Powershell script not completely executing...

Hi,

I have started trying to replicate some of the things that we are currently doing with Chef, but with Ansible. One of these is installing Microsoft Sharepoint (on Windows 2008 R2).

In Chef, I do this using some Powershell scripting, so I am trying to do that with Ansible.

I am using this simple Playbook which I found and modified to run a Powershell script:

Hi,

It seems like when the .ps1 is run under Ansible, the two lines with “Start-Process” are not executing. The first one, which runs setup.exe is supposed to cause copying the Sharepoint files, etc. and then the second is supposed to run psconfig.exe.

I’ve also tried modifying the ps1 file to eliminate the “Start-Process” and then run the playbook again, but it seems to hang. I can tell because when this script runs normally (not with Ansible) it creates some directories and files on E:, but when I run under Ansible, nothing is being created on E:.

Thanks,
Jim

Hi,

FYI, I’ve also tried changing from using Start-Process to Invoke-Command, but it still seems to do the same thing (hangs) when I try to run the ps1 via Ansible. I don’t know if this’ll help, but here’s the output with -vvvv:

[root@centos65 ansible_test]# ansible windows -i host -m installit -vvvv
<ansibleclient1.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: administrator on PORT 5985 TO ansibleclient1.whatever.com
<ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=http://ansibleclient1.whatever.com:5985/wsman
<ansibleclient1.whatever.com> REMOTE_MODULE installit
<ansibleclient1.whatever.com> EXEC (New-Item -Type Directory -Path $env:temp -Name “ansible-tmp-1438288265.32-170673722533874”).FullName | Write-Host -Separator ‘’;
<ansibleclient1.whatever.com> WINRM EXEC ‘PowerShell’ [‘-NoProfile’, ‘-NonInteractive’, ‘-EncodedCommand’, ‘KABOAGUAdwAtAEkAdABlAG0AIAAtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgB0AGUAbQBwACAALQBOAGEAbQBlACAAIgBhAG4AcwBpAGIAbABlAC0AdABtAHAALQAxADQAMwA4ADIAOAA4ADIANgA1AC4AMwAyAC0AMQA3ADAANgA3ADMANwAyADIANQAzADMAOAA3ADQAIgApAC4ARgB1AGwAbABOAGEAbQBlACAAfAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAtAFMAZQBwAGEAcgBhAHQAbwByACAAJwAnADsA’]
<ansibleclient1.whatever.com> WINRM RESULT <Response code 0, out “C:\Users\Administrat”, err “”>
<ansibleclient1.whatever.com> PUT /tmp/tmpJaC2C3 TO C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\installit
<ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\installit.ps1 (offset=0 size=2030)
<ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\installit.ps1 (offset=2030 size=2030)
<ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\installit.ps1 (offset=4060 size=2030)
<ansibleclient1.whatever.com> WINRM PUT /tmp/tmpJaC2C3 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\installit.ps1 (offset=6090 size=2008)
<ansibleclient1.whatever.com> PUT /tmp/tmputTM97 TO C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\arguments
<ansibleclient1.whatever.com> WINRM PUT /tmp/tmputTM97 to C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\arguments (offset=0 size=2)
<ansibleclient1.whatever.com> EXEC PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -File C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\installit.ps1 C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874\arguments; Remove-Item "C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1438288265.32-170673722533874" -Force -Recurse;
<ansibleclient1.whatever.com> WINRM EXEC ‘PowerShell’ [‘-NoProfile’, ‘-NonInteractive’, ‘-EncodedCommand’, ‘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’]

What ansible version are you using? If I recall we had a problem in the past with execution policy being set differently under some circumstances, which I speculate might be causing your problems.

As a ‘get-you-going’ suggestion, you could try running the problematic commands (without the start-process) using the ‘raw’ module.

Hope this helps, let us know how you get on.

Jon

I’m running Ansible 1.9.2, which is I think the latest (just downloaded it a couple of days ago).

I’ve tried running the setup.exe and psconfig.exe without Start-Process but within the .ps1 still, and that has the same problem.

I’ll try to break out setup.exe and psconfig.exe and run them with raw in playbook task and see if that works differently. I think that’s what you’re suggesting, right?

BTW, it’s really hard to understand what is actually happening? From logging from the setup.exe, it looks like it is running but only partially. Logging looks strange. I can see that it starts running but then the logging just ends, with no errors. Then, I suspect because setup.exe is stopping/ending, the psconfig.exe can’t run because the files haven’t been fully laid down.

Thanks,
Jim

Hi,

I tried using raw and got this:

```
TASK: [raw ./setup.exe -ArgumentList "xxxxxx" -Wait] **************
failed: [ansibleclient1.whatever.com] => {"rc": 1}
stderr: '.' is not recognized as an internal or external command,
operable program or batch file.

FATAL: all hosts have already failed -- aborting
```

Hi,

I realized that the “-Wait” param was left over from when I was using Start-Process, so I got rid of the “-Wait” and tested again, but still got exactly the same error.

Jim

Hi,

The same comment about the “-ArgumentList”, but I got rid of that and have simply:

./setup.exe xxxxx

and still get the same error…

Jim

I was doing “cd” to set the current directory and then running the ./setup.exe, but it didn’t work, so I use /setup.exe instead and that seems to have worked.

However, now, I am encountering a problem:

<ansibleclient1.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: domain2\administrator on PORT 5985 TO ansibleclient1.whatever.com
<ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=http://ansibleclient1.whatever.com:5985/wsman
<ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 401 Unauthorized. basic auth failed
<ansibleclient1.whatever.com> WINRM CONNECT: transport=plaintext endpoint=https://ansibleclient1.whatever.com:5985/wsman
<ansibleclient1.whatever.com> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
fatal: [ansibleclient1.whatever.com] => 500 WinRMTransport. [Errno 1] _ssl.c:492: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

FATAL: all hosts have already failed – aborting

PLAY RECAP ********************************************************************
to retry, use: --limit @/root/install-3parts.retry

ansibleclient1.whatever.com : ok=0 changed=0 unreachable=1 failed=0

As I mentioned, I am trying to install Sharepoint, which uses AD, so when I do the installation, I have to be logged into the target machine as a domain administrator. However, when I try to use “domain2\administrator” in the group_vars/windows.yml I get the above error.

I don’t know if it’s possible to get past this, but even if I can, I’ve just realized that there may be another problem. As I said, I have to be able to log into the machine as a domain admin. When I did the Chef implementation, I found that I could only do that if I did the log in from a domain member machine. However, since Ansible controller only runs on Linux, that seems to mean that this is all going to be impossible (or can a Linux machine be a domain member?)?

Since our use case is heavily Windows-based, that is leading me to think that Ansible may not be suitable for us?

Thanks,
Jim

A linux machine can function as a domain member. Or you can set things up so that your ansible machine can authenticate against the domain as needed and then ansible can connect as a domain user (and a domain administrator).

There are extra steps if you need to connect as a domain user - see this page: http://docs.ansible.com/ansible/intro_windows.html#installing-on-the-control-machine

Probably just need to install kerberos - have you installed this?

Jon

Hi,

Yes, I think that I already did that (it was in my notes):

[root@centos65 ~]# pip install kerberos
Requirement already satisfied (use --upgrade to upgrade): kerberos in /usr/lib64/python2.6/site-packages
[root@centos65 ~]#

So why would I be getting the errors I posted in the earlier post now?

Thanks,
Jim

I think maybe you need to connect on 5986 to use kerberos - different version of ansible but likely the same - as mentioned here: https://groups.google.com/forum/#!topic/ansible-devel/CpZ0c7na9cI

If that’s not it… can you share your current playbook and group_vars/windows settings (minus passwords of course)? It’s easier to get an idea of what might be happening.

Also, looking at your messages above I am surprised you can treat your powershell script as if it is an ansible module so instead of

ansible windows -i host -m installit -vvvv

try

ansible windows -i host -m script -a installit.ps1 -vvvv

Hope this helps,

Jon

Hi,

FYI, the target Windows machine is not listening on 5986 at all, just on 5985.

Here’s my current playbook:

```yaml
# This playbook tests the script module on Windows hosts

- name: Run powershell script
  hosts: windows
  gather_facts: false
  tasks:
    - name: Run powershell script-1
      script: scripts/install-1.ps1
    - pause: prompt="press ENTER"
    - raw: cd c:/Sharepoint2007SP2files
    - raw: c:/Sharepoint2007SP2files/setup.exe /config config.xml
    - pause: prompt="press ENTER AGAIN"
    - raw: cd "C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/"
    - raw: C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/psconfig.exe -cmd evalprovision provision
```

and here’s groups_var/windows.yml:

```yaml
ansible_ssh_user: domain2\administrator
ansible_ssh_pass: XXXXXX
ansible_ssh_port: 5985
ansible_connection: winrm
```

Also, to be clear, I’ve been running:

ansible-playbook install-3parts.yml

Jim

Hi,

Just some comments:

  • It looks to me like if the user name in group_vars\windows.yml has format “\username”, then Ansible tries to connect to port 5985 using httpS/SSL and I get the SSL errors, but if username has format “username”, I don’t get the SSL error.

  • As I said, the target machine is only listening on 5985 and not listening on 5986 at all.

Am I supposed to do something (other than pip kerberos above) to enable SSL at the node? is the node supposed to be listening on 5986?

Thanks,
Jim

P.S. And BTW, yes, I am still a little confused about what a module is vs. what a playbook is in Ansible, especially a Powershell module vs. a Playbook that runs Powershell scripts.

Hi,

It was very painful, but I think that I’ve been able to enable port 5986 for SSL. I had to:

  • Create a self-signed cert for the Ansible node machine using makecert.exe from the .NET 3.5 SDK for Windows
  • Enable the WinRM listener
  • Open incoming port # 5986 on the firewall

Now, using “netstat -an” I can see 5986 listening and I can “openssl s_client” to port 5986 from the Ansible server.

If I put “administrator” as the username in the group_var/windows.yml, and port 5986, and then do ansible:

```
[root@centos65 ansible_test]# ansible windows -i host -m win_ping
ansible1.domain2.whatever.com | success >> {
    "changed": false,
    "ping": "pong"
}
```

However, if I change the username in windows.yml to \administrator, and do “ansible windows -i host -m win_ping” it fails with a 401 error (not authorized).

```
[root@centos65 ansible_test]# ansible windows -i host -m win_ping -vvvv
<ansible1.domain2.whatever.com> ESTABLISH WINRM CONNECTION FOR USER: domain2\administrator on PORT 5986 TO ansible1.domain2.whatever.com
<ansible1.domain2.whatever.com> WINRM CONNECT: transport=plaintext endpoint=https://ansible1.domain2.whatever.com:5986/wsman
<ansible1.domain2.whatever.com> WINRM CONNECTION ERROR: 401 Unauthorized. basic auth failed
ansible1.domain2.whatever.com | FAILED => 401 Unauthorized. basic auth failed
[root@centos65 ansible_test]#
```

I’m not sure where to go from here. I mean 5986 seems to be working, and is SSL-enabled, so shouldn’t the authentication work now?

Jim

The painful process of setting up the self-signed cert and all that is why we created the bootstrap script which sets up your windows node for Ansible. That process is documented here:
http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep

Regarding domain authentication, I created a blog post about that which you’ll find here:
http://hindenes.com/trondsworking/2015/07/27/ansible-and-windows-configuring-kerberosactive-directory-authentication/

Hopefully using that you should be able to get it working.
Once that’s done you’ll probably see another problem, which is around kerberos and double-hop remoting. Basically if you use Kerberos to authenticate from your ansible controller to your windows node you can’t use the same kerberos “session” to authenticate from the windows node to a third windows node (such as a database with integrated auth or whatever). This problem relates to Kerberos in general and doesn’t have anything to do with Ansible. People are working on tweaking Ansible to better support different auth schemes so that it’s possible to authenticate from Ansible using basic auth via domain creds, but that support isn’t currently there.

Hi,

I’ll take a look at that, but, and I know that this is jumping around a bit, but… going back to earlier in the thread: Any idea why when I was using scripts it was failing, whereas going to raw and individual commands was necessary (and also Start-Process didn’t seem to work even under raw)?

As I said, I’m basically trying to replicate some things that we already have working with Chef, but with Ansible, and so far, there are a number of significant issues like these.

I understand these issues are with Windows targets, but unfortunately, that (Windows) is a large part of our infrastructure.

Thanks,
Jim

Hi,

Well, thanks for your page, I’ve made some progress. I am able to authenticate with the domain admin user now. I even have an “echo $(whoami)” that I run in the playbook as raw and that is outputting the domain admin username (\administrator).

However, I still have the following problems:

  • When the setup.exe is run (raw) it doesn’t seem to complete. It just kind of sits there until I kill it.

  • When I run the Sharepoint psconfig.exe, it’s giving me this error:

TASK: [raw C:/Progra~1/Common~1/Micros~1/WebSer~1/12/BIN/psconfig.exe -cmd evalprovision provision] ***
failed: [ansible1.domain2.whatever.com] => {“rc”: 4294967295}
Copyright (C) Microsoft Corporation 2005. All rights reserved.ard version 12.0.6413.1000

Performing configuration task 1 of 3
Initializing SharePoint Products and Technologies configuration…

Successfully initialized the SharePoint Products and Technologies configuration.

Performing configuration task 2 of 3
Creating sample data…

Failed to create sample data.

An exception of type Microsoft.SharePoint.PostSetupConfiguration.PostSetupConfigurationTaskException was thrown. Additional exception information: The evalprovision command is invalid or a failure has been encountered.
Cannot create sample data because this computer is not part of a server farm. Run this configuration wizard again to create or join a server farm.

I think I’ve seen that before, when I was originally doing the Chef implementation, and if I recall, it occurs because I’m not logged into the Sharepoint machine as the right user, so it can’t “join the farm”.

Is this the double-hop problem you mentioned? So there is no way to get this working with Ansible?

Thanks,
Jim

Hi,

At this point, I am pretty sure that:

  • commands that are run inside a powershell script/ps1 using the “script” module are running under the user that I have in the group_vars/windows.yml, but

  • commands that get run under “raw” are not being run as that user.

  • the setup.exe and psconfig.exe are being run and then return immediately when they are in a script/ps1 file

I don’t know WHAT user is used for the ‘raw’ commands though, as I’ve tried “echo $(whoami)” redirecting the output to a file, but when I do that I get access denied:

```
TASK [raw] **********************************************************************
fatal: [ansible1.domain2.whatever.com]: FAILED! => {"changed": false, "failed": true, "rc": 1, "stderr": "#< CLIXML\r\n<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04\"><S S="Error">out-file : Access to the path 'E:\' is denied.x000D__x000A<S S="Error">At line:1 char:1_x000D__x000A_<S S="Error">+ echo "About to run setup…" >> e: emp_x000C_oo_x000D__x000A_<S S="Error">+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~x000D__x000A<S S="Error"> + CategoryInfo : OpenError: (:) [Out-File], UnauthorizedAccessExc x000D__x000A<S S="Error"> eption_x000D__x000A_<S S="Error"> + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.Ou x000D__x000A<S S="Error"> tFileCommand_x000D__x000A_<S S="Error"> x000D__x000A", "stdout": "", "stdout_lines": }
```

Jim

Remember that you need to use single quotation marks around params which contain the dollar sign. This works fine on my box:
ansible -m raw -a 'echo $(whoami)' windows_web

It’s difficult to try and help you as there seems to be so much going on. I would advise you to test this using powershell remoting from another windows box. Might be easier to track down errors that way, and then move to ansible when you have everything working. As for the double-hop problem a normal way to solve it is to have a script which sets up a scheduled job where the installer is run.
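
The scheduled-job workaround from the last reply, sketched as an added example that is not part of the original thread: a script, run on the Windows node, that registers a one-off task under explicit credentials through the Task Scheduler COM API (`Schedule.Service`), waits for it, and deletes the task afterwards so the stored password does not stay on the node. The installer path and arguments are taken from the playbook earlier in the thread; the account name, task name, and the `INSTALL_PASSWORD` environment variable are placeholders assumed for illustration.

```powershell
# Added example, not from the thread. Runs setup.exe from a scheduled task so the
# installer gets a full logon for $User instead of the WinRM network logon.
param(
    [string]$User       = 'DOMAIN\installer',        # placeholder account
    [string]$Password   = $env:INSTALL_PASSWORD,     # hypothetical: supplied by the caller
    [string]$TaskName   = 'ansible-sharepoint-setup',# hypothetical task name
    [int]   $TimeoutSec = 3600
)

$svc = New-Object -ComObject Schedule.Service
$svc.Connect()
$folder = $svc.GetFolder('\')

# Describe the task: one exec action, elevated run level.
$def = $svc.NewTask(0)
$def.Principal.RunLevel = 1                          # TASK_RUNLEVEL_HIGHEST
$action = $def.Actions.Create(0)                     # TASK_ACTION_EXEC
$action.Path             = 'C:\Sharepoint2007SP2files\setup.exe'
$action.Arguments        = '/config config.xml'
$action.WorkingDirectory = 'C:\Sharepoint2007SP2files'

# 6 = TASK_CREATE_OR_UPDATE, 1 = TASK_LOGON_PASSWORD (credentials stored with the task)
$null = $folder.RegisterTaskDefinition($TaskName, $def, 6, $User, $Password, 1)

$rc = 1
try {
    $null = $folder.GetTask($TaskName).Run($null)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 5
        $state = $folder.GetTask($TaskName).State    # 2 = queued, 4 = running
    } while (($state -eq 2 -or $state -eq 4) -and (Get-Date) -lt $deadline)

    if ($state -eq 2 -or $state -eq 4) {
        # Still running at the deadline: stop it and report failure.
        $folder.GetTask($TaskName).Stop(0)
        Write-Error "Task '$TaskName' did not finish within $TimeoutSec seconds"
    } else {
        $rc = $folder.GetTask($TaskName).LastTaskResult
        Write-Output "setup.exe exit code: $rc"
    }
}
finally {
    # Remove the task, and with it the stored credentials.
    $folder.DeleteTask($TaskName, 0)
}
exit $rc
```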