Problems Connecting To Windows 2012 R2

I am new to Ansible, so please bear with me… I am trying to bring up an Ansible test environment whereby I can test config management against a Windows environment. The environment consists of an Ansible management server running Linux Red Hat Enterprise Linux Server release 6.7 and a test Windows 2012 R2 server. I believe I have all the necessary packages installed to support the WinRM/Kerberos connection from the Ansible management server to the Windows server. Here are the packages I believe to have been installed on the Ansible management server to support Windows:

pywinrm
python-devel
krb5-devel
krb5-libs
krb5-workstation
kerberos
requests-kerberos

I have updated /etc/krb5.conf file. When I run a “kinit ‘user’@MY.DOMAIN.COM” on the Ansible management server I get the following:

ansible@servername:/home/ansible # kinit xxxxxx@MY.DOMAIN.COM
Password for xxxxxxx@MY.DOMAIN.COM:
ansible@servername:/home/ansible #

I then ran a “klist” to ensure the kerberos connection was made:

ansible@servername:/home/ansible # klist
Ticket cache: FILE:/tmp/krb5cc_5000
Default principal: xxxxxx@MY.DOMAIN.COM

Valid starting Expires Service principal
10/20/16 07:17:28 10/20/16 17:17:58 krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM
renew until 10/21/16 07:17:28
ansible@servername:/home/ansible #

I then created a /group_vars/windows.yml file consisting of the following:

ansible_user: xxxxxx@MY.DOMAIN.COM
ansible_password: xxxxx
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

but when I go to run an “ansible winTest -m win_ping -vvvv” it appears that it is trying an SSL connection instead of a winrm connection, possibly?:

ansible@servername:/home/ansible # ansible winTest -m win_ping -vvvvv
Using /home/ansible/.ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<172.31.0.166> ESTABLISH SSH CONNECTION FOR USER: None
<172.31.0.166> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)
<172.31.0.166> SSH: ansible_password/ansible_ssh_pass not set: (-o)(KbdInteractiveAuthentication=no)(-o)(PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey)(-o)(PasswordAuthentication=no)
<172.31.0.166> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
<172.31.0.166> SSH: PlayContext set ssh_common_args: ()
<172.31.0.166> SSH: PlayContext set ssh_extra_args: ()
<172.31.0.166> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r)
<172.31.0.166> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r xxx.xx.x.xxx '/bin/sh -c '"'"'( umask 77 && mkdir -p "echo $HOME/.ansible/tmp/ansible-tmp-1476962695.95-263373308192487" && echo ansible-tmp-1476962695.95-263373308192487="echo $HOME/.ansible/tmp/ansible-tmp-1476962695.95-263373308192487" ) && sleep 0'"'"''
xxx.xx.x.xxx | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh.",
    "unreachable": true
}
ansible@servername:/home/ansible #

If I telnet to the windows server it appears the port is open:

ansibleservername:/home/ansible # telnet xxx.xx.x.xxx 5985
Trying xxx.xx.x.xxx...
Connected to xxx.xx.x.xxx.
Escape character is '^]'.

and if I verify that remoting is working on the windows server it appears to be working locally:

PS C:\Users\XXXXXX> $Credential = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\Users\XXXXXX> $Session = New-PSSession -Credential $Credential -ComputerName xxx.xx.x.xxx
PS C:\Users\XXXXXX> Invoke-Command -Session $Session -ScriptBlock {gci e:}

Directory: E:\

Mode LastWriteTime Length Name PSComputerName


d---- 10/19/2016 1:11 PM Applications xxx.xx.x.xxx
da--- 10/19/2016 1:06 PM Logs xxx.xx.x.xxx
d---- 10/19/2016 1:11 PM temp xxx.xx.x.xxx

PS C:\Users\XXXXXX>

I also tried to connect to WinRM from another Windows server:

PS C:\Users\XXXXX> $Credential = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\Users\XXXXXX> $Session = New-PSSession -Credential $Credential -ComputerName xxx.xx.x.xxx
PS C:\Users\XXXXXX> Invoke-Command -Session $Session -ScriptBlock {gci e:}

Directory: E:\

Mode LastWriteTime Length Name PSComputerName


d---- 10/19/2016 1:11 PM Applications xxx.xx.x.xxx
da--- 10/19/2016 1:06 PM Logs xxx.xx.x.xxx
d---- 10/19/2016 1:11 PM temp xxx.xx.x.xxx

PS C:\Users\XXXXXX>

Is there a config step whereby I specify Ansible use a winrm connection that I missed? Any assistance would be greatly appreciated…

Thanks,

Bob Wieberdink

In 2.1 we had to back off on some of the automatic transport detection stuff with the advent of NTLM and support for things like Microsoft accounts - try adding

ansible_winrm_transport=kerberos

to your inventory…

Is ‘winTest’ the hostname or the name of a group of hosts in your inventory?

The Windows host(s) that you want to connect to will need to be in a group called ‘windows’ in your inventory.

[windows]
winTest
… other hosts

The name of the group, windows, has to match the name of the file (minus .yml extension) in group_vars. Without this, ansible doesn’t know that the host is a windows box and needs to connect via winrm etc, and just uses default ssh connection type.

So that could be what’s happening here.

Hope that helps,

Jon
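
Added example, not part of the original thread and not Ansible's own code: a simplified Python model of the group-name to group_vars file matching described in the reply above, showing why a host that is not in the windows group never picks up ansible_connection: winrm and falls back to ssh. The inventory text and the trimmed group_vars content are constructed for illustration; child groups, host_vars and Ansible's full precedence rules are not modelled.

```python
"""Simplified model of group_vars matching; an illustration, not Ansible's resolver."""
DEFAULT_CONNECTION = "ssh"  # the fallback seen in the -vvvvv output in the question

def parse_inventory(text):
    """Return {host: set(groups)} from a minimal INI inventory (no :children/:vars)."""
    hosts, group = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        name = line.split()[0]          # ignore inline key=value host vars
        hosts.setdefault(name, {"all"})  # every host is implicitly in 'all'
        if group:
            hosts[name].add(group)
    return hosts

def parse_simple_vars(text):
    """Parse flat 'key: value' lines, enough for the group_vars file in the post."""
    out = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out

def effective_vars(host, inventory_text, group_vars_files):
    """Merge group_vars/<group>.yml for each group the host belongs to ('all' first)."""
    groups = parse_inventory(inventory_text).get(host, {"all"})
    merged = {}
    for g in sorted(groups, key=lambda g: (g != "all", g)):
        merged.update(parse_simple_vars(group_vars_files.get(g + ".yml", "")))
    return merged

def connection_for(host, inventory_text, group_vars_files):
    found = effective_vars(host, inventory_text, group_vars_files)
    return found.get("ansible_connection", DEFAULT_CONNECTION)

# Constructed sample data mirroring the thread (credentials deliberately omitted).
GROUP_VARS = {"windows.yml": "ansible_port: 5986\nansible_connection: winrm\n"
                             "ansible_winrm_transport: kerberos\n"}
UNGROUPED = "winTest\n"                # host listed outside any group
WRONG_GROUP = "[winTest]\nserver1\n"   # 'winTest' used as the group name
GROUPED = "[windows]\nwinTest\n"       # group name matches windows.yml

if __name__ == "__main__":
    for label, inv, host in (("ungrouped", UNGROUPED, "winTest"),
                             ("wrong group", WRONG_GROUP, "server1"),
                             ("windows group", GROUPED, "winTest")):
        print(label, "->", connection_for(host, inv, GROUP_VARS))
```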