[ansible-project] Re: Weird Kerberos Issues with WinRM and a new host spun up from vmware_guest
Yep - I am joining the domain as part of the customization in vmware_guest. I do that locally from the tower box. After vmware_guest I have a wait_for port 5985 with a 360 timeout. I guess I was trying to avoid the 600 second sleep but I guess if it works, it works.

Thanks for the insight, glad to know someone else is seeing something similar. :)

On Tuesday, March 10, 2020 at 2:02:58 PM UTC-7, J Hawkesworth wrote:
> Just to be clear, are you joining the host to the domain as part of the
> vmware_guest call?
>
> I have playbooks that do something similar to what you describe but with
> some differences.
> I like to drive everything from inventory so I add the host details to
> (static) inventory and then run the playbook with the vmware_guest task
> delegated to localhost. This means I don't have to add_host and can clone
> multiple VMs in parallel (if I am feeling lucky/patient).
>
> After vmware_guest has completed I put in a fairly huge wait, iirc 600
> seconds, then I do a `wait_for_connection` again with a long timeout - I
> think around 600 seconds again.
> The domain join seems to take a long time and there is a reboot of the
> target involved I think. I have definitely seen the winrm service 'jitter',
> i.e. start and then become unavailable for a while before becoming available
> again as other services come up on startup, hence the big long wait and
> then polling with wait_for_connection before attempting to run main
> playbook content.
>
> It's not infallible - sometimes it fails to respond before the
> wait_for_connection has timed out but it depends on what else is going on
> in vSphere, but I think you might be experiencing the winrm 'jitter' so
> adding a wait and then polling till winrm becomes available might get you
> to the point where you can at least set it running and let the playbook run
> through.
>
> Hope this helps,
>
> Jon
>
> On Tuesday, March 10, 2020 at 8:01:35 PM UTC, David Foley wrote:
>> Did you configure WinRM for CredSSP?
>>
>> runonce:
>>   - powershell.exe -ExecutionPolicy Unrestricted wget https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -OutFile C:\Windows\Temp\ConfigureRemotingForAnsible.ps1
>>   - powershell.exe -ExecutionPolicy Unrestricted -File C:\Windows\Temp\ConfigureRemotingForAnsible.ps1 -EnableCredSSP -DisableBasicAuth -Verbose
>>
>> [win]
>> SERVER_IP
>>
>> [win:vars]
>> ansible_user=".\Administrator"
>> ansible_password=
>> ansible_connection=winrm
>> ansible_winrm_transport=credssp
>> ansible_winrm_server_cert_validation=ignore

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8de51aca-4e10-4072-affd-5129bc7cd1a8%40googlegroups.com.
[ansible-project] Re: Weird Kerberos Issues with WinRM and a new host spun up from vmware_guest
Thanks David - I've been trying to use Kerberos, and it should be enabled. I'm only connecting as a domain admin so Kerberos should work (or so I gather):

Auth
    Basic = false
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = Relaxed

On Tuesday, March 10, 2020 at 1:01:35 PM UTC-7, David Foley wrote:
> Did you configure WinRM for CredSSP?
>
> runonce:
>   - powershell.exe -ExecutionPolicy Unrestricted wget https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -OutFile C:\Windows\Temp\ConfigureRemotingForAnsible.ps1
>   - powershell.exe -ExecutionPolicy Unrestricted -File C:\Windows\Temp\ConfigureRemotingForAnsible.ps1 -EnableCredSSP -DisableBasicAuth -Verbose
>
> [win]
> SERVER_IP
>
> [win:vars]
> ansible_user=".\Administrator"
> ansible_password=
> ansible_connection=winrm
> ansible_winrm_transport=credssp
> ansible_winrm_server_cert_validation=ignore
[ansible-project] Re: Weird Kerberos Issues with WinRM and a new host spun up from vmware_guest
Just to be clear, are you joining the host to the domain as part of the vmware_guest call?

I have playbooks that do something similar to what you describe but with some differences.
I like to drive everything from inventory so I add the host details to (static) inventory and then run the playbook with the vmware_guest task delegated to localhost. This means I don't have to add_host and can clone multiple VMs in parallel (if I am feeling lucky/patient).

After vmware_guest has completed I put in a fairly huge wait, iirc 600 seconds, then I do a `wait_for_connection` again with a long timeout - I think around 600 seconds again.
The domain join seems to take a long time and there is a reboot of the target involved I think. I have definitely seen the winrm service 'jitter', i.e. start and then become unavailable for a while before becoming available again as other services come up on startup, hence the big long wait and then polling with wait_for_connection before attempting to run main playbook content.

It's not infallible - sometimes it fails to respond before the wait_for_connection has timed out but it depends on what else is going on in vSphere, but I think you might be experiencing the winrm 'jitter' so adding a wait and then polling till winrm becomes available might get you to the point where you can at least set it running and let the playbook run through.

Hope this helps,

Jon

On Tuesday, March 10, 2020 at 8:01:35 PM UTC, David Foley wrote:
> Did you configure WinRM for CredSSP?
>
> runonce:
>   - powershell.exe -ExecutionPolicy Unrestricted wget https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -OutFile C:\Windows\Temp\ConfigureRemotingForAnsible.ps1
>   - powershell.exe -ExecutionPolicy Unrestricted -File C:\Windows\Temp\ConfigureRemotingForAnsible.ps1 -EnableCredSSP -DisableBasicAuth -Verbose
>
> [win]
> SERVER_IP
>
> [win:vars]
> ansible_user=".\Administrator"
> ansible_password=
> ansible_connection=winrm
> ansible_winrm_transport=credssp
> ansible_winrm_server_cert_validation=ignore
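The wait-then-poll sequence described in the message above, written out as a playbook. This is an added example, not part of the original thread or any poster's own playbook; the inventory group, variable names and template name are hypothetical. Unlike `wait_for` on port 5985, which only checks that the TCP port accepts connections, `wait_for_connection` retries a full WinRM connection with the transport configured in inventory.

```yaml
# Added example. Assumes the new VM is already listed in static inventory in a
# (hypothetical) group "new_windows" with, for Kerberos over WinRM:
#   ansible_connection=winrm
#   ansible_winrm_transport=kerberos
#   ansible_port=5985
- name: Clone a Windows VM and wait out the post-join WinRM jitter
  hosts: new_windows
  gather_facts: false            # the target does not exist yet
  tasks:
    - name: Clone from template and join the domain during customization
      vmware_guest:
        hostname: "{{ vcenter_host }}"          # hypothetical variable names
        username: "{{ vcenter_user }}"
        password: "{{ vcenter_password }}"      # keep secrets in Ansible Vault
        datacenter: "{{ vcenter_datacenter }}"
        folder: "{{ vm_folder }}"
        name: "{{ inventory_hostname_short }}"
        template: win-template                  # hypothetical template name
        state: poweredon
        wait_for_ip_address: true
        customization:
          hostname: "{{ inventory_hostname_short }}"
          password: "{{ local_admin_password }}"
          joindomain: "{{ ad_domain }}"
          domainadmin: "{{ ad_join_user }}"
          domainadminpassword: "{{ ad_join_password }}"
      delegate_to: localhost     # runs on the controller, one clone per inventory host

    - name: Fixed wait while the domain join and reboot complete
      pause:
        seconds: 600

    - name: Poll until WinRM accepts an authenticated connection
      wait_for_connection:
        delay: 0                 # start polling immediately after the pause
        sleep: 10                # seconds between attempts
        timeout: 600             # give up after ten more minutes

    - name: Confirm a module actually runs on the target
      win_ping:
```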
[ansible-project] Re: Weird Kerberos Issues with WinRM and a new host spun up from vmware_guest
Did you configure WinRM for CredSSP?

runonce:
  - powershell.exe -ExecutionPolicy Unrestricted wget https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -OutFile C:\Windows\Temp\ConfigureRemotingForAnsible.ps1
  - powershell.exe -ExecutionPolicy Unrestricted -File C:\Windows\Temp\ConfigureRemotingForAnsible.ps1 -EnableCredSSP -DisableBasicAuth -Verbose

[win]
SERVER_IP

[win:vars]
ansible_user=".\Administrator"
ansible_password=
ansible_connection=winrm
ansible_winrm_transport=credssp
ansible_winrm_server_cert_validation=ignore