Ansible authentication on Windows - windows

I'm using Jenkins to run an Ansible playbook on a Windows host. I'm trying to do a very simple command like robocopy between a NAS share and a local directory on the Windows machine. The problem is that all the time I'm receiving ACCESS DENIED(5). This is not true, because the user (domain\sysansible) under which I'm running Ansible already has full rights. There is no problem when I start the same command on Windows or on any other machine. I have noticed that when Jenkins is running the Ansible playbook it is being recognized not as domain\sysansible but as a member of the local admin group windows_host\administrator, which doesn't have rights to the NAS share (and cannot have them, because only domain accounts are approved).
My inventory file looks as follow:
[application_host]
lizard ansible_host=windows_host.domain.companynet.net ansible_connection=winrm ansible_winrm_transport=kerberos ansible_user=sysansible@company.com ansible_password=***** ansible_port=5986 ansible_winrm_server_cert_validation=ignore
My Ansible task is quite simple. It works when I exchange the source for a local directory instead of \\nas-share\applications\app-home. I have also used some variations of the robocopy parameters, but they also failed.
- name: Sync the contents of home directory to backup site, including subdirectories
  win_command: robocopy \\nas-share\applications\app-home d:\application\backup\home-folder /E /w:5 /r:2 /log:D:\Applications\log.txt /XD \\nas-share\applications\app-home\artifacts
  register: info_robocopy
  tags:
    - robo
The question for me is why am I being recognized as the local admin account group? How can I be recognized on Windows as domain\sysansible?

You are using basic authentication; it does not allow you to delegate credentials to the next host you want to copy files to.
(see https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html)
Try to use CredSSP connections to your hosts, or establish a Kerberos connection with the following (example) variables in the inventory:
ansible_user=user@yourdomain
ansible_password=Passwordthere
ansible_port=5985
ansible_connection=winrm
ansible_winrm_transport=kerberos
ansible_winrm_message_encryption=auto
ansible_winrm_kerberos_delegation=yes
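Added example, not code from either post above. The question's inventory already selects ansible_winrm_transport=kerberos, so what the second hop to the NAS still needs is a forwardable ticket (ansible_winrm_kerberos_delegation) plus an Active Directory computer account for windows_host that is trusted for delegation, preferably constrained delegation limited to the NAS's cifs SPN. The playbook keeps the connection settings in play vars, checks on the Windows host which account the session runs as and whether a Kerberos TGT was actually delegated before it touches the share, and maps robocopy's exit-code bitmask (8 and above mean failures) onto changed/failed. The CA bundle path and the vault variable name are assumptions.

```yaml
# Added example, not from the original posts. Assumptions: the CA bundle path,
# the vault variable, and that windows_host's AD computer account is trusted
# for (constrained) delegation to the NAS's cifs service.
- name: Back up app-home from the NAS share with a delegated Kerberos ticket
  hosts: application_host
  gather_facts: false
  vars:
    ansible_connection: winrm
    ansible_port: 5986
    ansible_winrm_transport: kerberos
    ansible_winrm_message_encryption: auto
    # Forwardable TGT: lets the Windows host authenticate to the NAS as sysansible
    ansible_winrm_kerberos_delegation: true
    # Validate the WinRM certificate instead of ignoring it; the bundle path is assumed
    ansible_winrm_server_cert_validation: validate
    ansible_winrm_ca_trust_path: /etc/pki/tls/certs/company-ca.pem
    ansible_user: sysansible@company.com
    ansible_password: "{{ vault_sysansible_password }}"   # assumed ansible-vault variable
  tasks:
    - name: Show which account the WinRM session runs as and the tickets it holds
      win_shell: whoami /upn; klist
      register: session
      changed_when: false

    - name: Stop before touching the share unless we are the domain user with a TGT
      assert:
        that:
          - "'sysansible@company.com' in (session.stdout | lower)"
          - "'krbtgt/' in (session.stdout | lower)"
        fail_msg: >-
          No delegated ticket in the session: check ansible_winrm_kerberos_delegation
          and that windows_host is trusted for delegation to the NAS in AD.

    - name: Sync the contents of home directory to backup site, including subdirectories
      win_command: >-
        robocopy \\nas-share\applications\app-home d:\application\backup\home-folder
        /E /W:5 /R:2 /LOG:D:\Applications\log.txt
        /XD \\nas-share\applications\app-home\artifacts
      register: info_robocopy
      # robocopy exit codes are a bitmask: bit 1 = files copied, 8 and 16 = failures
      changed_when: info_robocopy.rc in [1, 3, 5, 7]
      failed_when: info_robocopy.rc >= 8
      tags: [robo]
```

A forwardable TGT lets the Windows host act as sysansible against any service it is allowed to delegate to, so restrict that list in AD (constrained delegation to the NAS's cifs SPN) rather than enabling unconstrained delegation; the whoami/klist check makes the failure mode explicit instead of surfacing as ACCESS DENIED from robocopy.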

Related

Ansible command to trigger registration on another server

I can't find any documentation on how to include a secondary server in a playbook.
If for instance, I want to install sssd on SERVERA and register with a FreeIPA server.
On the FreeIPA server (only), I need to:
get a Kerberos ticket (via kinit)
check if SERVERA is already in IPA instance
delete SERVERA from IPA if true
Since this is an installation playbook run against SERVERA, it doesn't seem right to include the IPA server in the hostlist...but nor can I see any "third party servers" module?
I presume you are searching for the delegate_to option, which allows you to delegate a task to a host that is not in the hostlist.
Often used to run things on the localhost (host running ansible), it can also be used to push a task to a host not in hostlist. The host has to be in the inventory file though.
Example:
- name: Ping the other host
  ping:
  delegate_to: otherhost.com   # This is where you set it
More info: http://docs.ansible.com/ansible/latest/user_guide/playbooks_delegation.html#delegation
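Added example, not the answerer's code, going slightly beyond the question: it runs the three IPA-side steps (kinit, check, delete) with delegate_to, and then enrols SERVERA with a one-time password created by ipa host-add --random, so the IPA admin password never reaches SERVERA and the kinit uses a keytab instead of a password on the command line. The inventory name ipa.example.com, the keytab path and principal, and the freeipa-client package name are assumptions.

```yaml
# Added example, not from the original posts. Assumptions: ipa.example.com is
# the FreeIPA server's inventory name, /etc/ansible-ipa.keytab holds a key for
# a dedicated principal that has only IPA's "Host Administrators" privilege,
# and freeipa-client is the client package on SERVERA.
- name: Enrol SERVERA in FreeIPA, replacing any stale host entry first
  hosts: servera.example.com
  become: true
  vars:
    ipa_server: ipa.example.com
    ipa_domain: example.com
    ipa_realm: EXAMPLE.COM
  tasks:
    - name: Get a Kerberos ticket on the IPA server from a keytab (no password on the command line)
      command: kinit -kt /etc/ansible-ipa.keytab ansible-ipa@{{ ipa_realm }}
      delegate_to: "{{ ipa_server }}"
      changed_when: false

    - name: Check whether this host already exists in IPA (exit code 2 means NotFound)
      command: ipa host-show {{ inventory_hostname }}
      delegate_to: "{{ ipa_server }}"
      register: ipa_host
      changed_when: false
      failed_when: ipa_host.rc not in [0, 2]

    - name: Delete the old entry so the keytab and host certificate are re-issued
      command: ipa host-del {{ inventory_hostname }} --updatedns
      delegate_to: "{{ ipa_server }}"
      when: ipa_host.rc == 0

    - name: Create the entry with a one-time enrolment password instead of using admin's
      command: ipa host-add {{ inventory_hostname }} --random --force
      delegate_to: "{{ ipa_server }}"
      register: ipa_add
      no_log: true        # the OTP is printed on stdout

    - name: Discard the ticket on the IPA server
      command: kdestroy
      delegate_to: "{{ ipa_server }}"
      changed_when: false

    - name: Install the IPA client, which pulls in sssd
      apt:
        name: freeipa-client
        state: present
        update_cache: true

    - name: Enrol SERVERA with the OTP; the admin password never reaches this host
      command: >-
        ipa-client-install --unattended
        --domain {{ ipa_domain }} --realm {{ ipa_realm }} --server {{ ipa_server }}
        --hostname {{ inventory_hostname }}
        --password {{ ipa_add.stdout | regex_search('Random password: (\\S+)', '\\1') | first }}
      args:
        creates: /etc/ipa/default.conf
      no_log: true
```

The IPA server only has to exist in the inventory; it is never in the play's hosts list. Because the play sets become: true, the delegated tasks also run through sudo on the IPA server, which is why the keytab can be root-readable only.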

Ansible Delegate_to WinRM

I am using the ansible vsphere_guest module to spin up a base Windows machine on a VMware environment. In my playbook, to do this I set Hosts: 127.0.0.1 connection: local. The reason I am doing this is I believe I'm not targeting this playbook at any particular host, as I don't have one yet. I instead want to run the playbook locally.
When this runs, I get a new shiny windows server VM. What I now want to do is rename that VM's computer name. To do this I am trying to upload and run a powershell script like so rename_host.ps1 $newHostname. As I understand, I need to use the script module to do this. However, this time I want to target my brand new VM, which I get the IP address of through a fact, {{ newvm_ipaddress }}.
However, when I try and run this script with delegate_to: "{{ newvm_ipaddress }}", it's trying to run over SSH. SSH won't work; I'm targeting a Windows machine with remote PowerShell.
Is there any way to set the connection to use WinRM in the context of delegate_to? Perhaps there is a better way of doing this?
Thank you for your help
I managed to work out how to solve it. The answer is the Ansible module 'add_host'. I have a play under vsphere_guest as follows. This creates a new in-memory host, which can then be accessed by a different play.
- add_host:
    name: "{{ vm_ipaddress }}"
    groups: new_machine
    ansible_connection: winrm
After this, I then have a new play that can target this host.
- hosts: new_machine
Also to note, variables do not span across different hosts. The solution was to use the set_fact module in play A, which can then be accessed from within play B:
- set_fact:
    vm_ipaddress: "{{ hw_eth0.ipaddresses[1] }}"   # hw_eth0 is the fact returned from the vsphere_guest module
What about updating the inventory with the new host's name and with the WinRM connection params before using delegate_to, or perhaps setting some default catch-all naming scheme with these params?
For example:
[databases]
db-[a:f].example.com:5986 ansible_user=Administrator ansible_connection=winrm ansible_winrm_server_cert_validation=ignore
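Added example, not code from either answer above: the add_host approach carried through, with the WinRM connection settings attached to the in-memory host, a wait for port 5986 before the second play targets it, and the rename done with the win_hostname module rather than a pushed script. The VM address and new name are constructed samples; the vault variable and the CA bundle path are assumptions.

```yaml
# Added example, not from the original posts. Assumptions: new_vm_ip has
# already been set from vsphere_guest's facts, the vault variable name, and
# a CA bundle that issued the template's WinRM certificate.
- name: Register the freshly created VM as an in-memory WinRM host
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    new_vm_ip: 10.0.0.42            # constructed sample; normally a set_fact from vsphere_guest
  tasks:
    - name: Wait for WinRM over HTTPS to answer before any play targets the VM
      wait_for:
        host: "{{ new_vm_ip }}"
        port: 5986
        delay: 10
        timeout: 600

    - name: Add the VM to the in-memory inventory with its WinRM connection settings
      add_host:
        name: "{{ new_vm_ip }}"
        groups: new_machine
        ansible_connection: winrm
        ansible_port: 5986
        ansible_winrm_transport: ntlm          # local Administrator, no Kerberos before domain join
        ansible_user: Administrator
        ansible_password: "{{ vault_new_vm_admin_password }}"   # assumed ansible-vault variable
        ansible_winrm_server_cert_validation: validate
        ansible_winrm_ca_trust_path: /etc/pki/tls/certs/vm-template-ca.pem   # assumed path

- name: Rename the VM with win_hostname instead of uploading a script
  hosts: new_machine
  gather_facts: false
  vars:
    new_hostname: app-web-01        # constructed sample
  tasks:
    - name: Set the computer name
      win_hostname:
        name: "{{ new_hostname }}"
      register: rename

    - name: Reboot only when the rename requires it
      win_reboot:
      when: rename.reboot_required
```

Every key passed to add_host beyond name and groups becomes a host variable, which is what makes the second play connect over WinRM. The question's ansible_winrm_server_cert_validation=ignore is the quick way around a template with a self-signed certificate; pointing ansible_winrm_ca_trust_path at the issuing CA keeps validation on while still working against a fresh template.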

copy files to remote machine's /etc/systemd/ directory using ansible

I am new to Ansible. I may be saying something which is completely wrong.
I created a VM using KVM; both remote and local are running Ubuntu 16.04.
Now I configured Ansible by creating a key as
ssh-keygen -t rsa -b 4096 -C "D...@192.168.111.113"
This created the key, and I copied it to the remote machine with
ssh-copy-id D...@192.168.111.113
Now I tested that ssh is working; it is working fine.
I added the remote machine's address in /etc/ansible/hosts under the [DDAS] group.
Now I can ping the remote machine using Ansible. Then I wrote a playbook to copy a file. It is working fine to copy files to /home/Das1/ only. I mean, I can copy files to a location which does not need root permission.
I want to copy these files to the /etc/systemd/ directory instead of /home/das1/. I changed dest in the playbook but it gives permission-related errors.
Any help is highly appreciated.
Thanks
DAS
By default your playbook tasks execute under the context of the user you use to connect to the remote system. Ansible allows you to change the user you use to run a playbook or individual tasks. You can create a new user and give it privileges to the directory you mention or you can use the built-in root user.
To run your entire playbook as root for example put this at the top adjusting for whatever your actual hosts value is:
- hosts: 192.168.111.113
  become: true
  become_user: root
  tasks:
    ...
Probably the /etc/systemd/ directory does not have "write" privilege for the user you are using.
Check the permissions for /etc/systemd/ with ls -lrt.
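Added example, not code from either answer above: a play for the DDAS group that escalates only on the tasks that need root rather than on the whole play, puts the unit file into /etc/systemd/system (the directory systemd reads locally installed units from; /etc/systemd/ itself holds systemd's own configuration) with root ownership and a mode the service account cannot write to, and reloads systemd through a handler. The unit file name myapp.service is an assumption.

```yaml
# Added example, not from the original posts. Assumptions: a unit file
# files/myapp.service next to the playbook, and sudo rights for the ssh user.
- name: Install a systemd unit on the DDAS hosts
  hosts: DDAS
  tasks:
    - name: Copy the unit as root; a 0644 root-owned file cannot be edited by the service user
      copy:
        src: files/myapp.service
        dest: /etc/systemd/system/myapp.service
        owner: root
        group: root
        mode: '0644'
      become: true            # only this task and the handler escalate
      notify: restart myapp

    - name: Make sure systemd has read the unit, then enable and start it
      systemd:
        name: myapp
        daemon_reload: true
        enabled: true
        state: started
      become: true

  handlers:
    - name: restart myapp
      systemd:
        name: myapp
        daemon_reload: true
        state: restarted
      become: true
```

become_user defaults to root, so it does not need to be spelled out; keeping become on the individual tasks means a later task that only reads a file does not silently run as root too.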

Ansible execute command locally and then on remote server

I am trying to start a server using the Ansible shell module with ipmitool and then do a configuration change on that server once it's up.
The server with Ansible installed also has ipmitool.
On the server with Ansible I need to execute ipmitool to start the target server and then execute playbooks on it.
Is there a way to execute local ipmi commands on the server running Ansible to start the target server through Ansible and then execute all playbooks over ssh on the target server?
You can run any command locally by providing the delegate_to parameter.
- shell: ipmitool ...
  delegate_to: localhost
If ansible complains about connecting to localhost via ssh, you need to add an entry in your inventory like this:
localhost ansible_connection=local
or in host_vars/localhost:
ansible_connection: local
See behavioral parameters.
Next, you're going to need to wait until the server is booted and accessible through ssh. Here is an article from Ansible covering this topic, and this is the task they have listed:
- name: Wait for Server to Restart
  wait_for:
    host: "{{ inventory_hostname }}"
    port: 22
    delay: 15
    timeout: 300
  delegate_to: localhost   # the article's local_action form; runs on the control node
  become: false            # the article's sudo: false, a keyword removed in Ansible 2.9
If that doesn't work (since it is an older article, and I think I previously had issues with this solution) you can look into the answers to this SO question.
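Added example, not the answerer's code: the whole sequence in one play, with the ipmitool call delegated to the control node, the BMC password passed through ipmitool's -E option (read from IPMI_PASSWORD in the environment, so it never appears in the process list or the log), a wait_for that insists on an SSH banner rather than just an open port, and only then normal tasks over SSH. The inventory variables bmc_host and bmc_user, the vault variable, and the group name are assumptions.

```yaml
# Added example, not from the original posts. Assumptions: each host carries
# bmc_host and bmc_user in the inventory, the BMC password is in a vault
# variable, and ipmitool is installed on the control node.
- name: Power on a server through its BMC, then configure it over SSH
  hosts: app_servers
  gather_facts: false
  tasks:
    - name: Power the chassis on from the control node
      command: ipmitool -I lanplus -H {{ bmc_host }} -U {{ bmc_user }} -E chassis power on
      environment:
        IPMI_PASSWORD: "{{ vault_bmc_password }}"   # -E reads the password from this variable
      delegate_to: localhost
      become: false
      no_log: true
      register: power
      changed_when: "'Up/On' in power.stdout"

    - name: Wait for SSH to answer with a banner (port open is not enough during early boot)
      wait_for:
        host: "{{ ansible_host | default(inventory_hostname) }}"
        port: 22
        search_regex: OpenSSH
        delay: 30
        timeout: 600
      delegate_to: localhost
      become: false

    - name: First contact over SSH; facts were skipped above because the host was off
      setup:

    - name: Confirm the session works before the real configuration tasks follow
      ping:
```

gather_facts is off at the top because fact gathering would try to SSH into a powered-off host before the ipmitool task runs; the explicit setup task restores the facts once the server is reachable.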

Ansible : Not able to switch user from remote machine

I am new to Ansible. Trying to copy some files to a remote machine.
I am able to copy to the remote server's tmp folder, but not able to copy to a particular user's folder.
I think it is possible if we can switch to that particular user. But I am not able to do so using a playbook.
Please help me on this.
Regards,
KP
This is a permission issue. The user which you use to connect to the host does not have permission to write to that other user's folder.
If you have access to that user's account (e.g. your ssh key is accepted) you can simply define the user per task through remote_user:
- copy:
    src: ...
    dest: ...
  remote_user: <SET_OWNER_HERE>
If you do not have access, you can use the sudo flag to execute a task with root permissions. But make sure you set the permissions correctly or the user might not be able to read/write those files:
- copy:
    src: ...
    dest: ...
    owner: <SET_OWNER_HERE>
    group: <SET_GROUP_HERE>
    mode: '0644'
  become: yes          # become replaced the sudo keyword, which was removed in Ansible 2.9
Also, you can define the username as which the sudo command is executed with sudo_user:
- copy:
    src: ...
    dest: ...
  become: yes
  become_user: <SET_OWNER_HERE>   # formerly sudo_user
If sudo requires a password from you, you have to provide it or the task will hang forever without any error message.
You can define this globally in the ansible.cfg:
[privilege_escalation]
become_ask_pass = True   ; formerly ask_sudo_pass under [defaults]
Or pass the option when you call your playbook:
ansible-playbook ... --ask-become-pass   # formerly --ask-sudo-pass
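Added example, not the answerer's code: the become_user route to a specific account, with the caveat a practitioner hits first. When the ssh user and the become_user are both unprivileged, Ansible has to make its temporary module files readable by the target user; it does that with setfacl, and without the acl package the task fails with "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user" unless world-readable temp files are allowed, which defeats the point. The account das1 and the file names are assumptions.

```yaml
# Added example, not from the original posts. Assumptions: the target account
# das1 and the file names; the ssh user is unprivileged but may sudo.
- name: Write into another user's home without leaving root-owned files behind
  hosts: DDAS
  tasks:
    # Unprivileged ssh user -> unprivileged become_user: Ansible hands its temp
    # files to das1 with setfacl. Install acl rather than enabling
    # allow_world_readable_tmpfiles, which exposes module arguments to every local user.
    - name: Install acl so setfacl is available for unprivileged become
      apt:
        name: acl
        state: present
      become: true

    - name: Copy as das1 itself, so ownership comes out right without chown
      copy:
        src: files/app.conf
        dest: /home/das1/app.conf
        mode: '0600'
      become: true
      become_user: das1

    - name: The same file written as root with explicit ownership, if you would rather not become das1
      copy:
        src: files/app.conf
        dest: /home/das1/app.conf
        owner: das1
        group: das1
        mode: '0600'
      become: true
```

The two copy tasks produce the same result; the become_user form is the one to prefer when the target user should also be able to run the command, since the file is never root-owned even for a moment.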

Resources