The winrm stuff mentioned above seemed promising?
Actually, there are a couple of python winrm clients around.
https://github.com/diyan/pywinrm
There’s even one from dell, that they’ve open sourced.
Then (hopefully) the only bootstrap you need should be “winrm quickconfigure” on the client.
I’ve done this in native powershell before and the only weird bit was transferring files. You end up passing the entire file as an argument to the create file function. Not sure whether this limitation was in winrm or powershell though…
I've been going back and forth on this many times, psexec looked like a
good connection plugin but then you still need python and json on windows
and a way to bootstrap. Getting raw to work didn't seem hard, but remote
installing python ....
psexec doesn't really matter.
The psexec method does not provide an encrypted transport like SSH does.
Cygwin gives us some of the tools (ssh + python + posixyness) but is itself
a pain to setup on scale (unattended?).last thing i was looking at was wmi, with the wmic linux C program, its all
remote and would 'work' (setup/gather facts was very easy) but requires
re-implementing all modules and it becomes more remote and less 'execute at
target'.In all cases most base module have to be redone or at least have major
re-factoring to allow for windows particulars on the user, group, files,
permissions and services levels.At this point I'm considering that the solution is "ansible-win",a
dedicated tool that works mostly the same (probably can use most of the
base api) but needs it's own modules, plugins, etc, that should be able to
use wmi,powershell, cygwin and psexec. Probably using something like
'unattended' as a pkg manager. Unless windows 8 app store adds this, has an
API and has all the apps you'll need (not holding my breath).
Ansible is supposed to be language-neutral. Powershell is a language, if it can
output json you'd be ready. If not, shouldn't be to hard to create some code that does.
I just thought of something, there is WinExe, I've used this once and is
appears to be psexec for Unix.http://sourceforge.net/p/winexe/wiki/Home/
It worked the one time I tried it. Maybe we could use this to execute 0mq
in Python on Windows and then we have our command channel.I guess it might pass the 0mq keys in cleartext which would be a security
hole.
WinExe uses the PsExec method. WinExe is kinda broken, but there are patches
to fix it.
There is a Python implementation of the PsExec method, I've mentioned it on the
mailinglist before, if you'd use that method the Python implemtation
would be a better idea.
But PsExec is cleartext, so it doesn't give you what you'd want for Ansible.
You want to have a SSH equivalant.
I think that remote powershell would be the best way to acheive the
native connection. To my knowledge an out of the box windows machine
handles it this just fine (not certain, but I don't think it needs any
firewall opening either).
One run of quickconfig does handle all bit, which includes opening the firewall.
What is also kind of annoying is you need to set the security policy of Powershell:
Set-ExecutionPolicy
I've been researching sqlcmd and the sqlps module, I should be able to
provide something more detailed this week but my initial thought is
Keep up the good work. 
that a module built over powershell would extend nicely. It's
different for everyone I think because environments that use windows
more heavily, tend to use their full feature set from AD, GPO, WSUS or
WDS.
Yes, I wouldn't be surprised if people use Group Policy (GPO) to bootstrap
some of this stuff.
quickconfig does 4 or 5 things which can probably also be done with GPO.
And setting ExecutionPolicy might also be possible with GPO.
MS priorities imo :
Firewall
MSSQL
Files
IIS
Active directory
You mean what modules for Ansible you'd want to be created ?
I don't think we've gotten that far just yet 
You can invoke powershell on the host one time with:
Powershell.exe -executionpolicy remotesigned yourscript.ps1
I’ve done that before, it changes the execution policy for just that powershell session.
Actually, there are a couple of python winrm clients around.
Yes, there are a few, but I have yet to find a winrm python client that supports sending encrypted messages.
PowerShell is basically SOAP, which is XML over HTTP.
SSH on Linux/Unix gives us these properties:
- authentication
- encryption
- some form of passwordless login
- support for Kerberos if that is really what you want
You can use Kerberos to encrypt the SOAP/XML-messages.
Powershell does support a HTTPS transport, but it's not the default.
It needs more steps to set it up.
So far I've only found one Ruby client that does support encrypted SOAP.
Here is a description of how that works:
https://github.com/zenoss/txwinrm/issues/1
I've extended the pywinrm issue for Kerberos support so the developer has the same information I have.
He is the only Python implementation developer I've seen that has at least looked at it and created some code.
There's even one from dell, that they've open sourced.
They are using the winrm command from openswman.
openwsman only supports Kerberos/GSS encrypted messages on the Linux server at this time.
Then (hopefully) the only bootstrap you need should be "winrm
quickconfigure" on the client.I've done this in native powershell before and the only weird bit was
transferring files. You end up passing the entire file as an argument to
the create file function. Not sure whether this limitation was in winrm or
powershell though...
Yeah, not seen a better solution yet, but I've only been looking at Powershell for a few
days now. And mostly looking at authentication and encryption.
I see a lot of copying of files with \\server5\c$ ( Windows filesharing/SMB )
But that is not encrypted either.
I don't know if supports Linux for encryption for SMB3:
http://blogs.msdn.com/b/openspecification/archive/2012/06/08/encryption-in-smb3.aspx
Even if if it was, it isn't the way to go for now I believe because most deployed implementation don't support SMB3.
And when you use \\server5\c$ there are no garantee it will use SMB3.
Transfering files/code over PowerShell or at least Windows-Remote Management, seems to be the best fit for now.
Al though by what we know now, it isn't great.
Windows Remote Management is larger than just PowerShell. There might be an other way to do it, I don't know yet.
It's just a HTTP server, so hopefully it supports some other method, somehow.
Thanks, that is very useful to know.
Can you do it remotely too ?
Yeah, I posted a link to link to a github repo to this group on a different Ansible windows thread. It’s got my previous attempt to do something like this in windows.
In it I use powershell remoting to create a file, pass the script content over as one massive argument, then remotely execute powershell with execution policy remotesigned and pass it the script I just copied.
Yeah, I posted a link to link to a github repo to this group on a different
Ansible windows thread. It's got my previous attempt to do something like
this in windows.
Yes, I've seen it.
In it I use powershell remoting to create a file, pass the script content
over as one massive argument, then remotely execute powershell with
execution policy remotesigned and pass it the script I just copied.
That seems usable.
I did look at the code before, but I didn't notice it at the time.
> Yeah, I posted a link to link to a github repo to this group on a different
> Ansible windows thread. It's got my previous attempt to do something like
> this in windows.
>Yes, I've seen it.
> In it I use powershell remoting to create a file, pass the script content
> over as one massive argument, then remotely execute powershell with
> execution policy remotesigned and pass it the script I just copied.That seems usable.
I did look at the code before, but I didn't notice it at the time.
Just had a look at the code. Seems you ask the user to provide the credentials.
Steve, do you need the credentials or does Kerberos work as well ?
Or is that something you haven't tried yet ?
I always passed the credentials, because when I wrote that the servers I was managing were in a different domain anyway.
Never tried kerberos…
I've seen mention of this on a few other lists, searched here and
didn't see it. But there was an opensource powershell + bash project,
however it looks out of date...