Nshah
Feb 2, 12:42
Hello,
I followed the guidelines in setting up a windows node.
http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep
I am using Windows 2008 R2, which had PowerShell 2.0 installed; I upgraded to PowerShell 4.0 (since the requirements said PowerShell 3.0)…
When trying to run ansible, I am running the following and getting the below listed error message:
ansible-playbook -i hosts ipconfig.yml --ask-vault
Vault password:
PLAY [test raw module] ********************************************************
TASK: [run ipconfig] **********************************************************
fatal: [qa-codegen01.theorchard.local] => 500 WinRMTransport. [Errno 111] Connection refused
FATAL: all hosts have already failed -- aborting
Note - I went ahead and enabled winRM and configured with the following settings:
winrm quickconfig -q
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="300"}'
winrm set winrm/config '@{MaxTimeoutms="1800000"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
maybe this might be a bit more insight:
ansible windows -m win_ping -vvvv
<10.40.1.31> ESTABLISH WINRM CONNECTION FOR USER: root on PORT 5986 TO XXXXXXX
<10.40.1.31> WINRM CONNECT: transport=plaintext endpoint=https://XXXXX:5986/wsman
<10.40.1.31> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 111] Connection refused
10.40.1.31 | FAILED => 500 WinRMTransport. [Errno 111] Connection refused
I’ve got a group_var/windows.yml:
ansible_user: user@domain.local
ansible_password: XXXXXXXX
ansible_port: 5986
ansible_connection: winrm
# The following is necessary for Python 2.7.9+ when using default WinRM self-signed certificates:
ansible_winrm_server_cert_validation: ignore
You have
ansible_user: user@domain.local
set, implying that you want to use a domain user.
When you run, the following is shown:
transport=plaintext endpoint=https://XXXXX:5986/wsman
The transport needs to be kerberos to connect with a domain user.
I suspect you are missing the python kerberos library.
If this can’t be loaded then ansible will attempt a plaintext connection which I am fairly certain won’t work with a domain user.
You don’t mention which OS you are running ansible on but you probably need to install
python-kerberos from yum
or
pykerberos from pip
Hope this helps
Jon
That’s a good start, I am using CentOS, and I was able to run yum install python-kerberos just now. However, still seems to be getting same message when rerunning:
Installed:
python-kerberos.x86_64 0:1.1-15.el7
Complete!
[root@bamagent06 ansible]# ansible windows -m win_ping -vvvv
<10.40.1.31> ESTABLISH WINRM CONNECTION FOR USER: root on PORT 5986 TO xx.xx.xx.xx
<10.40.1.31> WINRM CONNECT: transport=plaintext endpoint=https://xx.xx.xx.xx:5986/wsman
<10.40.1.31> WINRM CONNECTION ERROR: 500 WinRMTransport. [Errno 111] Connection refused
10.40.1.31 | FAILED => 500 WinRMTransport. [Errno 111] Connection refused
It’s as if it’s not using my group_vars/windows.yml to pick up the creds.
I’ve tested kerberos following http://docs.ansible.com/ansible/intro_windows.html#id9. I ran
kinit user@DOMAIN.LOCAL and it doesn’t come back with anything but it also doesn’t come back with a failure. I also tried inputting the wrong password on purpose and it throws a “kinit: Preauthentication failed while getting initial credentials” leading me to believe kerberos auth is working fine… I don’t understand why it’s not using kerberos and using “root” and plaintext. I even tried to set the ansible_user/password/host/port in the hosts file for that inventory group.
Nikhil,
I ran into many problems getting kerberos to work with ansible as well, but finally got it working.
First, ensure that you’ve obtained a valid kerberos ticket by running ‘klist’ on the command line after running your kinit command. Please post that back here if you can.
Second, make sure your Linux box where you’re running Ansible is registered on the same domain as the Windows server you are trying to connect to.
Third, your ansible_user domain needs to be in all CAPS like so user@DOMAIN.LOCAL
Let us know what you come up with.
-Joe
Just an update, but still having issues… I realized I was using ansible 1.9.4 and the syntax is a bit different than ansible 2.0 (e.g. ansible_ssh_user vs. ansible_user), now seeing this error:
[root@bamagent06 ansible]# ansible windows -m win_ping -vvvv
<XX.XX.XX.XX> ESTABLISH WINRM CONNECTION FOR USER: on PORT 5986 TO XX.XX.XX.XX
<XX.XX.XX.XX> WINRM CONNECT: transport=kerberos endpoint=https://XX.XX.XX.XX:5986/wsman
XX.XX.XX.XX | FAILED => Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 586, in _executor
exec_rc = self._executor_internal(host, new_stdin)
File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 789, in _executor_internal
return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args)
File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 968, in _executor_internal_inner
conn = self.connector.connect(actual_host, actual_port, actual_user, actual_pass, actual_transport, actual_private_key_file, delegate_host)
File "/usr/lib/python2.7/site-packages/ansible/runner/connection.py", line 52, in connect
self.active = conn.connect()
File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 140, in connect
self.protocol = self._winrm_connect()
File "/usr/lib/python2.7/site-packages/ansible/runner/connection_plugins/winrm.py", line 96, in _winrm_connect
protocol.send_message('')
File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 193, in send_message
return self.transport.send_message(message)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 269, in send_message
krb_ticket = KerberosTicket(self.krb_service)
File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 205, in __init__
kerberos.authGSSClientStep(krb_context, '')
GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))
Right, so like I said in my previous response: make sure your Linux box is registered on the Windows domain.
Run ‘dnsdomainname’ to check if your Linux machine is joined to a domain.
If not, you need to use something like PBIS to do so:
https://community.spiceworks.com/how_to/80336-join-ubuntu-14-04lts-to-a-windows-domain-using-pbis-open
-Joe
OK, so I set up a new Ubuntu server and followed instructions on tying to domain and looks to be successful… here is the latest error:
root@ansible02:/etc/ansible# ansible windows -m win_ping -vvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
An exception occurred during task execution. The full traceback is:
Traceback (most recent call last):
File "/usr/lib/pymodules/python2.7/ansible/executor/process/worker.py", line 114, in run
self._shared_loader_obj,
File "/usr/lib/pymodules/python2.7/ansible/executor/task_executor.py", line 119, in run
res = self._execute()
File "/usr/lib/pymodules/python2.7/ansible/executor/task_executor.py", line 366, in _execute
self._connection = self._get_connection(variables=variables, templar=templar)
File "/usr/lib/pymodules/python2.7/ansible/executor/task_executor.py", line 582, in _get_connection
connection = self._shared_loader_obj.connection_loader.get(conn_type, self._play_context, self._new_stdin)
File "/usr/lib/pymodules/python2.7/ansible/plugins/__init__.py", line 326, in get
self._module_cache[path] = self._load_module_source('.'.join([self.package, name]), path)
File "/usr/lib/pymodules/python2.7/ansible/plugins/__init__.py", line 313, in _load_module_source
module = imp.load_source(name, path, module_file)
File "/usr/lib/pymodules/python2.7/ansible/plugins/connection/winrm.py", line 28, in <module>
import xmltodict
ImportError: No module named xmltodict
10.40.1.31 | FAILED! => {
"failed": true,
"stdout": ""
}
root@ansible02:/etc/ansible# ansible-playbook -i hosts ipconfig.yml
PLAY [test raw module] *********************************************************
TASK [run ipconfig] ************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ImportError: No module named xmltodict
fatal: [10.40.1.31]: FAILED! => {"failed": true, "stdout": ""}
PLAY RECAP *********************************************************************
10.40.1.31 : ok=0 changed=0 unreachable=0 failed=1
Sorry for bugging you all so much, but I feel I’m almost there!
root@ansible02:/etc/ansible# ansible windows -m win_ping -vvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<10.40.1.31> ESTABLISH WINRM CONNECTION FOR USER: agent@domain.LOCAL on PORT 5986 TO 10.40.1.31
10.40.1.31 | FAILED! => {
"failed": true,
"msg": "ERROR! kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243)), ssl: 500 WinRMTransport. [Errno 111] Connection refused"
}
I’d like to thank you all, I was able to resolve my Windows issue. Few things I had to do was the following:
- Use Ubuntu instead of CentOS (which is not the reason for the issues)
- Install PBIS and set that stuff up
- Follow the instructions on http://docs.ansible.com/ansible/intro_windows.html
- pip install xmltodict
- pip install pywinrm
- Install apt-get install krb5-user (to be able to run kinit)
- Kept getting “ssl: 500 WinRMTransport” so I ended up using HTTP port 5985 (I’ll figure out the whole SSL stuff at a later point)
Thanks guys!
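An added example, not part of the thread or of Ansible itself: a small audit of the working setup described above (HTTP on port 5985 with the AllowUnencrypted and Basic service settings from the first post), listing what that combination leaves exposed until the HTTPS listener is sorted out. The sample inputs are constructed from values quoted in the thread; the function names and finding ids are hypothetical.

```python
import re

# Constructed input: the thread's group_vars with the HTTP port the poster
# finally used, plus the two service settings from the first post.
GROUP_VARS = """\
ansible_user: user@DOMAIN.LOCAL
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
"""
WINRM_SETS = """\
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
"""

def parse_vars(text):
    """Parse flat `key: value` lines (enough for the thread's group_vars)."""
    pairs = (line.split(":", 1) for line in text.splitlines()
             if ":" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_winrm_sets(text):
    """Map Setting -> value from `winrm set <path> '@{Setting="value"}'`."""
    return {k: v.lower() for k, v in re.findall(r'@\{(\w+)="([^"]*)"\}', text)}

def audit(group_vars, service):
    """Return (id, reason) findings for cleartext or unverified WinRM."""
    findings = []
    unenc = service.get("AllowUnencrypted") == "true"
    basic = service.get("Basic") == "true"
    if group_vars.get("ansible_port") == "5985":
        findings.append(("http-listener", "port 5985 is plain HTTP, no TLS"))
    if unenc:
        findings.append(("allow-unencrypted", "service accepts unencrypted requests"))
    if basic:
        findings.append(("basic-auth", "password is only base64-encoded in a header"))
    if basic and unenc:
        findings.append(("cleartext-credentials", "service takes Basic over plain HTTP"))
    if group_vars.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append(("no-cert-validation", "HTTPS server identity is not checked"))
    return findings

def finding_ids(vars_text=GROUP_VARS, sets_text=WINRM_SETS):
    return [fid for fid, _ in audit(parse_vars(vars_text), parse_winrm_sets(sets_text))]

if __name__ == "__main__":
    for fid, why in audit(parse_vars(GROUP_VARS), parse_winrm_sets(WINRM_SETS)):
        print(f"{fid}: {why}")
```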
I am glad you got this working. I have to prepare for this same setup and wondering if you have any comprehensive notes that you can share here?