Ansible windows patch trouble: Need help for Win Patch Automation using Ansible

Hello, I am facing some problems in setting up patch automation in my organization.
For a quick walk-through: we have 5 domains for the purposes of Production, Staging, Testing and Application.
I am working on machines in the Test domain, which has Windows machines.
I have my Ansible server set up in the UAT (staging) domain.

Ansible Jumpstation: RHEL 6 (64 bit)
Windows Hosts: Windows Server 2012 R2, 2008 R2.

PowerShell version 3.0

I have used following reference sources:
Setting up a Windows Host

Unable to run ConfigureRemotingForAnsible.ps1 on the Windows hosts. The PowerShell window closes after some execution.

Checked services on the machine: WinRM service running.

According to Sys. Admin: Ansible machine has no firewall restrictions (can communicate to any and listen from any)

I am using the following format to define my hosts file:

# Windows servers
[abctst-win]
abc012.abctst.lcl ansible_connection=local ansible_host= ip address

[abctst-win:vars]
ansible_ssh_port= 5985
ansible_connection= winrm

Output 1:

[root@ansiblejmpst ansible]# ansible abctst-win -i hosts -m win_ping

abc012.abctst.lcl | FAILED! => {
"changed": false,
"module_stderr": "/bin/sh: powershell: command not found\n",
"module_stdout": "",
"msg": "MODULE FAILURE",
"rc": 127
}

Output 2:

[root@ansiblejmpst ansible]# ansible abctst-win -i hosts -m ping

abc012.abctst.lcl | SUCCESS => {
"changed": false,
"ping": "pong"
}

Question:
Where am I going wrong?
What is it that I am doing wrong?
Is my way of defining the hosts file correct? Am I passing all the required information in the hosts file correctly?
Is there something I did wrong in setting up the Windows machine?

Can I get some help here? I have to automate Windows and Linux patching and I am stuck at the start.

Any help on this post please.

Hey

Here are some brief notes

  • Your host inventory defines ansible_connection twice, once as ansible_connection=local and the other as ansible_connection=winrm. Use local if you want to run things on the Ansible controller and use winrm when you want to run something on the Windows host
  • Use ansible_port instead of ansible_ssh_port
  • When connecting to Windows hosts use win_ modules, like win_ping instead of ping
  • Your error is because you are trying to run win_ping over the local connection, where PowerShell isn't installed

Thanks

Jordan
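As an added example (not posted in the thread and not from the Ansible project), here is a complete INI inventory that applies the notes above: a single connection plugin, ansible_port instead of ansible_ssh_port, and the scheme and transport spelled out. The group and host names and the 10.12.12.12 address are the placeholders used in this thread; the password value is a placeholder that belongs in ansible-vault, not in the file.

```ini
# Windows servers in the test domain
[abctst-win]
abc012.abctst.lcl ansible_host=10.12.12.12

[abctst-win:vars]
# one connection plugin only: winrm for Windows targets, never local
ansible_connection=winrm
# the HTTP listener that "winrm quickconfig" creates; if ansible_port is
# omitted Ansible defaults to 5986/HTTPS and reports "Connection refused"
# on any host that has no HTTPS listener
ansible_port=5985
ansible_winrm_scheme=http
# NTLM (and Kerberos) encrypt the message body, so HTTP is usable on a
# trusted LAN; Basic ("plaintext") over HTTP is refused by WinRM's defaults
ansible_winrm_transport=ntlm
# realm in upper case: Kerberos requires it, NTLM accepts it
ansible_user=ansible.deploy@ABCTST.LCL
# placeholder; keep the real value in ansible-vault
ansible_password=xxxxxxxxxx
# only consulted for HTTPS with a self-signed certificate
ansible_winrm_server_cert_validation=ignore
```

Note that Ansible's INI inventory only treats # at the start of a line as a comment, so the comments above are on their own lines rather than after the values. Check the result with: ansible abctst-win -i hosts -m win_ping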

  • Removed ansible_connection=local
  • Corrected to ansible_port=5985

The following error occurred:

abc012.abctst.lcl | FAILED! => {
"msg": "winrm or requests is not installed: No module named winrm"
}

But if I check on the Windows machine (abc012.abctst.lcl) and run the command "winrm quickconfig":

Output:

WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

What's wrong now? :(

pywinrm is not installed on the controller, run "pip install pywinrm" on the Ansible host to install that.

After I ran "pip install pywinrm" I am getting the following error:

Installing collected packages: requests, ntlm-auth, pycparser, cffi, enum34, asn1crypto, cryptography, requests-ntlm, pywinrm
Found existing installation: requests 2.6.0
Cannot uninstall 'requests'. It is a distutils installed project and thus we cannot accurately determine which files belong to it which would lead to only a partial uninstall.

There is a conflict between a system package and pip trying to install another package, which pip 10 doesn't handle properly. You can do either of the following

Thanks

Jordan

I have installed and created a virtualenv.
Installed pywinrm, and this time with no errors.
I will get back on this later to report how things worked.
I feel blessed reaching out here!

Hi Jordan,
Assist me further as I am not able to find content relating to my problem.

I installed a virtualenv.
Did:

There seems to be a problem in the formatting of your hosts inventory file.
I would recommend reading through http://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html .

Update:
Further, I went ahead and created a hosts file in my "ansible-virtualenv" and passed the path in the global ansible.cfg file.
Ran the following command in the virtualenv and now I have the following issue:

ansible win -i hosts -m win_ping
[WARNING]: * Failed to parse /root/ansible-virtualenvs/ansible-virtualenv/playbook/hosts with yaml plugin: Syntax
Error while loading YAML. expected '', but found '' The error appears to have been in
'/root/ansible-virtualenvs/ansible-virtualenv/playbook/hosts': line 4, column 1, but may be elsewhere in the file
depending on the exact syntax problem. The offending line appears to be: [win] abc012.abctst.lcl
ansible_host=10.12.12.12 ^ here

[WARNING]: * Failed to parse /root/ansible-virtualenvs/ansible-virtualenv/playbook/hosts with ini plugin: /root
/ansible-virtualenvs/ansible-virtualenv/playbook/hosts:11: Expected key=value, got: ansible_user:
ansible.deploy@abctst.lcl

[WARNING]: Unable to parse /root/ansible-virtualenvs/ansible-virtualenv/playbook/hosts as an inventory source

[WARNING]: No inventory was parsed, only implicit localhost is available

[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not
match 'all'

abc012.ARITST.LCL | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: ssh: connect to host 10.12.12.206 port 22: Connection refused\r\n",
"unreachable": true
}

I have the following vars in the hosts file created in "ansible-virtualenv":

[win:vars]
ansible_user: ansible.deploy@abc.lcl
ansible_password: xxxxxxxxxxx
ansible_port=5985
ansible_connection=winrm
ansible_winrm_server_cert_validation: ignore

Why is it still trying to use port 22?

When using an INI inventory you have to define vars as key=value, not key: value. Change all your vars to that format and the inventory will be parsable.

Now I am getting a new error.
My first error was:

VATCS028.ARITST.LCL | UNREACHABLE! => {
"changed": false,
"msg": "plaintext: the specified credentials were rejected by the server",
"unreachable": true
}
vabcs012.aritst.lcl | UNREACHABLE! => {
"changed": false,
"msg": "plaintext: HTTPConnectionPool(host='10.12.12.12', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f02859474d0>: Failed to establish a new connection: [Errno 111] Connection refused',))",
"unreachable": true
}

After which I added a line to the hosts vars (noticing that I had forgotten to mention it):

ansible_winrm_transport: Kerberos

and now I have this error:

VATCS029.ARITST.LCL | UNREACHABLE! => {
"changed": false,
"msg": "kerberos: the python kerberos library is not installed",
"unreachable": true
}

Bear with me, I need to resolve this. It's been a month that I have been trying to fix these things.
Also I want to ask: should I do a new Ansible server setup on CentOS and try working from the start?

http://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html .

What does the entry in the hosts inventory look like? Kerberos is generally used when you are using a domain account and need second-hop capabilities.

The example below uses NTLM which is older but does also work quite well.

[win:vars]
ansible_user=ansible.deploy@ABC.LCL
ansible_password=xxxxxxxxxxx
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_winrm_server_cert_validation=ignore

If you want to use Kerberos then you will need the packages:

yum -y install python-devel krb5-devel krb5-libs krb5-workstation

plaintext: the specified credentials were rejected by the server

You are running over HTTP with Basic auth, which doesn't work by default. I recommend using an HTTPS listener, or an auth setup that supports message encryption over HTTP like NTLM/Kerberos/CredSSP.

plaintext: HTTPConnectionPool(host='10.12.12.12', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f02859474d0>: Failed to establish a new connection: [Errno 111] Connection refused',))

This usually means there's a firewall blocking the port; make sure Windows Firewall (or anything else in between) is not blocking it.

kerberos: the python kerberos library is not installed

The Kerberos dependencies are not installed by default as they require a few system packages; to install them run

```shell
# install the required system packages for requests-kerberos
sudo yum install gcc python-devel krb5-devel krb5-workstation

# install the requests-kerberos library
pip install pywinrm[kerberos]
```

If I should do a new ansible server setup on a CentOS and try working from start?

Depends on what you need to do. I recommend you push through and get your basic setup done and working. Once it is, make sure you have documented the steps you took to get to that point and start to automate them. Once you have a way of running a script (be it through Ansible or something else), you can easily bring down and recreate your control host. First you need to set things up correctly and understand the various components.

Thanks

Jordan
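To make the three failure modes above concrete (Basic/"plaintext" rejected over HTTP, connection refused on the listener port, and the 5986/HTTPS default when no port is set), here is an added PowerShell script that audits and hardens the WinRM service on one Windows host so that NTLM over HTTPS works. It is not code from this thread or from the Ansible project. It assumes Windows Server 2012 R2 (New-SelfSignedCertificate does not exist on 2008 R2, where ConfigureRemotingForAnsible.ps1 should be left to create the certificate), an elevated PowerShell on the target, and a placeholder $ControllerIp that must be replaced with the Ansible control host's address. Get-WinRMListener is a helper defined here, not a built-in cmdlet.

```powershell
# Added example, not from the thread or from Ansible: audit and harden WinRM on
# ONE Windows host so Ansible can reach it with NTLM over HTTPS.
# Run from an elevated PowerShell on the target (Server 2012 R2 assumed).
$ControllerIp = '10.12.12.250'   # ASSUMPTION: placeholder, replace with the real controller IP
$ErrorActionPreference = 'Stop'

function Get-WinRMListener {
    # One object per WinRM listener, read from the WSMan: provider
    Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $props = @{}
        Get-ChildItem $_.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
        New-Object PSObject -Property $props |
            Select-Object Transport, Port, Address, CertificateThumbprint
    }
}

# 1. Listeners. Ansible defaults to 5986/HTTPS unless ansible_port=5985 is set,
#    so "Connection refused ... port=5986" means no HTTPS listener (or a firewall).
Write-Host '== Listeners before =='
Get-WinRMListener | Format-Table -AutoSize

# 2. Service-side authentication. Basic only works for local accounts and, over
#    HTTP, only with AllowUnencrypted=true; a domain account sent with Basic is
#    answered with 401, which Ansible reports as "credentials were rejected".
Write-Host '== Service auth =='
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value | Format-Table -AutoSize
Write-Host ('AllowUnencrypted = {0}' -f (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value)

# 3. Add an HTTPS listener if there is none, bound to a self-signed certificate
#    for this host's FQDN. The controller then needs
#    ansible_winrm_server_cert_validation=ignore until a CA-issued cert replaces it.
if (-not (Get-WinRMListener | Where-Object { $_.Transport -eq 'HTTPS' })) {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation Cert:\LocalMachine\My
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
    Write-Host "Created HTTPS listener for $fqdn (thumbprint $($cert.Thumbprint))"
}

# 4. Harden: keep NTLM/Kerberos/Negotiate, refuse Basic and unencrypted bodies.
Set-Item WSMan:\localhost\Service\Auth\Basic      -Value $false
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 5. Windows Firewall: allow 5986 inbound from the controller only, Domain profile.
#    2008 R2 has no NetSecurity module, so fall back to netsh there.
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS (Ansible)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'WinRM HTTPS (Ansible)' -Direction Inbound `
            -Protocol TCP -LocalPort 5986 -RemoteAddress $ControllerIp `
            -Profile Domain -Action Allow | Out-Null
    }
} else {
    netsh advfirewall firewall add rule name="WinRM HTTPS (Ansible)" dir=in action=allow `
        protocol=TCP localport=5986 remoteip=$ControllerIp profile=domain | Out-Null
}

Write-Host '== Listeners after =='
Get-WinRMListener | Format-Table -AutoSize
```

With this in place the inventory needs only ansible_connection=winrm, ansible_winrm_transport=ntlm and ansible_winrm_server_cert_validation=ignore; the default port 5986 and HTTPS scheme match the listener the script created. Leaving the HTTP listener on 5985 in place is fine for NTLM, since NTLM encrypts the message body, but Basic stays disabled. The same state can be eyeballed with winrm enumerate winrm/config/listener and winrm get winrm/config/service.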

Some success here.
As Mike suggested, I changed the vars.

Hosts vars as below:

[win:vars]
ansible_user=ansible.deploy@ABC.LCL
ansible_password=xxxxxxxxxxx
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_winrm_server_cert_validation=ignore

Output:

vabcs012.aritst.lcl | UNREACHABLE! => {
"changed": false,
"msg": "ntlm: HTTPSConnectionPool(host='10.12.12.12', port=5986): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f726abd0250>: Failed to establish a new connection: [Errno 111] Connection refused',))",
"unreachable": true
}
VATCS206.ARITST.LCL | SUCCESS => {
"changed": false,
"ping": "pong"
}

With Kerberos:
Following output:

RobotWindowsSer | UNREACHABLE! => {
"changed": false,
"msg": "Kerberos auth failure: kinit: Client 'ansible.deploy@aritst.lcl' not found in Kerberos database while getting initial credentials",
"unreachable": true
}
VATCS028.ARITST.LCL | UNREACHABLE! => {
"changed": false,
"msg": "Kerberos auth failure: kinit: KDC reply did not match expectations while getting initial credentials",
"unreachable": true
}
VATCS206.ARITST.LCL | UNREACHABLE! => {
"changed": false,
"msg": "Kerberos auth failure: kinit: Client 'ansible.deploy@aritst.lcl' not found in Kerberos database while getting initial credentials",
"unreachable": true
}
vabcs012.aritst.lcl | UNREACHABLE! => {
"changed": false,
"msg": "Kerberos auth failure: kinit: KDC reply did not match expectations while getting initial credentials",
"unreachable": true
}
VATCS029.ARITST.LCL | UNREACHABLE! => {
"changed": false,
"msg": "Kerberos auth failure: kinit: KDC reply did not match expectations while getting initial credentials",
"unreachable": true
}

To revise what I am trying is:
I am working in an environment where there are 5 domains that run Windows and Linux systems.
The network operators spend weeks and months patching these Windows and Linux systems and it is a pain.
I want to automate this patching task.

Referring to the Ansible for Windows document.
I believe if I can successfully ping the Windows machine I will definitely be able to make my playbook do the rest of the magic.
But here I am stuck at the root.

I have my Ansible machine in one domain and the Windows hosts that I am trying on are in another domain (the test environment for me).
If I succeed here, I can then move on to staging and production.

Given this background I am seeking help, looking to automate this painful, outdated task and let Ansible take care of it.

Ok that makes it clearer. I also work with multiple Windows domains, with a single CentOS control node. For your use case ntlm would work as Kerberos adds extra config and also has its own issues.

I know I had enabled WinRM on machine 206, that's the reason it pinged back.
I know the WinRM service is running on the other machines, but I believe I will have to change the execution policy and run ConfigureRemotingForAnsible.ps1 on each of them to enable it to listen for remoting.
Is there a way I can run the ps1 on all the hosts at once?
Ansible could do it, but for that to happen I think WinRM needs to be configured first.
Is this approach correct?
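One answer to "run the ps1 on all the hosts at once", as an added example that is not from this thread or from the Ansible project: since "winrm quickconfig" has already created the HTTP/5985 listener on the hosts, ordinary PowerShell remoting from a Windows admin workstation in (or trusted by) the Test domain can fan ConfigureRemotingForAnsible.ps1 out with Invoke-Command, and the script then adds the HTTPS listener Ansible will use. Assumptions: hosts.txt is a constructed file with one FQDN per line, the Ansible script has already been downloaded into the current folder, and the account given to Get-Credential is an administrator on every target. Launch it from an already open elevated console (powershell.exe -ExecutionPolicy Bypass -File .\Invoke-AnsibleWinRMSetup.ps1, the file name being a placeholder) rather than by double-clicking, so any error stays on screen instead of the window closing.

```powershell
# Added example, not from the thread or from Ansible: run
# ConfigureRemotingForAnsible.ps1 on many hosts at once via PowerShell remoting.
# Assumes hosts.txt (constructed, one FQDN per line) and the script in the CWD.
param(
    [string]$HostFile   = '.\hosts.txt',
    [string]$ScriptPath = '.\ConfigureRemotingForAnsible.ps1',
    [int]$Throttle      = 10
)
$ErrorActionPreference = 'Stop'
$cred    = Get-Credential -Message 'Account with local admin rights on the target hosts'
$targets = Get-Content $HostFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') }

# 1. Pre-flight: which hosts answer a WS-Man Identify on 5985? Those that do not
#    cannot be reached this way and need the script run locally or via a GPO
#    startup script.
$reachable = @(); $skipped = @()
foreach ($h in $targets) {
    if (Test-WSMan -ComputerName $h -ErrorAction SilentlyContinue) { $reachable += $h }
    else { $skipped += $h }
}
if ($skipped)        { Write-Warning ('No WinRM answer from: {0}' -f ($skipped -join ', ')) }
if (-not $reachable) { throw 'No reachable hosts; nothing to do.' }

# 2. Fan out. -FilePath ships the script body to each host (nothing to copy
#    first); -ThrottleLimit caps concurrent sessions; errors are collected per
#    host instead of aborting the whole run.
Invoke-Command -ComputerName $reachable -Credential $cred -ThrottleLimit $Throttle `
    -FilePath $ScriptPath -ErrorAction Continue -ErrorVariable fanOutErrors | Out-Null
foreach ($e in $fanOutErrors) {
    $where = if ($e.OriginInfo) { $e.OriginInfo.PSComputerName } else { $e.TargetObject }
    Write-Warning ('{0}: {1}' -f $where, $e.Exception.Message)
}

# 3. Verify: every reachable host should now expose an HTTPS listener and still
#    have Basic auth switched off.
Invoke-Command -ComputerName $reachable -Credential $cred -ScriptBlock {
    $https = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    New-Object PSObject -Property @{
        Host          = $env:COMPUTERNAME
        HttpsListener = [bool]$https
        BasicAuth     = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    }
} | Select-Object Host, HttpsListener, BasicAuth | Format-Table -AutoSize
```

Two caveats a practitioner will hit. If the workstation is in a domain that the target domain does not trust, NTLM remoting needs the targets added to the client's TrustedHosts (Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'abc012.abctst.lcl' -Concatenate), which is exactly the cross-domain situation in this thread. And if the Ansible script restarts the WinRM service on a host, that host's session drops and shows up in the warnings; the verification step in part 3 then tells you whether the listener was created anyway. Once every host reports HttpsListener=True, the rest of the rollout belongs to Ansible itself (win_ping, then the patching playbook).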

Hi All,