I am testing ansible (developer build) to connect to a windows machine.
ansible 2.0.0 (devel d1b98ec776)
The following command fails
ansible inh-jnambood-dt.india.mentorg.com -m win_ping -vvvv
Error is as below
bash-4.1$ ansible inh-jnambood-dt.india.mentorg.com -m win_ping -vvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<inh-jnambood-dt.india.mentorg.com> ESTABLISH WINRM CONNECTION FOR USER: jnambood#MGC.MENTORG.COM on PORT 5985 TO inh-jnambood-dt.india.mentorg.com
inh-jnambood-dt.india.mentorg.com | FAILED! => {
"failed": true,
"msg": "ERROR! kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), plaintext: 401 Unauthorized."
jnambood is my user id MGC.MENTORG.COM is the domain
Clearly there is some step I missed. What should I do to fix this error?
That usually means that the Linux host where you're running kinit is not joined to the domain (ie, it doesn't have a properly configured computer account in the domain). The existing docs unhelpfully omit that requirement...
I've also seen this occur where the FQDN of the the host is not entered in both the command and the ansible hosts file.
Try something like:
inh-jnambood-dt.mcg.mentorg.com
HTH
I'm not using Ansible, but pywinrm directly. To get things working from a RHEL7 computer to a Windows 10 host in the domain, I changed # to / in the pywinrm code. I did this because I saw other software use HTTP/hostname and not HTTP#hostname when talking to Kerberos. Hope this is useful for somebody.
https://github.com/requests/requests-kerberos/pull/141/commits
We had this same error. For us, it was resolved by shortening the hostname to have less than 15 characters.
Related
I am trying to set up my ansible host to connect to windows. However ping is failing with the following error:
sudo ansible win -m win_ping
hostname | UNREACHABLE! => {
"changed": false,
"msg": "basic: HTTPConnectionPool(host='hostname', port=5986): Read timed out. (read timeout=30)",
"unreachable": true
}
pywinrm is installed on my linux box and WinRM is installed on the windows box.
Hosts file:
[win]
systemname
[win:vars]
ansible_user=username
ansible_password=passord
ansible_connection=winrm
ansible_winrm_scheme=http
ansible_winrm_server_cert_validation=ignore
ansible_winrm_transport=basic
Appreciate any advice.
Thanks.
Disabling the Windows Firewall (Domain, private and public networks) in the Windows box, fixed the issue for me.
Can you double check the WinRM Listener settings:
winrm enumerate winrm/config/Listener
If the output is what you expect, can you test a command on the local server as shown here:
winrs -r:http://server:5985/wsman -u:Username -p:Password ipconfig
Ansible has a good reference on this topic as well.
I would like to ask a question that might not really have an answer but it will save my life.
So yesterday I started using google-authenticator for a second factor authentication on all my servers.
I am configuring all my hosts with Ansible so it is very important for me to have connection from it obviously, so, what I did, was I added this line to my /etc/pam.d/ssh file
auth [success=done default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
which I think returns success if I meet the rules I added in /etc/security/access-local.conf
#localhost doesn't need two step verification
+ : ALL : <<localnetworkip>>/24
+ : ALL : LOCAL
#All other hosts need two step verification
- : ALL : ALL
So I am allowing any machine from my local network. This work when I try to ssh from my ansible to the host (it doesn't ask me for verification code) but when I try to run an ansible playbook on the same local IP I get:
fatal: [Host]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Permission denied (keyboard-interactive).", "unreachable": true}
I think Ansible doesn't know how to handle keyboard-interaction, has anyone managed to bypass it?
Thank you
So I figured out how to bypass this for my case at least.
I added the following rule at the end in /etc/ssh/sshd_config
Match Address <<localnetworkip>>/24
AuthenticationMethods publickey keyboard-interactive
So Google authentication is not mandatory anymore from internal network
Since my company needs time to consider security issues with WinRM which is used by Ansible to manage windows hosts I was thinking about doing it via Cygwin ssh connection which we already have installed.
Is this even possible?
I tried to setup env variables like that:
ansible_connection: ssh
ansible_shell_type: cmd
End I'm trying to create a folder with the folliwng playbook:
- name: Ensure C:\Temp exists
win_file:
path: C:\Temp
state: directory
Gathering Facts is succesfull, but I'm getting: FAILED! => {"changed": false, "msg": "Unhandled exception while executing module: The system cannot find the path specified"}
In theory, Ansible, since v.2.8, supports doing connections through SSH, new windows even come with a Microsoft fork of OpenSSH.
I am having trouble to make it work (that's how I ended up here), but I recommend you to take a look to the following links:
https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#windows-ssh-setup
If you can do SSH using the PK, but you get an unreachable from Ansible, you may need to check also this:
How to fix "Unreachable" when ping windows with ansible over ssh?
For Windows Server 2019/10's OpenSSH configuration:
https://www.youtube.com/watch?v=Cs3wBl_mMH0
Setting up OpenSSH for Windows using public key authentication
I have configured WinRM at Windows Server 2012 machine using the script suggested by Ansible team: https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
At Ansible control machine (Linux box), the configuration looks like this:
ansible_user: Administrator
ansible_password: PASS
ansible_port: 5985
ansible_connection: winrm
ansible_winrm_scheme: http
ansible_winrm_server_cert_validation: ignore
Trying to ping Windows machine I still get:
10.2.75.142 | UNREACHABLE! => {
"changed": false,
"msg": "plaintext: the specified credentials were rejected by the server",
"unreachable": true
}
User credentials are working credentials of local Windows user, belonging to Administrator group. Am I still missing some config on either side?
I've had similar problem. Through Ansible I was getting:
the specified credentials were rejected by the server
but when executing command from windows machine using winrs it was fine. For example:
winrs -r:https://myserver.com -u:Administrator -p:PASS ipconfig
was going through.
Unfortunately didn't find any solution to have Ansible running with basic authentication. Workaround was to use NTLM authentication. Just added
ansible_winrm_transport: ntlm
to control machine configuration and it works fine ever since.
When I tried to ping my Windows instance using ansible windows -i hosts.ini -m win_ping, I got the following error:
54.197.197.91 | UNREACHABLE! => {
"changed": false,
"msg": "plaintext: the specified credentials were rejected by the server",
"unreachable": true
}
My hosts.ini file looks like:
[windows]
54.197.197.91
[windows:vars]
ansible_ssh_user=Administrator
ansible_ssh_pass=MyPassword123!
ansible_ssh_port=5985
ansible_connection=winrm
To solve that, I have done this :
ansible-vault create secret.yml
and entered my password there like this:
win_initial_password: MyPassword123!
Then, my hosts.ini file looked like:
[windows]
54.197.197.91
[windows:vars]
ansible_ssh_user=Administrator
ansible_ssh_pass={{ win_initial_password }}
ansible_ssh_port=5985
ansible_connection=winrm
When I tried pinging, I got the below error :
54.197.197.91 | FAILED! => {
"failed": true,
"msg": "the field 'password' has an invalid value, which appears to include a variable that is undefined. The error was: 'win_initial_password' is undefined"
}
Where am I going wrong?
I solved it by changing these :
ansible_ssh_port=5986
ansible_winrm_server_cert_validation=ignore
This worked.
As I was following an Ansible example similar to the original post, the accepted answer didn't work for me, the following got it working
Note: This is sending password in plain text so don't use in production
On the target machine, run a powershell with admin rights and enter these commands:
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
winrm set winrm/config/service '#{AllowUnencrypted="true"}'
Also verify your firewall is configured correctly to allow the necessary ports through (TCP/5985, TCP/5986)
Sources:
http://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#authentication-options
https://github.com/diyan/pywinrm/issues/114
Still was an issue for me. My solution was to reinstall python-pip packages related to winrm from scratch. I had to use official Ansible documentation. As per documentation:
apt-get install python-pip git libffi-dev libssl-dev -y
pip install ansible pywinrm
Port number for Windows is 5986 so you var configuration should be ansible_ssh_port: 5986
I came across this same issue even with "AllowUnencrypted" set to true. I observed that win_ping was working for IEUser that was added to Administrator group but failing with
windows-server | UNREACHABLE! => {
"changed": false,
"msg": "plaintext: the specified credentials were rejected by the server",
"unreachable": true
}
for test-user that was not in Administrator group.
So I added the test-user to Administrator group and the issue got resolved.
I've googled a lot and finally the below configuration worked for me. I've added ntlm to my config file.
ansible_user: user#DOMAIN.COM
ansible_password: password
ansible_connection: winrm
ansible_ssh_port: 5986
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore
Windows:
I have installed UBUNTU18-LTE in windows and face a lot of issues. So sharing my experience with the same error. Hope this will help.
The user must be local. Guys remember the user(ansible) must be a local(host - 192.168.11.22) admin user else no use of the below process.
Hosts file example.
cat /etc/ansible/hosts
[win]
192.168.11.22
[win:vars]
ansible_connection=winrm
ansible_user=ansible # Local admin user of host machine 192.168.11.22
ansible_password=ansible123
ansible_winrm_server_cert_validation=ignore
ansible_winrm_trasport=basic
ansible_port=5985 #HTTP
Run the below command on host PowerShell windows.
winrm configsddl default #Give permission to ansible user
Post step 2 configuration execute below 2 commands on host PowerShell.
winrm set winrm/config/service/auth '#{Basic="true"}'
winrm set winrm/config/service '#{AllowUnencrypted="true"}'
The Other use-full PowerShell commands to test the winrm connection.
winrm enumerate winrm/config/Listener.
winrm get winrm/config
WinRM quickconfig #Check winrm service is running
winrs -r:http://hostservername:5985/wsman -u:RDPusername -p:RDPpassword ipconfig/all