I also forgot to mention that the module sources all the updates from the
Windows Update API. If it doesn’t appear at all in either the selected or
filtered list then Windows did not detect any update as being available. If you
are running a WSUS server the Windows host could be configured to
If you run with a higher verbosity (usually -vv or more) then the output from
the win_updates task will be shown. This output will contain a list of all the
updates that were matched on the criteria as well as any updates that were
available but didn’t match the criteria specified (filtered).
I don’t understand what you mean sorry. OpenLDAP is required on the controller
because that’s a dependency of python-ldap that the lookup uses
https://www.python-ldap.org/en/python-ldap-3.3.0/installing.html#installing. If
you already have it installed then you don’t need to reinstall it.
If
So you are running a PowerShell module on localhost which won’t work. How have
you defined your inventory, how are you targeting that host in your play?
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop
You have defined the vars for the group 'winhost' but have defined the host
in the group 'windows'. That's why the connection and other vars are not
being applied to the host when running.
There's been a recent issue on this problem
https://github.com/ansible-collections/community.windows/issues/96. I can't
say I've experienced this problem personally as if you have a credential
Windows should be using that to connect to the network path. Are you
potentially on a newer build of
Setting AllowUnencrypted -Value $true means you are allowing plaintext data
to be exchanged, you want it to be AllowUnencrypted -Value $false to make
sure encryption is used. Are you getting mixed up with the values here?
It didn’t fail on any patches, the ones listed were filtered because they
didn’t match any of the categories you listed in the task.
The difference between reboot: yes and win_reboot is that the former will
reboot during the win_updates task and continue to check if there are more
updates
What’s the output when you run the win_whoami module with the same become setup
you have for win_shell. Please use -vvv so we can see the output. I would also
try ansible_become_pass as I believe ansible_become_password is only valid in
later Ansible versions.
>
> You've identified one of the many annoying parts of collections. You need
> a special directory structure and you can't install from git in an editable
> manner.
Admittedly you are right about the special directory structure but it's
pretty trivial to install it from git in an editable
If the task is trying to install updates then you are typically restricted
by Windows over a network logon like WinRM. The way around this that
Ansible provides is the become [1]. This turns the logon type to an
interactive logon which is allowed to install Windows updates just like you
can
The key you want to use is ‘ansible_winrm_server_cert_validation’, you were
missing the server part
https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#https-certificate-validation.
With the further details exposed by -vvv we can see the error message when
it tried to create the temp folder
sleep: cannot read realtime clock
>
A quick google search brings up an issue on the WSL repo about this problem
https://github.com/microsoft/WSL/issues/4898. Looks like there are some
Please read the docs, there are a few packages that need to be installed for
pip to compile the pykerberos library
https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#installing-the-kerberos-library.
The error message is saying
The python kerberos library is not installed
>
Make sure you have installed pykerberos by running 'pip install pykerberos'
or if you are managing Python packages through your system package manager
'apt install python-kerberos'.
You can verify whether it is
> The documentation page for this module only says name is mandatory
parameter, rest is optional.
There is only 1 option that is always required 'name', but if you read the
description you can see that there are multiple others that are required
when 'state=present'.
> I want to retrieve it’s
According to the docs, dns_hostname is
Required when *state=present*.
>
So you need to have this set for the module to work.
Thanks
Jordan
The issue here is the kerberos library you have installed is either too old
or incompatible with what requests-kerberos requires. Uninstall both
kerberos and pykerberos and install just pykerberos. You may want to update
requests-kerberos as well as 0.7.0 is quite old.
Unfortunately no, the DSC engine requires explicit username and password
and cannot be configured to run using an existing access token. It is
probably needed because the DSC engine runs each task as the SYSTEM account
so any network authentication will appear as it came from the AD computer
You can use the changed_when task directive to control when a change is
reported. If you want to say this will never create a change set ‘changed_when:
false’
If only 5986 is working then it sounds like message encryption is being
disabled for NTLM or is just unavailable (older libraries are installed).
If you already have HTTPS working then you should just continue to use
that. It provides more security benefits especially compared to NTLM over
Kerberos is highly dependent on DNS from working. With Kerberos the client
builds an SPN in the format 'HTTP/, in your case that will
be 'HTTP/10.50.1.231'. Active directory only creates automatic SPNs using
the DNS name of a host, i.e. 'HTTP/hostname.domain.com' so that's the SPN
that needs
So the drive mapping is present but Windows is unable to map the drive on
logon. You can use the win_credential [1] to store a credential that
Windows will use for mapped drives. There's even an example of this in the
win_mapped_drive [2] docs. If you are running the net use command through
You need to figure out why it's failing, we have a page for dealing with
rejected credentials
https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#http-401-credentials-rejected
Just change the username and password to that domain account. Typically the
user is either in the Netlogon 'DOMAIN\user' form or the UPN
'u...@domain.com' form. The latter is preferred as it's what is required
for Kerberos auth which should be used for domain logons.
The error you have is nothing to do with mapped drives but that Ansible is
unable to authenticate itself over the WinRM connection. You need to set
ansible_user and ansible_password for Ansible to use as the connection
credentials.
Also please note that while you can map a network drive using
It really depends on how the 'DB.Migrator.exe' binary is set to use
credentials over a network path. If it's trying to find a credential in the
user's DPAPI cred store then Kerberos with credential delegation is not
enough to unlock it. Your options for this case are either:
- Use become
>
> TASK [Reboot host if required]
> **
> fatal: [10.50.1.231]: FAILED! => {"changed": false, "msg": "Invalid
> options for win_reboot: when"}
>
I can't see your task but this sounds like your when clause is
A few issues
- The output indicates you didn't supply the command args for
shutdown.exe correctly. If the +1 is meant to say shutdown after 1 second
the correct syntax is to use /t 1 -
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
-
It’s telling you that the update has been filtered and the reason is because
the categories for that update aren’t in the categories you listed. To fix this
add one of the 2 categories it states it has and run again.
You cannot access mapped drives through WinRM. You need to use the full UNC
path. Also you need to be aware of the credential delegation problem when
accessing network paths when using WinRM. You can connect with CredSSP, or
Kerberos with delegation or use become on the task to bypass that.
It was added with the PR
https://github.com/ansible-collections/ansible.windows/pull/40 which is the
'win_service' module in the ansible.windows collection. This collection is
officially meant to be the source of supported Windows modules in Ansible
2.10 and onwards but you might be able to use
See
https://docs.ansible.com/ansible/latest/user_guide/windows_faq.html#what-windows-modules-are-available,
you cannot run Python modules on Windows. You need to use the win_* variants
if they are available.
The output shows a change occurred and the file was templated. If the
contents weren't what you were expecting then you need to fix the template
or make sure you are checking the right server.
Remove remote_src: true as it's expecting you to supply src for the copy.
Better yet use win_template instead like
- win_template:
    src: config.j2
    dest: D:\config1.json
Your WinRM service has been set to reject Basic auth. You need to change the
auth to something like kerberos (for domain auth) or ntlm using the
ansible_winrm_transport var.
Read through that issue you linked and you will see it.
Because get_url is also a Python module
https://docs.ansible.com/ansible/latest/user_guide/windows_faq.html#can-i-run-python-modules-on-windows-hosts.
The alternative for you is to either use win_get_url, or download the file
on the controller using the Python modules and use win_copy to copy
The proper way is to use the script module
- name: run script
  script: test.ps1
It will automatically try and find 'test.ps1' in various folders, the files
folder adjacent to the playbook is one of them, copy it across, execute,
then delete the file all in 1 go. If you truly don't want to copy
You can’t run Python modules on Windows so this was never designed to work on
those hosts.
You cannot run Windows modules over localhost, they are designed to run
through a connection plugin like winrm, psrp, or ssh. Also I would highly
advise not running Ansible through cygwin, it may work in some places but
will then fall flat in others. If you are on Windows 10 then WSL is a lot
There's not much more I can really say, Windows ACLs are based on SIDs so
it needs to be able to translate a human readable name to the actual SID.
If the module is complaining that it's unable to translate an identity
that's just what Windows is returning as it's unable to translate the
Is the host actually joined to the domain the groups reside in, if you have
multiple domain controllers it may not have replicated to whatever that
host is talking to when finding the groups.
Sorry I misread what you said and thought you meant you didn't think become
mattered here but I see your problem. You've set the become vars as a
module option to win_acl, the directives should be on the same indentation
as win_acl itself. Unfortunately not all Windows modules currently
This is because of the double hop problem, without the users credentials the
WinRM service cannot authenticate to those fileshares as that user so it
appears to be an anonymous user which does not have access. The only way around
this is to use become on the task or connect with an
And just an FYI, OpenSSH-Win32 and OpenSSH-Win64 are the same thing, one is
just a binary for 32-bit installs and the other for 64-bit installs. The
overarching project is known as 'Win32-OpenSSH' though
https://github.com/PowerShell/Win32-OpenSSH.
Depends on what you mean by support.
Does it work? yes
Is it supported by Red Hat? no
Will there be bugs? probably
Will we fix the bugs? eventually, the biggest showstoppers are now gone
it's just the little things we don't know of.
Read through
It’s telling you it cannot find the reboot module/plugin. Make sure you are on
Ansible 2.7 or higher as that is when the module was added
https://docs.ansible.com/ansible/latest/modules/reboot_module.html,
You are probably hitting the double hop issue over WinRM. See
https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#limitations
for some workarounds.
Try using Ansible become to workaround this problem. It isn’t a guarantee but
it acts like the process was executed on an interactive logon. You could have
trouble if the command is expecting user input. This can’t be done on Ansible.
>
> Windows could be supported if someone did the work
I think you are underestimating how much work this would actually require.
The biggest (but not the only) issue is that Ansible uses fork in its
worker model and fork is not available on Windows. Changing that to use
threads is
If you are wanting to play around with things there's no harm in it. If you
are wanting to use it in production I would wait until some of the kinks
are ironed out and 2.10 is officially released.
That's not to say you can use it side by side and selectively try out
various modules in the
I also forgot to mention that while some components may work in 2.9 this
collection will not be tested against this version and will officially be
designed to work with 2.10 onwards.
That is because the current released versions of the ansible.windows collection
at https://galaxy.ansible.com/ansible/windows are all beta versions. The
ansible-galaxy cli tool does not use any pre-release versions in its check and
the only way to install it is to explicitly set the
As I mentioned in that issue the processes run from Ansible with the
highest privileges available to the user you can verify this by running
- win_command: whoami.exe /all
Here is what you should roughly see back
(ansible-py37) jborean:~/dev/ansible-tester$ ansible 2019 -m win_command -a
When you call powershell.exe with -File you cannot run multiple commands
after that, it's designed to run a script with potential arguments. You can
even see in the error from powershell it thinks the file it needs to run is
`C:\Scripts\USERNAME\dfsadd_func.ps1;' (with the semicolon) so that's
I haven't worked with the Azure dynamic inventory so I could be wrong but
my guess is that with the lines
conditional_groups:
  all_the_hosts: true
  sittst-servers: "'sittst' in name"
You are creating a group called sittst-server which contains your host. You
then have a file
If you have multiple DCs then potentially it could be replication at fault
here but usually if a host is missing from the domain controller it queries
then a different error is shown (service not found in the database).
Is the host you are connecting to sharing the same hostname as an older
The fact that you were able to get a Kerberos ticket showed that your host
is set up to get the tickets correctly. Some things you should check
- The domain account is a local admin, non admins can technically
connect through WinRM but not by default. In any case Ansible is very
Plaintext means basic auth over http which is rejected by windows because it is
not encrypted. Basic auth also does not work for domain accounts but
unfortunately it is the default for backwards compatibility reasons when the
username specified is not in the UPN format.
If you are connecting
What you have there is one way but by default WinRM only allows local
administrators to connect to the host so you need to make sure you either
the domain user is also a local admin or adjust the WinRM security to allow
non-admins to connect.
Another option is to define the host twice in your
WinRM certificate auth is plain simple complex and not recommended to be
used. It's the most complex option to set up and has loads of caveats and
downsides that I wouldn't really recommend its use.
First question would be why am I creating a cert for Ansible on the Linux
> server and then
host_key_checking has nothing to do with parallel runs so I'm not sure what
you mean by that. By default Ansible will run on hosts in parallel up to
the forks configured [1]. If you want to run multiple tasks at the same
time the only real option is to use async with poll: 0 [2] so it runs in
I completely spaced that you are running against Server 2008 R2. There's a
bug with PowerShell v3 and remoting around out of memory issues which
commonly appears like stuff you are seeing here. Make sure you have met the
pre-reqs and either
- Update PowerShell to v5 preferably
- Install
We use C# code in our code for a lot of things, in this case it's the
Ansible wrapper we use to abstract the communication to and from the
controller. Part of that process is to compile the C# code to a dll and
load that in PowerShell. This all happens in the background and is part of
It’s totally possible you just need to learn how to do multi lined yaml values.
Have a look at the 5th example at
https://docs.ansible.com/ansible/latest/modules/win_shell_module.html#examples.
https://yaml-multiline.info/ is a great tool that can help you understand how
multi lined strings
wait_for_connection is designed to wait until ssh is up and running and Ansible
can actually run a module on it. No need for any until loops just
‘wait_for_connection:’.
Further to the above, those are variables and not attributes you can set on a
play. You need to set them under the vars key or just add them using
add_host in the previous play.
You can’t, template will only work with a source on the controller as that is
where the vars are stored. Either store the template in your role/playbook or
use fetch to fetch the file to the controller temporarily and then template it
from there.
Going by that snippet you should be setting the module option
'computer_name', it's even documented in its docs that computer_name is [1]
Specifies a DNS server.
> You can specify an IP address or any value that resolves to an IP address,
> such as a fully qualified domain name (FQDN), host
I believe since Ansible 2.8 the 'category_names' option is a free form
field and you can specify whatever you want. Since that change it should
also be reporting all the updates that were filtered (not selected) and the
category names that apply for that update which you can then use.
Based on your output Ansible is still trying to connect over SSH with port
22. Your group vars are not applying to the host so it's just using the
defaults (SSH port 22).
- debug:
    msg: Hi
  when:
  - entrycurrdb.stdout.find(hostvars['localhost']['BASEPATH_FINAL'] ~ '/' ~
    vars[(item | splitext)[1].split('.')[1] | default('exe')] ~ '/' ~ item |
    basename) == -1
  - actualfile.stat.exists | bool
A few comments though
- This is an extremely complex and weird
Just set the connection to use IPs as you would Linux it should just work.
Without seeing the error that you are receiving we can't help you anymore.
The most common reason why it doesn't is if you are using Kerberos auth.
This is because DNS is a very important part of Kerberos auth and using
Looks like I jumped the gun with closing that issue, the backported issue
referenced is for a separate problem. The actual cross domain support of
groups is still not supported in the module. There is a PR which you can
try out https://github.com/ansible/ansible/pull/65138 and comment on if it
It doesn't look like the module supports LDS. You will have to edit it and
create a PR that modifies it to specify the Partition value with what is
required.
This issue is due to the double hop problem typically seen with WinRM. Any
further outbound authentications from the Windows host (Ansible -> Windows
host -> AD controller) will appear as an anonymous user and results in
either access is denied or resource not found type errors. You have 3
It’s because you have transport=local in your ansible.cfg. Remove that and it
will default to ssh.
This sounds like it was potentially fixed with
https://github.com/ansible/ansible/pull/65023 which has been backported to
Ansible 2.9. What Ansible version are you running?
Thanks
Jordan
Ansible just runs the ssh binary and reports back what it says. In this
case it tried to authenticate using an SSH key with no fallback to password
authentication and that failed. You can even run the same command that is
displayed to see what happens when you run it manually. You also say you
That's telling you it can't compile the pykerberos library, it's trying to
find headers that are not present. In this case you need the python3-devel
package installed with yum/dnf. These headers are different from the Python
2 headers which is why you can install pykerberos in Python 2 and not
Since pywinrm 0.4.0, requests-kerberos is not actually used so in your case
we don't really have to worry about that particular library in your pywinrm
version. The pykerberos library is still required but it looks like you do
have it there. Also you are saying you have both Python 2.7 and 3.6
Then finally for your last message, I've already told you in
https://groups.google.com/forum/#!topic/ansible-project/ME6fY1n7SCA why
it's failing the reboot check.
Firstly
1. The reboot option in win_updates is 'reboot: yes', not 'win_reboot:
yes', you would know that if you had read
The filtered message says it's filtered due to category_names, here are the
categories you've applied in one of your tasks
- Upgrades
- Security Updates
When you omit the category_names here are the categories it uses by default
(as per the docs)
- CriticalUpdates (same as "Critical
Please read through the doc for win_updates again
https://docs.ansible.com/ansible/latest/modules/win_updates_module.html.
I've told you multiple times why updates can be filtered and in your case
it's because the categories you specify don't match up with the updates
that are available. Even
According to
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/hh968413(v=vs.85),
the HRESULT value 0x80240016 corresponds to WU_E_INSTALL_NOT_ALLOWED
Operation tried to install while another installation was in progress or
> the system was pending a mandatory restart.
>
So read your filtered updates list, you can see both updates are in there
ok: [MQN-CKMH5E31UM7.corp.medqia.com] => {
"changed": false,
"filtered_updates": {
"20668013-76d9-43ec-a6f2-f76fb4271642": {
"categories": [
"Definition Updates",
Have a look through your output, the "filtered_updates" key show all the
updates that the Windows Update Agent can find and also displays why they
have been filtered in the win_updates task. So there's nothing the
win_updates module is set to do because Windows is reporting no updates are
That's probably because win_updates runs on various filters, you can't just
specify the KB, you also need to specify the category the update applies
to. If you run with -vvv you can see all the updates that have been
filtered (skipped) and the categories they apply to. If the update is not
in
It's showing OK because the state was already achieved. Ansible
is running and the modules you are running with just have nothing to do.
If using WinRM your only “password less” options are certificate based auth
which is a massive pain to setup and I would not recommend it or Kerberos. With
Kerberos you can use kinit before running Ansible to get a token that is then
used for subsequent authentication. Kinit also works with a
This is unfortunately outside of what I know and I can't really offer any
more help. From what I can see the registry settings are the same when
Ansible creates the drive vs when it's created with net use, even net use
sees the drive, it's just not available. What you need to do now is enable
Unfortunately I cannot explain this at all, a couple of final
question/clarifications
- When you map it manually with net use, can you log off and back on and
the drive still remains connected and visible in Windows Explorer?
- The output for 'net use' on a limited process is showing
That is very curious, typically the opposite is the case where the standard
(limited) process is able to see the mapped drive but the admin process is
not. We can see that in both scenarios net use can see that there is a
valid configuration for the mapped drive but it is only successfully
Sorry about the option name mismatch but glad you found the correct one.
Your task seems to be correct so it's curious as to why it isn't showing
up. What I recommend you look at;
- See if the key 'HKCU:\Network\Z' is present and if the entries match
what you set
- Run the command
CredSSP sends the user account's password across the wire but it is
definitely not in the clear. It is "wrapped" which means it's encrypted and
the Windows host can decrypt the value. This is unlike other authentication
formats where typically only a hash or shared secret known only to the
Hi, the blog is still accepting comments, I just need to approve them so it
doesn't get spammed.
As for your issue at hand.
1) to use Ansible to map this network drive automatically in all VMs for
> the domain user (mapped drive should be visible after VM reboots, during
> every RDP sessions
Paths are taken literally so it's trying to find the path
`D:\Program-Files\nginx-*\'. So first you need to find the nginx folder
then do a win_find in that folder for the nginx.conf file.
As the documentation for win_package says,
Installs or uninstalls a package in either an MSI or EXE format.
>
https://docs.ansible.com/ansible/latest/modules/win_package_module.html
You cannot use win_package to install an msp file, your only alternative is
to use win_command to call the
If you are using Windows 10, use WSL not Cygwin. WSL is a lot more
compatible than Cygwin so I highly recommend you use that instead. In any
case to access a Windows drive from cygwin the path is '/cygdrive//path`, so in your case it would be '/cygdrive/d/POC/POC.yml'.