SSH connection works, but not ansible connection - ansible

I am trying to set up an Ansible environment. The controlling server is a Windows 10 machine. Therefore Cygwin was installed there. The servers that are maintained/controlled are either Windows 10 or Linux machines.
For the connection I could already set up an SSH connection. Therefore an OpenSSH server was installed on the controlling server and an OpenSSH client on the maintained/controlled server. SSH keys (public, private) were generated and the public key transferred to the maintained/controlled server in the folder ssha/.ssh.
On Cygwin a connection can be established. But when Ansible is used I get an error. As a first step I have a simple ping, and to keep it easy the host file and any playbook were both avoided, e.g.
ansible 192.168.1.30 -u ssha -m win_ping
and the following message is then displayed.
192.168.1.30 | UNREACHABLE! => {
    "changed": false,
    "msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in "/tmp". Failed command was: ( umask 77 && mkdir -p "echo ~/.ansible/tmp/ansible-tmp-1610305300.3137856-64003402380126" && echo ansible-tmp-1610305300.3137856-64003402380126="echo ~/.ansible/tmp/ansible-tmp-1610305300.3137856-64003402380126" ), exited with result 1",
    "unreachable": true
}
I don't have any more ideas how to solve this issue. Your help is very much appreciated.
Hadrian

Related

How to configure ansible under cygwin to use pageant (running ansible with password protected key)

I want to use a password protected ppk file to access my servers via ansible.
I've loaded the key using pageant
I'm trying to run a simple ansible command but it fails.
1.1.1.1 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Host key verification failed.",
"unreachable": true
}
How can I make sure ansible uses the key?
My ansible is running inside cygwin terminal running on windows 10.
I think that the cygwin can't see the pageant running on the win 10 host.
ppk keys need to be transformed to an OpenSSH key using puttygen.
Then you need to use
ssh-agent bash
ssh-add ./ssh_key
and then ansible will work with that key.

Cannot connect to WindowsServer from Centos7 due to ProxyError

I am trying to connect to Windows Server 2012 from my ansible server (Centos7).
Let's assume its host is x and port is y
I managed to connect to other linux based servers but I cannot connect to the windows one.
I followed the tutorial here and after all setups and configurations I get the following error:
root@localhost: ansible# ansible windows -i hosts -m win_ping --ask-vault-pass
Vault password:
WindowsServer | UNREACHABLE! => {
"changed": false,
"msg": "ssl: HTTPSConnectionPool(host='x', port=y): Max retries exceeded with url: /wsman (Caused by ProxyError('Cannot connect to proxy.', error('Tunnel connection failed: 403 Forbidden',)))",
This is my group_vars/windows.yml file:
# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml
ansible_user: Administrator
ansible_password: password
ansible_port: y
ansible_connection: winrm
This is my hosts file snippet:
[windows]
WindowsServer ansible_host=x
I did configure windows server with this file.
Please help, I have no idea what to do to make the connection work.
As J and Mike from the ansible google group suggested:
The reason for the error was the environment variables HTTP_PROXY and HTTPS_PROXY that ansible used from the system.
To let ansible know that you are using a proxy you have to:
1. Locate transport.py that comes with pywinrm.
2. Modify the following line, session.trust_env, to make it False.
# configure proxies from HTTP/HTTPS_PROXY envvars
# session.trust_env = True
session.trust_env = False
3. pywinrm will no longer check your local env for a proxy.
After that I also needed to add one more variable to the group_vars/windows.yml file:
ansible_winrm_server_cert_validation: ignore

How to connect to Windows node using OpenSSH and Ansible?

I am trying to connect to my windows computer using OpenSSH and Ansible.
I am able to connect using regular ssh, but when I try to connect using Ansible, I get pretty much the same error every time I change something.
I've also tried running Ansible as root and still nothing.
fatal: [IVU]: UNREACHABLE! => {"changed": false, "msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 77 && mkdir -p \"` echo /tmp/ansible-tmp-1502794936.2073953-164132649383245 `\" && echo ansible-tmp-1502794936.2073953-164132649383245=\"` echo /tmp/ansible-tmp-1502794936.2073953-164132649383245 `\" ), exited with result 1", "unreachable": true}
I've tried to change the ssh_args in ansible.cfg to ssh_args= -o ControlMaster=no and no change to the output was made.
I've tried to change the executable in the ansible.cfg to C:/Windows/System32/cmd.exe and I got the same error
I've tried changing the remote_dir=/tmp/ and still nothing.
My ansible inventory is:
[IVU]
IVU ansible_host=**IP**
[IVU:vars]
ansible_port=22
ansible_user=**user**
ansible_ssh_pass=**pass**
ansible_ssh_private_key_file=** Keyfile **
It seems like it's failing before even running any tasks, but from the openssh logs on the windows computer I see no difference when ansible connects to it and when I ssh into it.
3724 09:27:38:720 error: Couldn't create pid file "C:\\Program Files\\OpenSSH\\sshd.pid": Permission denied
3724 09:27:41:376 Accepted publickey for **User** from **IP** port 42700 ssh2: RSA SHA256:clNmiKxygl/TLEb5Ob4lZs6JqztoQyxOsjMoHQ2HYgo
3724 09:27:58:533 Received disconnect from **IP** port 42700:11: disconnected by user
3724 09:27:58:533 Disconnected from user **User** **IP** port 42700
3360 09:28:41:398 error: Couldn't create pid file "C:\\Program Files\\OpenSSH\\sshd.pid": Permission denied
3360 09:28:41:616 Accepted publickey for **User** from **IP** port 42704 ssh2: RSA SHA256:clNmiKxygl/TLEb5Ob4lZs6JqztoQyxOsjMoHQ2HYgo
3360 09:28:41:741 Received disconnect from **IP** port 42704:11: disconnected by user
3360 09:28:41:741 Disconnected from user **User** **IP** port 42704
The 9:27 is when I'm connecting using ssh and the 9:28 is when ansible connects.
Is there something I'm missing that I need to change in order for Ansible to work with openSSH on windows?
I figured out a solution by using a reverse ssh tunnel.
I abandoned the idea of trying to use the ssh ansible module with windows since Windows simply doesn't play nicely with it unless you have the windows 10 update. I decided to use the winrm ansible module instead.
What I did is I connected the windows computer to the computer running Ansible by opening a reverse SSH tunnel by using the command:
ssh -p5983 -R 5982:localhost:5986 **my_user**@**my_ip**
For my purposes I had to port forward because my computer was on a separate vlan than the windows computer.
Then in Ansible I specified that the host is localhost at port 5982.
This is about as good a solution as there is when working with openssh and windows, at least until Ansible supports openssh on windows.
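The sshd log quoted in the question already narrows the failure: both sessions pass public-key authentication, and the Ansible session ends a fraction of a second later, which points past authentication to the command run afterwards. The parser below is an added example, not code from the posts; its function names are hypothetical and it runs over the log lines exactly as quoted above.

```python
import re
from collections import defaultdict

# Log lines copied from the question above; the **...** redactions are the poster's.
SSHD_LOG = r"""
3724 09:27:38:720 error: Couldn't create pid file "C:\\Program Files\\OpenSSH\\sshd.pid": Permission denied
3724 09:27:41:376 Accepted publickey for **User** from **IP** port 42700 ssh2: RSA SHA256:clNmiKxygl/TLEb5Ob4lZs6JqztoQyxOsjMoHQ2HYgo
3724 09:27:58:533 Received disconnect from **IP** port 42700:11: disconnected by user
3724 09:27:58:533 Disconnected from user **User** **IP** port 42700
3360 09:28:41:398 error: Couldn't create pid file "C:\\Program Files\\OpenSSH\\sshd.pid": Permission denied
3360 09:28:41:616 Accepted publickey for **User** from **IP** port 42704 ssh2: RSA SHA256:clNmiKxygl/TLEb5Ob4lZs6JqztoQyxOsjMoHQ2HYgo
3360 09:28:41:741 Received disconnect from **IP** port 42704:11: disconnected by user
3360 09:28:41:741 Disconnected from user **User** **IP** port 42704
"""

# "<pid> HH:MM:SS:mmm <message>" as written by this OpenSSH-for-Windows build
LINE = re.compile(r"^(\d+) (\d\d):(\d\d):(\d\d):(\d{3}) (.*)$")
ACCEPTED = re.compile(r"^Accepted (\S+) for (\S+) from \S+ port (\d+) ssh2: (\S+) (\S+)")

def summarize_sessions(log_text):
    """Group sshd lines by process id; record auth method, key and session length."""
    sessions = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognized line
        pid, hh, mm, ss, ms, msg = m.groups()
        t_ms = ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1000 + int(ms)
        s = sessions[pid]
        a = ACCEPTED.match(msg)
        if a:
            s.update(method=a.group(1), port=int(a.group(3)),
                     key=a.group(5), auth_ms=t_ms)
        elif msg.startswith("Disconnected from user") and "auth_ms" in s:
            s["duration_ms"] = t_ms - s["auth_ms"]  # time spent after auth
    return dict(sessions)

def same_key_all_sessions(sessions):
    """True when every session authenticated and all used one key fingerprint."""
    keys = {s.get("key") for s in sessions.values()}
    return None not in keys and len(keys) == 1

if __name__ == "__main__":
    result = summarize_sessions(SSHD_LOG)
    for pid, s in result.items():
        print(pid, s["method"], s["key"], f'{s["duration_ms"]} ms after auth')
    print("same key, auth succeeded in both:", same_key_all_sessions(result))
```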

Unable to connect to a Windows Instance using Ansible Playbook

Every time I try running a playbook to automate some installations in Windows Server, my Windows Remote Host seems to be unreachable.
Here, I am trying to install IIS Server and my playbook looks like this :
---
- hosts: windows
  tasks:
    - name: Install Microsoft IIS
      win_feature:
        name: Web-Server
        state: present
And the error is :
fatal: [ec2-54-197-197-91.compute-1.amazonaws.com]: UNREACHABLE! => {
"changed": false,
"msg": "ssl: HTTPSConnectionPool(host='ec2-54-197-197-91.compute-1.amazonaws.com', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x1b11310>, 'Connection to ec2-54-197-197-91.compute-1.amazonaws.com timed out. (connect timeout=30)'))",
"unreachable": true
}
But, now I came to know that, to run playbooks for Windows, I need to have winrm installed on my control node.
I have done the following :
pip install "pywinrm>=0.1.1"
I have added the public ip of Windows Instance and my hosts file looks like:
[local]
127.0.0.1
[aws]
ec2-54-152-85-197.compute-1.amazonaws.com
[windows]
ec2-54-197-197-91.compute-1.amazonaws.com
Then, I created a directory "group_vars" in /etc/ansible, and in that a file windows.yml which reads :
ansible_user: Administrator
ansible_password: SecretPasswordGoesHere
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
Please let me know where I am going wrong.
(most likely, because you have not mentioned it)
You need to configure remote commands in PowerShell on your Windows instance (as described in the Windows system prep section). Execute the following (with administrator permissions):
iwr https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -UseBasicParsing | iex
Before that, depending on your settings, you might also need to enable the PowerShell execution policy, set the network interface to private network (mind the InterfaceAlias value below) and enable PowerShell remoting.
Set-ExecutionPolicy Unrestricted -Force
Set-NetConnectionProfile -InterfaceAlias Ethernet0 -NetworkCategory Private
Enable-PSRemoting
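The group_vars/windows.yml files quoted on this page keep the WinRM password in clear text and end up with ansible_winrm_server_cert_validation: ignore, although the first file's own comment suggests ansible-vault. The check below is an added example, not code from the posts; the function name and finding labels are hypothetical and both sample files are constructed.

```python
import re

# Constructed sample mirroring the group_vars/windows.yml quoted above.
WEAK = """\
ansible_user: Administrator
ansible_password: SecretPasswordGoesHere
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
"""

# Constructed sample: inline vault value (ciphertext is a placeholder) and
# certificate validation left on.
HARDENED = """\
ansible_user: Administrator
ansible_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  0000placeholder0000
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: validate
"""

SECRET_KEYS = {"ansible_password", "ansible_ssh_pass", "ansible_become_password"}
PAIR = re.compile(r"^([A-Za-z_]\w*)\s*[:=]\s*(.*)$")  # YAML "k: v" or INI "k=v"

def audit_connection_vars(text):
    """Return sorted finding labels for a flat group_vars file or [group:vars] block."""
    if text.lstrip().startswith("$ANSIBLE_VAULT;"):
        return []  # whole file is vault-encrypted, nothing readable to audit
    findings = set()
    for line in text.splitlines():
        m = PAIR.match(line)
        if not m:
            continue  # comments, blanks, section headers, indented ciphertext
        key = m.group(1)
        value = m.group(2).split(" #")[0].strip().strip("'\"")
        # A vault tag or a Jinja reference means the secret is not stored here.
        indirect = value.startswith("!vault") or "{{" in value
        if key in SECRET_KEYS and value and not indirect:
            findings.add("plaintext-secret:" + key)
        if key == "ansible_winrm_server_cert_validation" and value == "ignore":
            findings.add("tls-validation-disabled")
    return sorted(findings)

if __name__ == "__main__":
    print("weak:", audit_connection_vars(WEAK))
    print("hardened:", audit_connection_vars(HARDENED))
```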

Ansible windows fails with "Server not found in Kerberos database"

I am testing ansible (developer build) to connect to a windows machine.
ansible 2.0.0 (devel d1b98ec776)
The following command fails
ansible inh-jnambood-dt.india.mentorg.com -m win_ping -vvvv
Error is as below
bash-4.1$ ansible inh-jnambood-dt.india.mentorg.com -m win_ping -vvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<inh-jnambood-dt.india.mentorg.com> ESTABLISH WINRM CONNECTION FOR USER: jnambood@MGC.MENTORG.COM on PORT 5985 TO inh-jnambood-dt.india.mentorg.com
inh-jnambood-dt.india.mentorg.com | FAILED! => {
"failed": true,
"msg": "ERROR! kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), plaintext: 401 Unauthorized."
jnambood is my user id; MGC.MENTORG.COM is the domain.
Clearly there is some step I missed. What should I do to fix this error?
That usually means that the Linux host where you're running kinit is not joined to the domain (ie, it doesn't have a properly configured computer account in the domain). The existing docs unhelpfully omit that requirement...
I've also seen this occur where the FQDN of the host is not entered in both the command and the ansible hosts file.
Try something like:
inh-jnambood-dt.mcg.mentorg.com
HTH
I'm not using Ansible, but pywinrm directly. To get things working from a RHEL7 computer to a Windows 10 host in the domain, I changed @ to / in the pywinrm code. I did this because I saw other software use HTTP/hostname and not HTTP@hostname when talking to Kerberos. Hope this is useful for somebody.
https://github.com/requests/requests-kerberos/pull/141/commits
We had this same error. For us, it was resolved by shortening the hostname to have less than 15 characters.
