WinRM on APT Ansible installation

Hi,

> I installed Ansible with apt

As a side note, you should install Ansible from pip if you want to use latest versions, as deb packages are updated to the whim of maintainers (thanks to them btw).

> I’m assuming this is because the WinRM components are missing

No, it’s because Ansible uses ssh as default connection method. You need to explicitly specify ansible_connection: winrm, though you might indeed need to install additional packages (pywinrm from PyPI in my case, as well as krb5-user from my distro repo) for this method to work.

I remember having a bad time getting it to work, not so much because of the Ansible configuration, but because of the Kerberos one and the fact that winrm was badly configured on multiple remote nodes. It is also really slow to work with. I don’t manage Windows Server nodes anymore these days, but if I had to, I would probably use OpenSSH instead.

Anyways, here is a configuration example:

```yaml
# inventories/group_vars/windows.yml
---

ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore
#ansible_user: [] # To override; format: USER@DOMAIN.TLD (case sensitive)
#ansible_winrm_pass: [] # Doesn't work with --ask-pass, so either use https://docs.ansible.com/ansible/latest/user_guide/playbooks_prompts.html, or override

# Example: ANSIBLE_PASSWORD="<myPass>" ansible ... -e ansible_user=USER@DOMAIN.TLD -e ansible_winrm_pass='{{ lookup("env", "ANSIBLE_PASSWORD") }}'
# It would be somewhat safer to set the password in a vault-encrypted file and use the --ask-vault-pass parameter on the command line.

# To check winrm config on Windows Server nodes: winrm get winrm/config
# (more here: https://learn.microsoft.com/fr-fr/troubleshoot/windows-client/system-management-components/configure-winrm-for-https,
#  here for ansible conf: https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html)
```

```ini
# /etc/krb5.conf

[libdefaults]
      default_realm = DOM1.TLD

[realms]
    DOM1.TLD = {
        kdc = SRV1.DOM1.TLD:88
        kdc = SRV2.DOM1.TLD:88
        kdc = SRV3.DOM1.TLD:88
        kdc = SRV4.DOM1.TLD:88
        admin_server = SRV1.DOM1.TLD
        default_domain = DOM1.TLD
    }
    DOM2.TLD = {
        kdc = SRV1.DOM2.TLD:88
        kdc = SRV2.DOM2.TLD:88
        kdc = SRV3.DOM2.TLD:88
        kdc = SRV4.DOM2.TLD:88
        admin_server = SRV1.DOM2.TLD
        default_domain = DOM2.TLD
    }

[domain_realm]
    .dom1.tld = DOM1.TLD
    .dom2.tld = DOM2.TLD
```

I tried quickly to join Windows Server nodes with my previously existing config (which I haven’t used for years), and got this error that I really don’t want to troubleshoot:

```
<redacted> | UNREACHABLE! => {
    "changed": false,
    "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
    "unreachable": true
}
```

Anyways, here is how I used to do stuff on Windows Server nodes, and I’d like to not do that again, ever.

Hope it helps!
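As an added example (not part of the post above, and not Ansible's or pywinrm's own code), the following pre-flight script parses a krb5.conf laid out like the reply's sample and reports, for each inventory hostname, whether the name Ansible will hand to the Kerberos transport can be mapped to a realm with KDCs. The realm data is copied from the sample; the hostnames, the `KRB5_CONF` constant and all function names are constructed for this example. The background assumption, stated as a comment in the code, is that the Kerberos transport builds its service principal from the hostname as written in the inventory, so IP literals and short names are the first things to rule out before looking at the Windows side.

```python
# Pre-flight check for Ansible WinRM hosts using the Kerberos transport.
# Added example, not taken from the forum post or from Ansible/pywinrm.
# It parses a krb5.conf in the post's layout and classifies inventory
# hostnames. All hostnames and the realm data below are constructed.
import ipaddress
import re

# Constructed copy of the post's /etc/krb5.conf sample (trimmed KDC list).
KRB5_CONF = """
[libdefaults]
      default_realm = DOM1.TLD

[realms]
    DOM1.TLD = {
        kdc = SRV1.DOM1.TLD:88
        kdc = SRV2.DOM1.TLD:88
        admin_server = SRV1.DOM1.TLD
        default_domain = DOM1.TLD
    }
    DOM2.TLD = {
        kdc = SRV1.DOM2.TLD:88
        admin_server = SRV1.DOM2.TLD
        default_domain = DOM2.TLD
    }

[domain_realm]
    .dom1.tld = DOM1.TLD
    .dom2.tld = DOM2.TLD
"""


def parse_krb5_conf(text):
    """Minimal parser for [libdefaults], [realms] and [domain_realm].

    Returns {"libdefaults": {...}, "realms": {REALM: {"kdc": [...], ...}},
    "domain_realm": {suffix: REALM}}. Includes and other krb5.conf
    features are out of scope for this check.
    """
    conf = {"libdefaults": {}, "realms": {}, "domain_realm": {}}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
            continue
        if section == "realms":
            m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if m:  # start of a "REALM = { ... }" block
                realm = m.group(1)
                conf["realms"][realm] = {"kdc": []}
                continue
            if line == "}":
                realm = None
                continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "realms" and realm is not None:
            if key == "kdc":  # several kdc lines are allowed per realm
                conf["realms"][realm]["kdc"].append(value)
            else:
                conf["realms"][realm][key] = value
        elif section in conf:
            conf[section][key] = value
    return conf


def realm_for_host(host, domain_realm):
    """Longest-suffix match, the way [domain_realm] is evaluated (case-insensitive)."""
    mapping = {k.lower(): v for k, v in domain_realm.items()}
    h = host.lower().rstrip(".")
    if h in mapping:
        return mapping[h]
    best = None
    for suffix, realm in mapping.items():
        if suffix.startswith(".") and h.endswith(suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, realm)
    return best[1] if best else None


def check_host(host, conf):
    """Classify one inventory hostname; returns (status, detail)."""
    try:
        ipaddress.ip_address(host)
        # Assumption: the service principal is built from the hostname as
        # written (HTTP/<host>), so an IP literal cannot match an AD SPN.
        return ("ip-literal", "use the FQDN so the HTTP/<fqdn> principal can be found")
    except ValueError:
        pass
    if "." not in host.rstrip("."):
        return ("short-name", "no domain suffix; realm mapping depends on resolver search domains")
    realm = realm_for_host(host, conf["domain_realm"])
    if realm is None:
        return ("no-realm-mapping", "no [domain_realm] entry covers this host")
    kdcs = conf["realms"].get(realm, {}).get("kdc", [])
    if not kdcs:
        return ("no-kdc", f"realm {realm} has no kdc entries in [realms]")
    return ("ok", f"realm {realm}, KDCs: {', '.join(kdcs)}")


def run_checks(hosts, conf_text=KRB5_CONF):
    """Return {host: (status, detail)} for every inventory host."""
    conf = parse_krb5_conf(conf_text)
    return {host: check_host(host, conf) for host in hosts}


if __name__ == "__main__":
    # Constructed inventory names, not real hosts.
    sample = ["web01.dom1.tld", "SQL02.DOM2.TLD", "10.0.0.5", "web03", "app01.dom3.tld"]
    for host, (status, detail) in run_checks(sample).items():
        print(f"{host:18} {status:17} {detail}")
```

Run it against the real `/etc/krb5.conf` and the hostnames from the inventory before trying `ansible -m win_ping`; any host that does not come back `ok` is worth fixing on the control node first, since the error message from the GSSAPI layer does not say which side is at fault.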
