Re: [ansible-project] Encrypted SSH Key leads to Invalid format

2022-10-02 Thread Jeremie Levy
Yes it works, and it works unencrypted.

On Sun, 2 Oct 2022 at 21:02 Evan Hisey  wrote:

> Can you confirm the decrypted key is valid by direct ssh? Hard to tell
> for sure but that looks like the target host is rejecting the key format.
> Not all key formats are accepted by all targets. I have run into this with
> Github and Tenable Scanners.
>
> On Sun, Oct 2, 2022 at 6:15 AM jer...@gmail.com  wrote:
>
>> I'm using in inventory/group_vars/all.yaml:
>>
>> ansible_ssh_private_key_file: '{{inventory_dir}}/group_vars/path/to/key'
>>
>> This key is working well when it's plain text.
>> When I encrypt the file with ansible-vault, I get the error:
>>
>> Load key "/home/user/projects/ansible/inventory/group_vars/path/to/key": invalid format
>> root@SOME_IP: Permission denied (publickey,password).
>> unreachable: true
>>
>> I am using $ANSIBLE_VAULT_PASSWORD_FILE to decrypt everything without
>> asking for password.
>> I have other encrypted secrets in all.yaml that get decrypted.
>>
>> What am I missing ?
>>
>> Thanks!
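
Why ssh reports `invalid format` in the thread above, as an added example that is not part of the original messages: the ssh connection plugin hands the `ansible_ssh_private_key_file` path to the `ssh` client as an identity file, so `ssh` reads the bytes on disk, and an ansible-vault file starts with a `$ANSIBLE_VAULT;` header instead of a private-key header. This Python pre-flight check classifies a key file by its header and flags loose permissions; the function names and sample data are constructed for illustration.

```python
import base64
import os
import stat
import struct

VAULT_MAGIC = b"$ANSIBLE_VAULT;"        # first bytes of an ansible-vault file
OPENSSH_MAGIC = b"openssh-key-v1\x00"   # start of a decoded OpenSSH key blob


def parse_vault_header(first_line):
    """Split '$ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]' into fields."""
    parts = first_line.decode("ascii", "replace").strip().split(";")
    parts += [None] * (4 - len(parts))
    return {"version": parts[1], "cipher": parts[2], "vault_id": parts[3]}


def openssh_cipher(body_b64):
    """Return the ciphername of an openssh-key-v1 blob ('none' = no passphrase)."""
    try:
        blob = base64.b64decode(body_b64)
    except ValueError:
        return None
    if not blob.startswith(OPENSSH_MAGIC):
        return None
    offset = len(OPENSSH_MAGIC)
    if len(blob) < offset + 4:
        return None
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    name = blob[offset + 4:offset + 4 + length]
    return name.decode("ascii", "replace") if len(name) == length else None


def classify_key_bytes(data):
    """Decide what the ssh client will find when it opens this file."""
    lines = data.strip().splitlines()
    if not lines:
        return {"kind": "empty"}
    first = lines[0].strip()
    if first.startswith(VAULT_MAGIC):
        return dict(kind="vault-ciphertext", **parse_vault_header(first))
    if first == b"-----BEGIN OPENSSH PRIVATE KEY-----":
        body = b"".join(l for l in lines[1:] if not l.startswith(b"-----"))
        return {"kind": "openssh-private-key", "cipher": openssh_cipher(body)}
    if first.startswith(b"-----BEGIN ") and first.endswith(b"PRIVATE KEY-----"):
        protected = b"ENCRYPTED" in first or any(
            l.startswith(b"Proc-Type: 4,ENCRYPTED") for l in lines[1:3])
        return {"kind": "pem-private-key", "passphrase": protected}
    return {"kind": "unknown"}


def check_key_file(path):
    """Return (classification, findings) for a file used as an ssh identity."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        # ssh ignores private keys that group or other can access
        findings.append("mode %04o is accessible by group/other" % mode)
    with open(path, "rb") as fh:
        info = classify_key_bytes(fh.read())
    if info["kind"] == "vault-ciphertext":
        findings.append("file is ansible-vault ciphertext; ssh cannot parse it "
                        "as a key and reports 'invalid format'")
    elif info["kind"] in ("empty", "unknown"):
        findings.append("no private-key header found")
    return info, findings


def constructed_samples():
    """Constructed inputs: a vault header with placeholder hex, and a minimal
    OpenSSH blob that carries only the fields this check reads."""
    vaulted = b"$ANSIBLE_VAULT;1.1;AES256\n6162636465666768\n"
    blob = (OPENSSH_MAGIC + struct.pack(">I", 4) + b"none"
            + struct.pack(">I", 4) + b"none")
    openssh = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
               + base64.b64encode(blob)
               + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    return vaulted, openssh


if __name__ == "__main__":
    for sample in constructed_samples():
        print(classify_key_bytes(sample))
```
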


Re: [ansible-project] win_service_info register

2021-01-25 Thread Jeremie Levy
Thank you!
I wonder why I didn't try it...

On Sun, Jan 24, 2021 at 9:28 PM jbor...@gmail.com wrote:

> Just loop the services entry and then your item is item.name.
>
> - win_service:
>     name: '{{ item.name }}'
>     state: started
>   with_items: '{{ service.services }}'
>
> This works because service.services is a list that contains a dictionary
> so you are looping each entry and then getting the name key in that dict.
>
> On Sunday, January 24, 2021 at 11:44:26 PM UTC+10 jer...@gmail.com wrote:
>
>> Hi Jordan, can you please assist here ?
>>
>> On Sun, Jan 24, 2021 at 3:08 PM jer...@gmail.com wrote:
>>
>>> Hi
>>> Trying to use win_service_info with a register.
>>> While the register is filled with multiple entries, I want to make sure
>>> all these are started.
>>> How to write the loop ?
>>>
>>>   - name: Find all services that start with 'blabla'
>>>     ansible.windows.win_service_info:
>>>       name: blabla*
>>>     register: service
>>>
>>>   # Print everything
>>>   - name: Print service facts
>>>     ansible.builtin.debug:
>>>       var: service
>>>
>>>   # Print only the first one
>>>   - name: Print service facts
>>>     ansible.builtin.debug:
>>>       var: service.services[0].name
>>>
>>>   - name: make sure service is started
>>>     win_service:
>>>       name: 'service.services[{{ item }}].name'
>>>       state: started
>>>     with_items: service.services.index ?
>>>
>>> Thanks!
>>>
>>> cc @jborean93


Re: [ansible-project] win_service_info register

2021-01-24 Thread Jeremie Levy
Hi Jordan, can you please assist here ?

On Sun, Jan 24, 2021 at 3:08 PM jer...@gmail.com  wrote:

> Hi
> Trying to use win_service_info with a register.
> While the register is filled with multiple entries, I want to make sure
> all these are started.
> How to write the loop ?
>
>   - name: Find all services that start with 'blabla'
>     ansible.windows.win_service_info:
>       name: blabla*
>     register: service
>
>   # Print everything
>   - name: Print service facts
>     ansible.builtin.debug:
>       var: service
>
>   # Print only the first one
>   - name: Print service facts
>     ansible.builtin.debug:
>       var: service.services[0].name
>
>   - name: make sure service is started
>     win_service:
>       name: 'service.services[{{ item }}].name'
>       state: started
>     with_items: service.services.index ?
>
> Thanks!
>
> cc @jborean93


Re: [ansible-project] Re: [Ansible windows] "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Generic error (see e-text)', -176532

2018-08-28 Thread Jeremie Levy
Hello Jordan
I moved from https to http
I removed the des kerberos options:
# default_tgs_enctypes = des-cbc-crc arcfour-hmac-md5
 default_tgs_enctypes = arcfour-hmac-md5
# default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc
 default_tkt_enctypes = arcfour-hmac-md5
# preferred_preauth_types = des-cbc-crc


And here is the result of the run - I have to admit this is not helping me
much...

# KRB5_TRACE=/dev/stdout ansible-playbook playbooks/win_test.yml --limit scststhost67.usa.company.com -
ansible-playbook 2.6.2
  config file = /ansible/scripts/ansible.cfg
  configured module search path = [u'/usr/local/lib/python2.7/dist-packages/ara/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 20160609]
Using /ansible/scripts/ansible.cfg as config file
setting up inventory plugins
Parsed /ansible/scripts/inventory/windows.yml inventory source with yaml plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc
Loading callback plugin ara of type notification, v2.0 from /usr/local/lib/python2.7/dist-packages/ara/plugins/callbacks/log_ara.pyc

PLAYBOOK: win_test.yml *
1 plays in playbooks/win_test.yml

PLAY [windows] *
META: ran handlers
Trying secret FileVaultSecret(filename='/nfs/site/disks/home30/ansible/.ssh/ansible_vault.txt') for vault_id=default

TASK [Simple Ping] *
task path: /ansible/scripts/playbooks/win_test.yml:5
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_ping.ps1
 ESTABLISH WINRM CONNECTION FOR USER: usa_ansi...@usa.company.com on PORT 5986 TO scststhost67.usa.company.com
checking if winrm_host scststhost67.usa.company.com is an IPv6 address
calling kinit with pexpect for principal usa_ansi...@usa.company.com
[5574] 1535488714.966934: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.967925: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.968917: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.969845: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.970790: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.974593: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.975957: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.976891: Retrieving usa_ansi...@usa.company.com from FILE:/etc/krb5/user/30254/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/30254/client.keytab' not found
[5574] 1535488714.979603: Getting credentials usa_ansi...@usa.company.com -> HTTP/scststhost67.usa.company@usa.company.com using ccache FILE:/tmp/tmpa0pCw0
[5574] 1535488714.979722: Retrieving usa_ansi...@usa.company.com -> HTTP/scststhost67.usa.company@usa.company.com from FILE:/tmp/tmpa0pCw0 with result: -1765328243/Matching credential not found
[5574] 1535488714.979790: Retrieving usa_ansi...@usa.company.com -> krbtgt/usa.company@usa.company.com from FILE:/tmp/tmpa0pCw0 with result: 0/Success
[5574] 1535488714.979801: Starting with TGT for client realm: usa_ansi...@usa.company.com -> krbtgt/usa.company@usa.company.com
[5574] 1535488714.979809: Requesting tickets for HTTP/scststhost67.usa.company@usa.company.com, referrals on
[5574] 1535488714.979835: Generated subkey for TGS request: rc4-hmac/DA64
[5574] 1535488714.979855: etypes requested in TGS request: rc4-hmac
[5574] 1535488714.979986: Encoding request body and padata into FAST r

[ansible-project] Re: [Ansible windows] "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Generic error (see e-text)', -1765328

2018-08-27 Thread Jeremie Levy
Using a USA domain user instead of a EUR domain user moves me to another
issue

*"kerberos: Bad HTTP response returned from server. Code 400"*
I found this question here:
https://groups.google.com/forum/#!topic/ansible-project/WJbhN3VYMmI but
nothing could help me.

I have to say, my first choice would be to use the same user eventually.

Thanks

Jordan / Jon ? :)

On Monday, August 27, 2018 at 9:51:54 AM UTC+3, Jeremie Levy wrote:
>
> Hi
> In my company we have a forest with multiple domains, EUR / USA ...
> I can work without any issue with my domain (EUR) with a EUR user
>
> Now I'm trying to access a USA server with and got the following failure:
>
> # ansible-playbook agent.yml --limit tsthost67.usa.company.com -
> ansible-playbook 2.6.2
>   config file = /ansible/scripts/ansible.cfg
>   configured module search path = 
> [u'/usr/local/lib/python2.7/dist-packages/ara/plugins/modules']
>   ansible python module location = /usr/lib/python2.7/dist-packages/ansible
>   executable location = /usr/bin/ansible-playbook
>   python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 
> 20160609]
> Using /ansible/scripts/ansible.cfg as config file
> setting up inventory plugins
> Parsed /ansible/scripts/inventory/windows.yml inventory source with yaml 
> plugin
> Loading callback plugin default of type stdout, v2.0 from 
> /usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc
> Loading callback plugin ara of type notification, v2.0 from 
> /usr/local/lib/python2.7/dist-packages/ara/plugins/callbacks/log_ara.pyc
>
> PLAYBOOK: agent.yml 
> *
> 1 plays in agent.yml
>
> PLAY [fw] 
> *
> Trying secret 
> FileVaultSecret(filename='/nfs/site/disks/home30/ansible/.ssh/ansible_vault.txt')
>  
> for vault_id=default
>
> TASK [Gathering Facts] 
> 
> task path: /ansible/scripts/agent.yml:2
> Using module file 
> /usr/lib/python2.7/dist-packages/ansible/modules/windows/setup.ps1
>  ESTABLISH WINRM CONNECTION FOR USER: 
> ansi...@eur.company.com on PORT 5986 TO tsthost67.usa.company.com
> checking if winrm_host tsthost67.usa.company.com is an IPv6 address
> calling kinit with pexpect for principal ansi...@eur.company.com
> fatal: [tsthost67.usa.company.com]: UNREACHABLE! => {
> "changed": false,
> *"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS 
> failure.  Minor code may provide more information', 851968), ('Generic 
> error (see e-text)', -1765328324))",*
> "unreachable": true
> }
> to retry, use: --limit @/ansible/scripts/qb-agent-fw.retry
>
> PLAY RECAP 
> 
> tsthost67.usa.company.com : ok=0    changed=0    unreachable=1    failed=0
>
>
>
> my kerberos file:
>
> # cat /etc/krb5.conf
> [libdefaults]
>  default_realm = EUR.COMPANY.COM
>  ticket_lifetime = 36000
>  renew_lifetime = 2592000

[ansible-project] [Ansible windows] "kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Generic error (see e-text)', -1765328324)

2018-08-26 Thread Jeremie Levy
Hi
In my company we have a forest with multiple domains, EUR / USA ...
I can work without any issue with my domain (EUR) with a EUR user

Now I'm trying to access a USA server with and got the following failure:

# ansible-playbook agent.yml --limit tsthost67.usa.company.com -
ansible-playbook 2.6.2
  config file = /ansible/scripts/ansible.cfg
  configured module search path = 
[u'/usr/local/lib/python2.7/dist-packages/ara/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 
20160609]
Using /ansible/scripts/ansible.cfg as config file
setting up inventory plugins
Parsed /ansible/scripts/inventory/windows.yml inventory source with yaml 
plugin
Loading callback plugin default of type stdout, v2.0 from 
/usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc
Loading callback plugin ara of type notification, v2.0 from 
/usr/local/lib/python2.7/dist-packages/ara/plugins/callbacks/log_ara.pyc

PLAYBOOK: agent.yml 
*
1 plays in agent.yml

PLAY [fw] 
*
Trying secret 
FileVaultSecret(filename='/nfs/site/disks/home30/ansible/.ssh/ansible_vault.txt')
 
for vault_id=default

TASK [Gathering Facts] 

task path: /ansible/scripts/agent.yml:2
Using module file 
/usr/lib/python2.7/dist-packages/ansible/modules/windows/setup.ps1
 ESTABLISH WINRM CONNECTION FOR USER: 
ansi...@eur.company.com on PORT 5986 TO tsthost67.usa.company.com
checking if winrm_host tsthost67.usa.company.com is an IPv6 address
calling kinit with pexpect for principal ansi...@eur.company.com
fatal: [tsthost67.usa.company.com]: UNREACHABLE! => {
"changed": false,
*"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS 
failure.  Minor code may provide more information', 851968), ('Generic 
error (see e-text)', -1765328324))",*
"unreachable": true
}
to retry, use: --limit @/ansible/scripts/qb-agent-fw.retry

PLAY RECAP 

tsthost67.usa.company.com : ok=0    changed=0    unreachable=1    failed=0



my kerberos file:

# cat /etc/krb5.conf
[libdefaults]
 default_realm = EUR.COMPANY.COM
 ticket_lifetime = 36000
 renew_lifetime = 2592000
 default_keytab_name = /etc/krb5.keytab
 forwardable = true
 allow_weak_crypto = true
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tgs_enctypes = des-cbc-crc arcfour-hmac-md5
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc
 preferred_preauth_types = des-cbc-crc

[d

Re: [ansible-project] Ansible looping over register and multiple lists

2018-05-22 Thread Jeremie Levy
It worked!
Since the first is 0, the last should be {{nb_of_agents -1 |int}}

- name: output
  debug:
    var: qb_svc.results[item|int].exists
  with_sequence: start=0 end='{{nb_of_agents - 1 |int}}'


Thanks


On Tuesday, May 22, 2018 at 9:39:50 AM UTC+3, Jordan Borean wrote:
>
> Looks like item is being used as a unicode string (u'1') and not an int, 
> can you try qb_svc.results[item|int].exists and see if that works?
>



Re: [ansible-project] Ansible looping over register and multiple lists

2018-05-21 Thread Jeremie Levy
Thank you Jordan
Actually, I also tried without the "." as you suggested and it didn't work
Code:
- name: output
  debug:
    var: qb_svc

- name: output
  debug:
    var: qb_svc.results[item].exists
  with_sequence: count='{{nb_of_agents}}'




Here is my output with your suggestion:
task path: /ansible/scripts/playbooks/qb-agents-fw-multiple.yml:16
ok: [hasgappqba1102.DOMAIN] => {
    "qb_svc": {
        "changed": false,
        "msg": "All items completed",
        "results": [
            {
                "_ansible_ignore_errors": null,
                "_ansible_item_result": true,
                "_ansible_no_log": false,
                "_ansible_parsed": true,
                "changed": false,
                "exists": false,
                "failed": false,
                "item": "1"
            },
            {
                "_ansible_ignore_errors": null,
                "_ansible_item_result": true,
                "_ansible_no_log": false,
                "_ansible_parsed": true,
                "changed": false,
                "exists": false,
                "failed": false,
                "item": "2"
            }
        ]
    }
}

TASK [output] 
**
task path: /ansible/scripts/playbooks/qb-agents-fw-multiple.yml:20
ok: [hasgappqba1102.DOMAIN] => (item=None) => {
"qb_svc.results[item].exists": "VARIABLE IS NOT DEFINED!: 'list object' 
has no attribute u'1'"
}
ok: [hasgappqba1102.DOMAIN] => (item=None) => {
"qb_svc.results[item].exists": "VARIABLE IS NOT DEFINED!: 'list object' 
has no attribute u'2'"
}

TASK [install Agent '{{ item }}'] 
**
task path: /ansible/scripts/playbooks/qb-agents-fw-multiple.yml:25
fatal: [hasgappqba1102.DOMAIN]: FAILED! => {
"msg": "The conditional check 'qb_svc.results[item].exists' failed. The 
error was: error while evaluating conditional 
(qb_svc.results[item].exists): 'list object' has no attribute u'1'\n\nThe 
error appears to have been in 
'/ansible/scripts/playbooks/qb-agents-fw-multiple.yml': line 25, column 7, 
but may\nbe elsewhere in the file depending on the exact syntax 
problem.\n\nThe offending line appears to be:\n\n\n- name: install 
Agent '{{ item }}'\n  ^ here\nWe could be wrong, but this one looks 
like it might be an issue with\nmissing quotes.  Always quote template 
expression brackets when they\nstart a value. For instance:\n\n
with_items:\n  - {{ foo }}\n\nShould be written as:\n\n
with_items:\n  - \"{{ foo }}\"\n"
}
to retry, use: --limit 
@/ansible/scripts/playbooks/qb-agents-fw-multiple.retry


Thank you!

On Tuesday, May 22, 2018 at 8:04:06 AM UTC+3, Jordan Borean wrote:
>
> You can't normally run in parallel with a loop, they are run sequentially. 
> You can hack around it by running with async and poll 0 and then poll that 
> status but it isn't a perfect "run all items in list in parallel" that you 
> are looking for.
>
> Your debug output
>
> - name: output
>   debug:
>     var: svc.results.[item].exists
>   with_sequence: count='{{nb_of_agents}}'
>
> Won't work as you are trying to get key 0, 1, 2, 3, etc of the svc.results
> var when it is actually a list. You want something like
> 'svc.results[item].exists' instead. What this does is gets the list entry of
> item, bear in mind that lists are a 0 based index, so the first entry is 0,
> 2nd is 1 and so on. You might have to do something like
> 'svc.results[item - 1].exists' if you want to match up the entry to your
> agent index starting at 1.
>
> I haven't used with_sequence a lot so can't tell if that syntax is ok, 
> apart from that what you have seems ok at a brief glance but having the 
> output from a run that failed would help us narrow down your issue.
>
> Thanks
>
> Jordan
>



Re: [ansible-project] Ansible looping over register and multiple lists

2018-05-21 Thread Jeremie Levy
Hi David
Here it is:

- name: check service '{{ item }}' is not already running
  win_service:
    name: Build Agent Prod '{{ item }}'
  register: svc
  with_sequence: start=1 end='{{nb_of_agents}}'

- name: output
  debug:
    var: svc

- name: output
  debug:
    var: svc.results.[item].exists
  with_sequence: count='{{nb_of_agents}}'

- name: install Agent '{{ item }}'
  win_copy:
    src: \\some\share\buildagent_prod_template
    dest: 'D:\buildagent_prod_{{ item }}'
    force: no
    remote_src: yes
  when: svc.results[item].exists == false
  register: agent
  with_sequence: count='{{nb_of_agents}}'

- name: modify Port
  win_lineinfile:
    path: D:\buildagent_prod_{{ item }}\conf\node.properties
    backrefs: yes
    regexp: '(^port)=.*'
    line: '$1={{ item2 }}'
  when: 'agent.results[item]'
  with_together: count=nb_of_agents
  with_items: start=qb_prod_agent_port count=nb_of_agents

Thanks

On Monday, May 21, 2018 at 5:05:57 PM UTC+3, David Villasmil wrote:
>
> Please paste the code WITHOUT any formatting. Font should be any 
> single-space so that spacing is correct.
>
> On Mon, May 21, 2018, 15:55 Jeremie Levy wrote:
>
>> Hi
>> I'm trying to do the following (in windows but it's not important):
>>
>>    1. Need to deploy N number of build agents to a server (according to
>>       the inventory nb_of_agents) - *iteration1*
>>    2. Each agent should have a unique port starting from 8811 - *iteration2*
>>    3. Check if the service is already present - store in register. - *REGISTER LIST*
>>    4. Install according to the register.
>>
>> First question: Using a register list, how do I use: when:
>> service.results.exists for specific index?
>> Second question: how do I go in parallel via multiple lists:
>>
>>    1. with_sequence: start=1 end='{{ nb_of_agents}}'' *and*
>>    2. with_sequence: start=8811 count='{{ nb_of_agents}}'' *and*
>>    3. when: service.result[index].exists
>>
>> So the code looks like this:
>> - name: check service '{{ item }}' is not already running
>>   win_service:
>>     name: Build Agent Prod '{{ item }}'
>>   register: svc
>>   with_sequence: start=1 end='{{nb_of_agents}}'
>>
>> - name: output
>>   debug:
>>     var: svc
>>
>> - name: output
>>   debug:
>>     var: svc.results.[item].exists
>>   with_sequence: count='{{nb_of_agents}}'
>>
>> - name: install Agent '{{ item }}'
>>   win_copy:
>>     src: \\some\share\buildagent_prod_template
>>     dest: 'D:\buildagent_prod_{{ item }}'
>>     force: no
>>     remote_src: yes
>>   when: svc.results[item].exists == false
>>   register: agent
>>   with_sequence: count='{{nb_of_agents}}'
>>
>> - name: modify Port
>>   win_lineinfile:
>>     path: D:\buildagent_prod_{{ item }}\conf\node.properties
>>     backrefs: yes
>>     regexp: '(^port)=.*'
>>     line: '$1={{ item2 }}'
>>   when: 'agent.results[item]'
>>   with_together: count=nb_of_agents
>>   with_items: start=qb_prod_agent_port count=nb_of_agents
>>
>>
>> *Thanks!!*


[ansible-project] Ansible looping over register and multiple lists

2018-05-21 Thread Jeremie Levy
Hi
I'm trying to do the following (in windows but it's not important):

   1. Need to deploy N number of build agents to a server (according to the
      inventory nb_of_agents) - *iteration1*
   2. Each agent should have a unique port starting from 8811 - *iteration2*
   3. Check if the service is already present - store in register. - *REGISTER LIST*
   4. Install according to the register.

First question: Using a register list, how do I use: when:
service.results.exists for specific index?
Second question: how do I go in parallel via multiple lists:

   1. with_sequence: start=1 end='{{ nb_of_agents}}'' *and*
   2. with_sequence: start=8811 count='{{ nb_of_agents}}'' *and*
   3. when: service.result[index].exists

So the code looks like this:
- name: check service '{{ item }}' is not already running
  win_service:
    name: Build Agent Prod '{{ item }}'
  register: svc
  with_sequence: start=1 end='{{nb_of_agents}}'

- name: output
  debug:
    var: svc

- name: output
  debug:
    var: svc.results.[item].exists
  with_sequence: count='{{nb_of_agents}}'

- name: install Agent '{{ item }}'
  win_copy:
    src: \\some\share\buildagent_prod_template
    dest: 'D:\buildagent_prod_{{ item }}'
    force: no
    remote_src: yes
  when: svc.results[item].exists == false
  register: agent
  with_sequence: count='{{nb_of_agents}}'

- name: modify Port
  win_lineinfile:
    path: D:\buildagent_prod_{{ item }}\conf\node.properties
    backrefs: yes
    regexp: '(^port)=.*'
    line: '$1={{ item2 }}'
  when: 'agent.results[item]'
  with_together: count=nb_of_agents
  with_items: start=qb_prod_agent_port count=nb_of_agents


*Thanks!!*



[ansible-project] Re: win_disk_facts - get size and size remaining

2018-05-14 Thread Jeremie Levy
I found how to loop over the data, but I still didn't figure out how to
select inside specific data
- name: test 1
  debug:
    msg: "{{ item.key }}"
  with_dict: "{{ ansible_disks }}"


Got:

ok: [hostname] => (item=None) => {
    "msg": "partitions"
}

If trying to dig into partitions
{{ item.value.partitions }}
"msg": "The task includes an option with an undefined variable. The error
was: 'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute
'partitions'

Any chance someone can give an input? It seems to be just a JSON gap I have
and not Ansible actually.


Thanks!


On Thursday, May 10, 2018 at 2:22:46 PM UTC+3, Jeremie Levy wrote:
>
> Hi
> I'm trying to use win_disk_facts new module.
>
> I would like to get the size and remaining size of each 
> disk/partition/volume.
>
> Is there a way to "discover" how many of them there are in a kind of loop ?
>
> - name: Get disk facts
>   win_disk_facts:
>
> - name: Output first disk size
>   debug:
>     msg: '{{ disk1s }}'
>   vars:
>     disk1s: '{{ ansible_facts.disks[0].partitions[0].volumes[0].size }}'
>
> This one gives me info on the first partition, what about the others ? if 
> there is 1 or 20 ?
>
> Thanks!
>
> @marqelme
> @jborean93
>



[ansible-project] win_disk_facts - get size and size remaining

2018-05-10 Thread Jeremie Levy
Hi
I'm trying to use win_disk_facts new module.

I would like to get the size and remaining size of each 
disk/partition/volume.

Is there a way to "discover" how many of them there are in a kind of loop ?

- name: Get disk facts
  win_disk_facts:

- name: Output first disk size
  debug:
    msg: '{{ disk1s }}'
  vars:
    disk1s: '{{ ansible_facts.disks[0].partitions[0].volumes[0].size }}'

This one gives me info on the first partition, what about the others ? if 
there is 1 or 20 ?

Thanks!

@marqelme
@jborean93



[ansible-project] Re: Unable to connect to zabbix server

2018-04-30 Thread Jeremie Levy
Anyone please ? 

On Sunday, April 29, 2018 at 3:27:40 PM UTC+3, Jeremie Levy wrote:
>
> Hi
> Trying to send request to my internal zabbix server and i get this error - 
> if anyone knows how to fix it.
>
> # pip list |grep zabbix
> zabbix-api0.5.3
>
>
>
> # ansible-playbook qb-agent-fw.yml --limit hasgqba025.DOMAIN -
> ansible-playbook 2.5.0   
>   
>   config file = /ansible/scripts/ansible.cfg 
> 
>   configured module search path = [u
> '/usr/local/lib/python2.7/dist-packages/ara/plugins/modules'] 
>  
>   ansible python module location = /usr/lib/python2.7/dist-packages/ansible 
>
>   executable location = /usr/bin/ansible-playbook 
>  
>   python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 
> 20160609]
> Using /ansible/scripts/ansible.cfg as config file 
>
> setting up inventory plugins   
> 
> Parsed /ansible/scripts/inventory/windows.yml inventory source with yaml 
> plugin  
> Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2
> .7/dist-packages/ansible/plugins/callback/default.pyc
> Loading callback plugin ara of type notification, v2.0 from /usr/local/lib
> /python2.7/dist-packages/ara/plugins/callbacks/log_ara.pyc   
>
>
> TASK [common : add host to zabbix server] 
> **
> task path: /nfs/iil/disks/eis/ansible/scripts/roles/common/tasks/zabbix.
> yml:2 
> 
>   
> Using module file /usr/lib/python2.7/dist-packages/ansible/modules/
> monitoring/zabbix/zabbix_host.py 
> 
> 
>  ESTABLISH LOCAL CONNECTION FOR USER: sys_ansible 
> 
> 
>
>  EXEC /bin/sh -c 'echo ~ && sleep 0'   
> 
> 
>   
>  EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo 
> /nfs/site/home/sys_ansible/.ansible/tmp/ansible-tmp-1524991995.58-156273026676281
>  
> `" && echo ansible-tmp-1524991995.58-156273026676281="` echo 
> /nfs/site/home/sys_ansible/.ansible/tmp/ansible-tmp-1524991995.58-156273026676281
>  
> `" ) && sleep 0' 
> 
> 
>   
>  PUT /nfs/site/home/sys_ansible/.ansible/tmp/ansible-local-
> 37581eafvWL/tmpU8jpCH TO /nfs/site/home/sys_ansible/.ansible/tmp/ansible-
> tmp-1524991995.58-156273026676281/zabbix_host.py 
> 
>  EXEC /bin/sh -c 'chmod u+x 
> /nfs/site/home/sys_ansible/.ansible/tmp/ansible-tmp-1524991995.58-156273026676281/
>  
> /nfs/site/home/sys_ansible/.ansible/tmp/ansible-tmp-1524991995.58-156273026676281/zabbix_host.py
>  
> && sleep 0'  
>  EXEC /bin/sh -c '/usr/bin/python 
> /nfs/site/home/sys_ansible/.ansible/t

[ansible-project] Unable to connect to zabbix server

2018-04-29 Thread Jeremie Levy
Hi
Trying to send a request to my internal Zabbix server and I get this error - 
if anyone knows how to fix it.

# pip list |grep zabbix
zabbix-api 0.5.3

# ansible-playbook qb-agent-fw.yml --limit hasgqba025.DOMAIN -
ansible-playbook 2.5.0
  config file = /ansible/scripts/ansible.cfg
  configured module search path = [u'/usr/local/lib/python2.7/dist-packages/ara/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 20160609]
Using /ansible/scripts/ansible.cfg as config file
setting up inventory plugins
Parsed /ansible/scripts/inventory/windows.yml inventory source with yaml plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc
Loading callback plugin ara of type notification, v2.0 from /usr/local/lib/python2.7/dist-packages/ara/plugins/callbacks/log_ara.pyc

TASK [common : add host to zabbix server] **
task path: /nfs/iil/disks/eis/ansible/scripts/roles/common/tasks/zabbix.yml:2
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/monitoring/zabbix/zabbix_host.py
ESTABLISH LOCAL CONNECTION FOR USER: sys_ansible
EXEC /bin/sh -c 'echo ~ && sleep 0'
EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /nfs/site/home/sys_ansible/.ansible/tmp/ansible-tmp-1524991995.58-156273026676281 `" && echo ansible-tmp-1524991995.58-156273026676281="` echo /nfs/site/home/sys_ansible/.ansible/tmp/ansible-tmp-1524991995.58-156273026676281 `" ) && sleep 0'
PUT /nfs/site/home/sys_ansible/.ansible/tmp/ansible-local-37581eafvWL/tmpU8jpCH TO /nfs/site/home/sys_ansible/.ansible/tmp/ansible-tmp-1524991995.58-156273026676281/zabbix_host.py
EXEC /bin/sh -c 'chmod u+x /nfs/site/home/sys_ansible/.ansible/tmp/ansible-tmp-1524991995.58-156273026676281/ /nfs/site/home/sys_ansible/.ansible/tmp/ansible-tmp-1524991995.58-156273026676281/zabbix_host.py && sleep 0'
EXEC /bin/sh -c '/usr/bin/python /nfs/site/home/sys_ansible/.ansible/tmp/ansible-tmp-1524991995.58-156273026676281/zabbix_host.py && sleep 0'
EXEC /bin/sh -c 'rm -f -r /nfs/site/home/sys_ansible/.ansible/tmp/ansible-tmp-1524991995.58-156273026676281/ > /dev/null 2>&1 && sleep 0'


The full traceback is:

[ansible-project] Re: win_shell failing since Ansible 2.5 (?)

2018-03-27 Thread Jeremie Levy
Thanks Jordan!
I am able to bypass this issue by checking the directory with win_stat and 
using a register as a condition for the win_shell.
I noticed the handlers are now working, which is great :)

Thanks again!

On Tuesday, March 27, 2018 at 2:50:05 AM UTC+3, Jordan Borean wrote:
>
> Sidenote: here is the PR to fix this issue 
> https://github.com/ansible/ansible/pull/37968
>



[ansible-project] win_shell failing since Ansible 2.5 (?)

2018-03-26 Thread Jeremie Levy
My playbook has been broken since I upgraded to v2.5

Here is the simplest example I have:

The code from my playbook:
- name: Install Winzip Package
  win_shell: 'cmd /C C:\Users\ansible\Downloads\install_winzip.cmd'
  args:
    creates: 'C:\Program Files\WinZip\WINZIP64.EXE'


Here is the output:
TASK [common : Install Winzip Package] *
task path: /ansible/scripts/roles/common/tasks/winzip.yml:11
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_shell.ps1
ESTABLISH WINRM CONNECTION FOR USER: ansible@DOMAIN on PORT 5986 TO hasgqba011.DOMAIN
checking if winrm_host hasgqba011.DOMAIN is an IPv6 address
creating Kerberos CC at /tmp/tmpg3ejrJ
calling kinit with subprocess for principal ansible@DOMAIN
kinit succeeded for principal ansible@DOMAIN
WINRM CONNECT: transport=kerberos endpoint=https://hasgqba011.DOMAIN:5986/wsman
WINRM OPEN SHELL: CCE2248A-9096-4242-B51C-9A1911DBBEE9
EXEC (via pipeline wrapper)
WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-']
WINRM RESULT u''
WINRM CLOSE SHELL: CCE2248A-9096-4242-B51C-9A1911DBBEE9
fatal: [hasgqba011.DOMAIN]: FAILED! => {
    "changed": false,
    "module_stderr": "Test-AnsiblePath : Exception calling \"GetAttributes\" with \"1\" argument(s): \"Could not find a part of the path \r\n'C:\\Program Files\\WinZip\\WINZIP64.EXE'.\"\r\nAt line:59 char:21\r\n+ if ($creates -and $(Test-AnsiblePath -Path $creates)) {\r\n+     ~~~\r\n+ CategoryInfo  : NotSpecified: (:) [Test-AnsiblePath], MethodInvocationException\r\n+ FullyQualifiedErrorId : DirectoryNotFoundException,Test-AnsiblePath\r\n \r\n\r\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE",
    "rc": 1
}
  

I want to install winzip if the file winzip64.exe is not found, and it 
fails because it's not found.
Removing the args/creates lines --> works like a charm.

Thanks.



[ansible-project] Re: Windows - become_method runas - password definition

2018-02-19 Thread Jeremie Levy
Hi
No $ but @ is there.
I created a service with the credentials so they are working. (win_service)
It's just for this. And win_file or win_stat, it doesn't matter, I can't 
find out how to pass the password.



On Monday, February 19, 2018 at 3:47:53 PM UTC+2, J Hawkesworth wrote:
>
> Hello,
>
> I haven't tried this myself but I am wondering if you maybe have a 
> password containing a special character, such as $ - I have had trouble 
> with passwords which contain characters which have reserved meaning in 
> powershell in the past?
>
> Also do you perhaps mean to use win_file module instead of win_stat? If I 
> recall, win_stat only returns information on a file, such as whether it 
> exists and is in the expected state, but win_file will ensure a file or 
> directory exists
>
> win_file:
>   state: directory
>   path: c:\Users\bld_usr
>
> Hope this helps,
>
> Jon
>
>
>
> On Monday, February 19, 2018 at 9:40:07 AM UTC, Jeremie Levy wrote:
>>
>> Hello
>> I am using successfully ansible in my windows environment with Kerberos.
>> I am still having trouble if i want to execute a task as another user 
>> than my ansible user.
>>
>> For example, i want to execute specific task as build user to make sure 
>> it's home dir is present - if not i guess my command will create it by 
>> login this specific user.
>>
>>
>> build_usr_password is in the var files (i used the debug module to check 
>> i can access it)
>>
>> - name: Touching a file in order to make sure the account home dir is 
>> created.
>> win_stat:
>> path: C:\Users\build_usr
>> state: present
>> become: yes
>> become_method: runas
>> become_user: build_usr@DOMAIN
>> password: "{{ build_usr_password }}"
>>
>>
>> I tried *ansible_become_password* *become_password* and 
>> *ansible_password*. Still same issue:
>>
>> The full traceback is:
>> LogonUser failed (The user name or password is incorrect, Win32ErrorCode 
>> 1326)
>> At line:623 char:13
>> + throw [Ansible.Shell.Win32Exception] "LogonUser failed"
>> + ~~~
>> + CategoryInfo  : OperationStopped: (:) [], Win32Exception
>> + FullyQualifiedErrorId : LogonUser failed (The user name or password 
>> is incorrect, Win32ErrorCode 1326)
>>
>>
>> failed: [hasgqba110.ger.corp.intel.com] (item=bEeq07WG8-RQ.Myr9Ymd) => {
>> "changed": false,
>> "item": "bEeq07WG8-RQ.Myr9Ymd",
>> "msg": "LogonUser failed (The user name or password is incorrect, 
>> Win32ErrorCode 1326)"
>> }
>>
>> How do i define the password for this task ? (the password is in the 
>> vault encrypted file, i don't want to/can't pass it via the CLI)
>>
>> ansible-playbook 2.4.3.0  
>>  
>> python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 
>> 20160609]  
>>
>>
>> Jordan ? :)
>>
>>



[ansible-project] Windows - become_method runas - password definition

2018-02-19 Thread Jeremie Levy
Hello
I am successfully using Ansible in my Windows environment with Kerberos.
I am still having trouble if I want to execute a task as another user than 
my ansible user.

For example, I want to execute a specific task as the build user to make sure 
its home dir is present - if not, I guess my command will create it by 
logging in this specific user.


build_usr_password is in the var files (I used the debug module to check I 
can access it)

- name: Touching a file in order to make sure the account home dir is 
created.
win_stat:
path: C:\Users\build_usr
state: present
become: yes
become_method: runas
become_user: build_usr@DOMAIN
password: "{{ build_usr_password }}"


I tried *ansible_become_password* *become_password* and *ansible_password*. 
Still same issue:

The full traceback is:
LogonUser failed (The user name or password is incorrect, Win32ErrorCode 
1326)
At line:623 char:13
+ throw [Ansible.Shell.Win32Exception] "LogonUser failed"
+ ~~~
+ CategoryInfo  : OperationStopped: (:) [], Win32Exception
+ FullyQualifiedErrorId : LogonUser failed (The user name or password 
is incorrect, Win32ErrorCode 1326)


failed: [hasgqba110.ger.corp.intel.com] (item=bEeq07WG8-RQ.Myr9Ymd) => {
"changed": false,
"item": "bEeq07WG8-RQ.Myr9Ymd",
"msg": "LogonUser failed (The user name or password is incorrect, 
Win32ErrorCode 1326)"
}

How do I define the password for this task? (The password is in the vault 
encrypted file, I don't want to/can't pass it via the CLI.)

ansible-playbook 2.4.3.0
   
python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 
20160609]  


Jordan ? :)



[ansible-project] Re: unable to ping windows machine using ansible

2018-02-18 Thread Jeremie Levy
Your config should look like this:
ansible_user: username
#password goes here when you don't want to use -k option.
ansible_password: password
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_scheme: https
ansible_winrm_server_cert_validation: ignore
ansible_winrm_kerberos_delegation: true


And you need to run the script
https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
first.

On Sunday, February 18, 2018 at 1:49:20 PM UTC+2, Sameer Modak wrote:
>
> Below is the configuration and its corresponding error,
>
> [windows]
> 192.168.1.102
> [windows:vars]
> ansible_ssh_user=smodak
> ansible_ssh_pass=**
> ansible_ssh_port=5986
> ansible_connection=winrm
> ansible_winrm_server_cert_validation=ignore
>
> =
>
> [root@hackerdev ansible]# ansible -vvv windows -m win_ping 
> Using /etc/ansible/ansible.cfg as config file
> META: ran handlers
> Using module file 
> /usr/lib/python2.7/site-packages/ansible/modules/windows/win_ping.ps1
> <192.168.1.102> ESTABLISH WINRM CONNECTION FOR USER: smodak on PORT 5986 
> TO 192.168.1.102
> 192.168.1.102 | UNREACHABLE! => {
> "changed": false, 
> "msg": "ssl: HTTPSConnectionPool(host='192.168.1.102', port=5986): Max 
> retries exceeded with url: /wsman (Caused by 
> NewConnectionError(' 0x3623650>: Failed to establish a new connection: [Errno 111] Connection 
> refused',))", 
> "unreachable": true
> }
>
>
> What is going wrong ?
>
> is it something missing on windows machine??/
>



[ansible-project] Re: requests-credssp and credentials encryprion at first hop.

2018-02-06 Thread Jeremie Levy
I've checked the eventlog and it appears that ansible was trying to become 
root instead of the username from the vars.
I've dug again here to find some examples of become and I found one of your 
answers: 
https://groups.google.com/forum/#!searchin/ansible-project/windows$20become%7Csort:date/ansible-project/g205HMIEjws/tYYMEzlSBQAJ

Bottom line, it's working like that - and using the -K flag @ command line.
---
- hosts: windows
gather_facts: no
tasks:
- name: Check Visual studio Code file
win_stat:
path: \\some\dfs\path\VSCodeSetup-1.8.1.exe
register: result
state: present
become: yes
become_method: runas
become_user: ansible@domain

Thank you Jordan!

On Tuesday, February 6, 2018 at 2:11:30 PM UTC+2, Jeremie Levy wrote:
>
> Also Tried
> ---
> - hosts: windows
> gather_facts: no
> vars:
> - username: ansible@DOMAIN
> - password: password
> become_method: runas
> tasks:
> - name: Check Visual studio Code file
> win_stat:
> path: \\some\dfs\path\VSCodeSetup-1.8.1.exe
> register: result
> state: present
> become: yes
>
> And got:
>
> ansible-playbook 2.5.0 (devel 575e9e9294) last updated 2018/02/06 08:39:18 
> (GMT +300)   
>   config file = /ansible/scripts/ansible.cfg  
> 
>   configured module search path = 
> [u'/home/ansible/.ansible/plugins/modules', 
> u'/usr/share/ansible/plugins/modules']
>   ansible python module location = /ansible/scripts/ansible/lib/ansible
> 
>   executable location = /ansible/scripts/ansible/bin/ansible-playbook  
> 
>   python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 
> 20160609]  
> Using /ansible/scripts/ansible.cfg as config file  
> 
> setting up inventory plugins  
>
> Parsed /scripts/windows-inventory.yml inventory source with yaml plugin
> 
> Loading callback plugin default of type stdout, v2.0 from 
> /ansible/scripts/ansible/lib/ansible/plugins/callback/default.pyc
>
>
>
>
>  WINRM STDERR
>  WINRM CLOSE SHELL: 
> AC3CF2B5-A044-43DF-A24B-53DB23624226
> The full traceback is:
> Exception calling "RunAsUser" with "7" argument(s): "LogonUser failed (The 
> user name or password is incorrect,
> Win32ErrorCode 1326)"
> At line:1062 char:9
> + $result = [Ansible.BecomeUtil]::RunAsUser($username, $passwor ...
> + ~
> + CategoryInfo  : NotSpecified: (:) [], 
> MethodInvocationException
> + FullyQualifiedErrorId : Win32Exception
>
>
> fatal: [hasgappqba2303.domain]: FAILED! => {
> "changed": false,
> "failed": true,
> "msg": "Exception calling \"RunAsUser\" with \"7\" argument(s): 
> \"LogonUser failed (The user name or password is incorrect, Win32ErrorCode 
> 1326)\""
> }
>
>
>
>
> On Tuesday, February 6, 2018 at 12:45:31 PM UTC+2, Jeremie Levy wrote:
>>
>> Win_package is working fine locally. I'm downloading all the SW i need 
>> and install them locally
>> win_stat:
>> TASK [Check Visual studio Code file] 
>> ***
>> task path: /ansible/scripts/win_stat.yaml:4
>> Using module file 
>> /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_stat.ps1
>> Using module file 
>> /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_stat.ps1
>>  ESTABLISH WINRM CONNECTION FOR USER: ansible@
>> domain on PORT 5986 TO hasgappqba2302.domain
>>  ESTABLISH WINRM CONNECTION FOR USER: ansible@
>> domain on PORT 5986 TO hasgappqba2303.domain
>> creating Kerberos CC at /tmp/tmpMi3utN
>> creating Kerberos CC at /tmp/tmpUIFzBS
>> calling kinit for principal ansible@domain
>> calling kinit for principal ansible@domain
>> kinit succeeded for principal ansible@domain
>>  WINRM CONNECT: transport=kerberos endpoint=
>> https://hasgappqba2302.domain:5986/wsman
>> kinit succeeded for principal ansible@domain
>>  WINRM CONNECT: transport=kerberos endpoint=
>> https://hasgappqba2303.doma

[ansible-project] Re: requests-credssp and credentials encryprion at first hop.

2018-02-06 Thread Jeremie Levy
Also Tried
---
- hosts: windows
gather_facts: no
vars:
- username: ansible@DOMAIN
- password: password
become_method: runas
tasks:
- name: Check Visual studio Code file
win_stat:
path: \\some\dfs\path\VSCodeSetup-1.8.1.exe
register: result
state: present
become: yes

And got:

ansible-playbook 2.5.0 (devel 575e9e9294) last updated 2018/02/06 08:39:18 (GMT +300)
  config file = /ansible/scripts/ansible.cfg
  configured module search path = [u'/home/ansible/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /ansible/scripts/ansible/lib/ansible
  executable location = /ansible/scripts/ansible/bin/ansible-playbook
  python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 20160609]
Using /ansible/scripts/ansible.cfg as config file
setting up inventory plugins
Parsed /scripts/windows-inventory.yml inventory source with yaml plugin
Loading callback plugin default of type stdout, v2.0 from /ansible/scripts/ansible/lib/ansible/plugins/callback/default.pyc

WINRM STDERR
WINRM CLOSE SHELL: AC3CF2B5-A044-43DF-A24B-53DB23624226
The full traceback is:
Exception calling "RunAsUser" with "7" argument(s): "LogonUser failed (The 
user name or password is incorrect,
Win32ErrorCode 1326)"
At line:1062 char:9
+ $result = [Ansible.BecomeUtil]::RunAsUser($username, $passwor ...
+ ~
+ CategoryInfo  : NotSpecified: (:) [], 
MethodInvocationException
+ FullyQualifiedErrorId : Win32Exception


fatal: [hasgappqba2303.domain]: FAILED! => {
"changed": false,
"failed": true,
"msg": "Exception calling \"RunAsUser\" with \"7\" argument(s): 
\"LogonUser failed (The user name or password is incorrect, Win32ErrorCode 
1326)\""
}




On Tuesday, February 6, 2018 at 12:45:31 PM UTC+2, Jeremie Levy wrote:
>
> Win_package is working fine locally. I'm downloading all the SW i need and 
> install them locally
> win_stat:
> TASK [Check Visual studio Code file] 
> ***
> task path: /ansible/scripts/win_stat.yaml:4
> Using module file 
> /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_stat.ps1
> Using module file 
> /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_stat.ps1
>  ESTABLISH WINRM CONNECTION FOR USER: ansible@
> domain on PORT 5986 TO hasgappqba2302.domain
>  ESTABLISH WINRM CONNECTION FOR USER: ansible@
> domain on PORT 5986 TO hasgappqba2303.domain
> creating Kerberos CC at /tmp/tmpMi3utN
> creating Kerberos CC at /tmp/tmpUIFzBS
> calling kinit for principal ansible@domain
> calling kinit for principal ansible@domain
> kinit succeeded for principal ansible@domain
>  WINRM CONNECT: transport=kerberos endpoint=
> https://hasgappqba2302.domain:5986/wsman
> kinit succeeded for principal ansible@domain
>  WINRM CONNECT: transport=kerberos endpoint=
> https://hasgappqba2303.domain:5986/wsman
>  WINRM OPEN SHELL: 
> FA267E6D-94C1-4BF1-AD41-75900BCC25DC
>  WINRM OPEN SHELL: 
> 47C7EA5A-202C-4560-B54B-B614A3C8B9C7
> EXEC (via pipeline wrapper)
> EXEC (via pipeline wrapper)
>  WINRM EXEC 'PowerShell' ['-NoProfile', 
> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-']
>  WINRM EXEC 'PowerShell' ['-NoProfile', 
> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-']
>  WINRM RESULT u' "{"changed":false,"st", err "Test-Path : Access i">'
>  WINRM STDOUT 
> {"changed":false,"stat":{"exists":false}}
>
>  WINRM STDERR Test-Path : Access is denied
> At line:91 char:5
> + If (Test-Path -Path $path)
> + ~
> + CategoryInfo  : PermissionDenied: 
> (\\some\dfs\path\j...Setup-1.8.1.exe:String) [Test-Path], UnauthorizedAc
>cessException
> + FullyQualifiedErrorId : 
> ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.TestPath

[ansible-project] Re: requests-credssp and credentials encryprion at first hop.

2018-02-06 Thread Jeremie Levy
Win_package is working fine locally. I'm downloading all the SW I need and 
installing them locally
win_stat:
TASK [Check Visual studio Code file] 
***
task path: /ansible/scripts/win_stat.yaml:4
Using module file 
/usr/lib/python2.7/dist-packages/ansible/modules/windows/win_stat.ps1
Using module file 
/usr/lib/python2.7/dist-packages/ansible/modules/windows/win_stat.ps1
 ESTABLISH WINRM CONNECTION FOR USER: ansible@domain on 
PORT 5986 TO hasgappqba2302.domain
 ESTABLISH WINRM CONNECTION FOR USER: ansible@domain on 
PORT 5986 TO hasgappqba2303.domain
creating Kerberos CC at /tmp/tmpMi3utN
creating Kerberos CC at /tmp/tmpUIFzBS
calling kinit for principal ansible@domain
calling kinit for principal ansible@domain
kinit succeeded for principal ansible@domain
 WINRM CONNECT: transport=kerberos 
endpoint=https://hasgappqba2302.domain:5986/wsman
kinit succeeded for principal ansible@domain
 WINRM CONNECT: transport=kerberos 
endpoint=https://hasgappqba2303.domain:5986/wsman
 WINRM OPEN SHELL: 
FA267E6D-94C1-4BF1-AD41-75900BCC25DC
 WINRM OPEN SHELL: 
47C7EA5A-202C-4560-B54B-B614A3C8B9C7
EXEC (via pipeline wrapper)
EXEC (via pipeline wrapper)
 WINRM EXEC 'PowerShell' ['-NoProfile', 
'-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-']
 WINRM EXEC 'PowerShell' ['-NoProfile', 
'-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-']
 WINRM RESULT u''
 WINRM STDOUT 
{"changed":false,"stat":{"exists":false}}

 WINRM STDERR Test-Path : Access is denied
At line:91 char:5
+ If (Test-Path -Path $path)
+ ~
+ CategoryInfo  : PermissionDenied: 
(\\some\dfs\path\j...Setup-1.8.1.exe:String) [Test-Path], UnauthorizedAc
   cessException
+ FullyQualifiedErrorId : 
ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.TestPathCommand



 WINRM CLOSE SHELL: 
47C7EA5A-202C-4560-B54B-B614A3C8B9C7
ok: [hasgappqba2303.domain] => {
"changed": false,
"stat": {
"exists": false
}
}
 WINRM RESULT u''
 WINRM STDOUT 
{"changed":false,"stat":{"exists":false}}

 WINRM STDERR Test-Path : Access is denied
At line:91 char:5
+ If (Test-Path -Path $path)
+ ~
+ CategoryInfo  : PermissionDenied: 
(\\some\dfs\path\j...Setup-1.8.1.exe:String) [Test-Path], UnauthorizedAc
   cessException
+ FullyQualifiedErrorId : 
ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.TestPathCommand



 WINRM CLOSE SHELL: 
FA267E6D-94C1-4BF1-AD41-75900BCC25DC
ok: [hasgappqba2302.domain] => {
"changed": false,
"stat": {
"exists": false
}
}
META: ran handlers
META: ran handlers

PLAY RECAP *
hasgappqba2302.domain : ok=2 changed=0 unreachable=0 failed=0
hasgappqba2303.domain : ok=2 changed=0 unreachable=0 failed=0


I am not sure how to use the ansible_user variable: in the inventory file or 
the playbook?
fatal: [hasgappqba2303.domain]: FAILED! => {
"failed": true,
"msg": "Internal Error: this connection module does not support running 
commands via sudo"
}
With:
tasks:
- name: Check Visual studio Code file
win_stat:
path: \\some\dfs\path\VSCodeSetup-1.8.1.exe
register: result
state: present
become: yes
become_user: ansible

I've downloaded version 2.5 and this is the result i got...

Any direction?


On Tuesday, February 6, 2018 at 4:02:27 AM UTC+2, Jordan Borean wrote:
>
> What I would try so that we can narrow down the issue
>
> * Run win_package but set the path to a local path and see if that works
> * Run a win_stat of the network path executable and see if it sees the 
> file (exists is True)
> * Use the username/password options and set it to "{{ ansible_user }}" and 
> "{{ ansible_password }}" respectively as that will be used when copying the 
> file locally
> * If you are on Ansible 2.5 (or the devel branch), see if become works; it 
> should run the module as you would when logged on locally
>
> Thanks
>
> Jordan
>



[ansible-project] Re: requests-credssp and credentials encryprion at first hop.

2018-02-05 Thread Jeremie Levy
Of course
The inventory file is just hostnames so I don't think there is a need to 
post it.

# cat group_vars/windows.yml
# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml

ansible_user: ansible
#password goes here when you don't want to use -k option.
ansible_password: "PASSWORD_HERE"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_winrm_scheme: https
ansible_winrm_server_cert_validation: ignore
ansible_winrm_kerberos_delegation: true

# cat vscode.yaml
---
- hosts: windows
  tasks:
    - name: Install Visual studio Code
      win_package:
        path: \\some\dfs\path\VSCodeSetup-1.8.1.exe
        creates_path: "C:\\Program Files\\Microsoft VS Code\\Code.exe"
        arguments: /verysilent
        state: present


Thanks.


On Monday, February 5, 2018 at 5:09:51 PM UTC+2, J Hawkesworth wrote:
>
> Can you share your playbook or tasks to reproduce this, the error message 
> here isn't enough on its own to work out what is needed?
>
> Many thanks,
>
> Jon
>
> On Monday, February 5, 2018 at 1:00:24 PM UTC, Jeremie Levy wrote:
>>
>> Thanks Jordan
>> So i have this option activated since the beginning but the double hop is 
>> not resolved.
>> What extra configuration is needed here?
>>  WINRM CLOSE SHELL: 22A19915-A7B0-4AFB-B840-263A9980023A
>>  WINRM RESULT u'> calling "R">'
>>  WINRM STDOUT
>>  
>>  WINRM STDERR Exception calling "Run" with "1" 
>> argument(s): "Exception calling "Invoke" with "0" argument(s): "The running 
>> command
>> 
>>
>> stopped because the preference variable "ErrorActionPreference" or common 
>> parameter is set to Stop: Access is denied""
>>   
>> At line:47 char:5
>> 
>>
>> + $output = $entrypoint.Run($payload)
>> 
>>
>> + ~~~
>> 
>>
>> + CategoryInfo  : NotSpecified: (:) [], 
>> ParentContainsErrorRecordException  
>> 
>> + FullyQualifiedErrorId : ScriptMethodRuntimeException
>> 
>>   
>>   
>> 
>>   
>>
>>
>>
>>
>> On Monday, February 5, 2018 at 12:08:16 PM UTC+2, Jordan Borean wrote:
>>>
>>> By default, the Kerberos ticket does not have delegation enabled, you 
>>> can set
>>>
>>> ansible_winrm_kerberos_delegation: True
>>>
>>> in your host vars and Ansible will set the delegation flag required to 
>>> get a kerb ticket with delegation. If this doesn't work you may need to 
>>> configure your AD environment to properly allow it.
>>>
>>> Thanks
>>>
>>> Jordan
>>>
>>



[ansible-project] Re: requests-credssp and credentials encryprion at first hop.

2018-02-05 Thread Jeremie Levy
Thanks Jordan
So I have had this option activated since the beginning but the double hop is 
not resolved.
What extra configuration is needed here?
WINRM CLOSE SHELL: 22A19915-A7B0-4AFB-B840-263A9980023A
WINRM RESULT u''
WINRM STDOUT
WINRM STDERR Exception calling "Run" with "1" argument(s): "Exception calling "Invoke" with "0" argument(s): "The running command
stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Access is denied""
At line:47 char:5
+ $output = $entrypoint.Run($payload)
+ ~~~
+ CategoryInfo  : NotSpecified: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptMethodRuntimeException

On Monday, February 5, 2018 at 12:08:16 PM UTC+2, Jordan Borean wrote:
>
> By default, the Kerberos ticket does not have delegation enabled, you can 
> set
>
> ansible_winrm_kerberos_delegation: True
>
> in your host vars and Ansible will set the delegation flag required to get 
> a kerb ticket with delegation. If this doesn't work you may need to 
> configure your AD environment to properly allow it.
>
> Thanks
>
> Jordan
>



[ansible-project] Re: requests-credssp and credentials encryption at first hop.

2018-02-03 Thread Jeremie Levy
Thank you Jordan,
So I'm using Kerberos and I'm missing the "with delegation" part.
Can you point me to how and where to configure this option?

Thank you!

On Wednesday, January 31, 2018 at 12:05:41 AM UTC+2, Jordan Borean wrote:
>
> TLDR: for Windows to authenticate with another server (double-hop), it 
> will either need a Kerberos ticket with the delegation flag or the user's 
> actual credentials (CredSSP/become) there is no way around that. If there 
> is that is a security issue with Windows and should be fixed by Microsoft.
>
>> CredSSP isn't really the best way to go about this. And I think this post 
>> should go on Git as Ansible needs a better way to cover double-hops.
>>
>
> While I agree, it really isn't the best way to go about this and people 
> should use Kerberos with delegation instead, CredSSP is still viable in 
> some situations and in total Ansible covers 3 ways of allowing this
>
> - Kerberos with delegation
> - CredSSP
> - Become (Ansible specific implementation)
>
> All 3 allow you to cover double-hops while the 3rd fixes even more 
> limitations of a network process, I'll go into more detail below.
>
> *Background*
>
> The way that Windows works is that on a normal local logon, the username 
> and password are supplied to LSA who then authenticates the user. This 
> password is then available in that logon session and can be used by the 
> client to authenticate with a remote server, i.e. connecting to a fileshare 
> with the logged on credentials and so on. When authenticated with a server 
> over the network (like WinRM), it will use an auth protocol like NTLM, 
> Kerberos, CredSSP to authenticate the user and in the majority of cases the 
> password of the user is not sent to the server. When LSA creates a logon 
> session without a password (from an NTLM hash or Kerberos ticket like 
> WinRM), it is unable to do things like calculate an NTLM hash or get a 
> Kerberos ticket from the KDC in order to authenticate with another server.
>
> This is usually fine for things like SMB but with WinRM users may want to 
> interact with a third server to copy files like they would do locally but 
> without that local password this is impossible for Windows to do, i.e. it 
> can't calculate the NTLM hash if it doesn't have the password. In order to 
> get over this problem, you can either use CredSSP to send the password to 
> the remote server that is accessible by LSA or you can use a Kerberos 
> ticket with the delegation flag set. With either of these methods, the 
> remote server is able to authenticate with another server like you would be 
> able to do locally but is unable to delegate to a 4th server from there, 
> e.g. local -> remote -> double hop remote -> another hop remote is not 
> allowed.
>
> *CredSSP*
>
> The first option CredSSP is a protocol designed by Microsoft to allow an 
> application (A) to delegate the user's credentials to another server (B) by 
> sending the user's password as "plaintext" and not a hash. This delegation 
> means that the LSA of the remote host (B) has a copy of the plaintext 
> username and password of the user which it can then use to authenticate 
> with a third remote server (C). In general the protocol works like this
>
> - The initial server response returns a HTTP 401 error with CredSSP in
>   the WWW-Authenticate header
> - The client sets up a TLS connection and starts the TLS Handshake
>   which includes things like cipher suite negotiation
> - Once the handshake is complete, the client will send either an NTLM
>   or Kerberos token to authenticate the user
> - After authenticating the user, the client will encrypt the server’s
>   CredSSP public key with the authentication wrap function and send that to
>   the server
> - The server validates that the correct public key was used and there
>   is no middle man in between the client and the server
> - The server then sends its public key again with the first bit set
>   to 1 also encrypted with the authentication wrap function
> - The client will verify the public key and verify the first bit was
>   set to 1
> - Once both the client and server have verified each other, the client
>   will then encrypt the username and password with the authentication wrap
>   function and send that to the server
>
> As well as the steps that use the authentication wrap function to encrypt 
> the data, each step after the TLS handshake is also encrypted with the TLS 
> protocol itself, e.g. when sending the username and password it is doubly 
> encrypted (auth wrap and then TLS wrap). So the fact that the password is 
> sent over the wire is troubling (and rightly unacceptable for some) but 
> anyone snooping over the network would have a really hard time to get the 
> credentials as it would have to break both the TLS protocol encryption and 
> the auth protocol encryption (+1 more TLS encryption if running on the 
> HTTPS WinRM listener).
>
> *Ker
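
The public-key check in the CredSSP steps quoted above, as an added example that is not part of the original post or of any CredSSP library: it shows why a relay that terminates TLS with its own certificate never receives the password. The `wrap`/`unwrap` functions are a constructed stand-in for the NTLM/Kerberos authentication wrap, and every key, name and credential is constructed.

```python
import hashlib
import hmac
import os

# Constructed sample keys. Both start with 0x30, like a DER-encoded public key.
SERVER_TLS_KEY = bytes.fromhex("3082010a") + b"constructed server key"
RELAY_TLS_KEY = bytes.fromhex("3082010a") + b"constructed relay key"


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a toy keystream (assumption, not real CredSSP).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def wrap(session_key, data):
    """Stand-in for the authentication wrap: encrypt, then MAC, under the auth session key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(_subkey(session_key, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(session_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(session_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrap integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(_subkey(session_key, b"enc"), nonce, len(ct))))


def set_first_bit(public_key):
    # "first bit set to 1" as worded in the post: 0x30 becomes 0x31.
    return bytes([public_key[0] | 0x01]) + public_key[1:]


class Server:
    """Host B: knows its own TLS public key and the session key from user authentication."""

    def __init__(self, tls_public_key, session_key):
        self.tls_public_key = tls_public_key
        self.session_key = session_key
        self.received = None  # delegated credentials, if the exchange completes

    def check_public_key(self, blob):
        claimed = unwrap(self.session_key, blob)
        if not hmac.compare_digest(claimed, self.tls_public_key):
            raise PermissionError("client saw a different TLS public key")
        return wrap(self.session_key, set_first_bit(self.tls_public_key))

    def accept_credentials(self, blob):
        self.received = unwrap(self.session_key, blob).decode()


def delegate(server, seen_public_key, session_key, username, password):
    """Client side. seen_public_key is the key from the certificate the client's TLS session presented."""
    reply = server.check_public_key(wrap(session_key, seen_public_key))
    if not hmac.compare_digest(unwrap(session_key, reply), set_first_bit(seen_public_key)):
        raise PermissionError("server did not echo the public key the client saw")
    # Only after both checks pass are the credentials wrapped and sent.
    server.accept_credentials(wrap(session_key, (username + "\x00" + password).encode()))


def run(seen_public_key):
    """Run one exchange; a relay forwards the wrapped blobs unchanged because it cannot unwrap them."""
    session_key = os.urandom(32)  # established by the NTLM/Kerberos step
    server = Server(SERVER_TLS_KEY, session_key)
    try:
        delegate(server, seen_public_key, session_key, "user@EXAMPLE.COM", "constructed-password")
    except PermissionError as exc:
        return "aborted: " + str(exc), server.received
    return "delegated", server.received


if __name__ == "__main__":
    print(run(SERVER_TLS_KEY))  # direct connection
    print(run(RELAY_TLS_KEY))   # client's TLS session ended at a relay
```
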

Re: [ansible-project] Re: WINRM Connection always ends up with "STDERR An error occurred while creating the pipeline"

2018-01-29 Thread Jeremie Levy
You were right, my issue was in my code.
I've "patched" my ansible with the github version and I don't have the
error anymore.
Thanks a lot!

On Mon, Jan 29, 2018 at 10:11 AM, Jordan Borean  wrote:

> It wouldn't be, those issues seem to be unrelated. In most cases a fatal
> exception will return a return code that is not 0, in this case rc is still
> 0.
>
> Thanks
>



[ansible-project] Re: WINRM Connection always ends up with "STDERR An error occurred while creating the pipeline"

2018-01-28 Thread Jeremie Levy
Thank you Jordan, really appreciate it.
I am still not sure it doesn't affect module execution, I have some issues 
executing win_package. Maybe not related.

On Monday, January 29, 2018 at 9:33:23 AM UTC+2, Jordan Borean wrote:
>
> This is a known issue, technically an error did occur but it does not 
> affect the actual module execution. It was fixed a while ago in the devel 
> branch for the 2.5 release but was only recently back ported to 2.4 and 
> will be available in the 2.4.4 release.
>
> 2.5 commit
>
>
> https://github.com/ansible/ansible/commit/7fce636c2b250aa6ffd7322f03a0c982ecd802e3#diff-9b6915232549a7bcd00b8b8f142b7232
>
> 2.4.4 commit
>
>
> https://github.com/ansible/ansible/commit/e27847eda8d1ea05da8a1b96e085f41134faff94
>
> Thanks
>
> Jordan
>



[ansible-project] WINRM Connection always ends up with "STDERR An error occurred while creating the pipeline"

2018-01-28 Thread Jeremie Levy

Hi
Any task I run is followed by this WINRM error.
I am not sure it's an error since the task is done successfully, does 
someone know about this?

TASK [Create KIT folder if missing] 

task path: /ansible/scripts/vs2012.yaml:5
Using module file 
/usr/lib/python2.7/dist-packages/ansible/modules/windows/win_file.ps1
 ESTABLISH WINRM CONNECTION FOR USER: ansible on PORT 5986 TO 
hasjrwts02
creating Kerberos CC at /tmp/tmpnaEGzD
calling kinit for principal ansible
Using module file 
/usr/lib/python2.7/dist-packages/ansible/modules/windows/win_file.ps1
 ESTABLISH WINRM CONNECTION FOR USER: ansible on PORT 5986 TO 
hasjrwts01
creating Kerberos CC at /tmp/tmpDGNECq
calling kinit for principal ansible
kinit succeeded for principal ansible
 WINRM CONNECT: transport=kerberos 
endpoint=https://hasjrwts02:5986/wsman
kinit succeeded for principal ansible
 WINRM CONNECT: transport=kerberos 
endpoint=https://hasjrwts01:5986/wsman
 WINRM OPEN SHELL: F95EFA87-3A14-4F69-AC9B-2BD43120BC93
EXEC (via pipeline wrapper)
 WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', 
'-ExecutionPolicy', 'Unrestricted', '-']
 WINRM OPEN SHELL: 421A5D1E-4BC3-42C9-8E02-4B8F28EBDDD7
EXEC (via pipeline wrapper)
 WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', 
'-ExecutionPolicy', 'Unrestricted', '-']
 WINRM RESULT u''
 WINRM STDOUT {"changed":true}

 WINRM STDERR An error occurred while creating the pipeline.
+ CategoryInfo  : NotSpecified: (:) [], 
ParentContainsErrorRecordException
+ FullyQualifiedErrorId : RuntimeException


 WINRM CLOSE SHELL: F95EFA87-3A14-4F69-AC9B-2BD43120BC93
 WINRM RESULT u''
 WINRM STDOUT {"changed":true}

 WINRM STDERR An error occurred while creating the pipeline.
+ CategoryInfo  : NotSpecified: (:) [], 
ParentContainsErrorRecordException
+ FullyQualifiedErrorId : RuntimeException


 WINRM CLOSE SHELL: 421A5D1E-4BC3-42C9-8E02-4B8F28EBDDD7
changed: [hasjrwts02] => {
"changed": true
}
changed: [hasjrwts01] => {
"changed": true
}





Re: [ansible-project] Re: [Windows] Install visual studio

2018-01-28 Thread Jeremie Levy
To avoid this issue and since my user is already admin on the server, I've 
just downloaded the file first instead of installing over http url.
Thanks!

On Sunday, January 28, 2018 at 6:59:33 PM UTC+2, Varun Chopra wrote:
>
> Yes, and?



Re: [ansible-project] Re: [Windows] Install visual studio

2018-01-28 Thread Jeremie Levy
Seems there is no become in the win_package module...

On Thu, Jan 25, 2018 at 11:03 PM, 'J Hawkesworth' via Ansible Project <
ansible-project@googlegroups.com> wrote:

> I have successfully installed visual studio using win_chocolatey in the
> past (with become escalating to run as local administrator).  Might be
> worth trying that.
> I suspect running with become might fix your problem as clearly it's upset
> about having access to C:\\Users\\ansible\\r4muzag1.gdd
>
> Hope this is some help,
>
> Jon
>
> On Thursday, January 25, 2018 at 10:25:47 AM UTC, Jeremie Levy wrote:
>>
>> Hi
>>
>> It seems i need to wait a bit after the Visual studio installation.
>> It stated as failed because it couldn't remove the temporary install file
>> (web install file) - VS was installed !
>>
>> I'm using win_package and i'm not interested in using the raw module
>> since i need the win_package capabilities.
>> A workaround would be to have: if you can't remove the file, it's not a
>> failure and keep going (which i don't know how to do yet :))
>>
>> task path: /ansible/scripts/vs2012.yaml:23
>> Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_package.ps1
>>  ESTABLISH WINRM CONNECTION FOR USER: ansible on PORT 5986 TO hasjrwts02
>> creating Kerberos CC at /tmp/tmpJ_QHmz
>> calling kinit for principal ansible
>> kinit succeeded for principal ansible
>>  WINRM CONNECT: transport=kerberos endpoint=https://hasjrwts02:5986/wsman
>>  WINRM OPEN SHELL: 23C2DB3A-DC34-4DA0-A019-7CD45579D735
>> EXEC (via pipeline wrapper)
>>  WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-']
>>  WINRM RESULT u'> occurred wh">'
>>  WINRM STDOUT
>>  WINRM STDERR An error occurred while creating the pipeline.
>> + CategoryInfo  : NotSpecified: (:) [], ParentContainsErrorRecordException
>> + FullyQualifiedErrorId : RuntimeException
>>
>> Exception calling "Run" with "1" argument(s): "Exception calling "Invoke" with "0" argument(s): "The running command
>> stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Cannot remove item
>> C:\Users\ansible\r4muzag1.gdd: Access to the path 'C:\Users\ansible\r4muzag1.gdd' is denied.""
>> At line:47 char:5
>> + $output = $entrypoint.Run($payload)
>> + ~~~
>> + CategoryInfo  : NotSpecified: (:) [], ParentContainsErrorRecordException
>> + FullyQualifiedErrorId : ScriptMethodRuntimeException
>>
>>  WINRM CLOSE SHELL: 23C2DB3A-DC34-4DA0-A019-7CD45579D735
>> fatal: [hasjrwts02]: FAILED! => {
>> "changed": false,
>>
>> "module_stderr": "An error occurred while creating the pipeline.\r\n
>>   + CategoryInfo  : NotSpecified: (:) [],
>> ParentContainsErrorRecordException\r\n+ FullyQualifiedErrorId :
>> RuntimeException\r\n \r\nException calling \"Run\" with \"1\" argument(s):
>> \"Exception calling \"Invoke\" with \"0\" argument(s): \"The running
>> command \r\nstopped because the preference variable
>> \"ErrorActionPreference\" or common parameter is set to Stop: Cannot remove
>> item \r\nC:\\Users\\ansible\\r4muzag1.gdd: Access to the path
>> 'C:\\Users\\ansible\\r4muzag1.gdd' is denied.\"\"\r\nAt line:47
>> char:5\r\n+ $output = $entrypoint.Run($payload)\r\n+
>>  ~~~\r\n+ CategoryInfo  :
>> NotSpecified: (:) [], ParentContainsErrorRecordException\r\n+
>> FullyQualifiedErrorId : ScriptMethodR

[ansible-project] [Windows] Install visual studio

2018-01-25 Thread Jeremie Levy
Hi

It seems I need to wait a bit after the Visual Studio installation.
It stated as failed because it couldn't remove the temporary install file 
(web install file) - VS was installed!

I'm using win_package and I'm not interested in using the raw module since 
I need the win_package capabilities.
A workaround would be to have: if you can't remove the file, it's not a 
failure and keep going (which I don't know how to do yet :))

task path: /ansible/scripts/vs2012.yaml:23
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_package.ps1
 ESTABLISH WINRM CONNECTION FOR USER: ansible on PORT 5986 TO hasjrwts02
creating Kerberos CC at /tmp/tmpJ_QHmz
calling kinit for principal ansible
kinit succeeded for principal ansible
 WINRM CONNECT: transport=kerberos endpoint=https://hasjrwts02:5986/wsman
 WINRM OPEN SHELL: 23C2DB3A-DC34-4DA0-A019-7CD45579D735
EXEC (via pipeline wrapper)
 WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-']
 WINRM RESULT u''
 WINRM STDOUT
 WINRM STDERR An error occurred while creating the pipeline.
+ CategoryInfo  : NotSpecified: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : RuntimeException

[ansible-project] Re: Kerberos authentication failed (while following instructions.)

2018-01-09 Thread Jeremie Levy
Hi
I've reinstalled it on Ubuntu 16.04 and the install was much more 
straightforward. And it works now!
Are you aware of any issue with Ubuntu 14.04, or may it be my company build?

Thank you!

On Sunday, January 7, 2018 at 4:18:59 PM UTC+2, Jeremie Levy wrote:
>
> I'm trying to connect to my first windows client after fresh ansible 
> install 
>
> win_ping from ansible controller to windows 2016
> ANSIBLE VERSION
>
> ansible --version
> ansible 2.4.2.0
>   config file = /etc/ansible/ansible.cfg
>   configured module search path = 
> [u'/nfs/site/home/sys_ansible/.ansible/plugins/modules', 
> u'/usr/share/ansible/plugins/modules']
>   ansible python module location = /usr/lib/python2.7/dist-packages/ansible
>   executable location = /usr/bin/ansible
>   python version = 2.7.6 (default, Nov 23 2017, 15:49:48) [GCC 4.8.4]
>
> CONFIGURATION
>
> Nothing was changed.
> OS / ENVIRONMENT
>
> Using Ubuntu 14.04 LTS
> Linux hostname1 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 
> 2017 x86_64 x86_64 x86_64 GNU/Linux
> Trying to connect to windows 2016 server in domain GER.CORP.COMPANY.COM
> SUMMARY
>
> $ ansible windows -m win_ping -v
> ansible 2.4.2.0
>   config file = /etc/ansible/ansible.cfg
>   configured module search path = 
> [u'/nfs/site/home/sys_ansible/.ansible/plugins/modules', 
> u'/usr/share/ansible/plugins/modules']
>   ansible python module location = /usr/lib/python2.7/dist-packages/ansible
>   executable location = /usr/bin/ansible
>   python version = 2.7.6 (default, Nov 23 2017, 15:49:48) [GCC 4.8.4]
> Using /etc/ansible/ansible.cfg as config file
> setting up inventory plugins
> Parsed /etc/ansible/hosts inventory source with ini plugin
> Loading callback plugin minimal of type stdout, v2.0 from 
> /usr/lib/python2.7/dist-packages/ansible/plugins/callback/__init__.pyc
> META: ran handlers
> Using module file 
> /usr/lib/python2.7/dist-packages/ansible/modules/windows/win_ping.ps1
>  ESTABLISH WINRM CONNECTION FOR USER: 
> GER\SYS_ANSIBLE on PORT 5986 TO hasjrwts01.ger.corp.company.com
>  WINRM CONNECT: transport=ssl 
> endpoint=https://hasjrwts01.ger.corp.company.com:5986/wsman
>  WINRM CONNECTION ERROR: the specified 
> credentials were rejected by the server
> Traceback (most recent call last):
>   File 
> "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py", line 
> 222, in _winrm_connect
> self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8
>   File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 157, 
> in open_shell
> res = self.send_message(xmltodict.unparse(req))
>   File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 234, 
> in send_message
> resp = self.transport.send_message(message)
>   File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 256, 
> in send_message
> response = self._send_message_request(prepared_request, message)
>   File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 266, 
> in _send_message_request
> raise InvalidCredentialsError("the specified credentials were rejected by 
> the server")
> InvalidCredentialsError: the specified credentials were rejected by the server
> hasjrwts01.ger.corp.company.com | UNREACHABLE! => {
> "changed": false,"msg": "ssl: the specified credentials were rejected 
> by the server","unreachable": true
> }
>
>
> STEPS TO REPRODUCE
>
> followed the instructions to install ansible
> apt-add-repository ppa:ansible/ansible
> apt-get install ansible
> apt-get install python-dev libkrb5-dev krb5-user
> apt-get install python-pip git libffi-dev libssl-dev -y
> pip install ansible pywinrm
> pip install ansible pywinrmapt-get install python-dev libkrb5-dev krb5-user
> pip install cryptography
> pip install kerberos
> pip install ntlm-auth
> pip install pykerberos
> pip install "pywinrm>=0.2.2"
> pip install "pywinrm>=0.2.2"--upgrade
> pip install pywinrm[credssp]
> pip install pywinrm[kerberos]
> pip install requests
> pip install requests-kerberos
> pip install requests_kerberos --upgrade
> pip install requests_ntlm
> pip install requests_ntlm --upgrade
> pip install --upgarde setuptools
> pip install --upgrade setuptools
> pip list
> pip list | grep -i kerberos
>
>
> # pip list
> adium-theme-ubuntu (0.3.4)
> ansible (2.4.2.0)
> apt-xapian-index (0.45)
> argparse (1.2.1)
> asn1crypto (0.24.0)
> certifi (2017.11.5)
> chardet (3.0.4)
> colorama (0.2.5)
> command-not-found (0.3)
> cr

[ansible-project] Re: Kerberos authentication failed (while following instructions.)

2018-01-08 Thread Jeremie Levy
Hello Jordan
So I cleaned up my environment and restarted from the beginning.
When installing everything according 
to http://docs.ansible.com/ansible/latest/intro_windows.html
(had to install setuptools before cryptography could be installed which is 
needed by pywinrm)

After installing I get this message: 

ansible windows -m win_ping -

ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u
'/nfs/site/home/sys_ansible/.ansible/plugins/modules', u
'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.6 (default, Nov 23 2017, 15:49:48) [GCC 4.8.4]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7
/dist-packages/ansible/plugins/callback/__init__.pyc
META: ran handlers
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/
win_ping.ps1
 ESTABLISH WINRM CONNECTION FOR USER: 
sys_ansible @ GER.CORP.COMPANY.COM on PORT 5986 TO hasjrwts01.ger.corp.
company.com
hasjrwts01.ger.corp.company.com | UNREACHABLE! => {
"changed": false,
"msg": "kerberos: the python kerberos library is not installed",
"unreachable": true
}



Then I installed 
# pip install pykerberos
Downloading/unpacking pykerberos
  Downloading pykerberos-1.2.1.tar.gz
  Running setup.py (path:/tmp/pip_build_root/pykerberos/setup.py) egg_info 
for package pykerberos
Installing collected packages: pykerberos
  Running setup.py install for pykerberos
building 'kerberos' extension
x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv 
-O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c 
src/kerberos.c -o build/temp.linux-x86_64-2.7/src/kerberos.o -DGSSAPI_EXT
x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv 
-O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c 
src/kerberosbasic.c -o build/temp.linux-x86_64-2.7/src/kerberosbasic.o 
-DGSSAPI_EXT
x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv 
-O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c 
src/kerberosgss.c -o build/temp.linux-x86_64-2.7/src/kerberosgss.o 
-DGSSAPI_EXT
x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv 
-O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c 
src/kerberospw.c -o build/temp.linux-x86_64-2.7/src/kerberospw.o 
-DGSSAPI_EXT
x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv 
-O2 -Wall -Wstrict-prototypes -fPIC -I/usr/include/python2.7 -c 
src/base64.c -o build/temp.linux-x86_64-2.7/src/base64.o -DGSSAPI_EXT
x86_64-linux-gnu-gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions 
-Wl,-Bsymbolic-functions -Wl,-z,relro -fno-strict-aliasing -DNDEBUG -g 
-fwrapv -O2 -Wall -Wstrict-prototypes -D_FORTIFY_SOURCE=2 -g 
-fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security build/temp.linux-x86_64-2.7/src/kerberos.o 
build/temp.linux-x86_64-2.7/src/kerberosbasic.o 
build/temp.linux-x86_64-2.7/src/kerberosgss.o 
build/temp.linux-x86_64-2.7/src/kerberospw.o 
build/temp.linux-x86_64-2.7/src/base64.o -o 
build/lib.linux-x86_64-2.7/kerberos.so -Wl,-Bsymbolic-functions 
-Wl,-z,relro -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
  Could not find .egg-info directory in install record for pykerberos
Successfully installed pykerberos
Cleaning up...


And now another error message
ansible windows -m win_ping -
ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = 
[u'/nfs/site/home/sys_ansible/.ansible/plugins/modules', 
u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.6 (default, Nov 23 2017, 15:49:48) [GCC 4.8.4]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from 
/usr/lib/python2.7/dist-packages/ansible/plugins/callback/__init__.pyc
META: ran handlers
Using module file 
/usr/lib/python2.7/dist-packages/ansible/modules/windows/win_ping.ps1
 ESTABLISH WINRM CONNECTION FOR USER: 
sys_ansible @ GER.CORP.COMPANY.COM on PORT 5986 TO 
hasjrwts01.ger.corp.company.com
hasjrwts01.ger.corp.company.com | UNREACHABLE! => {
"changed": false,
"msg": "kerberos: requested auth method is kerberos, but 
requests_kerberos is not installed",
"unreachable": true
}


So I continue with my installations

# pip install requests_kerberos
Downloading/unpacking requests_kerberos
  Downloading requests_kerberos-0.12.0-py2.py3-none-any.whl
Requirement already satisfied (use --upgrade to upgrade): 
cryptography>=1.3; python_version != "3.3" in 
/usr/local/lib/py

[ansible-project] Re: Kerberos authentication failed (while following instructions.)

2018-01-07 Thread Jeremie Levy
Hello Jordan,
Yes, it was me, I didn't know I should post here (searching for help led 
me to the github page multiple times)
So I did as you suggested (have to say I tried it before) but I have 
another error, which confused me even more: 

ansible windows -m win_ping -
ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = 
[u'/nfs/site/home/sys_ansible/.ansible/plugins/modules', 
u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.6 (default, Nov 23 2017, 15:49:48) [GCC 4.8.4]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from 
/usr/lib/python2.7/dist-packages/ansible/plugins/callback/__init__.pyc
META: ran handlers
Using module file 
/usr/lib/python2.7/dist-packages/ansible/modules/windows/win_ping.ps1
 ESTABLISH WINRM CONNECTION FOR USER: 
sys_ansible @ GER.CORP.COMPANY.COM on PORT 5986 TO 
hasjrwts01.ger.corp.company.com
hasjrwts01.ger.corp.company.com | UNREACHABLE! => {
"changed": false,
"msg": "kerberos: requested auth method is kerberos, but 
requests_kerberos is not installed",
"unreachable": true
}
$ klist
Ticket cache: FILE:/tmp/krb5cc_30254
Default principal: sys_ansible @ GER.CORP.COMPANY.COM

Valid starting   Expires  Service principal
01/07/2018 23:14:46  01/08/2018 09:14:41  krbtgt/GER.CORP.COMPANY.COM @ 
GER.CORP.COMPANY.COM
renew until 02/06/2018 23:14:41

while checking the pip list:
$pip install requests_kerberos
Requirement already satisfied (use --upgrade to upgrade): requests_kerberos 
in /usr/local/lib/python2.7/dist-packages
Cleaning up...

$ pip list |grep -i kerb
kerberos (1.2.5)
pykerberos (1.2.1)
*requests-kerberos (0.12.0)*

I'm not sure how I get there...

Any other advice?

Thank you for your time!

On Sunday, January 7, 2018 at 10:58:30 PM UTC+2, Jordan Borean wrote:
>
> I believe https://github.com/ansible/ansible/issues/34552 may be from 
> yourself as well, I'll post my response here to go into a bit more detail.
>
> By default, the winrm connector inside Ansible uses basic auth as the 
> transport authentication mechanism. You can see this happening as your 
> error message says
>
> "msg": "ssl: the specified credentials were rejected by the server",
>
>
> Due to the way that pywinrm was originally written, "ssl" means that basic 
> auth over HTTPS was done and we can't change this without breaking various 
> people's playbooks that may rely on this behaviour. When specifying an 
> ansible_user in the UPN format (username@REALM), the Ansible code picks 
> this up as you want to authenticate with a domain account and will 
> automatically change the selected auth mechanism from "ssl" to "kerberos" 
> so theoretically all you need to do is change your username to use the UPN 
> format, e.g. set *ansible_user: sys_a...@ger.corp.company.com 
>  *in your inventory.
>
> I prefer to take it a step further where you explicitly state what auth 
> you want to use to avoid default behaviour like this from occurring, you can 
> do this by setting *ansible_winrm_transport: kerberos*. When this is set 
> you can keep the username in the current format and the underlying 
> libraries will parse it for you. Ultimately what I would personally do is 
> set your group_vars to be
>
> ansible_user: sys_ansi...@ger.corp.company.com
> ansible_password: "password"
> ansible_port: 5986
> ansible_connection: winrm
> ansible_winrm_transport: kerberos
> ansible_winrm_scheme: https
> ansible_winrm_server_cert_validation: ignore
>
>
> Thanks
>
> Jordan
>
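
The transport selection described in the quoted reply above (explicit `ansible_winrm_transport` wins, a UPN-style user switches from "ssl" to "kerberos", otherwise basic auth over HTTPS), as an added example that is not Ansible's or pywinrm's code. `effective_transport`, `lint` and the finding names are hypothetical, and the sample host vars are constructed to resemble the ones in this thread.

```python
import re

# user@REALM with no backslash: the UPN form the reply refers to.
UPN = re.compile(r"^[^@\\\s]+@[^@\\\s]+$")

EXPLANATIONS = {
    "implicit-transport": "no ansible_winrm_transport set; the auth method depends on the username format",
    "basic-auth": "basic auth over HTTPS ('ssl'); a domain account is rejected and the password goes to the host",
    "cert-validation-ignored": "server certificate is not validated, so the endpoint's identity is unverified",
    "plaintext-password": "ansible_password is stored in clear text instead of an ansible-vault value",
}


def effective_transport(hostvars):
    """Model of the behaviour described in the thread, not a copy of the plugin logic."""
    explicit = hostvars.get("ansible_winrm_transport")
    if explicit:
        return explicit
    if UPN.match(str(hostvars.get("ansible_user", ""))):
        return "kerberos"
    return "ssl"


def lint(hostvars):
    """Return the list of finding codes for one host's or group's variables."""
    findings = []
    if "ansible_winrm_transport" not in hostvars:
        findings.append("implicit-transport")
    if effective_transport(hostvars) in ("ssl", "basic"):
        findings.append("basic-auth")
    if hostvars.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("cert-validation-ignored")
    password = hostvars.get("ansible_password")
    # Vault-encrypted values start with the $ANSIBLE_VAULT header; "{{ }}" means a lookup or variable.
    if isinstance(password, str) and not password.startswith("$ANSIBLE_VAULT;") and "{{" not in password:
        findings.append("plaintext-password")
    return findings


# Constructed samples.
ORIGINAL = {  # DOMAIN\user, nothing else set: the log in this thread shows transport=ssl
    "ansible_user": "EXAMPLE\\SVC_ANSIBLE",
    "ansible_password": "password",
    "ansible_port": 5986,
    "ansible_connection": "winrm",
}
SUGGESTED = {  # shape of the group_vars suggested in the reply
    "ansible_user": "svc_ansible@EXAMPLE.COM",
    "ansible_password": "password",
    "ansible_port": 5986,
    "ansible_connection": "winrm",
    "ansible_winrm_transport": "kerberos",
    "ansible_winrm_scheme": "https",
    "ansible_winrm_server_cert_validation": "ignore",
}
HARDENED = dict(
    SUGGESTED,
    ansible_password="$ANSIBLE_VAULT;1.1;AES256\n(constructed placeholder)",
    ansible_winrm_server_cert_validation="validate",
)

if __name__ == "__main__":
    for name, hostvars in (("original", ORIGINAL), ("suggested", SUGGESTED), ("hardened", HARDENED)):
        print(name, effective_transport(hostvars))
        for code in lint(hostvars):
            print("  -", code + ":", EXPLANATIONS[code])
```
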



[ansible-project] Kerberos authentication failed (while following instructions.)

2018-01-07 Thread Jeremie Levy
I'm trying to connect to my first windows client after fresh ansible 
install 

win_ping from ansible controller to windows 2016
ANSIBLE VERSION

ansible --version
ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = 
[u'/nfs/site/home/sys_ansible/.ansible/plugins/modules', 
u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.6 (default, Nov 23 2017, 15:49:48) [GCC 4.8.4]

CONFIGURATION

Nothing was changed.
OS / ENVIRONMENT

Using Ubuntu 14.04 LTS
Linux hostname1 3.13.0-137-generic #186-Ubuntu SMP Mon Dec 4 19:09:19 UTC 
2017 x86_64 x86_64 x86_64 GNU/Linux
Trying to connect to windows 2016 server in domain GER.CORP.COMPANY.COM
SUMMARY

$ ansible windows -m win_ping -v
ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = 
[u'/nfs/site/home/sys_ansible/.ansible/plugins/modules', 
u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.6 (default, Nov 23 2017, 15:49:48) [GCC 4.8.4]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from 
/usr/lib/python2.7/dist-packages/ansible/plugins/callback/__init__.pyc
META: ran handlers
Using module file 
/usr/lib/python2.7/dist-packages/ansible/modules/windows/win_ping.ps1
 ESTABLISH WINRM CONNECTION FOR USER: 
GER\SYS_ANSIBLE on PORT 5986 TO hasjrwts01.ger.corp.company.com
 WINRM CONNECT: transport=ssl 
endpoint=https://hasjrwts01.ger.corp.company.com:5986/wsman
 WINRM CONNECTION ERROR: the specified 
credentials were rejected by the server
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/winrm.py", 
line 222, in _winrm_connect
self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 157, in 
open_shell
res = self.send_message(xmltodict.unparse(req))
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 234, in 
send_message
resp = self.transport.send_message(message)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 256, 
in send_message
response = self._send_message_request(prepared_request, message)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 266, 
in _send_message_request
raise InvalidCredentialsError("the specified credentials were rejected by 
the server")
InvalidCredentialsError: the specified credentials were rejected by the server

hasjrwts01.ger.corp.company.com | UNREACHABLE! => {
"changed": false,"msg": "ssl: the specified credentials were rejected 
by the server","unreachable": true
}


STEPS TO REPRODUCE

followed the instructions to install ansible
apt-add-repository ppa:ansible/ansible
apt-get install ansible
apt-get install python-dev libkrb5-dev krb5-user
apt-get install python-pip git libffi-dev libssl-dev -y
pip install ansible pywinrm
pip install ansible pywinrmapt-get install python-dev libkrb5-dev krb5-user
pip install cryptography
pip install kerberos
pip install ntlm-auth
pip install pykerberos
pip install "pywinrm>=0.2.2"
pip install "pywinrm>=0.2.2"--upgrade
pip install pywinrm[credssp]
pip install pywinrm[kerberos]
pip install requests
pip install requests-kerberos
pip install requests_kerberos --upgrade
pip install requests_ntlm
pip install requests_ntlm --upgrade
pip install --upgarde setuptools
pip install --upgrade setuptools
pip list
pip list | grep -i kerberos


# pip list
adium-theme-ubuntu (0.3.4)
ansible (2.4.2.0)
apt-xapian-index (0.45)
argparse (1.2.1)
asn1crypto (0.24.0)
certifi (2017.11.5)
chardet (3.0.4)
colorama (0.2.5)
command-not-found (0.3)
cryptography (2.1.4)
dblatex (0.3.4.post3)
debtagshw (0.1)
defer (1.0.6)
dirspec (13.10)
dnspython (1.11.1)
duplicity (0.6.23)
html5lib (0.999)
httplib2 (0.8)
idna (2.6)
Jinja2 (2.7.2)
kerberos (1.2.5)
lockfile (0.8)
lxml (3.3.3)
Mako (0.9.1)
Markdown (2.4)
MarkupSafe (0.18)
ntlm-auth (1.0.6)
oauthlib (0.6.1)
oneconf (0.3.7.14.4.1)
PAM (0.4.2)
paramiko (1.10.1)
pexpect (3.1)
Pillow (2.3.0)
pip (1.5.4)
piston-mini-client (0.7.5)
pyasn1 (0.2.3)
pycrypto (2.6.1)
pycups (1.9.66)
pycurl (7.19.3)
Pygments (1.6)
pygobject (3.12.0)
pykerberos (1.2.1)
pyOpenSSL (0.13)
pyserial (2.6)
pysmbc (1.0.14.1)
python-apt (0.9.3.5ubuntu2)
python-debian (0.1.21-nmu2ubuntu2)
pywinrm (0.3.0)
pyxdg (0.25)
PyYAML (3.10)
reportlab (3.0)
requests (2.18.4)
requests-kerberos (0.12.0)
requests-ntlm (1.1.0)
rsa (3.4.2)
sessioninstaller (0.0.0)
setuptools (38.2.5)
six (1.5.2)
software-center-aptd-plugins (0.0.0)
system-service (0.1.6)
Twisted-Core (13.2.0)
Twisted-Web (13.2.0)
unity-lens-photos (1.0)
urllib3 (1.22)
wheel (0.2