.fqdn] => {"changed": true, "data_changed": false, 
"data_type_changed": false}
changed: [server4.fqdn] => {"changed": true, "data_changed": false, 
"data_type_changed": false}
changed: [server2.fqdn] => {"changed": true, "data_changed": false, 
"data_type_changed": false}
changed: [server3.fqdn] => {"changed": true, "data_changed": false, 
"data_type_changed": false}
TASK Configure UAC] 
*
Monday 08 June 2020  16:32:29 + (0:00:03.388)   0:33:36.105 
*** 
fatal: [server3.fqdn]: UNREACHABLE! => {"changed": false, "msg": "kerberos: 
the specified credentials were rejected by the server", "unreachable": true}
changed: [server1.fqdn] => {"changed": true, "data_changed": true, 
"data_type_changed": false}
changed: [server2.fqdn] => {"changed": true, "data_changed": true, 
"data_type_changed": false}
changed: [server4.fqdn] => {"changed": true, "data_changed": true, 
"data_type_changed": false}
TASK [Initialize Disk 1] 
***
Monday 08 June 2020  16:32:32 + (0:00:03.335)   0:33:39.440 
*** 
changed: [server4.fqdn] => {"changed": true, "cmd": "Initialize-Disk 
-Number 1", "delta": "0:00:04.105311", "end": "2020-06-08 04:32:39.137372", 
"rc": 0, "start": "2020-06-08 04:32:35.032060", "stderr": "", 
"stderr_lines": [], "stdout": "", "stdout_lines": []}
changed: [server1.fqdn] => {"changed": true, "cmd": "Initialize-Disk 
-Number 1", "delta": "0:00:03.903042", "end": "2020-06-08 04:32:39.527549", 
"rc": 0, "start": "2020-06-08 04:32:35.624506", "stderr": "", 
"stderr_lines": [], "stdout": "", "stdout_lines": []}
changed: [server2.fqdn] => {"changed": true, "cmd": "Initialize-Disk 
-Number 1", "delta": "0:00:05.007749", "end": "2020-06-08 04:32:40.903429", 
"rc": 0, "start": "2020-06-08 04:32:35.895680", "stderr": "", 
"stderr_lines": [], "stdout": "", "stdout_lines": []}
TASK [Wait 15 seconds for disk initilization] 
**
Monday 08 June 2020  16:32:41 + (0:00:08.457)   0:33:47.898 
*** 
Pausing for 15 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
ok: [server1.fqdn] => {"changed": false, "delta": 15, "echo": true, "rc": 
0, "start": "2020-06-08 16:32:41.126472", "stderr": "", "stdout": "Paused 
for 15.0 seconds", "stop": "2020-06-08 16:32:56.126843", "user_input": ""}
TASK [Partition Disk 1] 

Monday 08 June 2020  16:32:56 + (0:00:15.051)   0:34:02.949 
*** 
changed: [server4.fqdn] => {"changed": true}
changed: [server1.fqdn] => {"changed": true}
changed: [server2.fqdn] => {"changed": true}
TASK [Format Disk 1 as E drive] 

Monday 08 June 2020  16:33:03 + (0:00:06.888)   0:34:09.838 
*** 
changed: [server4.fqdn] => {"changed": true}
changed: 

Re: [ansible-project] deploy VM from template and customize guest

2020-06-08 Thread Dave York
These are the two plays I use to do what you were asking about:

  - name: Ensure Computer Object exists in AD
    win_domain_computer:
      name: '{{ inventory_hostname_short }}'
      dns_hostname: '{{ inventory_hostname }}'
      domain_server: domaincontroller.fqdn
      sam_account_name: '{{ inventory_hostname_short }}$'
      ou: '{{ AD_OU }}'
      description: '{{ owner_email }}'
      enabled: yes
      state: present
    delegate_to: utilityserver.fqdn

  - name: Clone to VM from Template
    vmware_guest:
      hostname: '{{ vsphere_hostname }}'
      username: '{{ lookup("env", "VMWARE_USER") }}'
      password: '{{ lookup("env", "VMWARE_PASSWORD") }}'
      validate_certs: no  # skips vCenter TLS verification; use a trusted cert where you can
      folder: '{{ vmware_folder }}'
      annotation: "{{ owner_email }}"
      datacenter: '{{ vmware_datacenter }}'
      name: '{{ inventory_hostname_short }}'
      cluster: '{{ vmware_cluster }}'
      state: poweredon
      template: '{{ vmware_template }}'
      datastore: '{{ vmware_datastore }}'
      customization:
        domainadmin: '{{ lookup("env", "ANSIBLE_NET_USERNAME") }}'
        domainadminpassword: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'
        joindomain: domain.fqdn
        password: '{{ templatepwd }}'
        timezone: 004
      disk:
        - size_gb: 100
          type: thin
        - size_gb: 100
          type: thin
      hardware:
        memory_mb: '{{ vmware_mem }}'
        num_cpus: '{{ vmware_cpu }}'
        scsi: paravirtual
        hotadd_cpu: True
        hotremove_cpu: True
        hotadd_memory: True
        boot_firmware: "efi"
      networks:
        - name: '{{ vmware_network }}'
          ip: '{{ ipv4 }}'
          netmask: '255.255.255.0'
          gateway: '{{ ipv4_gateway }}'
          device_type: vmxnet3
          dns_servers:
            - '{{ dns_primary }}'
            - '{{ dns_secondary }}'
      wait_for_ip_address: yes
      wait_for_customization: yes
    delegate_to: localhost
    register: deploy


On Monday, June 8, 2020 at 7:15:11 AM UTC-7, Tony Wong wrote:
>
> for ansible, is there a reverse order to detroy the vms after the vm 
> playbook has been run like terraform? Or do I need to create another 
> playbook to destroy the vms?
>
> On Mon, Jun 8, 2020 at 6:59 AM Tony Wong > 
> wrote:
>
>> I got a customization template in vcenter. how do I specify using that 
>> template. Also the template looks like will override my static IP settings 
>> on my Vms. 
>>
>> On Sun, Jun 7, 2020 at 3:31 PM Dave York > 
>> wrote:
>>
>>> Ive done this by using the customization argument of the vmware_guest 
>>> module to join the domain. but prior to vmware_guest i use a 
>>> win_domain_computer delegated to a windows utility box to prestage the 
>>> computer object in the right ou 
>>>
>>> Sent from Outlook Mobile <https://aka.ms/blhgte>
>>>
>>



Re: [ansible-project] deploy VM from template and customize guest

2020-06-08 Thread Dave York
These are the two plays I use to do what you're talking about:

  - name: Ensure Computer Object exists in AD
    win_domain_computer:
      name: '{{ inventory_hostname_short }}'
      dns_hostname: '{{ inventory_hostname }}'
      domain_server: DC you want to run the prestage computer object on
      sam_account_name: '{{ inventory_hostname_short }}$'
      ou: '{{ AD_OU }}'
      description: '{{ environment_owner_email }}'
      enabled: yes
      state: present
    delegate_to: WINDOWS UTILITY SERVER FQDN

  - name: Clone to VM from Template
    vmware_guest:
      hostname: '{{ vsphere_hostname }}'
      username: '{{ lookup("env", "VMWARE_USER") }}'
      password: '{{ lookup("env", "VMWARE_PASSWORD") }}'
      validate_certs: no  # skips vCenter TLS verification; use a trusted cert where you can
      folder: '{{ vmware_folder }}'
      annotation: "{{ apollo_environment_owner_email }}"
      datacenter: '{{ vmware_datacenter }}'
      name: '{{ inventory_hostname_short }}'
      cluster: '{{ vmware_cluster }}'
      state: poweredon
      template: '{{ vmware_template }}'
      datastore: '{{ vmware_datastore }}'
      customization:
        domainadmin: '{{ lookup("env", "ANSIBLE_NET_USERNAME") }}'
        domainadminpassword: '{{ lookup("env", "ANSIBLE_NET_PASSWORD") }}'
        joindomain: internal.mcmcg.com
        password: '{{ templatepwd }}'
        timezone: 004
      disk:
        - size_gb: 100
          type: thin
        - size_gb: 100
          type: thin
      hardware:
        memory_mb: '{{ vmware_mem }}'
        num_cpus: '{{ vmware_cpu }}'
        scsi: paravirtual
        hotadd_cpu: True
        hotremove_cpu: True
        hotadd_memory: True
        boot_firmware: "efi"
      networks:
        - name: '{{ vmware_network }}'
          ip: '{{ ipv4 }}'
          netmask: '255.255.255.0'
          gateway: '{{ ipv4_gateway }}'
          device_type: vmxnet3
          dns_servers:
            - '{{ dns_primary }}'
            - '{{ dns_secondary }}'
      wait_for_ip_address: yes
      wait_for_customization: yes
    delegate_to: localhost
    register: deploy





Re: [ansible-project] deploy VM from template and customize guest

2020-06-07 Thread Dave York
I've done this by using the customization argument of the vmware_guest module to 
join the domain. But prior to vmware_guest I use a win_domain_computer 
delegated to a windows utility box to prestage the computer object in the right 
OU.

Sent from Outlook Mobile



Re: [ansible-project] jinja template not evaluating conditional as expected

2020-04-03 Thread Dave York
That worked! Thanks Stefan! 

I swear the other way worked for me once, but I like your solution; it's more 
graceful.



[ansible-project] jinja template not evaluating conditional as expected

2020-04-02 Thread Dave York
I have a playbook that calls win_template:
  - name: Template domain.xml
    win_template:
      src: 'domain.xml.jinja'
      dest: 'e:\domain.xml'

Within the template I have this section below.  I have confirmed (with a 
debug statement in the play above) that enable_target is set to 'true'.  

{% if enable_agent == 'true' %}





{% endif %}

However, after running the play, the jvm-options lines don't appear in the 
XML file as I would expect.  Anyone have any ideas?

Thanks community!



[ansible-project] Re: win_xml module 'cannot call a method on a null-valued expression'

2020-03-31 Thread Dave York
I figured this out.  Turned out that my xml was using a different 
namespace? I had to follow guidance I found on stackoverflow:
https://stackoverflow.com/questions/5239685/xml-namespace-breaking-my-xpath

So my play now looks like this (and works):
  tasks:
    - name: Test modifying XML
      win_xml:
        path: e:\jboss-eap-6.4\X\configuration\domain.xml
        xpath: '/*[local-name()="domain"]/*[local-name()="server-groups"]/*[local-name()="server-group"]/*[local-name()="jvm"]/*[local-name()="heap"]'
        attribute: 'size'
        fragment: '123m'
        type: attribute

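Why the original xpath selected nothing, and why the local-name() form fixes it, as an added Python example (not from the post and not the win_xml module's code): a default xmlns puts every element of the document into that namespace, so the unqualified path matches no node, and the module then calls HasAttribute() on a null. Standard library only; the sample domain.xml and its xmlns value are constructed assumptions modelled on JBoss, not the poster's file.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a JBoss domain.xml. The xmlns value is an
# assumption, not taken from the original post. Because of that default
# namespace every element is "{urn:jboss:domain:1.7}name", so the plain
# path /domain/server-groups/server-group/jvm/heap selects nothing.
SAMPLE_DOMAIN_XML = """\
<domain xmlns="urn:jboss:domain:1.7">
  <server-groups>
    <server-group name="main-server-group" profile="full">
      <jvm name="default">
        <heap size="64m" max-size="512m"/>
      </jvm>
      <deployments>
        <deployment name="XXX.ear" runtime-name="XXX.ear"/>
      </deployments>
    </server-group>
  </server-groups>
</domain>
"""

# The path from the failing play, relative to the root element.
NAIVE_PATH = "./server-groups/server-group/jvm/heap"
# ElementTree's {*} wildcard is the stdlib counterpart of the
# *[local-name()="..."] steps in the working play: match the local tag
# name in any namespace, or in none.
NS_AGNOSTIC_PATH = "./{*}server-groups/{*}server-group/{*}jvm/{*}heap"


def find_heap(xml_text, path):
    """Return the <heap> element selected by `path`, or None.

    None is the "null-valued expression" the module's PowerShell then calls
    HasAttribute() on; the xpath was syntactically fine, it just matched
    nothing.
    """
    root = ET.fromstring(xml_text)
    return root.find(path)


def default_namespace(root):
    """Namespace URI of the root element, or '' when it declares none."""
    return root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""


def set_heap_size(xml_text, new_size, path=NS_AGNOSTIC_PATH):
    """Set size="..." on <heap> and return (changed, serialized_xml).

    Raises LookupError when nothing matches instead of dereferencing None,
    which is the guard the failing module run was missing.
    """
    root = ET.fromstring(xml_text)
    node = root.find(path)
    if node is None:
        raise LookupError(
            f"no element matched {path!r}; check the document's default namespace"
        )
    changed = node.get("size") != new_size
    node.set("size", new_size)
    # Re-register the default namespace so the output keeps a bare xmlns=
    # instead of ElementTree's generated ns0: prefixes.
    ns = default_namespace(root)
    if ns:
        ET.register_namespace("", ns)
    return changed, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("naive path matched:", find_heap(SAMPLE_DOMAIN_XML, NAIVE_PATH))
    print("namespace-agnostic path matched:",
          find_heap(SAMPLE_DOMAIN_XML, NS_AGNOSTIC_PATH).attrib)
    changed, out = set_heap_size(SAMPLE_DOMAIN_XML, "123m")
    print("changed:", changed)
    print(out)
```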


[ansible-project] Re: win_xml module 'cannot call a method on a null-valued expression'

2020-03-31 Thread Dave York
I forgot to add, the domain tag is:



not just 



if that's relevant.  






[ansible-project] win_xml module 'cannot call a method on a null-valued expression'

2020-03-31 Thread Dave York
I have a JBoss domain.xml file I'm trying to manipulate with win_xml:


...

















When I try to modify the heap size attribute above using win_xml with this 
play:
  - name: Test modifying XML
    win_xml:
      path: e:\jboss-eap-6.4\XXX\configuration\domain.xml
      xpath: '/domain/server-groups/server-group/jvm/heap'
      attribute: 'size'
      fragment: '123m'
      type: attribute


However, I get an exception that looks like it's coming from powershell: "You 
cannot call a method on a null-valued expression"
"exception": "You cannot call a method on a null-valued expression.\r\nAt 
line:204 char:5\r\n+ [bool]$add = !$node.HasAttribute($attribute) -Or 
($node.$attribut ...\r\n+ 
~\r\n+ 
CategoryInfo  : InvalidOperation: (:) [], 
ParentContainsErrorRecordException\r\n+ FullyQualifiedErrorId : 
InvokeMethodOnNull\r\n\r\nScriptStackTrace:\r\nat , : 
line 204\r\n",

"msg": "Unhandled exception while executing module: You cannot call a 
method on a null-valued expression.",
"_ansible_no_log": false,
"changed": false

}


Anyone see my problem? I checked the xpath using the Notepad++ XML tools plugin 
and it seems correct.  Scratching my head.



[ansible-project] Re: Weird Kerberos Issues with WinRM and a new host spun up from vmware_guest

2020-03-10 Thread Dave York
Yep - I am joining the domain as part of the customization in 
vmware_guest.  I do that locally from the tower box.  After vmware_guest I 
have a wait_for port 5985 with a 360 timeout.  I guess I was trying to 
avoid the 600 second sleep but I guess if it works, it works.  

Thanks for the insight, glad to know someone else is seeing something 
similar. :)

On Tuesday, March 10, 2020 at 2:02:58 PM UTC-7, J Hawkesworth wrote:
>
> Just to be clear, are you joining the host to the domain as part of the 
> vmware_guest call?
>
> I have playbooks that do something similar to what you describe but with 
> some differences.
> I like to drive everything from inventory so I add the host details to 
> (static) inventory and then run the playbook with the vmware_guest task 
> delegated to localhost.  This means I don't have to add_host and can clone 
> multiple vms in parallel (if I am feeling lucky/patient).
>
> After vmware_guest has completed I put in a fairly huge wait iirc 600 
> seconds, then I do a `wait_for_connection` again with a long timeout - i 
> think around 600 seconds again.
> The domain join seems to take a long time and there is a reboot of the 
> target involved I think.  I have definitely seen the winrm service 'jitter' 
> i.e start and then become unavailable for a while before becoming available 
> again as other services come up on startup, hence the big long wait and 
> then polling with wait_for_connection before attempting to run main 
> playbook content.
>
> It's not infallible - sometimes it fails to respond before the 
> wait_for_connection has timed out, but it depends on what else is going on 
> in vSphere. I think you might be experiencing the winrm 'jitter', so 
> adding a wait and then polling till winrm becomes available might get you 
> to the point where you can at least set it running and let the playbook run 
> through.
>
> Hope this helps,
>
> Jon
>
>
> On Tuesday, March 10, 2020 at 8:01:35 PM UTC, David Foley wrote:
>>
>> Did you Configure the WinRM ? for CredSSP ? 
>>
>>   runonce:
>> - powershell.exe -ExecutionPolicy Unrestricted wget 
>> https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
>>  
>> -OutFile C:\Windows\Temp\ConfigureRemotingForAnsible.ps1
>> - powershell.exe -ExecutionPolicy Unrestricted -File 
>> C:\Windows\Temp\ConfigureRemotingForAnsible.ps1 -EnableCredSSP 
>> -DisableBasicAuth -Verbose
>>
>>
>> [win]
>>   SERVER_IP
>>
>>   [win:vars]
>>   ansible_user=".\Administrator"
>>   ansible_password=
>>   ansible_connection=winrm
>>   ansible_winrm_transport=credssp
>>   ansible_winrm_server_cert_validation=ignore
>>
>



[ansible-project] Re: Weird Kerberos Issues with WinRM and a new host spun up from vmware_guest

2020-03-10 Thread Dave York

Thanks David - I've been trying to use Kerberos, and it should be enabled.  
I'm only connecting as a domain admin so Kerberos should work (or so I 
gather):

Auth

Basic = false

Kerberos = true

Negotiate = true

Certificate = false

CredSSP = false

CbtHardeningLevel = Relaxed




[ansible-project] Weird Kerberos Issues with WinRM and a new host spun up from vmware_guest

2020-03-10 Thread Dave York
Hi Ansible Community.  I've been struggling with an issue I've actually 
posted about here before.  It's more of an annoyance than anything but I'd 
really love to get past it, as I'm trying to demo Infrastructure-as-code to 
my org.  

I have a playbook that spins up a new vm using vmware_guest, and afterwards 
it adds the new host to a staging group.  The playbook machine credentials 
are using a username that is part of the domain admin group.  

*The weird part*: The first time the playbook runs, the first step after 
the vmware_guest module that actually connects to the new host fails with a 
kerberos error:

fatal: [webserver.internal.domain.com]: UNREACHABLE! => {"changed": false, 
"msg": "kerberos: the specified credentials were rejected by the server", 
"unreachable": true}

*The even weirder part:* If I go to run the playbook again, it will 
actually perform a few of the plays it got the above error on, but then it 
will again fail a few plays in.  By the 3rd or 4th run, eventually I can 
run the playbook in its entirety without error.

I've done a LOT of troubleshooting on this and I can't seem to figure out 
why it's not working on the first play.

*Here are some things I've checked:*
- I am able to RDP into the server with the same domain admin credentials 
the playbook is using right around the time we get a kerberos failure in 
ansible
- I am able to Enter-PSSession at the same time the playbook gets the 
kerberos failure
- I've confirmed that the SPN for WSMan is on the computer object in AD and 
replicated at the time the Kerberos issue happens
- I've checked the RootSDDL and plugin SDDLs on the win2016 template I'm 
using, using winrm e winrm/config/plugin -format:pretty and winrm get 
winrm/config - the builtin/administrators group seems to have full access to 
rootSDDL and the powershell plugins
- I've confirmed that a reverse and forward DNS entry exists in 
 DNS for kerberos
- I've checked that krb5.conf on the tower machine has rdns set to false
- I've confirmed that time is in sync between the new host, and the tower 
host, and the domain controllers
- I've reviewed any GPOs affecting the new host and ruled out any settings 
that may interfere with Kerberos/WinRM

I did notice my krb5.conf on my tower box is configured to be part of 
IDM.internal.domain.com whereas my domain is actually just 
internal.domain.com, as my Linux team is in the process of getting 
centralized auth going with IdM.  I'm not sure if that has something to do 
with it, but auth *does* seem to be working once the 'weird' issues above 
go away.  

If anyone has any other ideas, they would be greatly appreciated.











[ansible-project] Re: Swapping credentials

2020-03-02 Thread Dave York
I think you got it figured out Jordan.

I tried with a object that didn't previously exist and it worked.

I've been manually deleting the old computer objects beforehand, but I don't 
think I've been giving it enough time to replicate (our AD structure is 
messy/slow right now).

I'll probably work a 'delete computer object' and 'wait 5 minutes' into my 
vm provisioning script (the one we've been working with here)

Appreciate the help once again!

On Sunday, March 1, 2020 at 9:02:41 PM UTC-8, Jordan Borean wrote:
>
> If you have multiple DCs then potentially it could be replication at fault 
> here but usually if a host is missing from the domain controller it queries 
> then a different error is shown (service not found in the database).
>
> Is the host you are connecting to sharing the same hostname as an older 
> host that it's potentially replacing? If so the SPN could be registered 
> under the newer host on 1 DC but still not been replicated to another DC 
> where it still thinks hostname is another host. Each host would technically 
> have its own unique key, and when the server goes to check the credentials 
> it is unable to decrypt the secret because it's using a different key than 
> the one the DC thought it had (older host) and thus thinks the credentials 
> were bad.
>



[ansible-project] Re: Swapping credentials

2020-03-01 Thread Dave York
I've taken to just brute-force running the same playbook over and over 
again until the issue goes away.  I still suspect GPO or replication or 
time... or something

However - one clue - When the kerberos error happens, I see this generated 
in the log files:

Log Name:  System
Source:Microsoft-Windows-WinRM
Date:  3/1/2020 6:16:34 PM
Event ID:  10154
Task Category: None
Level: Warning
Keywords:  Classic
User:  N/A
Computer:  hostname.internal.domain
Description:
The WinRM service failed to create the following SPNs: 
WSMAN/hostname.internal.domain; WSMAN/hostname. 

 Additional Data 
 The error received was 1355: %%1355.

 User Action 
 The SPNs can be created by an administrator using setspn.exe utility.




[ansible-project] Re: Swapping credentials

2020-03-01 Thread Dave York


Second Run (from failure) gets further (?!?!)

[image: ansible-krb3.png]







[ansible-project] Re: Swapping credentials

2020-03-01 Thread Dave York


First run looks the same:

[image: ansible-krb2.png] 











[ansible-project] Re: Swapping credentials

2020-03-01 Thread Dave York
Thanks again for the help on this.

I double verified the machine credential is a domain admin, and verified 
that time is in-sync between the ansible tower host and the domain.

I'll try setting ansible_winrm_transport: kerberos and 
ansible_winrm_message_encryption: always and see what happens

On Sunday, March 1, 2020 at 2:31:12 PM UTC-8, Jordan Borean wrote:
>
> The fact that you were able to get a Kerberos ticket showed that your host 
> is set up to get the tickets correctly. Some things you should check:
>
>    - The domain account is a local admin; non-admins can technically 
>    connect through WinRM but not by default. In any case Ansible is very 
>    limited with what it can do when connecting as a non-admin account, so it's 
>    not something we usually document.
>    - The time is synced between your Ansible controller and the Windows 
>    server.
>    - You aren't using message encryption. This should be done 
>    automatically but some older libraries that Ansible uses may not have it 
>    available. To check, set 'ansible_winrm_message_encryption: always' just to 
>    double check message encryption is available and works.
>
>
> Also you should set 'ansible_winrm_transport: kerberos' to stop the 
> fallback to Basic auth. Unfortunately this is also another backwards 
> compatibility issue which we can't take away but isn't something that is 
> really optimal.
>



[ansible-project] Re: Swapping credentials

2020-03-01 Thread Dave York
You can actually see kerberos failing within the same play... It will run 
various commands then just randomly run into one that it gets the kerberos 
error on.

[image: ansible-krb.png]

This is what that play looks like in yaml:
 tasks: 
  - name: Ensure SMBv1 is disabled
win_optional_feature:
  name: smb1protocol
  state: absent  
  
  - name: Initialize Disk 1
win_shell: Initialize-Disk -Number 1
ignore_errors: yes

  - name: Wait 15 seconds for disk initialization
pause: 
  seconds: 15
  
  - name: Partition Disk 1
win_partition:
  drive_letter: E
  partition_size: -1
  disk_number: 1
  state: present
ignore_errors: yes 
#Ignore errors because this module doesn't handle idempotency well

  - name: Format Disk 1 as E drive
win_format:
  drive_letter: E
  file_system: NTFS
  new_label: DATA
ignore_errors: yes 
#Ignore errors because this module doesn't handle idempotency well

  - name: Ensure SMBv1 is disabled
win_optional_feature:
  name: smb1protocol
  state: absent



On Sunday, March 1, 2020 at 2:47:01 AM UTC-8, Jordan Borean wrote:
>
> Plaintext means basic auth over http which is rejected by windows because 
> it is not encrypted. Basic auth also does not work for domain accounts but 
> unfortunately it is the default for backwards compatibility reasons when 
> the username specified is not in the UPN format.
>
> If you are connecting to a domain account you can set 
> ansible_winrm_transport: ntlm to get you going but I highly recommend you 
> get Kerberos auth working for domain accounts.
>



[ansible-project] Re: Swapping credentials

2020-03-01 Thread Dave York
Acknowledged.  I've been trying to stick with Kerberos now, but STILL 
having issues.

The machine credentials I use are serviceaccount@ALLUPPERCASE.DOMAIN and 
right after vmware_guest builds the VM, I try to continue on but now I get:

kerberos: the specified credentials were rejected by the server, plaintext: 
the specified credentials were rejected by the server

However, I still see the same behavior.  I get that error, and minutes 
later I can run the job again and get past it.  I'm able to logon to the 
server right after vmware_guest finishes with the service account.

Pulling my hair out here, not sure what's going on.





[ansible-project] Re: Swapping credentials

2020-02-29 Thread Dave York
I can't tell what changes, but while ansible is trying to connect, it 
throws this error in the event log:

Log Name: System
Event ID: 10111
Level: Warning
Source: Microsoft-Windows-WinRM
Description:

User authentication using Basic Authentication scheme failed.

Unexpected error received from LogonUser 1326: %%1326






[ansible-project] Re: Swapping credentials

2020-02-29 Thread Dave York
Further troubleshooting makes this seem like it has something to do with 
time (GPO applying maybe?) 

I can run another job with the same connection to staging_domain and 
eventually it starts working.

I'm still trying to figure it out, ill post back here if I find anything 




[ansible-project] Re: Swapping credentials

2020-02-29 Thread Dave York
Thanks Jordan, I think you kicked me in the right direction, but still 
missing something.  I'm following your guidance somewhat, but I'm adding 
the inventory within the playbook instead of in the inventory:

  - name: add new host staging_domain to inventory
add_host: 
  name: staging_domain
  ansible_host: serverA.internal.domain
  ansible_user: '{{ ansible_user }}'
  ansible_password: '{{ ansible_password }}'
  ansible_connection: winrm
  ansible_port: 5985

  - name: add new host staging_localadmin to inventory
add_host: 
  name: staging_localadmin
  ansible_host: serverA.internal.domain
  ansible_user: Administrator
  ansible_password: '{{ randopass }}'
  ansible_connection: winrm
  ansible_port: 5985

The above works when I connect to staging_localadmin, but does NOT when I 
connect to staging_domain.  

When connecting to staging_domain, I get:

plaintext: the specified credentials were rejected by the server

I'm running this from tower, so the {{ ansible_user }} and {{ 
ansible_password }} I'm passing staging_domain should be the machine 
credentials.  I verified this with some debug statements.  


On Friday, February 28, 2020 at 4:48:20 PM UTC-8, Jordan Borean wrote:
>
> What you have there is one way, but by default WinRM only allows local 
> administrators to connect to the host, so you need to make sure that either 
> the domain user is also a local admin or adjust the WinRM security to allow 
> non-admins to connect.
>
> Another option is to define the host twice in your inventory like so:
>
> [windows]
> serverA_local  ansible_host=serverA.internal.domain ansible_user=administrator ansible_password=pass
> serverA_domain  ansible_host=serverA.internal.domain ansible_user=DOMAIN\user ansible_password=pass
>
> [windows:vars]
> ansible_connection=winrm
> ansible_port=5985
>
> In your play you would set hosts: serverA_local for the local inventory 
> entry and hosts: serverA_domain for the domain inventory.
>
> Thanks
>
> Jordan
>

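An added example, not code from the thread or from the Ansible project: one playbook that ties together the advice given across this thread, namely Jordan's two-entries-per-host pattern with `ansible_winrm_transport: kerberos` and `ansible_winrm_message_encryption: always`, Jon's post-provisioning wait for the domain-join reboot and WinRM "jitter", and the SPN check the Event ID 10154 text points at. The host name `serverA.internal.domain`, the `staging_*` aliases, the 600-second timeout, and the assumption that Tower supplies `ansible_user`/`ansible_password` as the machine credential are all assumptions.

```yaml
# Added example (not from the thread). Assumes the vmware_guest task that
# creates the VM has already run in an earlier play and set 'randopass' the
# way the poster's playbook does; it is omitted here.
- name: Register the new VM under two credential sets
  hosts: localhost
  gather_facts: no
  vars:
    new_host: serverA.internal.domain        # assumed name
  tasks:
    - name: Alias for first-boot work as the local Administrator
      add_host:
        name: staging_localadmin
        ansible_host: "{{ new_host }}"
        ansible_user: Administrator
        ansible_password: "{{ randopass }}"
        ansible_connection: winrm
        ansible_port: 5985
        # Local account: NTLM rather than the default that falls back to
        # Basic auth, which Windows rejects over plain HTTP anyway.
        ansible_winrm_transport: ntlm
        ansible_winrm_message_encryption: always

    - name: Alias for the domain machine credential
      add_host:
        name: staging_domain
        ansible_host: "{{ new_host }}"
        # Assumes Tower injects the machine credential (UPN form,
        # e.g. svc@REALM.UPPERCASE) as ansible_user/ansible_password.
        ansible_user: "{{ ansible_user }}"
        ansible_password: "{{ ansible_password }}"
        ansible_connection: winrm
        ansible_port: 5985
        ansible_winrm_transport: kerberos     # no silent fallback to Basic
        ansible_winrm_message_encryption: always  # fail loudly if unavailable

- name: Wait out the domain-join reboot and WinRM jitter, then verify SPNs
  hosts: staging_domain
  gather_facts: no
  tasks:
    # wait_for_connection keeps polling through transient connection errors,
    # so the "credentials were rejected" seen right after the join is
    # retried instead of failing the play on the first attempt.
    - name: Poll until WinRM answers with the domain credential
      wait_for_connection:
        delay: 120      # let the join/reboot finish before the first probe
        sleep: 15
        timeout: 600    # assumed; Jon reported ~600 s in practice

    - name: Confirm the WSMAN SPNs were registered (Event 10154 means they were not)
      win_shell: setspn -L {{ ansible_host.split('.')[0] }}
      register: spn_out
      changed_when: false
      failed_when: "'WSMAN/' not in spn_out.stdout"
```

If the SPN task fails, the computer object is missing its WSMAN SPNs (or has not replicated yet), which matches the key-mismatch explanation given earlier in the thread; fix the object rather than re-running the playbook until it passes.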


[ansible-project] variable undefined?

2020-02-29 Thread Dave York
I'm confused why I'm getting a 'variable undefined' error with this 
playbook, anyone have any idea?

- hosts: localhost
  connection: local
  gather_facts: yes

  tasks:
  - name: Generate a temporary random password for template/os customization
set_fact: 
  randopass: 
"{{ lookup('password', '/dev/null length=24 chars=ascii_letters') }}"
  
... I use '{{ randopass }}' somewhere else in this play and it's fine... but 
then I get to this part:

- hosts: staging
  vars:
  ansible_user: Administrator
  ansible_password: '{{ randopass }}'
  gather_facts: yes

ERROR:
The field 'password' has an invalid value, which includes an undefined 
variable. The error was: 'randopass' is undefined



[ansible-project] Swapping credentials

2020-02-28 Thread Dave York
Hi Ansible Community!

I have a playbook running against windows servers.  I have one play where 
I'm connecting as the local administrator, then a second play where I'm 
connecting as a domain user.  I'm confused on how to do this.  I'm running 
from Ansible Tower so I have the domain user as the machine credentials 
applied.  

How do I tell the second play to use the domain account (machine 
credentials) after telling the first play to use the local admin account?  
Any help appreciated, I'm pretty new to Ansible.

- hosts: serverA.internal.domain
  vars:
    ansible_user: Administrator
    ansible_password: 
  gather_facts: no
  connection: winrm
  port: 5985

  tasks:
  - debug:
      var: hostvars[inventory_hostname]
      verbosity: 1


- hosts: serverA.internal.domain
  vars:
    ansible_user: ??machine credential??
    ansible_password: 
  gather_facts: no
  connection: winrm
  port: 5985




Re: [ansible-project] Connecting to a WinRM host with different credentials?

2020-02-23 Thread Dave York
That was what I was looking for.  Thanks Jordan/Tom

On Sunday, February 23, 2020 at 10:52:47 AM UTC-8, Jordan Borean wrote:
>
> Further to the above, those are variables and not attributes you can set 
> on a play. You need to set them under the vars key or just add them 
> using add_host in the previous play.

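The pattern Jordan describes (connection credentials under the play's vars, and a password generated by set_fact in an earlier play read back through hostvars) as one playbook, added here as an example rather than code from any post in the thread; the group name windows_staging, the ntlm transport and the win_whoami check are assumptions, and the same hostvars lookup is what the "variable undefined?" post above was missing.

```yaml
# Added example, not from the mailing-list posts. Play 1 generates a throwaway
# local-admin password on the controller; play 2 connects to the Windows host
# with it. 'windows_staging' is a placeholder inventory group.
- hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - name: Generate a temporary random password (/dev/null means it is not stored on disk)
      set_fact:
        randopass: "{{ lookup('password', '/dev/null length=24 chars=ascii_letters,digits') }}"
      no_log: true   # keep the generated secret out of task output and job logs

    # The vmware_guest customization step from the original post would go here,
    # passing '{{ randopass }}' as the guest OS administrator password.

- hosts: windows_staging
  connection: winrm
  port: 5985
  gather_facts: yes
  vars:
    # set_fact facts are scoped to the host that set them. A later play with
    # different hosts reads them via hostvars of that host (localhost here);
    # a bare '{{ randopass }}' in this play is undefined.
    ansible_user: Administrator
    ansible_password: "{{ hostvars['localhost']['randopass'] }}"
    # ntlm adds message-level encryption, so the local-admin credential is not
    # sent in the clear over plain HTTP on 5985 (assumption: host allows ntlm).
    ansible_winrm_transport: ntlm
  tasks:
    - name: Confirm the connection works under the temporary credential
      win_whoami:

# A following play that does not set ansible_user/ansible_password under vars
# falls back to whatever credentials the inventory supplies for the host.
```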


[ansible-project] Connecting to a WinRM host with different credentials?

2020-02-22 Thread Dave York
I have a playbook in which I want to create a random password and use it 
later to connect to a windows box over WinRM

I've generated a random password like this:
  - name: Generate a temporary random password for new host
    set_fact:
      randopass: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}"

I set the admin password with vmware_guest os customization:
  customization:
    password: '{{ randopass }}'
    timezone: 004

Then - I'm trying to use:
- hosts: 'hostname.internal.domain.com'
  connection: winrm
  port: 5985
  remote_user: Administrator
  remote_pass: '{{ randopass }}'
  gather_facts: yes

I've tried "remote_password, remote_pass, ansible_pass, ansible_password" 
and I get an error message like this:

ERROR! 'remote_pass' is not a valid attribute for a Play


What can I use for this part of the play to connect as a different 
user/password?

I'm using Ansible Tower, if it matters.
