I’ve been trying to get a new server to work without luck. This Windows 2008R2 server has the local Administrator account and an account called AnsibleControlAdmin, member of the Administrators group.
In group_vars, I have a variable called ansible_user=AnsibleControlAdmin.
On the command line I have been trying:
```
[noel.verhoeven@ansible ansible]$ ansible mx01 -m win_ping -u Administrator -k -vvvv
Using /home/noel.verhoeven/work/ivv-test/ansible/ansible.cfg as config file
SSH password:
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/windows/win_ping.ps1le
<192.168.1.12> ESTABLISH WINRM CONNECTION FOR USER: AnsibleControlAdmin on PORT 5985 TO 192.168.1.12
mx01 | UNREACHABLE! => {
    "changed": false,
    "msg": "plaintext: the specified credentials were rejected by the server",
    "unreachable": true
}
[noel.verhoeven@ansible ansible]$
```
After a lot of tries and head-scratching, I finally noticed that the call was made for AnsibleControlAdmin instead of Administrator. Somehow the command line option does not override the group_var definitions.
Googling, I see lots of references to this issue, all finally saying that it *"works as designed"* and *"works as intended"*. I sort of cannot disagree, but I guess most people intend to use this differently. Therefore the design is rubbish. I agree that it works as designed. But, who uses ansible without some user defined in the variables?
However, this design decision has been very very expensive, costing lots of hours of wasted time. The difference between command line options, and extra vars is far from clear or intuitive. This should be at least somewhere in the documentation page for variable precedence with a big warning. Ansible is a really nice tool, but these simple things make it seem rather unprofessional.
First, let me explain why hosts are considered 'more specific' than
config or command line options. HostA can have an Administrator
account, HostB an admin one, the rest of the hosts can have
multiple/none configured, as such the command line and config can set
a 'default' account with which to try to connect, but specific hosts
are allowed to override it.
This is a common problem with heterogeneous environments, but it does
trip up those that have a homogeneous one as Ansible tries to serve
both.
Hi Brian,
thanks for the explanation. It is clear to me now. I’m currently running a heterogeneous environment so I do have multiple user accounts/passwords for various hosts in the configuration files/vault. But I was experimenting and thought I could override all with the command line.
I was not familiar with the piece of text you reference, below the footnotes / notes. That explains things clearly. I guess sometimes the documentation can be overwhelming.
One thing I’d like to do is add to the documentation (explaining the ansible command line options) that these command line options do not override these user settings and maybe reference the piece of doc you pointed to. However, I cannot find an explanation of the command line options in the documentation. Only when you run ansible without arguments you get this list.
Am I missing this in the documentation?
One final clarification, you CAN override the inventory from the
command line, but not via the specific switches, through extra-vars
ansible -e 'ansible_user=xyz' ...
Connection vars follow normal variable precedence, so extra_vars
always have the highest precedence and override all other sources. The
command line switches override the configs, but not the
directives/connection variables as those are considered 'more
specific'.
It can be a bit confusing, but the system is designed to allow for
very complex environments, as such it does assume some of that
complexity itself.
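An added example, not part of the thread and not Ansible's own code: a simplified Python model of the precedence described above, used as a pre-flight check that reports which hosts would ignore `-u`. The inventory, the `LocalOps` account and all function names are constructed for illustration.

```python
# Simplified model of the precedence described in this thread (not Ansible's own code):
# config default < -u switch < inventory connection vars < -e extra vars.
import shlex
# Constructed sample inventory; hosts and accounts are illustrative.
INVENTORY = """\
[windows]
mx01
mx02 ansible_user=LocalOps
[windows:vars]
ansible_user=AnsibleControlAdmin
[linux]
web01
"""

def parse_inventory(text):
    """Return {host: vars}; inline host vars win over [group:vars]."""
    host_vars, group_vars, members, section = {}, {}, {}, "ungrouped"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section.endswith(":vars"):
            key, value = line.split("=", 1)
            group_vars.setdefault(section[:-5], {})[key.strip()] = value.strip()
        else:
            host, *pairs = shlex.split(line)
            members.setdefault(section, []).append(host)
            host_vars.setdefault(host, {}).update(p.split("=", 1) for p in pairs)
    merged = {}
    for group, hosts in members.items():
        for host in hosts:
            merged.setdefault(host, {}).update(group_vars.get(group, {}))
    for host, own in host_vars.items():
        merged[host].update(own)
    return merged

def effective_user(host_vars, cli_user=None, extra_vars=None):
    """Return (user, source) for one host under the modelled precedence."""
    layers = [("extra vars (-e)", (extra_vars or {}).get("ansible_user")),
              ("inventory", host_vars.get("ansible_user")), ("-u switch", cli_user)]
    return next(((u, s) for s, u in layers if u), (None, "config or current user"))

def ignored_switch_hosts(inventory, cli_user, extra_vars=None):
    """Map each host where -u is NOT the account used to (user, source)."""
    resolved = {h: effective_user(v, cli_user, extra_vars)
                for h, v in parse_inventory(inventory).items()}
    return {h: r for h, r in resolved.items() if r[0] != cli_user}
```

With `-u Administrator` alone, the model reports `mx01` and `mx02` as still connecting with their inventory accounts; passing the same name as an extra var leaves no host overridden.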
> One final clarification, you CAN override the inventory from the
> command line, but not via the specific switches, through
> extra-vars
> ansible -e 'ansible_user=xyz' ...
I think this bit is missing in the docs. Or rather, many people might
be confused what "extra vars" are. Or they might not know the
difference between "-e 'ansible_user=foo'" and "-u foo".
This may also be true for other items in the variable precedence list.
I guess not that many people have used a "play vars_prompt".
Hi,
I hadn’t looked at the “man ansible” pages yet. When I do I see for the -u option: “Use this username to login to the target host, instead of the current user.”
I guess that is a bit simplistic, and in other than the most basic circumstances not true. I think some more explanation is needed here.
And in my opinion, a new entry in the online docs should be present in the basics/introduction part about the “ansible -help” CLI options with a bit more explanation and perhaps examples.
I’ll be glad to help here, since I’m going to dive in deep the coming months…