Ansible for Windows - windows

I am trying to set up my ansible host to connect to windows. However ping is failing with the following error:
sudo ansible win -m win_ping
hostname | UNREACHABLE! => {
"changed": false,
"msg": "basic: HTTPConnectionPool(host='hostname', port=5986): Read timed out. (read timeout=30)",
"unreachable": true
}
pywinrm is installed on my linux box and WinRM is installed on the windows box.
Hosts file:
[win]
systemname
[win:vars]
ansible_user=username
ansible_password=passord
ansible_connection=winrm
ansible_winrm_scheme=http
ansible_winrm_server_cert_validation=ignore
ansible_winrm_transport=basic
Appreciate any advice.
Thanks.

Disabling the Windows Firewall (Domain, private and public networks) in the Windows box, fixed the issue for me.

Can you double check the WinRM Listener settings:
winrm enumerate winrm/config/Listener
If the output is what you expect, can you test a command on the local server as shown here:
winrs -r:http://server:5985/wsman -u:Username -p:Password ipconfig
Ansible has a good reference on this topic as well.

Related

Issue with connection established from ansible to windows

WinRM service is already running on this windows machine, but when I run my playbook against a Windows node I'm getting below error.
error:
fatal: [xx:xx:xx:xxx]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh_exchange_identification: Connection closed by remote host", "unreachable": true}
Could you please let me know if anything is missing or incorrect
Regards,
Priya P
As Zeitounator said:
Add winrm connection details. Ie. if you have an ini inventory with a windows group: (put the credentials in a vault)
[windows:vars]
ansible_user=<from vault>
ansible_password=<from vault>
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_port=5986
#ansible_port=5985
ansible_winrm_transport=ntlm
ansible_winrm_scheme=https
#ansible_winrm_scheme=http

Ansible: pinging windows machine using basic authentication

I have configured WinRM at Windows Server 2012 machine using the script suggested by Ansible team: https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
At Ansible control machine (Linux box), the configuration looks like this:
ansible_user: Administrator
ansible_password: PASS
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_scheme: http
ansible_winrm_server_cert_validation: ignore
Trying to ping Windows machine I still get:
10.2.75.142 | UNREACHABLE! => {
"changed": false,
"msg": "plaintext: the specified credentials were rejected by the server",
"unreachable": true
}
User credentials are working credentials of local Windows user, belonging to Administrator group. Am I still missing some config on either side?
I've had similar problem. Through Ansible I was getting:
the specified credentials were rejected by the server
but when executing command from windows machine using winrs it was fine. For example:
winrs -r:https://myserver.com -u:Administrator -p:PASS ipconfig
was going through.
Unfortunately didn't find any solution to have Ansible running with basic authentication. Workaround was to use NTLM authentication. Just added
ansible_winrm_transport: ntlm
to control machine configuration and it works fine ever since.

Unable to ping Windows Server using win_ping

When I tried to ping my Windows instance using ansible windows -i hosts.ini -m win_ping , I got the following error :
10.0.72.11 | UNREACHABLE! => {
"changed": false,
"msg": "ssl: HTTPSConnectionPool(host='10.0.72.11', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x2319990>, 'Connection to 10.0.72.11 timed out. (connect timeout=30)'))",
"unreachable": true
}
My hosts.ini file looks like :
[windows]
10.0.72.11
[windows:vars]
ansible_ssh_user=Administrator
ansible_ssh_pass=MyPassword123!
ansible_ssh_port=5986
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
May I know where I am wrong?
I was getting the same error. In my case WinRM was not enabled properly on Windows host. I ran the PowerShell script on my windows host, resolved the errors by setting variables and flags as mentioned in the "ConfigureRemotingForAnsible.ps1" comments section and the error disappeared.

Unable to ping my Windows Server using win_ping

When I tried to ping my Windows instance using ansible windows -i hosts.ini -m win_ping, I got the following error:
54.197.197.91 | UNREACHABLE! => {
"changed": false,
"msg": "plaintext: the specified credentials were rejected by the server",
"unreachable": true
}
My hosts.ini file looks like:
[windows]
54.197.197.91
[windows:vars]
ansible_ssh_user=Administrator
ansible_ssh_pass=MyPassword123!
ansible_ssh_port=5985
ansible_connection=winrm
To solve that, I have done this :
ansible-vault create secret.yml
and entered my password there like this:
win_initial_password: MyPassword123!
Then, my hosts.ini file looked like:
[windows]
54.197.197.91
[windows:vars]
ansible_ssh_user=Administrator
ansible_ssh_pass={{ win_initial_password }}
ansible_ssh_port=5985
ansible_connection=winrm
When I tried pinging, I got the below error :
54.197.197.91 | FAILED! => {
"failed": true,
"msg": "the field 'password' has an invalid value, which appears to include a variable that is undefined. The error was: 'win_initial_password' is undefined"
}
Where am I going wrong?
I solved it by changing these :
ansible_ssh_port=5986
ansible_winrm_server_cert_validation=ignore
This worked.
As I was following an Ansible example similar to the original post, the accepted answer didn't work for me, the following got it working
Note: This is sending password in plain text so don't use in production
On the target machine, run a powershell with admin rights and enter these commands:
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
winrm set winrm/config/service '#{AllowUnencrypted="true"}'
Also verify your firewall is configured correctly to allow the necessary ports through (TCP/5985, TCP/5986)
Sources:
http://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#authentication-options
https://github.com/diyan/pywinrm/issues/114
Still was an issue for me. My solution was to reinstall python-pip packages related to winrm from scratch. I had to use official Ansible documentation. As per documentation:
apt-get install python-pip git libffi-dev libssl-dev -y
pip install ansible pywinrm
Port number for Windows is 5986 so you var configuration should be ansible_ssh_port: 5986
I came across this same issue even with "AllowUnencrypted" set to true. I observed that win_ping was working for IEUser that was added to Administrator group but failing with
windows-server | UNREACHABLE! => {
"changed": false,
"msg": "plaintext: the specified credentials were rejected by the server",
"unreachable": true
}
for test-user that was not in Administrator group.
So I added the test-user to Administrator group and the issue got resolved.
I've googled a lot and finally the below configuration worked for me. I've added ntlm to my config file.
ansible_user: user#DOMAIN.COM
ansible_password: password
ansible_connection: winrm
ansible_ssh_port: 5986
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore
Windows:
I have installed UBUNTU18-LTE in windows and face a lot of issues. So sharing my experience with the same error. Hope this will help.
The user must be local. Guys remember the user(ansible) must be a local(host - 192.168.11.22) admin user else no use of the below process.
Hosts file example.
cat /etc/ansible/hosts
[win]
192.168.11.22
[win:vars]
ansible_connection=winrm
ansible_user=ansible # Local admin user of host machine 192.168.11.22
ansible_password=ansible123
ansible_winrm_server_cert_validation=ignore
ansible_winrm_trasport=basic
ansible_port=5985 #HTTP
Run the below command on host PowerShell windows.
winrm configsddl default #Give permission to ansible user
Post step 2 configuration execute below 2 commands on host PowerShell.
winrm set winrm/config/service/auth '#{Basic="true"}'
winrm set winrm/config/service '#{AllowUnencrypted="true"}'
The Other use-full PowerShell commands to test the winrm connection.
winrm enumerate winrm/config/Listener.
winrm get winrm/config
WinRM quickconfig #Check winrm service is running
winrs -r:http://hostservername:5985/wsman -u:RDPusername -p:RDPpassword ipconfig/all

Unable to connect to a Windows Instance using Ansible Playbook

Every time I try running a playbook to automate some installations in Windows Server, my Windows Remote Host seems to be unreachable.
Here, I am trying to install IIS Server and my playbook looks like this :
---
- hosts : windows
tasks :
- name : Install Microsoft IIS
win_feature :
name : Web-Server
state : present
And the error is :
fatal: [ec2-54-197-197-91.compute-1.amazonaws.com]: UNREACHABLE! => {
"changed": false,
"msg": "ssl: HTTPSConnectionPool(host='ec2-54-197-197-91.compute-1.amazonaws.com', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x1b11310>, 'Connection to ec2-54-197-197-91.compute-1.amazonaws.com timed out. (connect timeout=30)'))",
"unreachable": true
}
But, now I came to know that, to run playbooks for Windows, I need to have winrm installed on my control node.
I have done the following :
pip install "pywinrm>=0.1.1"
I have added the public ip of Windows Instance and my hosts file looks like:
[local]
127.0.0.1
[aws]
ec2-54-152-85-197.compute-1.amazonaws.com
[windows]
ec2-54-197-197-91.compute-1.amazonaws.com
Then, I created a directory "group_vars" in /etc/ansible, and in that a file windows.yml which reads :
ansible_user: Administrator
ansible_password: SecretPasswordGoesHere
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
Please let me know where I am going wrong.
(most likely, because you have not mentioned it)
You need to configure remote commands in PowerShell on your Windows instance (as described in the Windows system prep section). Execute the following (with administrator permissions):
iwr https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -UseBasicParsing | iex
Before, depending on your settings, you might also need to enable the PowerShell execution policy, set the network interface to private network (mind the InterfaceAlias value below) and enable PowerShell remoting.
Set-ExecutionPolicy Unrestricted -Force
Set-NetConnectionProfile -InterfaceAlias Ethernet0 -NetworkCategory Private
Enable-PSRemoting

Resources