Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added info on ntlm and credssp, updated configure script for credssp #21175

Merged
merged 1 commit into from
Feb 9, 2017
Merged

Added info on ntlm and credssp, updated configure script for credssp #21175

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
81 changes: 70 additions & 11 deletions docs/docsite/rst/intro_windows.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,14 +26,42 @@ Installing on the Control Machine

On a Linux control machine::

pip install "pywinrm>=0.1.1"
pip install "pywinrm>=0.2.2"

Note:: on distributions with multiple python versions, use pip2 or pip2.x, where x matches the python minor version Ansible is running under.

Active Directory Support
++++++++++++++++++++++++

If you wish to connect to domain accounts published through Active Directory (as opposed to local accounts created on the remote host), you will need to install the "python-kerberos" module on the Ansible control host (and the MIT krb5 libraries it depends on). The Ansible control host also requires a properly configured computer account in Active Directory.
Authentication Options
``````````````````````

When connecting to a Windows host there are different authentication options that can be used. The options and the features they support are:

+-------------+----------------+---------------------------+-----------------------+
| Option | Local Accounts | Active Directory Accounts | Credential Delegation |
+=============+================+===========================+=======================+
| Basic | Yes | No | No |
+-------------+----------------+---------------------------+-----------------------+
| Certificate | Yes | No | No |
+-------------+----------------+---------------------------+-----------------------+
| Kerberos | No | Yes | Yes |
+-------------+----------------+---------------------------+-----------------------+
| NTLM | Yes | Yes | No |
+-------------+----------------+---------------------------+-----------------------+
| CredSSP | Yes | Yes | Yes |
+-------------+----------------+---------------------------+-----------------------+

You can specify which authentication option you wish to use by setting it to the ``ansible_winrm_transport`` variable.

Certificate
+++++++++++

Certificate authentication is similar to SSH where a certificate is assigned to a local user and instead of using a password to authenticate a certificate is used instead.


Kerberos
++++++++

Kerberos is the preferred option compared to NTLM to use when using an Active Directory account but it requires a few extra steps to set up on the Ansible control host. You will need to install the "python-kerberos" module on the Ansible control host (and the MIT krb5 libraries it depends on). The Ansible control host also requires a properly configured computer account in Active Directory.

Installing python-kerberos dependencies
---------------------------------------
Expand Down Expand Up @@ -68,7 +96,7 @@ Once you've installed the necessary dependencies, the python-kerberos wrapper ca

.. code-block:: bash

pip install kerberos requests_kerberos
pip install pywinrm[kerberos]

Kerberos is installed and configured by default on OS X and many Linux distributions. If your control machine has not already done this for you, you will need to.

Expand Down Expand Up @@ -121,7 +149,6 @@ To see what tickets if any you have acquired, use the command klist

klist


Troubleshooting kerberos connections
------------------------------------

Expand Down Expand Up @@ -149,6 +176,34 @@ If the domain name returned by klist is different from the domain name you reque

.. _windows_inventory:


CredSSP
+++++++

CredSSP authentication can be used to authenticate with both domain and local accounts. It allows credential delegation to do second hop authentication on a remote host by sending an encrypted form of the credentials to the remote host using the CredSSP protocol.

Installing requests-credssp
---------------------------

To install credssp you can use pip to install the requests-credssp library:

.. code-block:: bash

pip install pywinrm[credssp]

CredSSP and TLS 1.2
-------------------

CredSSP requires the remote host to have TLS 1.2 configured or else the connection will fail. TLS 1.2 is installed by default from Server 2012 and Windows 8 onwards. For Server 2008, 2008 R2 and Windows 7 you can add TLS 1.2 support by:

* Installing the `TLS 1.2 update from Microsoft <https://support.microsoft.com/en-us/help/3080079/update-to-add-rds-support-for-tls-1.1-and-tls-1.2-in-windows-7-or-windows-server-2008-r2>`_
* Adding the TLS 1.2 registry keys as shown on this `page <https://technet.microsoft.com/en-us/library/dn786418.aspx#BKMK_SchannelTR_TLS12>`_

Credential Delegation
+++++++++++++++++++++

If you need to interact with a remote resource or run a process that requires the credentials to be stored in the current session like a certreq.exe then an authentication protocol that supports credential delegation needs to be used.

Inventory
`````````

Expand Down Expand Up @@ -223,6 +278,10 @@ Pass the -ForceNewSSLCert switch to force a new SSL certificate to be attached t

powershell.exe -File ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert

Pass the -EnableCredSSP switch to enable CredSSP as an authentication option::

powershell.exe -File ConfigureRemotingForAnsible.ps1 -EnableCredSSP

To troubleshoot the ``ConfigureRemotingForAnsible.ps1`` writes every change it makes to the Windows EventLog (useful when run unattendedly). Additionally the ``-Verbose`` option can be used to get more information on screen about what it is doing.

.. note::
Expand Down Expand Up @@ -343,13 +402,13 @@ Here is an example of pushing and running a PowerShell script::
- name: run test script
script: files/test_script.ps1

Running individual commands uses the 'raw' module, as opposed to the shell or command module as is common on Linux/Unix operating systems::
Running individual commands uses the 'win_command <https://docs.ansible.com/ansible/win_command_module.html>' or 'win_shell <https://docs.ansible.com/ansible/win_shell_module.html>' module, as opposed to the shell or command module as is common on Linux/Unix operating systems::

- name: test raw module
hosts: windows
tasks:
- name: run ipconfig
raw: ipconfig
win_command: ipconfig
register: ipconfig
- debug: var=ipconfig

Expand All @@ -359,17 +418,17 @@ Running common DOS commands like 'del", 'move', or 'copy" is unlikely to work on
hosts: windows
tasks:
- name: Move file on remote Windows Server from one location to another
raw: CMD /C "MOVE /Y C:\teststuff\myfile.conf C:\builds\smtp.conf"
win_command: CMD /C "MOVE /Y C:\teststuff\myfile.conf C:\builds\smtp.conf"

You may wind up with a more readable playbook by using the PowerShell equivalents of DOS commands. For example, to achieve the same effect as the example above, you could use::

- name: another raw module example demonstrating powershell one liner
hosts: windows
tasks:
- name: Move file on remote Windows Server from one location to another
raw: Move-Item C:\teststuff\myfile.conf C:\builds\smtp.conf
win_command: Powershell.exe "Move-Item C:\teststuff\myfile.conf C:\builds\smtp.conf"

Bear in mind that using C(raw) will always report "changed", and it is your responsiblity to ensure PowerShell will need to handle idempotency as appropriate (the move examples above are inherently not idempotent), so where possible use (or write) a module.
Bear in mind that using C(win_command) or C(win_shell) will always report "changed", and it is your responsiblity to ensure PowerShell will need to handle idempotency as appropriate (the move examples above are inherently not idempotent), so where possible use (or write) a module.

Here's an example of how to use the win_stat module to test for file existence. Note that the data returned by the win_stat module is slightly different than what is provided by the Linux equivalent::

Expand Down
18 changes: 17 additions & 1 deletion examples/scripts/ConfigureRemotingForAnsible.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,12 +32,14 @@
# Updated by Michael Crilly <mike@autologic.cm>
# Updated by Anton Ouzounov <Anton.Ouzounov@careerbuilder.com>
# Updated by Dag Wieërs <dag@wieers.com>
# Updated by Jordan Borean <jborean93@gmail.com>
#
# Version 1.0 - 2014-07-06
# Version 1.1 - 2014-11-11
# Version 1.2 - 2015-05-15
# Version 1.3 - 2016-04-04
# Version 1.4 - 2017-01-05
# Version 1.5 - 2017-02-09

# Support -Verbose option
[CmdletBinding()]
Expand All @@ -47,7 +49,8 @@ Param (
[int]$CertValidityDays = 365,
[switch]$SkipNetworkProfileCheck,
$CreateSelfSignedCert = $true,
[switch]$ForceNewSSLCert
[switch]$ForceNewSSLCert,
[switch]$EnableCredSSP
)

Function Write-Log
Expand Down Expand Up @@ -258,6 +261,19 @@ Else
Write-Verbose "Basic auth is already enabled."
}

# If EnableCredSSP if set to true
If ($EnableCredSSP)
{
# Check for CredSSP authentication
$credsspAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where {$_.Name -eq "CredSSP"}
If (($credsspAuthSetting.Value) -eq $false)
{
Write-Verbose "Enabling CredSSP auth support."
Enable-WSManCredSSP -role server -Force
Write-Log "Enabled CredSSP auth support."
}
}

# Configure firewall to allow WinRM HTTPS connections.
$fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS"
$fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any
Expand Down