Hi,
I’m using Ansible on a CentOS 7 guest on VirtualBox, using a bridged network with a Windows host.
They can both ping each other (Windows address: 192.168.1.2, CentOS 7 address: 192.168.1.3).
I’m using a basic WinRM connection and I’ve already executed configureRemotingForAnsible.ps1 successfully on the host, along with these two commands:
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
I’ve also disabled the firewall on both sides.
My Windows account is not part of any domain.
The Ansible version is 2.2.1.0.
the inventory file: inv.ini
“the specified credentials were rejected by the server” can often mean the password doesn’t match what’s expected for the user name.
Are you using a domain login? If so, you’ll need to set up the Kerberos support. If not, check the Windows event log to see which user it reckons you are logging in as.
I think it’s possible to tweak the WinRM service to allow non-admin logins, but still, lots of the operations you perform against the server require administrator privileges anyways, so I don’t see the point in spending time on it.
You definitely can allow a non-admin account to run through WinRM, but it is definitely not something that is enabled by default and would require some fiddling with the SDDL and endpoint ACLs. This issue has most of the information that is required to add a non-admin: https://github.com/ansible/ansible/issues/16478. Trond is right though, usually you require admin privileges to do anything in Windows like install applications or change config, so I don’t see there being a large case for this in Ansible. Happy to be proven otherwise though.
More interesting would be to use restricted endpoints, which let you execute stuff as a different user than the one you’re logging in with. That way you’d have one credential that would actually do all the things, and another credential to connect with. Unsure whether pywinrm supports it - maybe Matt would know?
Did you solve this problem? I had the same error message as you. I set up a local service account on a Windows server and I can’t ping that server using win_ping. Does that user have to be part of administration group or standard group?
I can’t stress this enough, do not set AllowUnencrypted="true" on your Windows hosts. This may have been needed a few years ago, but today you can easily set up an HTTPS listener with a self-signed certificate or use message encryption with NTLM, Kerberos or CredSSP authentication. If you do set this then you could be paying more than just the price of a coffee once a hacker has seen all the WinRM communication in plaintext.
I completely agree.
Yet, this was only a demo environment and this was the easiest way to get the damn WinRM working from Ansible - of course it is not an option for production.
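
As an added example (not part of the thread and not code from ConfigureRemotingForAnsible.ps1), the following PowerShell audits a host for the two settings enabled in the first post and reverts AllowUnencrypted once an HTTPS listener is present. The function names are hypothetical, and it assumes an elevated PowerShell session on the Windows host.

```powershell
# Added example; function names are hypothetical. Run elevated on the Windows host.

function Get-WinRMWeakSetting {
    # Emits one object per service setting that is currently enabled and that
    # lets credentials or payloads cross the network in cleartext over HTTP.
    $checks = @(
        @{ Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Risk = 'unencrypted WinRM traffic accepted' }
        @{ Path = 'WSMan:\localhost\Service\Auth\Basic';       Risk = 'Basic authentication accepted' }
    )
    foreach ($check in $checks) {
        $value = (Get-Item -Path $check.Path).Value
        if ($value -eq 'true') {
            [pscustomobject]@{ Path = $check.Path; Value = $value; Risk = $check.Risk }
        }
    }
}

function Test-WinRMHttpsListener {
    # True when at least one listener uses the HTTPS transport.
    $https = Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    return [bool]$https
}

function Disable-WinRMUnencrypted {
    # Reverts AllowUnencrypted only when an HTTPS listener exists, so that
    # clients still have an encrypted path to connect over afterwards.
    if (-not (Test-WinRMHttpsListener)) {
        Write-Warning 'No HTTPS listener found; create one before disabling AllowUnencrypted.'
        return $false
    }
    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value 'false'
    return $true
}

$findings = @(Get-WinRMWeakSetting)
if ($findings.Count -eq 0) {
    Write-Output 'No weak WinRM service settings found.'
} else {
    $findings | Format-Table -AutoSize
    if (Disable-WinRMUnencrypted) {
        Write-Output 'AllowUnencrypted set to false. Remaining findings:'
        Get-WinRMWeakSetting | Format-Table -AutoSize
    }
}
```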