Ansible attempting to Connect to Windows Machine Via SSH (fails) - windows

We have a linux ansible server managing software installation on a Windows domain. We have successfully installed software onto all our windows machines without issue. We just added a new Windows 10 computer (yes, we have successfully connected to other Win10 computers), and when we run our ansible install script we are getting the following error:
fatal: [afc54]: UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 56: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/home/ansible/.ansible/cp/ansible-ssh-afc54-22-ansible\" does not exist\r\ndebug2: ssh_connect: needpriv 0\r\ndebug1: Connecting to afc54 [192.168.2.193] port 22.\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: connect to address 192.168.2.193 port 22: Connection timed out\r\nssh: connect to host afc54 port 22: Connection timed out\r\n",
"unreachable": true
In the [Gathering Facts] section of the playbook, the new machine shows
Using module file /usr/lib/python2.7/site-packages/ansible/modules/system/setup.py
while the other windows machines show
Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_updates.ps1
Why is ansible trying to connect via SSH rather than the windows port 5986? The same script works successfully on all our other windows computers, but this one has me stumped.
EDIT:
If I specify the credentials and specs on the machine's line in the host file (i.e. ansible_user=user@domain ansible_password=password ansible_port=5986 ansible_connection=winrm) then I get the following error:
afc54 | UNREACHABLE! => { "changed": false, "msg": "kerberos: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579), ssl: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)", "unreachable": true }

I am not clear why this worked, but I changed the group name in the hosts file and in the playbook (it was [install] is now [windows]), and it's now running correctly.
EDIT: A year later I finally noticed the reason this worked. In the group_vars directory, there was nothing set up for [install] but there was an existing configuration for [windows] under windows.yml. Hopefully this helps someone else =)
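
Why afc54 fell back to SSH while the other hosts used WinRM, as an added example (not code from the original post): it resolves the connection settings each host inherits from its groups. The hosts afc10 and afc11, the contents of `GROUP_VARS`, and the helper names are constructed for illustration, and the precedence model is simplified (inline group vars, then group_vars files, then host-line vars).

```python
import shlex

# Constructed inventory modelled on the question: the new host sits in [install].
INVENTORY = """
[windows]
afc10
afc11
[install]
afc54
"""
# Constructed stand-in for the group_vars/ directory: only windows.yml exists.
GROUP_VARS = {"windows": {"ansible_connection": "winrm", "ansible_port": "5986"}}
# With no connection variables set, the connection falls back to SSH on port 22.
DEFAULTS = {"ansible_connection": "ssh", "ansible_port": "22"}

def parse_inventory(text):
    """Return ({host: {"groups": [...], "vars": {...}}}, {group: inline vars})."""
    hosts, group_vars, section = {}, {}, "ungrouped"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section.endswith(":vars"):
            key, _, value = line.partition("=")
            group_vars.setdefault(section[:-5], {})[key.strip()] = value.strip()
        elif not section.endswith(":children"):
            name, *pairs = shlex.split(line)
            entry = hosts.setdefault(name, {"groups": [], "vars": {}})
            entry["groups"].append(section)
            entry["vars"].update(p.split("=", 1) for p in pairs if "=" in p)
    return hosts, group_vars

def effective_connection(text, group_vars_files):
    """Map each host to the (connection, port) it ends up with."""
    hosts, inline = parse_inventory(text)
    result = {}
    for name, entry in hosts.items():
        merged = dict(DEFAULTS)
        for group in entry["groups"]:
            merged.update(inline.get(group, {}))            # [group:vars] in the inventory
            merged.update(group_vars_files.get(group, {}))  # group_vars/<group>.yml
        merged.update(entry["vars"])                        # host-line variables win
        result[name] = (merged["ansible_connection"], merged["ansible_port"])
    return result

if __name__ == "__main__":
    print(effective_connection(INVENTORY, GROUP_VARS))
```

Any Windows host reported as `ssh` on port 22 belongs to a group with no matching group_vars file, which is the situation the EDIT describes.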

Related

Issue with connection established from ansible to windows

WinRM service is already running on this windows machine, but when I run my playbook against a Windows node I'm getting below error.
error:
fatal: [xx:xx:xx:xxx]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh_exchange_identification: Connection closed by remote host", "unreachable": true}
Could you please let me know if anything is missing or incorrect
Regards,
Priya P
As Zeitounator said:
Add winrm connection details. Ie. if you have an ini inventory with a windows group: (put the credentials in a vault)
[windows:vars]
ansible_user=<from vault>
ansible_password=<from vault>
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
ansible_port=5986
#ansible_port=5985
ansible_winrm_transport=ntlm
ansible_winrm_scheme=https
#ansible_winrm_scheme=http

Vscode SSH Jump Failed with macOS

I can connect to the first server with a key but cannot connect to the second server by jumping through the first server. I doubt it is a bug on macOS because I can jump to the second server from the command line. Does ANYONE know what happened here?
Here is the config:
Host comp
HostName xx.xx.xxx.xxx
User xxxx
Port 22
IdentityFile ***************
Host local
HostName 127.0.0.1
Port ****
User xxxx
ProxyCommand ssh -q -x -W %h:%p comp
IdentityFile ***************
Here is the error information:
[19:55:48.660] Log Level: 2
[19:55:48.662] remote-ssh#0.55.0
[19:55:48.662] darwin x64
[19:55:48.663] SSH Resolver called for "ssh-remote+localhost", attempt 1
[19:55:48.663] SSH Resolver called for host: localhost
[19:55:48.663] Setting up SSH remote "localhost"
[19:55:48.669] Acquiring local install lock: /var/folders/5q/****************_tr0000gn/T/vscode-remote-ssh-localhost-install.lock
[19:55:48.713] Looking for existing server data file at /Users/gy/Library/Application Support/Code/User/globalStorage/ms-vscode-remote.remote-ssh/vscode-ssh-host-localhost-************************************-0.55.0/data.json
[19:55:48.742] Using commit id "***********************************" and quality "stable" for server
[19:55:48.743] Install and start server if needed
[19:55:48.779] Checking ssh with "ssh -V"
[19:55:48.854] > OpenSSH_8.1p1, LibreSSL 2.7.3
[19:55:48.860] Using SSH config file "/Users/gy/.ssh/config/vscodeconfig"
[19:55:48.861] askpass server listening on /var/folders/5q/******************_tr0000gn/T/vscode-ssh-askpass-**********************************.sock
[19:55:48.862] Spawning local server with {"ipcHandlePath":"/var/folders/5q/**************_tr0000gn/T/vscode-ssh-askpass-********************************.sock","sshCommand":"ssh","sshArgs":["-v","-T","-D","54815","-o","ConnectTimeout=15","-F","/Users/gy/.ssh/config/vscodeconfig","localhost"],"dataFilePath":"/Users/gy/Library/Application Support/Code/User/globalStorage/ms-vscode-remote.remote-ssh/vscode-ssh-host-localhost-*********************************-0.55.0/data.json"}
[19:55:48.862] Local server env: {"DISPLAY":"1","ELECTRON_RUN_AS_NODE":"1","SSH_ASKPASS":"/Users/gy/.vscode/extensions/ms-vscode-remote.remote-ssh-0.55.0/out/local-server/askpass.sh","VSCODE_SSH_ASKPASS_NODE":"/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Renderer).app/Contents/MacOS/Code Helper (Renderer)","VSCODE_SSH_ASKPASS_MAIN":"/Users/gy/.vscode/extensions/ms-vscode-remote.remote-ssh-0.55.0/out/askpass-main.js","VSCODE_SSH_ASKPASS_HANDLE":"/var/folders/5q/********************_tr0000gn/T/vscode-ssh-askpass-**********************************.sock"}
[19:55:48.871] Spawned 34492
[19:55:48.987] > local-server> Spawned ssh: 34493
[19:55:49.008] stderr> OpenSSH_8.1p1, LibreSSL 2.7.3
[19:55:50.129] stderr> kex_exchange_identification: Connection closed by remote host
[19:55:50.131] > local-server> ssh child died, shutting down
[19:55:50.136] Local server exit: 0
[19:55:50.136] Received install output: OpenSSH_8.1p1, LibreSSL 2.7.3
kex_exchange_identification: Connection closed by remote host
[19:55:50.137] Stopped parsing output early. Remaining text: OpenSSH_8.1p1, LibreSSL 2.7.3kex_exchange_identification: Connection closed by remote host
[19:55:50.137] Failed to parse remote port from server output
[19:55:50.141] Resolver error: Error:
at Function.Create (/Users/gy/.vscode/extensions/ms-vscode-remote.remote-ssh-0.55.0/out/extension.js:1:130564)
at Object.t.handleInstallOutput (/Users/gy/.vscode/extensions/ms-vscode-remote.remote-ssh-0.55.0/out/extension.js:1:127671)
at Object.t.tryInstallWithLocalServer (/Users/gy/.vscode/extensions/ms-vscode-remote.remote-ssh-0.55.0/out/extension.js:127:102339)
at processTicksAndRejections (internal/process/task_queues.js:94:5)
at async /Users/gy/.vscode/extensions/ms-vscode-remote.remote-ssh-0.55.0/out/extension.js:127:104310
at async Object.t.withShowDetailsEvent (/Users/gy/.vscode/extensions/ms-vscode-remote.remote-ssh-0.55.0/out/extension.js:127:109845)
at async /Users/gy/.vscode/extensions/ms-vscode-remote.remote-ssh-0.55.0/out/extension.js:127:100912
at async R (/Users/gy/.vscode/extensions/ms-vscode-remote.remote-ssh-0.55.0/out/extension.js:127:97702)
at async Object.t.resolveWithLocalServer (/Users/gy/.vscode/extensions/ms-vscode-remote.remote-ssh-0.55.0/out/extension.js:127:100561)
at async Object.t.resolve (/Users/gy/.vscode/extensions/ms-vscode-remote.remote-ssh-0.55.0/out/extension.js:127:107840)
at async /Users/gy/.vscode/extensions/ms-vscode-remote.remote-ssh-0.55.0/out/extension.js:127:141955
[19:55:50.143] ------
Could someone enlighten me on the reason for the problem or on a possible solution ? Thanks !
I have a similar problem.
Later it disappears after I turn off the agent server.
Maybe you can try this.

Ansible SSH Connection when using Google-Authenticator

I would like to ask a question that might not really have an answer but it will save my life.
So yesterday I started using google-authenticator for a second factor authentication on all my servers.
I am configuring all my hosts with Ansible so it is very important for me to have connection from it obviously, so, what I did, was I added this line to my /etc/pam.d/ssh file
auth [success=done default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
which I think returns success if I meet the rules I added in /etc/security/access-local.conf
#localhost doesn't need two step verification
+ : ALL : <<localnetworkip>>/24
+ : ALL : LOCAL
#All other hosts need two step verification
- : ALL : ALL
So I am allowing any machine from my local network. This works when I try to ssh from my ansible to the host (it doesn't ask me for a verification code) but when I try to run an ansible playbook on the same local IP I get:
fatal: [Host]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Permission denied (keyboard-interactive).", "unreachable": true}
I think Ansible doesn't know how to handle keyboard-interaction, has anyone managed to bypass it?
Thank you
So I figured out how to bypass this for my case at least.
I added the following rule at the end in /etc/ssh/sshd_config
Match Address <<localnetworkip>>/24
AuthenticationMethods publickey keyboard-interactive
So Google authentication is not mandatory anymore from internal network
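
How sshd reads that directive, as an added example (not code from the original post): comma-separated methods must all succeed, while space-separated lists are alternatives, so the Match rule above admits a local-network client on a key alone. The sample /24, the global `AuthenticationMethods` line and the helper names `methods_for` and `accepted` are assumptions made for the illustration.

```python
import ipaddress

# Constructed sshd_config. The global line is an assumption (key AND code
# everywhere); the Match block is the answer's rule with a sample /24 filled in.
SSHD_CONFIG = """
AuthenticationMethods publickey,keyboard-interactive
Match Address 192.168.2.0/24
    AuthenticationMethods publickey keyboard-interactive
"""

def methods_for(config, source_ip):
    """Return the AuthenticationMethods lists in force for source_ip.

    Simplified model: only 'Match Address <cidr>[,<cidr>]' is understood, and
    the first matching block that sets the keyword overrides the global value.
    """
    ip = ipaddress.ip_address(source_ip)
    global_lists = match_lists = None
    in_match = applies = False
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        keyword = tokens[0].lower()
        if keyword == "match":
            in_match = True
            applies = (len(tokens) == 3 and tokens[1].lower() == "address" and any(
                ip in ipaddress.ip_network(cidr, strict=False)
                for cidr in tokens[2].split(",")))
        elif keyword == "authenticationmethods":
            lists = [tuple(m.split(":")[0] for m in item.split(","))
                     for item in tokens[1:]]
            if not in_match and global_lists is None:
                global_lists = lists
            elif in_match and applies and match_lists is None:
                match_lists = lists
    return match_lists or global_lists or [("any",)]

def accepted(lists, completed):
    """True if the completed methods cover every method of at least one list."""
    if lists == [("any",)]:
        return bool(completed)
    return any(set(required) <= set(completed) for required in lists)

if __name__ == "__main__":
    for src in ("192.168.2.10", "203.0.113.5"):
        lists = methods_for(SSHD_CONFIG, src)
        print(src, lists, "key alone is enough:", accepted(lists, {"publickey"}))
```

Running the same check against the real sshd_config for each management subnet shows which source ranges are exempt from the second factor.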

Cannot connect to WindowsServer from Centos7 due to ProxyError

I am trying to connect to Windows Server 2012 from my ansible server (Centos7).
Let's assume its host is x and port is y
I managed to connect to other linux based servers but I cannot connect to the windows one.
I followed the tutorial here and after all setups and configurations I get the following error:
root#localhost: ansible# ansible windows -i hosts -m win_ping --ask-vault-pass
Vault password:
WindowsServer | UNREACHABLE! => {
"changed": false,
"msg": "ssl: HTTPSConnectionPool(host='x', port=y): Max retries exceeded with url: /wsman (Caused by ProxyError('Cannot connect to proxy.', error('Tunnel connection failed: 403 Forbidden',)))",
This is my group_vars/windows.yml file:
# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml
ansible_user: Administrator
ansible_password: password
ansible_port: y
ansible_connection: winrm
This is my hosts file snippet:
[windows]
WindowsServer ansible_host=x
I did configure windows server with this file.
Please help, I have no idea what to do to make the connection work.
As J and Mike from ansible google group suggested:
The reason for the error was the environment variables HTTP_PROXY and HTTPS_PROXY that ansible used from the system.
To let ansible know that you are using a proxy you have to:
1. Locate transport.py that comes with pywinrm
2. Modify the following line, session.trust_env, to make it False.
# configure proxies from HTTP/HTTPS_PROXY envvars
# session.trust_env = True
session.trust_env = False
3. pywinrm will no longer check your local env for a proxy.
After that I also needed to add one more variable to the group_vars/windows.yml file:
ansible_winrm_server_cert_validation: ignore

How to connect to Windows node using openSSH and Ansible?

I am trying to connect to my windows computer using OpenSSH and Ansible.
I am able to connect using regular ssh, but when I try to connect using Ansible, I get pretty much the same error every time I change something.
I've also tried running Ansible as root and still nothing
fatal: [IVU]: UNREACHABLE! => {"changed": false, "msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 77 && mkdir -p \"` echo /tmp/ansible-tmp-1502794936.2073953-164132649383245 `\" && echo ansible-tmp-1502794936.2073953-164132649383245=\"` echo /tmp/ansible-tmp-1502794936.2073953-164132649383245 `\" ), exited with result 1", "unreachable": true}
I've tried to change the ssh_args in ansible.cfg to ssh_args= -o ControlMaster=no and no change to the output was made.
I've tried to change the executable in the ansible.cfg to C:/Windows/System32/cmd.exe and I got the same error
I've tried changing the remote_dir=/tmp/ and still nothing.
My ansible inventory is:
[IVU]
IVU ansible_host=**IP**
[IVU:vars]
ansible_port=22
ansible_user=**user**
ansible_ssh_pass=**pass**
ansible_ssh_private_key_file=** Keyfile **
It seems like it's failing before even running any tasks, but from the openssh logs on the windows computer I see no difference when ansible connects to it and when I ssh into it.
3724 09:27:38:720 error: Couldn't create pid file "C:\\Program Files\\OpenSSH\\sshd.pid": Permission denied
3724 09:27:41:376 Accepted publickey for **User** from **IP** port 42700 ssh2: RSA SHA256:clNmiKxygl/TLEb5Ob4lZs6JqztoQyxOsjMoHQ2HYgo
3724 09:27:58:533 Received disconnect from **IP** port 42700:11: disconnected by user
3724 09:27:58:533 Disconnected from user **User** **IP** port 42700
3360 09:28:41:398 error: Couldn't create pid file "C:\\Program Files\\OpenSSH\\sshd.pid": Permission denied
3360 09:28:41:616 Accepted publickey for **User** from **IP** port 42704 ssh2: RSA SHA256:clNmiKxygl/TLEb5Ob4lZs6JqztoQyxOsjMoHQ2HYgo
3360 09:28:41:741 Received disconnect from **IP** port 42704:11: disconnected by user
3360 09:28:41:741 Disconnected from user **User** **IP** port 42704
The 9:27 is when I'm connecting using ssh and the 9:28 is when ansible connects.
Is there something I'm missing that I need to change in order for Ansible to work with openSSH on windows?
I figured out a solution by using a reverse ssh tunnel.
I abandoned the idea of trying to use the ssh ansible module with windows since Windows simply doesn't play nicely with it unless you have the windows 10 update. I decided to use the winrm ansible module instead.
What I did is I connected the windows computer to the computer running Ansible by opening a reverse SSH tunnel by using the command:
ssh -p5983 -R 5982:localhost:5986 **my_user**@**my_ip**
For my purposes I had to port forward because my computer was on a separate vlan than the windows computer
Then in Ansible I specified that the host is localhost at port 5982.
This is about as good of a solution for when working with openssh and windows, at least until Ansible supports openssh on windows.
