How to run ansible from linux to deploy on windows machines #15332
Comments
Can you resolve the DNS name of your .my.domain.com ? Kerberos has to have fully functioning DNS working. Also has been added to the domain previously? |
Yes I can resolve it. I was able to create the Kerberos ticket (klist shows my ticket is valid and when it expires) so the domain and credentials work for sure, but when I run ansible, they give me 401 authorization error. What do you mean has been added to the domain previously. What has to be added? I am running all my commands from a virtual ubuntu box on my windows on prem so it has access to the internal network. |
The Windows machine that you are trying to control with Ansible needs to have been joined to the domain before you can connect using Kerberos. If that doesn't make sense to you let me ask something else: Can you make a remote desktop connection to the windows machine that you are trying to control using the same domain user? The message you are seeing implies that the Kerberos controller just doesn't know about the machine you are trying to connect to. If you can connect via remote desktop then my guess would be that you either have some cross domain stuff going on, or there is a domain alias somewhere. I suggest you do a kdestroy and then do a kinit -C user@YOUR.DOMAIN If the domain name you get back is different, you will need to change the krb5.conf and use the (canonical) domain name, not the alias. Hope this helps. Jon |
The machine is definitely in the domain. By the way does the linux machine have to be in the domain too? Here is what I did, does that look right? (I did a find and replace all to hide sensitive information, otherwise the replacements are 1 to 1 mapping)
Maybe I am using the wrong user in ansible group_vars/windows.yml file?
I tried different ones:
And here are my log events (the 3rd picture is where I log in as I usually do using RDP): (FYI - I am trying to use a domain account, not a local) |
Your ansible_user definitely needs to be someuser@MY.DOMAIN.COM. If I recall, the @ is how ansible knows to try using Kerberos. I am away from somewhere where I can check right now, but I think the password needs to be in the group vars as ansible_password: PasswordGoesHere. Also check your inventory file and make sure the windows machine you want to manage is in a group called [windows]. Hope this helps. Jon |
Alrighty, here are my configurations. (By the way I did include the ansible_password, ansible_ssh_pass, tried without password variable too, no luck) /etc/krb5.conf
/etc/ansible/host
/etc/ansible/group_vars/windows.yml
Commands I run: Command:
Output:
Command:
Output:
Command:
Output:
|
Ok, so I decided to do this on an AWS instance inside our internal network (it is all set up with the VPC and DNS configuration and all that good stuff). I used the same configurations, now I am getting a different error, not sure if I am closer or what. The windows log events seem to be registering successful logon attempts and I made sure to set powershell execution policy to unrestricted.
|
Ok, I have a couple of ideas. Do you have pykerberos installed on your ansible controller? Without it, ansible will fall back and attempt ssl connection. The other thing to check is if you have run the ConfigureRemotingForAnsible.ps1 on the windows host. I believe you can use the User Data facility to run the .ps1 when your aws windows host comes up. Not tried this myself, but there is a blog post about it on the ansible blog. One other thing. Make sure your domain user is a member of WinRMRemoteWMIUsers__ group. Hope this helps |
Hi! Thanks very much for your interest in Ansible. It sincerely means a lot to us. This appears to be a user question, and we'd like to direct these kinds of things to either the mailing list or the IRC channel.
If you can stop by there, we'd appreciate it. This allows us to keep the issue tracker for bugs, pull requests, RFEs and the like. Thank you once again and we look forward to seeing you on the list or IRC. Thanks! |
Hello, I am having the exact same issue. I have lots of other servers no problem. But a couple of them Yes they are joined, one is windows 7 with powershell4, and the ansible configure has been run. giving funky errors. Did you ever solve the problem? |
I solved it by adding the FQDN in /etc/hosts on ansible server. That solved the problem. |
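The controller-side checks raised in this thread (ansible_user in user@REALM form, that realm defined in krb5.conf, and the target's FQDN resolving from the Ansible server) collected into one preflight function. This is an added example, not code from any poster or from the Ansible project; `realms_in`, `preflight`, the sample krb5.conf and the host names in it are constructed for illustration.

```python
import re
import socket

# Constructed sample, not a poster's file; MY.DOMAIN.COM is the placeholder realm from the thread.
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = MY.DOMAIN.COM

[realms]
    MY.DOMAIN.COM = {
        kdc = dc01.my.domain.com
    }
"""

def realms_in(krb5_text):
    """Return the realm names defined at the top level of the [realms] section."""
    realms, section, depth = set(), None, 0
    for raw in krb5_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            section, depth = head.group(1), 0
            continue
        if section == "realms" and depth == 0:
            entry = re.match(r"([^\s={]+)\s*=\s*\{", line)
            if entry:
                realms.add(entry.group(1))
        depth += line.count("{") - line.count("}")   # skip nested sub-blocks
    return realms

def preflight(ansible_user, host, krb5_text, resolve=socket.gethostbyname):
    """Return the problems that would break Kerberos auth before WinRM is reached."""
    problems = []
    user, sep, realm = ansible_user.partition("@")
    if not (user and sep and realm):
        problems.append("ansible_user is not in user@REALM form")
    elif realm not in realms_in(krb5_text):          # realm names are case-sensitive
        problems.append(f"realm {realm} is not defined in [realms]")
    if "." not in host:
        problems.append(f"{host} is a short name, not an FQDN")
    try:
        resolve(host)                                # the default also consults /etc/hosts
    except OSError:
        problems.append(f"{host} does not resolve on the controller")
    return problems
```

On a real controller, pass the contents of /etc/krb5.conf and the inventory host name; an empty list means these three preconditions hold, not that WinRM itself is configured.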
Here is what I have after setting kerberos according to ansible:
http://docs.ansible.com/ansible/intro_windows.html
I was able to create a kerberos ticket, here is my output:
So what I am trying to do is run ansible playbook or even a simple command on . But I am getting this error which I am pretty sure has nothing to do with ansible:
I even went ahead and created the keytab file:
But then I get different error: