Working with Ansible on Windows Hosts

Hello All, did anyone figure out working with Ansible on Windows hosts? If so, please give me the process and info on how you got this working on Windows.

thanks,
Narmada

Depends on what you mean by working on Windows, Ansible can remotely connect to a Windows host and execute modules against that. We have numerous docs and a quick Google search will give you lots of info and blog posts detailing how this can be done.

If you want to know if you can run Ansible as a controller on a Windows host, you cannot do this natively. The easiest way is to use Windows Subsystem for Linux (WSL) or setup a VM and run it from that. There are also numerous guides out there detailing these steps which are a quick Google search away.

Thanks

Jordan

Thanks Jordan, yeah I am trying to use Windows as hosts and I spent a lot of time setting up Windows machines as hosts. I tried Kerberos as well but no luck.

Since you’re using Windows, you might also want to know that the ecosystem is not only Ansible… DSC also provides the rest of what you often need.

https://www.ansible.com/blog/using-the-win_dsc-module-in-ansible

Thanks Thad, I am already using DSC for server configuration, but after going through Ansible I felt like using a single component for both Linux and Windows.
My ping playbook is not working at all on Windows hosts.

If you’ve already attempted to connect but are failing, it would be best to share what you have done as well as any errors you are getting back. I can definitely tell you it is possible, but without knowing what issues you are having it’s hard to point you in the right direction.

Some things that would be good to know are:

  • The inventory you are using
  • The playbook you are running with
  • The command and output when you run with -vvv so we can see the errors
  • If you are running with Kerberos, a copy of the /etc/krb5.conf file
  • Whether you can run ‘kinit user@DOMAIN’ outside of Ansible successfully

Thanks

Jordan

krb5.config

includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = XYZ.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
XYZ.COM = {
kdc = USERNAME@XYZ.COM
}

[domain_realm]
.xyz.com = XYZ.COM
xyz.com = XYZ.COM

You’re missing the most important thing: what’s the error you are receiving, and whether your kinit can get the user’s token. Briefly looking at it:

  • The KDC has USER...@XYZ.COM, this should be a hostname and not an account of the domain controller
  • Your inventory file has ansibel_ssh_user, this has incorrect spelling and isn’t needed because you have defined ansible_user in the group variables
  • You have ansible_winrm_message_encryption: always but because you are running over https this isn’t needed, you can omit this value

Please share the output you are getting, preferably run Ansible with -vvv, and try and run kinit manually outside of Ansible to verify your kerb setup is correct.

Thanks

Jordan

Thanks Jordan, I tried what you mentioned above, but this is the error I am getting:

fatal: [servername]: UNREACHABLE! => {"changed": false, "msg": "Kerberos auth failure for principal username@xyz.com with subprocess: kinit: Cannot find KDC for realm "xyz.com" while getting initial credentials", "unreachable": true}

Please suggest a solution…

thanks,
Narmada

So that error is saying it failed to run kinit to get a kerb ticket for the user ‘user…@xyz.com’. This isn’t necessarily an Ansible issue but a problem with how your Kerberos setup is done. It is saying it cannot contact/find the KDC in the realm ‘xyz.com’ so the one you have configured in your /etc/krb5.conf may not be correct or just not reachable.

Make sure the value for ‘kdc’ in the realms section is a valid hostname for your domain controller and that the host is able to resolve it to an actual host.

Thanks

Jordan

Now I am getting another new error. Somehow I am able to create a kinit ticket, but the error is:
(Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f83900ebc90>: Failed to establish a new connection: [Errno 111] Connection refused',))", "unreachable": true}

That either means the firewall is blocking that port or you have no HTTPS WinRM listener. To verify what listeners are active you can run ‘winrm enumerate winrm/config/listener’ on your Windows host.

PS H:> winrm enumerate winrm/config/listener
Listener [Source="GPO"]
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 0.00.000.000, , 127.0.0.1, ::1, fe80::5efe:10.33.138.118%5, fe80::7008:2200:c50:e8f4%3

Listener [Source="Compatibility"]
Address = *
Transport = HTTP
Port = 80
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 0.00.000.000, 127.0.0.1, ::1, fe80::5efe:10.33.138.118%5, fe80::7008:2200:c50:e8f4%3

Listener [Source="Compatibility"]
Address = *
Transport = HTTPS
Port = 443
Hostname = <Servername.domain.com>
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 0.00.000.000, 127.0.0.1, ::1, fe80::5efe:10.33.138.118%5, fe80::7008:2200:c50:e8f4%3

PS H:>

These are my inbound rules:
[image.png: screenshot of the inbound firewall rules, not reproduced here]

Your problem is you’re not listening on port 5986

Thanks Lucas, is there any way I can make it listen on port 5986, or can we use 5985 to connect?

But here it is from my Windows host:

PS H:> winrm enumerate winrm/config/listener
Listener [Source="GPO"]
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 0.00.000.000, , 127.0.0.1, ::1,
Listener [Source="Compatibility"]
Address = *
Transport = HTTP
Port = 80
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 0.00.000.000, 127.0.0.1, ::1,
Listener [Source="Compatibility"]
Address = *
Transport = HTTPS
Port = 443
Hostname = <Servername.domain.com>
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 0.00.000.000, 127.0.0.1, ::1,

It’s up to you, it depends on the use case. Preferably use https over 5986.

Good script to use for configuring WinRM for Ansible:

https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1

You can configure the listener manually if you prefer, but the script works well.
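The listener check described in the replies above, as an added example that is not part of the thread and not Ansible's or the ConfigureRemotingForAnsible script's own code: a small Python parser for the output of ‘winrm enumerate winrm/config/listener’ that reports which listener Ansible can target and which inventory variables that implies. The listener text is constructed to mirror the thread (the hostname and addresses are placeholders), and recommend_connection assumes Ansible's documented default ports of 5986 for HTTPS and 5985 for HTTP.

```python
import re

# Constructed sample mirroring the thread's "winrm enumerate winrm/config/listener"
# output. Hostname and addresses are placeholders, not real hosts.
SAMPLE_LISTENER_OUTPUT = """\
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, ::1

Listener [Source="Compatibility"]
    Address = *
    Transport = HTTPS
    Port = 443
    Hostname = servername.domain.example
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, ::1
"""

# Ansible's documented default ports per WinRM scheme.
ANSIBLE_DEFAULT_PORT = {"HTTPS": 5986, "HTTP": 5985}

LISTENER_HEADER = re.compile(r'^Listener \[Source="?([^"\]]*)"?\]$')


def parse_listeners(text):
    """Parse the enumerate output into a list of dicts, one per listener.
    Keys without a value (e.g. a bare 'Hostname' line) map to ''."""
    listeners, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = LISTENER_HEADER.match(line)
        if header:
            current = {"Source": header.group(1)}
            listeners.append(current)
            continue
        if current is None:
            continue  # text before the first listener block
        key, sep, value = line.partition("=")
        current[key.strip()] = value.strip() if sep else ""
    return listeners


def recommend_connection(listeners):
    """Choose the listener Ansible should use (HTTPS preferred) and return
    (inventory vars, warnings). Returns (None, warnings) if nothing is usable."""
    enabled = [l for l in listeners if l.get("Enabled", "").lower() == "true"]
    for transport in ("HTTPS", "HTTP"):
        for listener in enabled:
            if listener.get("Transport", "").upper() != transport:
                continue
            port = int(listener.get("Port", "0"))
            inv = {
                "ansible_connection": "winrm",
                "ansible_winrm_transport": "kerberos",
                "ansible_winrm_scheme": transport.lower(),
                "ansible_port": port,
            }
            warnings = []
            if port != ANSIBLE_DEFAULT_PORT[transport]:
                warnings.append(
                    f"{transport} listener is on port {port}, not Ansible's default "
                    f"{ANSIBLE_DEFAULT_PORT[transport]}: set ansible_port explicitly")
            if transport == "HTTPS" and not listener.get("CertificateThumbprint"):
                warnings.append(
                    "HTTPS listener shows no CertificateThumbprint: verify the certificate binding")
            if transport == "HTTP":
                # Over plain HTTP the Kerberos message encryption is all that protects
                # the payload; 'always' makes Ansible fail rather than fall back to plaintext.
                inv["ansible_winrm_message_encryption"] = "always"
                warnings.append(
                    "no HTTPS listener: payload relies on Kerberos message encryption")
            return inv, warnings
    return None, ["no enabled WinRM listener found"]


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_LISTENER_OUTPUT)
    for l in found:
        print(f"{l['Source']:<14} {l['Transport']:<5} port {l['Port']:<5} enabled={l['Enabled']}")
    inv, warnings = recommend_connection(found)
    print("inventory vars:", inv)
    for w in warnings:
        print("warning:", w)
```

Run against the sample it picks the HTTPS listener on 443 and warns that ansible_port must be set because 443 is not the default 5986, which is the mismatch the thread ran into; if only the HTTP listener exists it falls back to 5985 with message encryption forced on.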

Thanks all,
I am able to run ping module on windows machines.

Lucas, or someone, can you help me with this? Currently in my krb5.config I added only 1 host@DOMAIN.com, but if I want to run on multiple Windows machines do I need to add all my hosts to the krb5.config file?

thanks,
Narmada

Thanks, it worked. I am able to ping Windows hosts, but I have one more challenge.
In my Kerberos file I am adding my host name to the realms, so if I need to run a script or anything on multiple Windows hosts, do I need to add all those hosts under realms?

[realms]
XYZ.COM = {
kdc = HOSTNAME1.XYZ.COM
kdc = HOSTNAME2.XYZ.COM
}

You only need to have your kdc (domain controller) in the realms section. This file is used by the local krb5 libraries to know what host to talk to when getting a Kerberos ticket. Windows hosts you are authenticating to just need to be resolvable in DNS but don’t need to exist in your krb5.conf file.

Thanks

Jordan
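The two krb5.conf points made in this thread (the kdc value must be a resolvable domain controller hostname, not an account, which was behind the "Cannot find KDC for realm" error earlier; and only KDCs belong under [realms], the Windows targets do not), as an added example that is not part of the thread and not MIT Kerberos or Ansible code: a minimal Python parser for the subset of krb5.conf shown above plus two checks. Both sample configs are constructed, dc1.xyz.com and dc2.xyz.com are placeholder hostnames, and DNS resolution is injectable so the check can run offline. It also checks that a principal's realm matches a configured realm exactly, since Kerberos realm names are case-sensitive.

```python
import re
import socket

# Constructed krb5.conf reproducing the mistake discussed in the thread: the kdc
# value is an account (USERNAME@XYZ.COM) instead of a domain controller hostname.
BAD_KRB5_CONF = """\
[libdefaults]
    default_realm = XYZ.COM
    dns_lookup_realm = false
    rdns = false

[realms]
    XYZ.COM = {
        kdc = USERNAME@XYZ.COM
    }

[domain_realm]
    .xyz.com = XYZ.COM
    xyz.com = XYZ.COM
"""

# Constructed corrected version: only domain controllers under the realm
# (dc1/dc2.xyz.com are placeholders) and no entries for the Windows targets.
GOOD_KRB5_CONF = """\
[libdefaults]
    default_realm = XYZ.COM
    dns_lookup_realm = false
    rdns = false

[realms]
    XYZ.COM = {
        kdc = dc1.xyz.com
        kdc = dc2.xyz.com
    }

[domain_realm]
    .xyz.com = XYZ.COM
    xyz.com = XYZ.COM
"""

SECTION_HEADER = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text):
    """Minimal parser for the subset of krb5.conf used here: [section] headers,
    'key = value' lines (repeated keys collect into a list) and one level of
    'NAME = { ... }' blocks such as realm definitions. includedir is skipped."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        header = SECTION_HEADER.match(line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            continue
        if line.endswith("{"):
            name = line[:-1].split("=", 1)[0].strip()
            block = section.setdefault(name, {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        target = block if block is not None else section
        target.setdefault(key.strip(), []).append(value.strip())
    return sections


def check_realm_kdcs(conf, resolve=socket.gethostbyname):
    """Report kdc entries that are not resolvable domain controller hostnames.
    'resolve' is injectable so the check can run without DNS."""
    problems = []
    for realm, settings in conf.get("realms", {}).items():
        kdcs = settings.get("kdc", []) if isinstance(settings, dict) else []
        if not kdcs:
            problems.append(f"{realm}: no kdc entries, kinit will depend on DNS SRV records")
        for kdc in kdcs:
            host = kdc.split(":", 1)[0]  # allow an optional :port suffix
            if "@" in host:
                problems.append(
                    f"{realm}: kdc '{kdc}' looks like an account, not a domain controller hostname")
                continue
            try:
                resolve(host)
            except OSError:
                problems.append(f"{realm}: kdc '{host}' does not resolve in DNS")
    return problems


def check_principal_realm(principal, conf):
    """Kerberos realm names are case-sensitive: user@xyz.com does not match a
    realm configured as XYZ.COM. Returns a message, or None when it matches."""
    _, sep, realm = principal.rpartition("@")
    if not sep:
        return None  # default_realm from [libdefaults] applies
    configured = sorted(conf.get("realms", {}))
    if realm in configured:
        return None
    return f"principal realm '{realm}' is not configured (realms are case-sensitive): {configured}"


if __name__ == "__main__":
    for label, text in (("bad", BAD_KRB5_CONF), ("good", GOOD_KRB5_CONF)):
        conf = parse_krb5_conf(text)
        print(label, "kdc problems:", check_realm_kdcs(conf))
        print(label, "principal user@xyz.com:", check_principal_realm("user@xyz.com", conf))
```

Run with the real resolver the "good" config will still flag the placeholder DC names unless they exist in your DNS, which is exactly the "host is able to resolve it" condition from the reply above; point it at /etc/krb5.conf and your real principal to get the same two answers before involving Ansible at all.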