Hi all,
Has anyone had any luck using the new in 2.3 feature of win_copy (remote_src) to copy files to/from a mapped network drive?
Essentially I’m trying to do this:

    - name: copy from share
      win_copy:
        src: w:\foo
        dest: c:
        remote_src: True

and I get a message saying the src path doesn’t exist. I tried using a UNC path instead of the drive letter also.
The way I’ve been getting around this is to use a bat file that maps the drive and then does the copy, but I’d like to be able to do it with only the playbook and no bat file.
Thanks for any input!
Not tried it yet myself but can you establish if it works for a file that isn’t on a mapped drive first?
If so, then it’s possible you are getting into a second-hop authentication scenario (by default Windows doesn’t allow more than a single hop (ansible controller → windows box), but you may have 2 hops here (ansible → windows box → mapped drive on another windows box)). There are ways around this (either by using a domain user or credssp). If you are already connecting as a domain user, make sure you are using pywinrm==0.2.0 or later, and add ansible_winrm_kerberos_delegation=true to the inventory vars for the Windows host in question.
If CredSSP is an option for you, you’ll need to check your systems meet the requirements (see http://docs.ansible.com/ansible/intro_windows.html#credssp), install the requests-credssp library on your ansible controller, and run the ConfigureForRemoting… script with the EnableCredSSP option as described here: http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep
Please let us know how you get on.
(oh and thanks for testing 2.3 Release candidate).
Jon
Hi Jon,
Thanks for the input. You’re correct about the number of authentication hops: the client machine is not on a domain, but uses domain credentials to map the network share. So in the group_vars file there are only the non-domain credentials. I was able to use win_copy to copy a local file to another local file, but even after upgrading pywinrm to 0.2.0 and installing the credssp and re-running the ConfigureRemotingForAnsible.ps1 script on the client with the credssp argument, it still doesn’t work. I’m thinking it’s because I need to figure out how to pass it the credentials for the second-hop authentication.
thanks again!
pat
Hmm. Is adding the client machine to the domain an option then? That way you could use Kerberos authentication delegation.
Or. Here's a different idea...
Use smbclient to collect whatever files you want from the share onto your ansible controller and then you can just win_copy them onto the windows targets.
Smbclient will happily work with the domain login for the share, just specify -U username -W domainName
I do something like the above: once builds are signed off, I collect them onto an ansible controller and then use synchronize to rsync files to ansibles running in other datacenters.
Hope this helps,
Jon
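
The controller-side fetch suggested in the post above, sketched as a playbook. This is an added example, not code from anyone in the thread: the share, host group, paths and share_* variables are hypothetical, foo is assumed to be a single file, and it passes the share credentials through smbclient's -A credentials file instead of -U/-W so the password does not appear on the command line.

```yaml
# Added example; hosts, paths, share and share_* variables are hypothetical.
- name: Fetch the file from the domain share onto the controller
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    share: //fileserver.example.com/builds
    staging_dir: /tmp/staging
    auth_file: /tmp/staging/.smbauth
  tasks:
    - name: Create a private staging directory
      file:
        path: "{{ staging_dir }}"
        state: directory
        mode: "0700"

    - block:
        - name: Write smbclient credentials file (owner-readable only)
          copy:
            dest: "{{ auth_file }}"
            mode: "0600"
            content: |
              username = {{ share_user }}
              password = {{ share_password }}
              domain = {{ share_domain }}
          no_log: true

        - name: Download foo from the share (skipped if already staged)
          command: >
            smbclient {{ share }} -A {{ auth_file }}
            -c "lcd {{ staging_dir }}; get foo"
          args:
            creates: "{{ staging_dir }}/foo"
      always:
        - name: Remove the credentials file even if the download failed
          file:
            path: "{{ auth_file }}"
            state: absent

- name: Push the staged file to the Windows targets
  hosts: windows
  tasks:
    - name: Copy controller -> target (one hop, so no remote_src needed)
      win_copy:
        src: /tmp/staging/foo   # same path as staging_dir above
        dest: C:\foo
```
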
The new Windows become stuff in 2.3 creates an “interactive” type logon session, so credential caches and transparent multi-hop work - it should take care of the auth issue (so it behaves like it would if you were sitting in front of the machine). There’s currently a bug that only allows it to work under Basic and CredSSP (not NTLM/Kerb), but I’m hoping to have that nailed down by 2.3RC2.
Just do:

    - win_copy:
        # ... (whatever args to win_copy)
      become: yes
      become_method: runas
      become_user: "{{ ansible_user }}"
      become_password: "{{ ansible_password }}"

This should take care of it for you…
-Matt
Sorry, that should’ve been:

    - win_copy:
        # ... (whatever args to win_copy)
      become: yes
      become_method: runas
      become_user: "{{ ansible_user }}"
      vars:
        ansible_become_password: "{{ ansible_password }}"