Hi,
I was able to connect to a Windows 7 box from a RHEL 5, ping it and also changed the authentication to Kerberos. Thank you, @Trond for the wonderful script. Both the machines are on the same domain. When I use the win_get_url module to copy a file from a network share, it fails. I turned on the traces, got hold of the scripts on the remote Win machine using ANSIBLE_KEEP_FILES=1. When I execute the script on the remote Win machine using the arguments file created by Ansible, it executes successfully and copies the file from a network share. But the script fails when run via Ansible. Even when I map the network share and try to use the assigned drive letter, the script fails when executed from the Ansible Linux controller.
Any help on this is appreciated!!
win_get_url was originally implemented to only support http://, though I’m a bit surprised it doesn’t do a bit more.
http://docs.ansible.com/win_get_url_module.html
We should note this in the docs, or better, upgrade it to support network resources as well.
https://github.com/ansible/ansible/blob/devel/library/windows/win_get_url.ps1
So it’s using Powershell DownloadFile here:
http://msdn.microsoft.com/en-us/library/ez801hhe(v=vs.110).aspx
Thoughts?
I’ll clearly admit to mostly being, ahem, orchestrating the development of modules in this space.
Michael,
Thank you for looking into this. How do I find how to make this work? The same script runs clean and copies the share when I execute it via PowerShell. With Ansible, I am able to copy files from local drives on the Win machine. Does the authentication mechanism have anything to do with this? Say, if NTLM was used instead of basic or Kerberos?
I actually don’t know this question as I’m not enough of a powershell expert.
Anyone else want to try and field this one?
Another interesting thing is, while the script by itself executes in PowerShell, the encoded command fails.
The following command runs successfully.
PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -File “C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1407796059.19-71256379326746\win_get_url.ps1” “C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1407796059.19-71256379326746\arguments”
This one passing the encoded command fails.
PowerShell -NoProfile -NonInteractive -EncodedCommand ‘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’
When decoded to base64, the string is same as the above command.
I have not had the same issue as you but I found I had to add the domain user I was using into the remote management group that is created on the windows hosts at the time that you run Trond’s setup script. I’m away from the machine right now so can’t remember the exact name of the group but it was something like __RemoteManagement.
Can you run other windows tasks ok, such as win_ping and setup?
Jon
Hi,
I think you may have hit this issue: https://github.com/ansible/ansible/issues/8588
The name of the group I mentioned in previous post is WinRMRemoteWMIUsers__
On the Windows host you want to manage, you need to run the following:
net localgroup WinRMRemoteWMIUsers__ /add DOMAINNAME\domainusername
(where DOMAINNAME is the name of your domain and domainusername is the domain user you want to be able to use WinRM)
Hope this helps,
Jon
There are two things that come into play here:
- Kerberos. By default, you’re not able to perform double-hop using Kerberos. So, if you have set up Ansible using kinit and the Kerberos changes that are in a PR, you’re basically connecting from the control node to the managed Windows node using Kerberos. You will not be able to use those same credentials to authenticate against a file server to pick up a file (this would be double-hop). There are ways around this: You can set the managed node to be trusted for delegation (which is set on the computer object in AD).
- The actual Windows account you’ve set up Ansible with: If this is a local account, that account only has the local Windows computer (managed node) as its realm, and is not able to authenticate against a file server.
If you’re using a domain account but not Kerberos in Ansible, and that account actually has access to the file, then it should work (given that win_get_url actually supports file servers; I’m as confused as Michael on that).
What we need to build, is a module for copying files and folders from file servers onto the managed node, and have that module take arguments for forming a credential (these could be stored as encrypted variables in Ansible).
My “upcoming” win_package has support for file servers, I just haven’t “activated” the credentials support yet. Maybe I should do that before I PR it.
I hope that sheds some light on it. I’ll do some testing on this on my own and report back.
I wouldn’t start mucking with the WinRM group. Administrators already have the required WinRM access, and most of what you would do through Ansible requires administrative access anyway, since we’re deploying/configuring/installing stuff on the systems. The user Ansible uses to connect to the managed Windows node needs to be a member of the “Administrators” local group on the target computer (either directly or indirectly); it’s as simple as that.
-Trond
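An added example, not Ansible’s win_get_url.ps1 and not Trond’s win_package, that puts together Michael’s observation (win_get_url relies on WebClient.DownloadFile, which only understands web URLs) and Trond’s point about double-hop: the script takes an explicit credential as arguments and uses it on the managed node itself, for both an HTTP(S) URL and a UNC share, so the file-server logon is a fresh authentication from the managed node rather than a delegated reuse of the WinRM token. The parameter names, the temporary drive name and the sample values are assumptions.

```powershell
# Added example (not the Ansible module's own code). Runs on the managed
# Windows node; $Username/$Password would come from the module arguments
# file, which Ansible could populate from encrypted (vault) variables.
param(
    [Parameter(Mandatory=$true)][string]$Source,   # http://... or \\server\share\path\file
    [Parameter(Mandatory=$true)][string]$Dest,     # local path on the managed node
    [string]$Username,                             # e.g. DOMAINNAME\domainusername (assumed)
    [string]$Password
)

$cred = $null
if ($Username) {
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($Username, $secure)
}

if ($Source -match '^https?://') {
    # Same API win_get_url uses; WebClient does not handle UNC paths.
    $client = New-Object System.Net.WebClient
    if ($cred) { $client.Credentials = $cred.GetNetworkCredential() }
    $client.DownloadFile($Source, $Dest)
}
elseif ($Source -match '^\\\\[^\\]+\\[^\\]+') {
    # UNC path: map the share root with the explicit credential. This is a
    # new logon from the managed node to the file server, so it works even
    # when the managed node is not trusted for delegation in AD.
    $shareRoot = $Matches[0]                                   # \\server\share
    $relative  = $Source.Substring($shareRoot.Length).TrimStart('\')
    $driveName = 'AnsibleShare'                                # assumed temp drive name
    $driveArgs = @{ Name = $driveName; PSProvider = 'FileSystem'; Root = $shareRoot; ErrorAction = 'Stop' }
    if ($cred) { $driveArgs['Credential'] = $cred }
    New-PSDrive @driveArgs | Out-Null
    try {
        Copy-Item -LiteralPath "${driveName}:\$relative" -Destination $Dest -ErrorAction Stop
    }
    finally {
        # Always drop the mapping so the credential does not outlive the task.
        Remove-PSDrive -Name $driveName -Force
    }
}
else {
    throw "Unsupported source '$Source': expected an http(s) URL or a UNC path"
}
```

If no credential is given, the UNC branch falls back to the WinRM logon token, which is exactly the double-hop case Trond describes and will fail unless the node is trusted for delegation.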