How to run ansible from linux to deploy on windows machines #15332

Closed
alexanderfichel opened this issue Apr 7, 2016 · 11 comments
Labels
windows Windows community

Comments

@alexanderfichel

Here is what I have after setting kerberos according to ansible:
http://docs.ansible.com/ansible/intro_windows.html

[libdefaults]
        default_realm = MY.DOMAIN.COM
…
[realms]
        MY.DOMAIN.COM = {
                default_domain = my.domain.com
                kdc = <domain-controller-server>.my.domain.com
                kpasswd_server = <domain-controller-server>.my.domain.com
        }
…
[domain_realm]
        .my.domain.com = MY.DOMAIN.COM
…

I was able to create a kerberos ticket, here is my output:

root@alex-VirtualBox:/etc/ansible# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <user_name>@MY.DOMAIN.COM

Valid starting       Expires              Service principal
04/07/2016 13:58:52  04/07/2016 23:58:52  krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM
       renew until 04/08/2016 13:58:48
04/07/2016 14:02:20  04/07/2016 23:58:52  HTTP/<windows-target-server>.my.domain.com@MY.DOMAIN.COM
       renew until 04/08/2016 13:58:48

So what I am trying to do is run an ansible playbook or even a simple command on . But I am getting this error, which I am pretty sure has nothing to do with ansible:

root@alex-VirtualBox:/etc/ansible# ansible windows -m win_ping --ask-vault-pass
Vault password: 
<windows-target-server>.my.domain.com | FAILED! => {
        "failed": true, 
        "msg": "kerberos: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), plaintext: 401 Unauthorized."
    }

I even went ahead and created the keytab file:

> ktutil
  ktutil:  addent -password -p <user_name>@MY.DOMAIN.COM -k 1 -e rc4-hmac
  provide password
  ktutil:  wkt <user_name>.keytab
  ktutil:  quit

But then I get a different error:

root@alex-VirtualBox:/etc/ansible# ansible windows -m win_ping --ask-vault-pass
n2-2wbp-wbsvr01.na.msds.rhi.com | FAILED! => {
    "failed": true, 
    "msg": "kerberos: (('An invalid name was supplied', 131072), ('Success', 100001)), plaintext: 401 Unauthorized."
}
@jhawkesworth
Contributor

Can you resolve the DNS name of your .my.domain.com? Kerberos has to have fully functioning DNS.

Also has been added to the domain previously?

@alexanderfichel
Author

Yes, I can resolve it. I was able to create the kerberos ticket (klist shows my ticket is valid and when it expires), so the domain and credentials work for sure, but when I run ansible, it gives me a 401 authorization error.

What do you mean has been added to the domain previously? What has to be added? I am running all my commands from a virtual ubuntu box on my windows on prem, so it has access to the internal network.

@jhawkesworth
Contributor

The Windows machine that you are trying to control with Ansible needs to have been joined to the domain before you can connect using Kerberos. If that doesn't make sense to you let me ask something else: Can you make a remote desktop connection to the windows machine that you are trying to control using the same domain user?

The message you are seeing implies that the Kerberos controller just doesn't know about the machine you are trying to connect to.

If you can connect via remote desktop then my guess would be that you either have some cross domain stuff going on, or there is a domain alias somewhere.

I suggest you do a kdestroy and then do a kinit -C user@YOUR.DOMAIN, then do a klist.

If the domain name you get back is different, you will need to change the krb5.conf and use the (canonical) domain name, not the alias.

Hope this helps.

Jon
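The advice above hinges on how the client maps the target hostname to a realm through krb5.conf's [domain_realm] section before it asks a KDC for an HTTP/<host> ticket. The following is an added example, not code from the thread or from Ansible: a small krb5.conf reader plus a check that applies the exact-host-then-longest-dotted-suffix mapping rule, reporting the realm and KDC that would be used. SAMPLE_KRB5_CONF is a constructed file in the shape the poster showed; dc01 and winsrv01 are made-up names.

```python
import re

# Constructed krb5.conf in the shape the thread shows (sample values, not the poster's file).
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = MY.DOMAIN.COM
[realms]
    MY.DOMAIN.COM = {
        kdc = dc01.my.domain.com
    }
[domain_realm]
    .my.domain.com = MY.DOMAIN.COM
"""

def parse_krb5_conf(text):
    """Minimal reader: {section: {key: value}} with one level of `NAME = { }` nesting."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.match(r"\[(\w+)\]$", line)
        if not line or (section is None and not head):
            continue
        if head:
            section, block = sections.setdefault(head.group(1), {}), None
        elif line.endswith("{"):  # start of a `REALM = {` block
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (block if block is not None else section)[key] = value
    return sections

def check_host_mapping(conf, host):
    """Apply the [domain_realm] rules (exact host first, then longest leading-dot
    suffix) to see which realm and KDC the client will use for HTTP/<host>."""
    issues, host = [], host.lower().rstrip(".")
    if "." not in host:
        issues.append("not an FQDN: the HTTP/ service principal will use a short name")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    suffixes = [s for s in mapping if s.startswith(".") and host.endswith(s)]
    realm = mapping.get(host) or (mapping[max(suffixes, key=len)] if suffixes else None)
    if realm is None:
        issues.append("no [domain_realm] entry covers %s" % host)
        return {"realm": None, "kdc": None, "issues": issues}
    realm_cfg = conf.get("realms", {}).get(realm)
    kdc = realm_cfg.get("kdc") if isinstance(realm_cfg, dict) else None
    if kdc is None:
        issues.append("realm %s has no kdc entry in [realms]" % realm)
    return {"realm": realm, "kdc": kdc, "issues": issues}
```

Run check_host_mapping against the real /etc/krb5.conf and the exact inventory hostname; an empty issues list plus the expected uppercase realm is what a working setup should print.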

@alexanderfichel
Author

The machine is definitely in the domain.

By the way does the linux machine have to be in the domain too?

Here is what I did, does that look right? (I did a find and replace all to hide sensitive information, otherwise the replacements are 1 to 1 mapping)

root@alex-VirtualBox:/etc/ansible# kinit -C someusername
Password for someusername@MY.DOMAIN.COM: 
root@alex-VirtualBox:/etc/ansible# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: someusername@MY.DOMAIN.COM

Valid starting       Expires              Service principal
04/08/2016 13:17:03  04/08/2016 23:17:03  krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM
    renew until 04/09/2016 13:16:56
root@alex-VirtualBox:/etc/ansible# 

Maybe I am using the wrong user in ansible group_vars/windows.yml file?

ansible_user: someusername
ansible_ssh_pass: ********
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

I tried different ones:

   ansible_user: Administrators
   ansible_user: someusername@MY.DOMAIN.COM
   ansible_user: NA\someusername
   ansible_user: NA\someusername@MY.DOMAIN.COM
   ansible_user: someusername

And here are my log events (the 3rd picture is where i login as I usually do using RDP):

[screenshots of the Windows log events, not included in the text]

(FYI - I am trying to use a domain account, not a local)

@jhawkesworth
Contributor

Your ansible_user definitely needs to be someuser@MY.DOMAIN.COM

If I recall the @ is how ansible knows to try using Kerberos.

I am away from somewhere where I can check right now but I think the password needs to be in the group vars as

ansible_password: PasswordGoesHere

Also check your inventory file and make sure the windows machine you want to manage is in a group called [windows]

Hope this helps

Jon

@alexanderfichel
Author

Alrighty, here are my configurations. (By the way I did include the ansible_password, ansible_ssh_pass, tried without password variable too, no luck)

/etc/krb5.conf

[libdefaults]
    default_realm = NA.ABCD.XYZ.COM
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
        NA.ABCD.XYZ.COM = {                
                kdc = domain-controller.na.abcd.xyz.com
        }

[domain_realm]
        .na.abcd.xyz.com = NA.ABCD.XYZ.COM

[login]
    krb4_convert = true
    krb4_get_tickets = false

/etc/ansible/host

[windows]
my-windows-server.na.msds.rhi.com

/etc/ansible/group_vars/windows.yml

ansible_user: myusername@NA.ABCD.XYZ.COM
ansible_password: mypassword
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

Commands I run:

Command:

   kinit myusername@NA.ABCD.XYZ.COM

Output:

   Password for myusername@NA.ABCD.XYZ.COM: 

Command:

   klist 

Output:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: myusername@NA.ABCD.XYZ.COM

Valid starting       Expires              Service principal
04/08/2016 15:57:30  04/09/2016 01:57:30  krbtgt/NA.ABCD.XYZ.COM@NA.ABCD.XYZ.COM
    renew until 04/09/2016 15:57:26

Command:

   ansible windows -i host -m win_ping --ask-vault-pass

Output:

    Vault password:
my-windows-server.na.msds.rhi.com | FAILED! => {
    "failed": true, 
    "msg": "ssl: 401 Unauthorized. basic auth failed"
}

@alexanderfichel
Author

Ok, so I decided to do this on an AWS instance inside our internal network (it is all set up with the VPC and DNS configuration and all that good stuff). I used the same configurations; now I am getting a different error, not sure if I am closer or what. The windows log events seem to be registering successful logon attempts, and I made sure to set the powershell execution policy to unrestricted.

root@ip-10-231-2-44 ansible]# ansible windows -i host -m setup
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py", line 240, in exec_command
    result = self._winrm_exec(cmd_parts[0], cmd_parts[1:], from_exec=True)
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py", line 173, in _winrm_exec
    self.shell_id = self.protocol.open_shell(codepage=65001) # UTF-8
  File "/usr/local/lib/python2.7/site-packages/winrm/protocol.py", line 121, in open_shell
    rs = self.send_message(xmltodict.unparse(rq))
  File "/usr/local/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
    return self.transport.send_message(message)
  File "/usr/local/lib/python2.7/site-packages/winrm/transport.py", line 298, in send_message
    raise WinRMTransportError('kerberos', error_message)
WinRMTransportError: 500 WinRMTransport. Kerberos-based authentication was failed. Code 500
my-windows-server.na.msds.rhi.com | FAILED! => {
    "failed": true,
    "msg": "failed to exec cmd PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA2ADAAMQA2ADIAOAAyADMALgA4ADgALQA0ADYANAA5ADMANAAxADgANwA5ADAANgA5ACIAKQAuAEYAdQBsAGwATgBhAG0AZQAgAHwAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAALQBTAGUAcABhAHIAYQB0AG8AcgAgACcAJwA7AA=="
}

@jhawkesworth
Contributor

Ok, I have a couple of ideas.

Do you have pykerberos installed on your ansible controller?

Without it, ansible will fall back and attempt ssl connection.

The other thing to check is if you have run the ConfigureRemotingForAnsible.ps1 on the windows host.

I believe you can use the User Data facility to run the .ps1 when your aws windows host comes up. Not tried this myself, but there is a blog post about it on the ansible blog.

One other thing. Make sure your domain user is a member of the WinRMRemoteWMIUsers__ group.

Hope this helps

@jctanner
Contributor

Hi!

Thanks very much for your interest in Ansible. It sincerely means a lot to us.

This appears to be a user question, and we'd like to direct these kinds of things to either the mailing list or the IRC channel.

If you can stop by there, we'd appreciate it. This allows us to keep the issue tracker for bugs, pull requests, RFEs and the like.

Thank you once again and we look forward to seeing you on the list or IRC. Thanks!

@Perfect10NickTailor

Hello,

I am having the exact same issue. I have lots of other servers with no problem, but a couple of them are giving funky errors.

Yes they are joined, one is windows 7 with powershell4, and the ansible configure has been run.

dev1.home.local | UNREACHABLE! => {
"changed": false,
"msg": "kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), ssl: 401 Unauthorized.",
"unreachable": true
}
dev2.home.local| UNREACHABLE! => {
"changed": false,
"msg": "kerberos: 500 WinRMTransport. [Errno 104] Connection reset by peer, ssl: 500 WinRMTransport. [Errno 104] Connection reset by peer",
"unreachable": true
}

Did you ever solve the problem?

@Perfect10NickTailor

I solved it by adding the FQDN in /etc/hosts on ansible server. That solved the problem.
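The /etc/hosts fix works because MIT krb5 builds the HTTP/<host> service principal from the canonicalized target name: a forward lookup of the hostname and, with the default rdns = true, a reverse lookup of the resulting address. The script below is an added example (not the poster's or Ansible's code) that models that canonicalization with injectable resolvers so it runs offline; FAKE_FORWARD and FAKE_REVERSE are constructed answers, and the live resolver helpers are this example's own assumption about how getaddrinfo is used, not a copy of krb5's code.

```python
import socket

# Constructed resolver answers (not real DNS): the cloud-style PTR record names
# the host differently from its Active Directory registration, as in the thread.
FAKE_FORWARD = {"winsrv01": ("winsrv01.my.domain.com", "10.0.0.5"),
                "winsrv01.my.domain.com": ("winsrv01.my.domain.com", "10.0.0.5")}
FAKE_REVERSE = {"10.0.0.5": "ip-10-0-0-5.ec2.internal"}

def _forward_lookup(host):
    """Live resolver: canonical name and first address, as krb5 uses them."""
    info = socket.getaddrinfo(host, None, 0, socket.SOCK_STREAM, 0, socket.AI_CANONNAME)
    return info[0][3] or host, info[0][4][0]

def _reverse_lookup(ip):
    return socket.gethostbyaddr(ip)[0]

def canonical_spn(host, rdns=True, forward=_forward_lookup, reverse=_reverse_lookup):
    """Predict the HTTP/<name> principal a MIT krb5 GSSAPI client will request:
    forward lookup (AI_CANONNAME), then a reverse lookup when rdns = true."""
    steps = []
    try:
        name, ip = forward(host)
    except (OSError, KeyError) as exc:
        return {"spn": None, "steps": ["forward lookup of %s failed (%r)" % (host, exc)]}
    steps.append("forward: %s -> %s [%s]" % (host, name, ip))
    if rdns:
        try:
            name = reverse(ip)
            steps.append("reverse: %s -> %s" % (ip, name))
        except (OSError, KeyError):
            steps.append("no PTR for %s, keeping %s" % (ip, name))
    return {"spn": "HTTP/" + name.lower().rstrip("."), "steps": steps}

def diagnose(host, expected_fqdn, **kw):
    """Compare the requested SPN with the HTTP/<fqdn> the domain-joined host
    registered; a mismatch is what the KDC reports as 'Server not found'."""
    result = canonical_spn(host, **kw)
    expected = "HTTP/" + expected_fqdn.lower()
    if result["spn"] is None:
        result["verdict"] = "unresolvable"
    elif result["spn"] == expected:
        result["verdict"] = "ok"
    else:
        result["verdict"] = "mismatch: KDC asked for %s, host registered %s" % (result["spn"], expected)
    return result

if __name__ == "__main__":
    fake = dict(forward=FAKE_FORWARD.__getitem__, reverse=FAKE_REVERSE.__getitem__)
    for rdns in (True, False):
        print(rdns, diagnose("winsrv01", "winsrv01.my.domain.com", rdns=rdns, **fake)["verdict"])
```

With the FQDN in /etc/hosts both lookups are answered locally and agree with the name AD registered, which is why the fix in this comment works; setting rdns = false under [libdefaults] in krb5.conf is the other common remedy when PTR records cannot be corrected.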

@dagwieers dagwieers added the windows Windows community label Feb 8, 2019
@ansible ansible locked and limited conversation to collaborators Apr 25, 2019