winrm inventory ansible_user masked by prior ansible_ssh_user setting

[tonykay]

ISSUE TYPE

• Bug Report

COMPONENT NAME

ansible windows -m win_ping

ANSIBLE VERSION

2.5.2 but had seen this with 2.4 without realizing the cause

CONFIGURATION

OS / ENVIRONMENT

[root@bastion ~]# uname -a
Linux bastion.64f7.example.opentlc.com 3.10.0-693.el7.x86_64 #1 SMP Thu Jul 6 19:56:57 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@bastion ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)
[root@bastion ~]#

ansible 2.5.2
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /bin/ansible
python version = 2.7.5 (default, May 3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]

SUMMARY

STEPS TO REPRODUCE

Inventory file:

[GenericExample:vars]

###########################################################################

Ansible Vars

###########################################################################
timeout=60
ansible_become=yes
ansible_ssh_user=ec2-user

[GenericExample:children]
towers
windows
support

[towers]

These are the towers

tower1.64f7.internal public_host_name=tower1.64f7.example.opentlc.com ssh_host=ec2-18-206-6-9.compute-1.amazonaws.com
tower2.64f7.internal public_host_name=tower2.64f7.example.opentlc.com ssh_host=ec2-18-206-63-217.compute-1.amazonaws.com
tower3.64f7.internal public_host_name=tower3.64f7.example.opentlc.com ssh_host=ec2-34-196-43-6.compute-1.amazonaws.com

[windows]

These are the activedirectory servers

ad1.64f7.internal ssh_host=ad1.64f7.example.opentlc.com ansible_password=jVMijRwLbI02gFCo2xkjlZ9lxEA7bm7zgg==

These are the supporthosts

[support]
support1.64f7.internal ssh_host=ec2-35-173-156-182.compute-1.amazonaws.com
support2.64f7.internal ssh_host=ec2-34-233-234-242.compute-1.amazonaws.com

[windows:vars]
ansible_connection=winrm
ansible_port=5986
ansible_ssh_port=5986
ansible_user=Administrator
ansible_winrm_server_cert_validation=ignore
ansible_winrm_transport=basic
ansible_become=false

Command: ansible windows -m win_ping

EXPECTED RESULTS

Succesful ping

ACTUAL RESULTS

ansible windows -m win_ping
ad1.64f7.internal | UNREACHABLE! => {
    "changed": false,
    "msg": "basic: the specified credentials were rejected by the server",
    "unreachable": true
}

If the inventory file is edited to change the (depreciated) [all:vars] ansible_ssh_user to ansible_user command completes successfully.

Suggests that the [all]ansible_ssh_user masks the {windows]ansible_user

[ansibot]

Files identified in the description:

• lib/ansible/modules/windows/win_ping.py

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibot]

cc @cchurch @dagwieers @jborean93 @jhawkesworth @nitzmahone
click here for bot help

[jborean93]

Hey @tonykay, this is a troublesome bug as it is based on historical behaviour where ansible_ssh_user was the var to set when defining a user. I believe 2.0 introduced ansible_user but a lot of people had (and unfortunately still have) ansible_ssh_user defined for their connection user. Currently ansible_ssh_user/host/port/pass is used as a global fallback when building the play context and winrm sources the host/user/port from this context.

I'm wary of muddying the waters even more than it is without properly fixing it but I think I have a solution that fixes this and another problem I just came across. I'll bring this across the dev team and see what they come back with.

In the meantime what you can do is either set the global var as ansible_user and the group will override that, or set the WinRM user as ansible_ssh_user to override the global var there. The latter probably isn't preferable as hopefully we will fix this issue so that ansible_ssh_user is scoped only for the ssh connections.