WinRM on APT Ansible installation

I installed Ansible with apt on Ubuntu 23. When I try adding Windows servers to the inventory it throws SSH errors. I’m assuming this is because the WinRM components are missing. In the docs it talks about adding them using pip or pipx but I didn’t use either of those. Do I need to uninstall Ansible with apt and reinstall with pip or something else?

Charles

1 Like

Hi,

I installed Ansible with apt

As a side note, you should install Ansible from pip if you want to use the latest versions, as deb packages are updated at the whim of maintainers (thanks to them btw).

I’m assuming this is because the WinRM components are missing

No, it’s because Ansible uses ssh as the default connection method. You need to explicitly specify ansible_connection: winrm, though you might indeed need to install additional packages (pywinrm from PyPI in my case, as well as krb5-user from my distro repo) for this method to work.

I remember having a bad time getting it to work, not so much because of Ansible configuration, but the Kerberos one and the fact that winrm was badly configured on multiple remote nodes. It is also really slow to work with. I don’t manage Windows Server nodes anymore these days, but if I had to, I would probably use OpenSSH instead.

Anyways, here is a configuration example:

# inventories/group_vars/windows.yml
---

ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore
#ansible_user: [] # To override; format : USER@DOMAIN.TLD (case sensitive)
#ansible_winrm_pass: [] # Doesn't work with --ask-pass, so either use https://docs.ansible.com/ansible/latest/user_guide/playbooks_prompts.html, or override

# Example : ANSIBLE_PASSWORD="<myPass>" ansible ... -e ansible_user=USER@DOMAIN.TLD -e ansible_winrm_pass='{{ lookup("env", "ANSIBLE_PASSWORD") }}' # It would be somewhat safer to set password in a vault encrypted file and use --ask-vault-pass parameter on command line

# To check winrm config on Windows Server nodes: winrm get winrm/config (more here: https://learn.microsoft.com/fr-fr/troubleshoot/windows-client/system-management-components/configure-winrm-for-https, here for ansible conf: https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html)

# /etc/krb5.conf

[libdefaults]
      default_realm = DOM1.TLD

[realms]
    DOM1.TLD = {
        kdc = SRV1.DOM1.TLD:88
        kdc = SRV2.DOM1.TLD:88
        kdc = SRV3.DOM1.TLD:88
        kdc = SRV4.DOM1.TLD:88
        admin_server = SRV1.DOM1.TLD
        default_domain = DOM1.TLD
    }
    DOM2.TLD = {
        kdc = SRV1.DOM2.TLD:88
        kdc = SRV2.DOM2.TLD:88
        kdc = SRV3.DOM2.TLD:88
        kdc = SRV4.DOM2.TLD:88
        admin_server = SRV1.DOM2.TLD
        default_domain = DOM2.TLD
    }

[domain_realm]
    .dom1.tld = DOM1.TLD
    .dom2.tld = DOM2.TLD

I quickly tried to reach Windows Server nodes with my previously existing config (I haven’t used it for years), and got this error that I really don’t want to troubleshoot:

<redacted> | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true
}

Anyways, here is how I used to do stuff on Windows Server nodes, and I’d like to not do that again, ever.

Hope it helps!

1 Like
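An added example, not part of the post above: the same WinRM group variables with listener certificate validation left on and the password read from a vault-encrypted file, as the post's own comment suggests. The directory layout, the CA bundle path and the variable name `vault_winrm_password` are assumptions; `USER@DOM1.TLD` reuses the post's placeholder realm.

```yaml
# inventories/group_vars/windows/vars.yml  (assumed layout)
---
ansible_connection: winrm
ansible_winrm_transport: kerberos
# Use the HTTPS listener so the certificate check below applies
ansible_winrm_scheme: https
ansible_port: 5986
# "validate" instead of "ignore": the listener certificate must chain
# to a CA that the control node trusts
ansible_winrm_server_cert_validation: validate
ansible_winrm_ca_trust_path: /etc/ssl/certs/internal-ca.pem  # assumed path
ansible_user: USER@DOM1.TLD
# The secret is only referenced here; its value lives in vault.yml
ansible_password: "{{ vault_winrm_password }}"

---
# inventories/group_vars/windows/vault.yml  (assumed layout)
# Encrypt this file with: ansible-vault encrypt <path to vault.yml>
vault_winrm_password: "<myPass>"
```

Run the playbook with `--ask-vault-pass` so the vault file is decrypted at run time rather than the password being passed through the environment.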

So I was investigating WinRM because ssh on Windows was experimental. However, all I’m trying to do is script a shutdown of all my servers when my UPS runs low. Is shutdown over ssh on Windows reliable enough for this purpose?

Charles

1 Like

Is shutdown over ssh on Windows reliable enough for this purpose?

Yes, I think so. There will probably be some missing or buggy features depending on which OS version / build you’re using, but I doubt you’ll encounter many issues really. AFAIK, OpenSSH on Windows Server has existed for a while and the project seems well maintained.

FWIW, a team I worked with on a previous mission used this kind of setup to run centralized scheduled jobs on Windows Server targets with no issues whatsoever.

Some resources:

That being said, I’m not saying you should use OpenSSH over WinRM as it’s not a complete replacement and will probably not be the best option in every situation, but it should work just as fine if not better for your current needs (shutdown remote nodes with Ansible).
So unless you’re in a hurry or have specific requirements, I suggest you try to implement both at small scale and see what setup would be more convenient to use and manage, also taking into account your future needs.

Also not what you asked, but be aware you’ll still be limited to Windows modules use.

As for what you’re trying to achieve, ansible.windows.win_reboot module seems appropriate. I don’t know if you plan to automate your playbook execution, but if you do, you might want to have a look at Event-driven Ansible, which could be configured to receive monitoring system notifications as your UPS runs low and automatically run your playbook in response.

Have a nice Sunday!

1 Like

I’ll look into SSH on Windows Server after I get my first Linux boxes dealt with.

Thanks for the tip on event driven ansible. I was just planning to have the playbook called by NUT. Is Event Driven Ansible only part of AAP or can I get that for free too?

Charles

1 Like

Is Event Driven Ansible only part of AAP or can I get that for free too?

You can use it for free :) ; look at this: Installation — Ansible Rulebook Documentation

I got SSH server running on Windows Server and I had to install Python. Now when I log in as the ansible user over ssh and run python it loads:

ansible@FEDERATION02 C:\Users\ansible>python
Python 3.12.0 (tags/v3.12.0:0fb18b0, Oct  2 2023, 13:03:39) [MSC v.1935 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>>

But Ansible is complaining that no python interpreter is found. It says the last thing it tried was python so why isn’t it working?

This is just a warning, and is not why your task is failing. You can see the PowerShell error trace in the module_stderr key.
Post your playbook and I’ll try to point out where your issue lies.

You’re getting this warning about the interpreter because Ansible can’t find the python binary, though I’m not sure why, but probably because you can’t run python modules on Windows.
You could either try to explicitly define the absolute path in Ansible config, or mask those warnings. Have a look here: Ansible Configuration Settings — Ansible Documentation, and here: Interpreter Discovery — Ansible Documentation.

All I’m doing is using the Ping module. Is that Python?

You need to use ansible.windows.win_ping: ansible.windows.win_ping module – A windows version of the classic ping module — Ansible Documentation

Python modules do not work on Windows right now.

3 Likes
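An added example, not from the thread: one way to wire up the OpenSSH setup the last posts arrive at. The group name `windows_ssh` and the file names are assumptions; `ansible_shell_type: cmd` matches the cmd prompt shown in the SSH session above, and `ansible_user: ansible` is the account from that session.

```yaml
# inventories/group_vars/windows_ssh.yml  (group and file name are assumptions)
---
ansible_connection: ssh
ansible_user: ansible
# Must match the default shell of the Windows OpenSSH server (cmd or powershell);
# without it Ansible assumes a POSIX shell on the remote side
ansible_shell_type: cmd

---
# win_check.yml  (hypothetical playbook name)
- name: Check Windows nodes over SSH
  hosts: windows_ssh
  # Skip fact gathering so the play runs only the Windows module named below
  gather_facts: false
  tasks:
    - name: Use the Windows ping module, not the Python-based ansible.builtin.ping
      ansible.windows.win_ping:
```

Because `ansible.windows.win_ping` is a PowerShell module, it does not need the Python installation on the Windows node.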