Fairly new to Ansible, but I am just finishing a fairly extensive course on Linux Academy. I have some good use cases… the first one is configuring windows VMs to have a number of packages installed automatically. Currently I can uninstall old versions of java and install the most current version of java on a number of VMs.
I have a problem with the install though that I can’t seem to put my finger on, but have reproduced several times now specifically on Windows 2016 servers and possibly on Windows 2012.
These VMs are automatically put on the domain when they are provisioned. We are an engineering shop and we add all domain users to the local administrator group as any engineer can logon to any VM as administrator. These are engineering clusters only.
I have configured Kerberos and it works fine in general, however when I try to use win_package to install from a network share I have problems.
“failed to connect network drive with credentials: Access is denied”
I am a member of domain admins, and administrators… I can logon to these systems and execute the package from PS console and it works fine, but not using win_package
If I change the user from myuser to administrator, then it works. It seems like this is to do with Ansible as I can execute it from console as me fine, but if anyone has any advice on what the problem might be, I would sure appreciate it as this is kind of a stumbling block to moving on to the full configuration that I am trying to achieve.
The issue you have is that Ansible is failing to access that network file with the username MYCORP\myuser. If you say it works when running it locally as that user then it could be that Windows is caching a custom credential for that share and is using that to access the file.
When running a command in Ansible there is a big difference in how Windows deals with credentials and other factors compared to running it locally. The biggest difference is that the process usually does not have access to your credentials and can’t authenticate with downstream servers like fileshares. One other difference is the network logon type restricts you from accessing things normally available on an interactive logon, e.g. mapped drives, DPAPI (credential store), certain Windows functions. This isn’t an Ansible issue but a fundamental way of working inside Windows when it comes to network logons.
To bypass these limitations that come with WinRM we give you the following options:
1. Use CredSSP or Kerberos with ansible_winrm_kerberos_delegation: True to access network resources with the Ansible user. This only really affects the network resource side and local limitations with WinRM still exist.
2. Some select modules have the ability to set a username and password for network authentication, win_package is one of them and I see you are using it now.
3. Use become to change the logon type from network to interactive and allow the credentials to be delegated like it would under CredSSP or Kerberos with the delegation flag and bypass other WinRM restrictions.
   In 2.5, become was expanded to allow you to explicitly set the credentials used when accessing network resources but still run the local process as the connection user.
If you are on Ansible 2.5 I would highly recommend you use the last option as you can use any credential you want to access network resources. For example, I can run a process as the connection user but when accessing a fileshare I want to authenticate with the account fakeuser with the password fakepassword. The account fakeuser is not a valid logon account for the Windows host but a valid credential for the fileshare and before 2.5 you could only use become for a valid logon user. To achieve this you would do
The benefit of this approach is you can do this for any module (except raw and script), unlike the old method where it was only if the module supported it.
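As an added illustration of the 2.5 become approach described in the answer above (this is not the answerer's own snippet; the inventory group, share path, product id and the fakeuser credential are placeholders), the network credential is supplied through runas become flags while the local process still runs as the WinRM connection user:

```yaml
# Added example: install from a UNC share through WinRM on Ansible 2.5.
# MYCORP\fakeuser only needs to be valid on the file server, not a logon
# account on the target host. Replace every placeholder before use.
- name: Install Java from a network share
  hosts: windows_engineering        # placeholder inventory group
  gather_facts: false
  vars:
    share_user: MYCORP\fakeuser
    share_password: fakepassword    # keep real values in ansible-vault
  tasks:
    - name: Install package from the file server
      win_package:
        path: \\fileserver\software\jre-installer.exe   # placeholder path
        product_id: '{00000000-0000-0000-0000-000000000000}'  # placeholder
        arguments: /s
        state: present
      # become keys placed here apply to this task only; placed at play
      # level (aligned with hosts:) they would apply to every task.
      become: yes
      become_method: runas
      become_user: "{{ share_user }}"
      vars:
        ansible_become_pass: "{{ share_password }}"
        # new_credentials: the local process keeps the connection user's
        # token; netcredentials_only: the become credential is used only
        # for outbound network authentication, i.e. the share.
        ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
```

The Kerberos alternative from option 1 is an inventory setting rather than a task setting (ansible_winrm_kerberos_delegation: true on the host or group), and it requires the connection user itself to be allowed to reach the share.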
Thanks Jordan, I upgraded to 2.5 yesterday, but seem to have even more problems now in that I can’t talk to any hosts… and the message is confusing
fatal: [AnsWin201601]: UNREACHABLE! => {"changed": false, "msg": "ssl: the specified credentials were rejected by the server", "unreachable": true}
I have made the changes to use become. Slightly confused by the message, is it unreachable, or are the credentials not accepted? I’ve probably messed something up during the upgrade, I have another control host I am trying to configure from fresh in parallel… but if that message means anything blindingly obvious to anyone please let me know.
Usually that one means that the supplied username and password aren’t valid for the machine you are trying to connect to.
I suggest running your playbook with -vvvvvv to see which user it is attempting to connect as, and also check the event logs on the remote host to see if there are any login events at the time you start running your playbook.
Thanks, it was just me being stupid… I had some stuff installed locally and some in bin and was trying to clean up and I didn’t install the Python Kerberos bit. It’s all pretty much working now… but nice to know about that option, is it -vvvvvv?
Hi, I have a kind of stupid question I guess… it just shows I don’t know my Ansible YAML structure very well… but in the above code there is the task… and then below and indented back out is the become: yes and become_method… does that mean that all tasks above that will run with those parameters? Sorry, but I have not seen anything written that way before and I did a course on Ansible, but just have not seen that many playbooks yet.
I am trying to install anti-virus software on a bunch of Windows machines using the win_package module, and it works fine, however I am unable to supply the license key. Could you please help me with the argument I should use?
- name: Install Cylance from Network Share
  hosts: all
  gather_facts: true
  tasks: