[ansible-project] Re: Updating Windows 10
I also forgot to mention that the module sources all the updates from the Windows update api. If it doesn’t appear at all in either the selected or filtered list then Windows did not detect any update as being available. If you are running a WSUS server the Windows host could be configured to use that as the source. If the WSUS hasn’t advertised the update the win_updates will not be able to find it.

-- 
You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/53a08361-8a60-4bbc-af63-0e89ee1d9793o%40googlegroups.com.
[ansible-project] Re: Updating Windows 10
If you run with a higher verbosity (usually -vv or more) then the output from the win_updates task will be shown. This output will contain a list of all the updates that were matched on the criteria as well as any updates that were available but didn’t match the criteria specified (filtered). It’s these filtered updates you need to look at and see why they are filtered out, typically it’s because none of the categories for that update match what was specified.
[ansible-project] Re: Integrating Microsoft LAPS and ansible
I don’t understand what you mean, sorry. OpenLDAP is required on the controller because that’s a dependency of python-ldap that the lookup uses https://www.python-ldap.org/en/python-ldap-3.3.0/installing.html#installing. If you already have it installed then you don’t need to reinstall it. If some hosts use LAPS then you can use this plugin to get the password, for the others that don’t then you need some other mechanism to get the password.
[ansible-project] 'win_partition' is unable to resize the hdd
So you are running a PowerShell module on localhost which won’t work. How have you defined your inventory, how are you targeting that host in your play?
Re: [ansible-project] Unreachable : Failed to connect to the host via ssh
You have defined the vars for the group 'winhost' but have defined the host in the group 'windows'. That's why the connection and other vars are not being applied to the host when running.
[ansible-project] Re: win_mapped_drive fails with become(runas) and ansible_become_pass var defined
There's been a recent issue on this problem https://github.com/ansible-collections/community.windows/issues/96. I can't say I've experienced this problem personally as if you have a credential Windows should be using that to connect to the network path. Are you potentially on a newer build of Windows 10?
[ansible-project] Re: Ansible connecting to Windows host using pywinrm module over HTTP
Setting AllowUnencrypted -Value $true means you are allowing plaintext data to be exchanged, you want it to be AllowUnencrypted -Value $false to make sure encryption is used. Are you getting mixed up with the values here?
[ansible-project] Re: windows update playbook failed
It didn’t fail on any patches, the ones listed were filtered because they didn’t match any of the categories you listed in the task. The difference between reboot: yes and win_reboot is that the former will reboot during the win_updates task and continue to check if there are more updates available. I highly recommend you use the reboot: yes instead of win_reboot as it is better at handling reboots that take a long time to come back online compared to win_reboot.
[ansible-project] Re: Use Ansible to Install SharePoint Server Updates
What’s the output when you run the win_whoami module with the same become setup you have for win_shell? Please use -vvv so we can see the output. I would also try ansible_become_pass as I believe ansible_become_password is only valid in later Ansible versions.
Re: [ansible-project] aws community edition and collection
> > You've identified one of the many annoying parts of collections. You need
> > a special directory structure and you can't install from git in an editable
> > manner.

Admittedly you are right about the special directory structure but it's pretty trivial to install it from git in an editable manner. I do this for the Windows collections;

    # Usually I have this in my ~/.bashrc where the last segment is my dev location
    export ANSIBLE_COLLECTIONS_PATHS=~/.ansible/collections:/usr/share/ansible/collections:~/ansible-dev

    git clone g...@github.com:ansible-collections/ansible.windows.git ~/ansible-dev/ansible_collections/ansible/windows

I won't lie and say this is a perfect scenario but it's just 2 commands, one of which can be set automatically in your profile.
[ansible-project] Re: Use Ansible to Install SharePoint Server Updates
If the task is trying to install updates then you are typically restricted by Windows over a network logon like WinRM. The way around this that Ansible provides is the become [1]. This turns the logon type to an interactive logon which is allowed to install Windows updates just like you can when running it manually.

[1] - https://docs.ansible.com/ansible/latest/user_guide/become.html#become-and-windows
[ansible-project] "kerberos: HTTPSConnectionPool(host='win-xx.ca.local', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificat
The key you want to use is ‘ansible_winrm_server_cert_validation’, you were missing the server part https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#https-certificate-validation.
[ansible-project] Re: Localhost unreachable on Windows Subsystem for Linux (WSL2, Ubuntu) (Git Issue #: 69765)
With the further details exposed by -vvv we can see the error message when it tried to create the temp folder

> sleep: cannot read realtime clock

A quick google search brings up an issue on the WSL repo about this problem https://github.com/microsoft/WSL/issues/4898. Looks like there are some workarounds in that post that indicate it's due to a recent package update that isn't handled by WSL. Ansible has no guarantees that it will work properly on WSL, while most things are fine you've encountered one of those edge cases which stop us from officially supporting/testing Ansible on this platform. There is nothing we can do here but rely on WSL implementing the POSIX syscalls that Ansible relies on.

Thanks
Jordan
Re: [ansible-project] ansible kerberos library is not installed
Please read the docs, there are a few packages that need to be installed for pip to compile the pykerberos library https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#installing-the-kerberos-library.
Re: [ansible-project] ansible kerberos library is not installed
The error message is saying

> The python kerberos library is not installed

Make sure you have installed pykerberos by running 'pip install pykerberos' or if you are managing Python packages through your system package manager 'apt install python-kerberos'. You can verify whether it is installed with 'python -c "import kerberos"'. Make sure the Python you use to execute this check is the same Python that Ansible runs with.

Thanks
Jordan
Re: [ansible-project] win_domain_computer module
> The documentation page for this module only says name is mandatory parameter, rest is optional.

There is only 1 option that is always required 'name', but if you read the description you can see that there are multiple others that are required when 'state=present'.

> I want to retrieve it’s OU location

The module doesn't look like it will do what you want, it's designed to enforce a state which requires input. If you want to get the status/info of an existing resource you will have to develop your own win_domain_computer_info module or just use 'win_shell: Get-ADComputer' as you've already pointed out only requires the identity.
Re: [ansible-project] win_domain_computer module
According to the docs, dns_hostname is

> Required when *state=present*.

So you need to have this set for the module to work.

Thanks
Jordan
[ansible-project] Re: WINRM CONNECTION ERROR: function takes at most 2 arguments (3 given)
The issue here is the kerberos library you have installed is either too old or incompatible with what requests-kerberos requires. Uninstall both kerberos and pykerberos and install just pykerberos. You may want to update requests-kerberos as well as 0.7.0 is quite old.
[ansible-project] Re: SharePointDSC parameter PsDscRunAsCredential with Kerberos
Unfortunately no, the DSC engine requires explicit username and password and cannot be configured to run using an existing access token. It is probably needed because the DSC engine runs each task as the SYSTEM account so any network authentication will appear as it came from the AD computer account. By setting explicit PSDSCRunAsCredential you tell the engine to use those credentials instead.
[ansible-project] Task reported as "changed" even if unchanged
You can use the changed_when task directive to control when a change is reported. If you want to say this will never create a change set ‘changed_when: false’.
[ansible-project] Re: winrm http port 5985
If only 5986 is working then it sounds like message encryption is being disabled for NTLM or is just unavailable (older libraries are installed). If you already have HTTPS working then you should just continue to use that. It provides more security benefits especially compared to NTLM over port 5985.
[ansible-project] Re: kerberos
Kerberos is highly dependent on DNS working. With Kerberos the client builds an SPN in the format 'HTTP/, in your case that will be 'HTTP/10.50.1.231'. Active Directory only creates automatic SPNs using the DNS name of a host, i.e. 'HTTP/hostname.domain.com' so that's the SPN that needs to be specified by the Ansible client for Kerberos auth to work.

TLDR you can do one of the following in order of preference

- Connect to Ansible using the FQDN of the host and not the IP. This will construct the proper SPN
- Continue connecting using the IP but set 'ansible_winrm_kerberos_hostname_override: '
- Create the SPN in AD for 'HTTP/' for the host you are connecting to

The first option is really the only sane way going forward as you don't need to maintain 2 sets of data for the Windows host. If you have Kerberos set up correctly in your org then DNS should work just fine and you don't have to worry about IP addresses at all.
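Added example (not part of the original message): a constructed YAML inventory showing the first two options from the reply above, so the SPN requested by the controller matches the one Active Directory registered. The host names, the 192.0.2.20 address, the EXAMPLE.COM realm and the vault_windows_password variable are placeholders.

```yaml
# Constructed inventory: every host name, address and credential variable
# below is a placeholder, not a value from the thread.
all:
  children:
    windows:
      vars:
        ansible_connection: winrm
        ansible_winrm_transport: kerberos
        # UPN form, as Kerberos expects for domain logons
        ansible_user: svc-ansible@EXAMPLE.COM
        ansible_password: "{{ vault_windows_password }}"
      hosts:
        # Option 1 (preferred): address the host by its FQDN.
        # The client requests a ticket for HTTP/web01.example.com,
        # which is the SPN AD creates automatically for the computer.
        web01.example.com:

        # Option 2: keep connecting by IP, but tell the Kerberos client
        # which host name to place in the SPN. Two values now have to be
        # kept in sync for this host. Over HTTPS the server certificate
        # is still checked against the address used for the connection.
        web02:
          ansible_host: 192.0.2.20
          ansible_winrm_kerberos_hostname_override: web02.example.com

        # Option 3 needs no inventory change: an HTTP/<ip> SPN is
        # registered in AD for the computer account instead.
```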
Re: [ansible-project] facing the problem in mapping network drive
So the drive mapping is present but Windows is unable to map the drive on logon. You can use the win_credential [1] to store a credential that Windows will use for mapped drives. There's even an example of this in the win_mapped_drive [2] docs. If you are running the net use command through Ansible and expecting to see that mapped drive available then you are out of luck. Mapped drives are only for use with interactive logons and not for use in Ansible, Ansible can only manage the mappings but not use them.

[1] https://docs.ansible.com/ansible/latest/modules/win_credential_module.html
[2] https://docs.ansible.com/ansible/latest/modules/win_mapped_drive_module.html
[ansible-project] Re: winrm http port 5985
You need to figure out why it's failing, we have a page for dealing with rejected credentials https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#http-401-credentials-rejected.
Re: [ansible-project] Re: ssl: the specified credentials were rejected by the server
Just change the username and password to that domain account. Typically the user is either in the Netlogon 'DOMAIN\user' form or the UPN 'u...@domain.com' form. The latter is preferred as it's what is required for Kerberos auth which should be used for domain logons.
Re: [ansible-project] facing the problem in mapping network drive
The error you have is nothing to do with mapped drives but that Ansible is unable to authenticate itself over the WinRM connection. You need to set ansible_user and ansible_password for Ansible to use as the connection credentials. Also please note that while you can map a network drive using win_mapped_drive in Ansible, you cannot use that mapped drive in Ansible tasks. That mapping is just for interactive logons. If you want to access files from a network path in Ansible you need to use the UNC path and potentially use become to add outbound creds to your process. We have an example of that here https://docs.ansible.com/ansible/latest/user_guide/become.html#become-flags-for-windows.
Re: [ansible-project] win_shell, kerberos and credential delegation
It really depends on how the 'DB.Migrator.exe' binary is set to use credentials over a network path. If it's trying to find a credential in the user's DPAPI cred store then Kerberos with credential delegation is not enough to unlock it. Your options for this case are either:

- Use become on the task with the connection user credentials
- Use credssp as the transport

I would also suggest you use win_command and not win_shell for this task. The latter is only really useful if you want shell-isms, to run a binary win_command is usually enough for you. My personal preference here is to use become as that will do more than just fix credential delegation, it runs the task in a similar security context as to how it is run interactively. Here is the task as I would write it with become

    - name: Execute migrator
      win_command: >
        "{{ backup_path}}\Migrator\DB.Migrator.exe"
        -s
        -connstring "Server=application-listener.dev\applications,64000; Database=USERAPPDB; User ID=USERAPP; Integrated Security=True;"
      args:
        chdir: '{{ backup_path }}\Migrator'
      become: yes
      become_method: runas
      vars:
        ansible_become_user: '{{ ansible_user }}'
        ansible_become_pass: '{{ ansible_password }}'
      register: migrator
      failed_when: migrator.rc != 6
      run_once: true

A few things I've changed

- I've done away with the set_fact task as it shouldn't be needed
- Used win_command instead of win_shell, the latter shouldn't be needed for your task
- Using a yaml multiline syntax '>' that turns newlines into spaces so the task line isn't too long
- Use a double quote for the executable argument. Because it's in a yaml multiline string you don't need to escape that or backslashes making the command line more representative of what will run
- Use single quotes for quoting YAML values like you need for chdir, no need to escape double quotes
- Added the become vars to run with become

Thanks
Jordan
Re: [ansible-project] installing windows updates on windows hosts
> > TASK [Reboot host if required]
> **
> fatal: [10.50.1.231]: FAILED! => {"changed": false, "msg": "Invalid
> options for win_reboot: when"}

I can't see your task but this sounds like your when clause is not indented correctly. You have it as a module option for win_reboot when it should be on the same indentation as the module name.

> Just found out when I run windows update manually on the machine, there
> were 3 updates that ansible didnt report back?

From your screenshot it indicated those updates are only available through the public Windows Update catalogue and not your org's WSUS catalog. The win_updates module defaults to whatever the OS settings are so if you have a WSUS server configured it will only look there by default. In Ansible 2.8 and newer you can use the 'server_selection' option as documented [1] to force win_updates to check the public Windows update catalog and not the configured WSUS server.

[1] - https://docs.ansible.com/ansible/latest/modules/win_updates_module.html
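Added example, not taken from the original thread: a constructed play that puts both points of the reply above together, with 'when' placed at task level and 'server_selection' pointing win_updates at the public catalogue. The play layout, the 'windows' group and the chosen categories are assumptions; 'filtered_updates' and 'reboot_required' are return values of win_updates.

```yaml
# Constructed play: the host group and category list are placeholders.
- name: Patch Windows hosts from Windows Update instead of WSUS
  hosts: windows
  tasks:
    - name: Install security and critical updates
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        # Ansible 2.8+: ignore the WSUS server configured on the host
        # and query the public Windows Update catalogue.
        server_selection: windows_update
      register: update_result

    # Updates the host offered but that did not match category_names
    # are listed here with the reason, so a missing patch can be
    # explained without raising verbosity.
    - name: Show updates that were found but filtered out
      debug:
        var: update_result.filtered_updates

    # Wrong: 'when' indented under the module is parsed as a module
    # option and fails with "Invalid options for win_reboot: when".
    #
    # - name: Reboot host if required
    #   win_reboot:
    #     when: update_result.reboot_required

    # Right: 'when' is a task keyword, aligned with the module name.
    - name: Reboot host if required
      win_reboot:
      when: update_result.reboot_required
```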
Re: [ansible-project] Shutting Down Windows with Ansible
A few issues

- The output indicates you didn't supply the command args for shutdown.exe correctly. If the +1 is meant to say shutdown after 1 second the correct syntax is to use /t 1 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
- You need to run the task with async: 60 and poll: 0 so Ansible doesn't fail when trying to get the output back from the remote host.
Re: [ansible-project] Re: Window patch module not working on 2.9 Ansible
It’s telling you that the update has been filtered and the reason is because the categories for that update aren’t in the categories you listed. To fix this add one of the 2 categories it states it has and run again.
[ansible-project] Problem copying a file from a network drive to a another directory (Windows 10)
You cannot access mapped drives through WinRM. You need to use the full UNC path. Also you need to be aware of the credential delegation problem when accessing network paths when using WinRM. You can connect with CredSSP, or Kerberos with delegation or use become on the task to bypass that.
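Added example (not from the original message): two constructed tasks that read from a UNC path over WinRM using become, the third of the options named above, without enabling CredSSP or Kerberos delegation on the connection. The file server name, share, paths and the vault_fileshare_* variables are placeholders.

```yaml
# Constructed tasks: server, share, paths and credential variables are
# placeholders.
- name: Copy from a file share over WinRM
  hosts: windows
  tasks:
    # Variant 1: re-logon as the connection user. become turns the
    # network logon into an interactive-style logon that holds
    # credentials it can present to the file server.
    - name: Copy installer from the share as the connection user
      win_copy:
        src: \\fileserver.example.com\share\installer.msi
        dest: C:\Temp\installer.msi
        remote_src: yes
      become: yes
      become_method: runas
      vars:
        ansible_become_user: '{{ ansible_user }}'
        ansible_become_pass: '{{ ansible_password }}'

    # Variant 2: keep the local identity and attach a separate account
    # for outbound authentication only. The share account needs no
    # logon rights on the managed host, which keeps its privileges
    # limited to the file server.
    - name: Copy installer using a dedicated share account
      win_copy:
        src: \\fileserver.example.com\share\installer.msi
        dest: C:\Temp\installer.msi
        remote_src: yes
      become: yes
      become_method: runas
      vars:
        ansible_become_user: '{{ vault_fileshare_user }}'
        ansible_become_pass: '{{ vault_fileshare_password }}'
        ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
```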
[ansible-project] Re: Windows service recovery on failure with ansible?
It was added with the PR https://github.com/ansible-collections/ansible.windows/pull/40 which is the 'win_service' module in the ansible.windows collection. This collection is officially meant to be the source of supported Windows module in Ansible 2.10 and onwards but you might be able to use it for Ansible 2.9.

Thanks
Jordan
[ansible-project] Re: Problem connecting to Windows Server 2008R2 host
See https://docs.ansible.com/ansible/latest/user_guide/windows_faq.html#what-windows-modules-are-available, you cannot run Python modules on Windows. You need to use the win_* variants if they are available.
Re: [ansible-project] Re: copy j2 file to Json on windows server
The output shows a change occurred and the file was templated. If the contents weren't what you were expecting then you need to fix the template or make sure you are checking the right server.
[ansible-project] Re: copy j2 file to Json on windows server
Remove remote_src: true as it's expecting you to supply src for the copy. Better yet use win_template instead like

    - win_template:
        src: config.j2
        dest: D:\config1.json
[ansible-project] Re: ssl: the specified credentials were rejected by the server
Your WinRM service has been set to reject Basic auth. You need to change the auth to something like kerberos (for domain auth) or ntlm using the ansible_winrm_transport var.
[ansible-project] Re: Ansible invoking aws_s3 windows host in block/rescue failed error which hard to understand
Read through that issue you linked and you will see it.
[ansible-project] Re: Ansible invoking aws_s3 windows host in block/rescue failed error which hard to understand
Because get_url is also a Python module https://docs.ansible.com/ansible/latest/user_guide/windows_faq.html#can-i-run-python-modules-on-windows-hosts. The alternative for you is to either use win_get_url, or download the file on the controller using the Python modules and use win_copy to copy it across.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/760ce24f-6d55-40dd-84d3-b4eafbfb3367%40googlegroups.com.
[ansible-project] Re: need to run powershell script without copying to target host
The proper way is to use the script module

    - name: run script
      script: test.ps1

It will automatically try and find 'test.ps1' in various folders, the files folder adjacent to the playbook is one of them, copy it across, execute, then delete the file all in 1 go. If you truly don't want to copy across the file then your only option is to read the script using the lookup plugin and use it with win_shell

    - name: run script in memory
      win_shell: '{{ lookup("file", "test.ps1") }}'

If this is a really large script you might reach some command line length limits so it's not always possible to do this.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/72a3b823-dcc1-4932-94f0-9e681e4a577f%40googlegroups.com.
[ansible-project] Ansible invoking aws_s3 windows host in block/rescue failed error which hard to understand
You can’t run Python modules on Windows so this was never designed to work on those hosts.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/94c36de4-65cc-44b3-9329-5e3aa75edd2e%40googlegroups.com.
[ansible-project] Re: "Win_Command" module not working to connect localhost to run Powershell script from ansible which is installed in windows10
You cannot run Windows modules over localhost, they are designed to run through a connection plugin like winrm, psrp, or ssh. Also I would highly advise not running Ansible through cygwin, it may work in some places but will then fall flat in others. If you are on Windows 10 then WSL is a lot better in terms of compatibility but nothing will trump a VM running Linux. You also avoid issues like this where you try to run Windows stuff on localhost when Ansible isn't designed for that.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/a99e4f37-f2da-4015-93ef-3634ee812521%40googlegroups.com.
Re: [ansible-project] Re: win_acl and remote fileshares
There's not much more I can really say, Windows ACLs are based on SIDs so it needs to be able to translate a human readable name to the actual SID. If the module is complaining that it's unable to translate an identity that's just what Windows is returning as it's unable to translate the name to an actual SID. You shouldn't need become or credential delegation enabled for this as the host will talk to the DC to translate the names under its own account. The only thing I would suggest is to try translating it yourself through a win_shell task and see if it errors out

    - win_shell: |
        $account = [System.Security.Principal.NTAccount]'gr...@realm.com'
        $account.Translate([System.Security.Principal.SecurityIdentifier])

If that works then I'm not sure why the win_acl task is failing, you could try the Netlogon form 'DOMAIN\group' but the UPN should work just fine here. If the win_shell task fails then there's a problem with your host setup.

Thanks

Jordan

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8d42492c-6b7e-4fa6-b96d-a83f5795d0c5%40googlegroups.com.
[ansible-project] Re: win_acl and remote fileshares
Is the host actually joined to the domain the groups reside in? If you have multiple domain controllers it may not have replicated to whatever that host is talking to when finding the groups.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/ba6f6242-30ab-49bf-b48c-cf1eb235c943%40googlegroups.com.
[ansible-project] Re: win_acl and remote fileshares
Sorry I misread what you said and thought you meant you didn't think become mattered here but I see your problem. You've set the become vars as a module option to win_acl, the directives should be on the same indentation as win_acl itself. Unfortunately not all Windows modules currently validate that the options you've specified are actually supported, they are just silently ignored but hopefully over time more of them use the newer framework that does do that validation. In short your task should look like

    - name: Define RW permissions on new share.
      win_acl:
        path: "{{ prd_shr_path }}"
        rights: Modify
        type: allow
        user: 'DOMAIN\{{ h_dl_prefix }}{{ u_name }}{{ suffix_RW }}'
        inherit: containerinherit, objectinherit
      become: yes
      become_method: runas
      vars:
        ansible_become_user: '{{ ansible_user }}'
        ansible_become_pass: '{{ ansible_password }}'

I've made a slight tweak to specify the user and password in the vars section. My reasons for this are

- You need to specify the password or else you will have the same problem as WinRM where you become the user but with no password available, there is no task directive for 'become_pass' and it needs to be set in a variable
- Setting a var has a higher precedence than a task directive, so if you've set 'become_user: some user' on your task but have set 'ansible_become_user: other user' in your host/group vars for that host, 'other user' is used. Setting it on the vars section of a task is pretty high up there on variable precedence with only a few things being higher (vars specified by -e is one of them)
- I've also said to just become the connection user using the existing connection variables. This makes things host agnostic and just ensures that the process runs as the same connection user but has its credentials available for delegation

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/e6498220-ca32-446d-b46b-66d025f68f71%40googlegroups.com.
[ansible-project] win_acl and remote fileshares
This is because of the double hop problem, without the user's credentials the WinRM service cannot authenticate to those fileshares as that user so it appears to be an anonymous user which does not have access. The only way around this is to use become on the task or connect with an authentication option that supports credential delegation like CredSSP or Kerberos with delegation enabled.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/754adf32-6a24-42bb-887c-6d16f4af7230%40googlegroups.com.
[ansible-project] Re: OpenSSH-Win64 support?
And just an FYI, OpenSSH-Win32 and OpenSSH-Win64 are the same thing, one is just a binary for 32-bit installs and the other for 64-bit installs. The overarching project is known as 'Win32-OpenSSH' though https://github.com/PowerShell/Win32-OpenSSH.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/de18f9d2-aa12-4741-bcfb-2922651b9795%40googlegroups.com.
[ansible-project] Re: OpenSSH-Win64 support?
Depends on what you mean by support.

Does it work? yes
Is it supported by Red Hat? no
Will there be bugs? probably
Will we fix the bugs? eventually, the biggest showstoppers are now gone it's just the little things we don't know of.

Read through https://docs.ansible.com/ansible/latest/user_guide/windows_faq.html#can-i-connect-to-windows-hosts-over-ssh for more info.

Thanks

Jordan

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/bc9af86a-2291-4bcc-a5d7-dcec96bf8906%40googlegroups.com.
[ansible-project] Ansible Reboot Error...
It’s telling you it cannot find the reboot module/plugin. Make sure you are on Ansible 2.7 or higher as that is when the module was added https://docs.ansible.com/ansible/latest/modules/reboot_module.html.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/3ccf48e5-95c3-4201-b12c-a99226da48eb%40googlegroups.com.
[ansible-project] Ansible with Windows Shared Folder
You are probably hitting the double hop issue over WinRM. See https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#limitations for some workarounds.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/fc595e89-2f76-4b8f-86d3-c0aa96c615b1%40googlegroups.com.
[ansible-project] Re: Invoke-CommandInDesktopPackage ( Not able to execute Invoke-CommandInDesktopPackage with Ansible (win_shell) option
Try using Ansible become to work around this problem. It isn’t a guarantee but it acts like the process was executed on an interactive logon. You could have trouble if the command is expecting user input. This can’t be done on Ansible.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/e8bed54c-2729-4c64-8bd8-36fce1ae3a85%40googlegroups.com.
Re: [ansible-project] OS support contribution guidelines
> > Windows could be supported if someone did the work

I think you are underestimating how much work this would actually require. The biggest (but not the only) issue is that Ansible uses fork in its worker model and fork is not available on Windows. Changing that to use threads is technically possible and there is/was some work going on to add a way to specify either threading or forking in a strategy to control how this works. This would solve 1 hurdle but there also remains a whole lot of others not limited to

- A whole bunch of other code on the controller is designed specifically for Linux and not Windows. Things like the SSH plugin would most likely break with using the Win32 OpenSSH port
- Running a playbook on Windows localhost is different than Linux localhost, lookups can act differently especially something like pipe
- Should delegate_to: localhost automatically redirect ping to win_ping for Windows, what happens if there is no win_* equivalent module or specific options aren't supported
- This leads into playbooks developed on Windows as a controller aren't compatible with Linux as a controller and vice versa
- The basic.py module util wrapper imports a few Python modules like 'grp', 'fcntl' and probably others. Without these common utilities used by modules will not work and requires either workaround or more caveats to apply to a Windows host
- This would need to be solved and tested before you can start running Python modules on Windows
- Python is riddled with lots of modules that only work on X platform or specific features of this module won't work. This isn't Python's fault but just due to the differences between Windows and POSIX compliant systems
- We don't test Ansible as a controller on Windows
- We could fix things as we go but without testing in CI these things will inevitably break leading to anger from people who use it making no one happy

> This is confusing because there's nothing explicitly calling out that Windows shouldn't be supported

The link that sivel has posted explicitly states that Windows is not supported for the control node. As one of the Windows devs it would be fantastic if we could ever get Ansible as a controller working on Windows but the practical reality is that this won't happen anytime soon. With the introduction of WSL and WSL2 on Windows 10 there is even less of a reason to push for this as Ansible works perfectly fine under those hosts and it allows you to run it on a Windows host like you are asking.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/c939d235-3a0f-4539-9b14-6dae83a7cf0c%40googlegroups.com.
[ansible-project] Re: ansible windows
If you are wanting to play around with things there's no harm in it. If you are wanting to use it in production I would wait until some of the kinks are ironed out and 2.10 is officially released. That's not to say you can use it side by side and selectively try out various modules in the collection if you want to use a newer version.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/3bb44e87-771d-4313-8dde-1c2518b0984f%40googlegroups.com.
[ansible-project] Re: ansible windows
I also forgot to mention that while some components may work in 2.9 this collection will not be tested against this version and will officially be designed to work with 2.10 onwards.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/34d808a7-0a8a-480d-8ee9-c2d05e1efef3%40googlegroups.com.
[ansible-project] Re: ansible windows
That is because the current released versions of the ansible.windows collection at https://galaxy.ansible.com/ansible/windows are all beta versions. The ansible-galaxy cli tool does not use any pre-release versions in its check and the only way to install it is to explicitly set the version like

    ansible-galaxy collection install ansible.windows:0.0.1-beta.2

Once a proper release is out then the install command will select the latest non-prerelease version as expected but for you now you need to explicitly opt in.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/3e1f2c41-4744-45f2-b8da-1755e6f21504%40googlegroups.com.
[ansible-project] Re: Need win_shell to run with elevated privileges
As I mentioned in that issue the processes run from Ansible with the highest privileges available to the user, you can verify this by running

    - win_command: whoami.exe /all

Here is what you should roughly see back

    (ansible-py37) jborean:~/dev/ansible-tester$ ansible 2019 -m win_command -a 'whoami.exe /all'
    [WARNING]: You are running the development version of Ansible. You should only run Ansible from "devel" if you are modifying the Ansible engine, or trying out features under development. This is a rapidly changing source of code and can become unstable at any point.

    2019 | CHANGED | rc=0 >>

    USER INFORMATION
    ----------------

    User Name             SID
    ===================== =============================================
    domain\vagrant-domain S-1-5-21-2959096244-3298113601-420842770-1104


    GROUP INFORMATION
    -----------------

    Group Name                                    Type             SID                                          Attributes
    ============================================= ================ ============================================ ===============================================================
    Everyone                                      Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
    BUILTIN\Performance Log Users                 Alias            S-1-5-32-559                                 Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users                                 Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
    BUILTIN\Administrators                        Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
    NT AUTHORITY\NETWORK                          Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization                Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
    DOMAIN\Domain Admins                          Group            S-1-5-21-2959096244-3298113601-420842770-512 Mandatory group, Enabled by default, Enabled group
    Authentication authority asserted identity    Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group
    DOMAIN\Denied RODC Password Replication Group Alias            S-1-5-21-2959096244-3298113601-420842770-572 Mandatory group, Enabled by default, Enabled group, Local Group
    Mandatory Label\High Mandatory Level          Label            S-1-16-12288


    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                  Description                              State
    =============================== ======================================== =======
    SeAssignPrimaryTokenPrivilege   Replace a process level token            Enabled
    SeIncreaseQuotaPrivilege        Adjust memory quotas for a process       Enabled
    SeSecurityPrivilege             Manage auditing and security log         Enabled
    SeTakeOwnershipPrivilege        Take ownership of files or other objects Enabled
    SeLoadDriverPrivilege           Load and unload device drivers           Enabled
    SeSystemProfilePrivilege        Profile system performance               Enabled
    SeSystemtimePrivilege           Change the system time                   Enabled
    SeProfileSingleProcessPrivilege Profile single process                   Enabled
    SeIncreaseBasePriorityPrivilege Increase scheduling priority             Enabled
    SeCreatePagefilePrivilege       Create a pagefile                        Enabled
    SeBackupPrivilege               Back up files and directories            Enabled
    SeRestorePrivilege              Restore files and directories            Enabled
    SeShutdownPrivilege             Shut down the system                     Enabled
    SeDebugPrivilege
[ansible-project] Re: Calling powershell function via Ansible
When you call powershell.exe with -File you cannot run multiple commands after that, it's designed to run a script with potential arguments. You can even see in the error from powershell it thinks the file it needs to run is `C:\Scripts\USERNAME\dfsadd_func.ps1;' (with the semicolon) so that's why it is saying the extension is wrong. If you are trying to run a function that is sourced from a file do the following

    - name: Create DFS links
      win_shell: |
        . C:\Scripts\USERNAME\dfsadd_func.ps1  # dot source the file to load the functions
        dfsadd -junction Apps -obj_name toast -prd_vserver PROD -dr_vserver DR -prd_state online -dr_state offline

Please bear in mind the double hop problem with WinRM where you will be unable to talk to downstream servers in your task unless you use something like become or your auth is CredSSP or Kerberos with credential delegation enabled.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/efdc8a5e-0262-4ca8-913b-bbbecc97cf75%40googlegroups.com.
[ansible-project] Re: windows dynamic inventory
I haven't worked with the Azure dynamic inventory so I could be wrong but my guess is that with the lines

    conditional_groups:
      all_the_hosts: true
      sittst-servers: "'sittst' in name"

You are creating a group called sittst-server which contains your host. You then have a file 'group_vars/sittst.yaml' which will only apply to hosts in the 'sittst' group and not 'sittst-server'. The 'group: sittst-servers' entry in your group_vars file does not assign a group name to the hosts but rather just sets the group var which is nothing special. Either change the filename to sittst-server.yaml or change the group name in conditional_groups to sittst.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/711a150c-1725-41fd-8e0b-096ef540a48a%40googlegroups.com.
[ansible-project] Re: Swapping credentials
If you have multiple DCs then potentially it could be replication at fault here but usually if a host is missing from the domain controller it queries then a different error is shown (service not found in the database). Is the host you are connecting to sharing the same hostname as an older host that it's potentially replacing? If so the SPN could be registered under the newer host on 1 DC but still not been replicated to another DC where it still thinks hostname is another host. Each host would technically have its own unique key and when the server goes to check the credentials it is unable to decrypt the secret because it's using a different key than the one the DC thought it had (older host) and thus thinks the credentials were bad.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/473b6cc3-5ac7-4c3a-82e0-06e5b15ae750%40googlegroups.com.
[ansible-project] Re: Swapping credentials
The fact that you were able to get a Kerberos ticket showed that your host is set up to get the tickets correctly. Some things you should check

- The domain account is a local admin, non admins can technically connect through WinRM but not by default. In any case Ansible is very limited with what it can do when connecting as a non-admin account so it's not something we usually document
- The time is synced between your Ansible controller and the Windows server
- You aren't using message encryption. This should be done automatically but some older libraries that Ansible uses may not have it available. To check set 'ansible_winrm_message_encryption: always' just to double check message encryption is available and works

Also you should set `ansible_winrm_transport: kerberos' to stop the fallback to Basic auth. Unfortunately this is also another backwards compatibility issue which we can't take away but isn't something that is really optimal.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/f877f403-e265-485a-8164-cfd14f9b45fb%40googlegroups.com.
[ansible-project] Re: Swapping credentials
Plaintext means basic auth over http which is rejected by Windows because it is not encrypted. Basic auth also does not work for domain accounts but unfortunately it is the default for backwards compatibility reasons when the username specified is not in the UPN format. If you are connecting to a domain account you can set ansible_winrm_transport: ntlm to get you going but I highly recommend you get Kerberos auth working for domain accounts.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/7c123396-682b-4eaf-8663-d5b38c643218%40googlegroups.com.
[ansible-project] Re: Swapping credentials
What you have there is one way but by default WinRM only allows local administrators to connect to the host so you need to either make sure the domain user is also a local admin or adjust the WinRM security to allow non-admins to connect. Another option is to define the host twice in your inventory like so

    [windows]
    serverA_local ansible_host=serverA.internal.domain ansible_user=administrator ansible_password=pass
    serverA_domain ansible_host=serverA.internal.domain ansible_user=DOMAIN\user ansible_password=pass

    [windows:vars]
    ansible_connection=winrm
    ansible_port=5985

In your play you would set hosts: serverA_local for the local inventory entry and hosts: serverA_domain for the domain inventory.

Thanks

Jordan

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/24eea4bf-9db7-4932-98bb-e48a3c8879ac%40googlegroups.com.
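Added example, not part of the original messages and not Ansible's own code: a small inventory check that applies the rules stated in this message and in the two "Swapping credentials" replies listed before it (Basic is the default when the user is not a UPN, Basic remains a fallback unless ansible_winrm_transport is set, plaintext means Basic over http, Basic does not work for domain accounts). The serverB_krb host, the finding labels and treating port 5985 as the http endpoint are assumptions of this example; values containing spaces and [group:children] sections are not handled.

```python
import re

# Constructed sample: the two serverA entries and [windows:vars] are the
# inventory from the message above; serverB_krb is a hypothetical host that
# pins Kerberos explicitly.
SAMPLE_INVENTORY = r"""
[windows]
serverA_local ansible_host=serverA.internal.domain ansible_user=administrator ansible_password=pass
serverA_domain ansible_host=serverA.internal.domain ansible_user=DOMAIN\user ansible_password=pass
serverB_krb ansible_host=serverB.internal.domain ansible_user=user@INTERNAL.DOMAIN ansible_winrm_transport=kerberos

[windows:vars]
ansible_connection=winrm
ansible_port=5985
"""

# Labels are this example's own, each tied to a statement in the thread.
FINDINGS = {
    "basic-default": "no transport set and user is not a UPN: Basic auth is the default",
    "basic-fallback": "no transport set: Basic auth remains available as a fallback",
    "plaintext-http": "Basic auth over http (port 5985) is unencrypted and rejected by Windows",
    "domain-user-basic": "Basic auth does not work for domain accounts",
}

SECTION = re.compile(r"\[([^\]:]+)(?::(\w+))?\]")


def parse_inventory(text):
    """Return {host: effective vars}; host vars override [group:vars]."""
    hosts, group_vars, members = {}, {}, {}
    group, mode = "ungrouped", "hosts"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION.fullmatch(line)
        if header:
            group, mode = header.group(1), header.group(2) or "hosts"
        elif mode == "vars":
            key, _, value = line.partition("=")
            group_vars.setdefault(group, {})[key.strip()] = value.strip()
        elif mode == "hosts":
            name, *pairs = line.split()
            hosts.setdefault(name, {}).update(
                p.split("=", 1) for p in pairs if "=" in p
            )
            members.setdefault(group, set()).add(name)
        # Any other section kind (e.g. children) is skipped in this example.
    merged = {}
    for name, host_vars in hosts.items():
        effective = {}
        for grp, names in members.items():
            if name in names:
                effective.update(group_vars.get(grp, {}))
        effective.update(host_vars)
        merged[name] = effective
    return merged


def audit_host(hv):
    """Return the finding labels that apply to one host's effective vars."""
    if hv.get("ansible_connection") != "winrm":
        return []
    user = hv.get("ansible_user", "")
    raw = hv.get("ansible_winrm_transport")
    transports = [t.strip().lower() for t in raw.split(",")] if raw else []
    is_upn = "@" in user
    findings = []
    if not transports:
        findings.append("basic-fallback" if is_upn else "basic-default")
    # Basic is in play when requested explicitly or when it is the default.
    uses_basic = "basic" in transports or (not transports and not is_upn)
    if uses_basic and str(hv.get("ansible_port", "5986")) == "5985":
        findings.append("plaintext-http")
    if uses_basic and "\\" in user:
        findings.append("domain-user-basic")
    return findings


def audit_inventory(text):
    """Map every host in an INI inventory to its list of findings."""
    return {name: audit_host(hv) for name, hv in parse_inventory(text).items()}


if __name__ == "__main__":
    for host, found in audit_inventory(SAMPLE_INVENTORY).items():
        print(host, "->", "ok" if not found else "")
        for label in found:
            print("   ", label + ":", FINDINGS[label])
```
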
[ansible-project] Re: SSL Certificate or Passwordless WinRM setup
WinRM certificate auth is plain simple complex and not recommended to be used. It's the most complex option to set up and has loads of caveats and downsides that I wouldn't really recommend its use.

> First question would be why am I creating a cert for Ansible on the Linux server and then creating a SSL cert on the Windows server?

WinRM certificate auth is based on X509 mutual authentication [1]. It's a very enterprise like setup but IMO it's quite difficult to set up properly and then WinRM adds even more complication on top that reduces its effectiveness. But ultimately it boils down to having both the client and server trust each other which requires both entities to have their own X509 certificate and a private key that backs that cert. These keys are used for;

- Windows - This is the certificate that is used by WinRM to back its https endpoint. It's a server certificate and when used properly it is designed to allow clients who connect to the server the ability to trust it is who it says it is. This cert is required for any auth methods that run on the https endpoint
- Ansible - This is the certificate that is used by Ansible to authenticate as a local user on the Windows host. This is purely for WinRM certificate auth.

That is why you need to generate 2 certificates, one for the server for it to allow clients to verify it is who it says it is and another for the client (Ansible) to tell the server who it is. So think of the 2nd certificate generated on the Ansible host as something that is unrelated to the cert that is generated by Windows for WinRM. At the heart of this client certificate setup is 2 files

- The public X509 certificate with the subject 'CN=username' (ansible_winrm_cert_pem)
- The private X509 key for the above certificate, this should only be on the Ansible controller (ansible_winrm_cert_key_pem)

The public key is placed in the Root store so that Windows will trust that it knows the public key sent by Ansible and I believe in a proper CA setup if that key is signed by a known CA authority only the CA authority needs to be in the Root store. It is also placed in the TrustedPeople store as I believe that is required for Windows to trust a cert that is mapped to a local account.

> Does the Windows Cert need to be installed on the Linux server?

For you to actually take advantage of the https endpoint yes you should be signing the certs used by the WinRM endpoint with a trusted CA and having that CA installed on your Linux server. This allows Ansible to be able to verify the Windows host it is connecting to is actually who it says it is and not just some rogue server pretending to be it and stealing your information. So while using self signed certs will work it's breaking a key cornerstone of TLS and a proper enterprise environment should be using their internal CA setup to sign and distribute the keys to the Windows host. As for the client auth side there is no way to install these certs for use in Ansible as authentication. One of the limitations of the WinRM certificate auth is the fact that you need both the cert and private key as plaintext files on the system. This is a limitation of the underlying Python library we are using and one of the reasons why we don't recommend you use it.

In the end I highly recommend you move across to using Kerberos auth as that provides both trust and a way to connect without a password (using keytabs). You also don't need to worry about https endpoints as the message encryption offered by Kerberos is quite strong. For your domain joined servers but for your non domain hosts there really isn't a good way of ensuring trust between the hosts. You could still sign the WinRM certs with a known trusted CA and get your trust that way but this would be a manual process. In the end most people just rely on self signed certs for non-domain hosts as you still get encryption, you just miss the trust aspect.

[1] - https://medium.com/sitewards/the-magic-of-tls-x509-and-mutual-authentication-explained-b2162dec4401

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8ee447da-8ee3-4c81-9b64-b93b929fcf3c%40googlegroups.com.
[ansible-project] Re: Ansible parallel execution over winrm
host_key_checking has nothing to do with parallel runs so I'm not sure what you mean by that. By default Ansible will run on hosts in parallel up to the forks configured [1]. If you want to run multiple tasks at the same time the only real option is to use async with poll: 0 [2] so it runs in the background and Ansible continues onto the next task. This does have limitations and it makes it difficult to track the status or even the success of each task you run in async.

[1] - https://docs.ansible.com/ansible/latest/user_guide/playbooks_strategies.html#setting-the-number-of-forks
[2] - https://docs.ansible.com/ansible/latest/user_guide/playbooks_async.html#concurrent-tasks-poll-0

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/d4b3ada3-9cae-457d-a07a-c07aad1c5a71%40googlegroups.com.
Re: [ansible-project] Re: Win_ping Module | failed to run exec_wrapper | URGENT
I completely spaced that you are running against Server 2008 R2. There's a bug with PowerShell v3 and remoting around out of memory issues which commonly appears like stuff you are seeing here. Make sure you have met the pre-reqs and either

- Update PowerShell to v5 preferably
- Install the Windows hotfix for v3 [1]

The hotfix is hard to get but that link should have enough details to get you started. I would highly recommend you upgrade to PowerShell v5 anyway as that contains some nice logging features you can take advantage of.

[1] - https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#winrm-memory-hotfix

Thanks
Jordan
[ansible-project] Re: Win_ping Module | failed to run exec_wrapper | URGENT
We use C# code in our code for a lot of things, in this case it's the Ansible wrapper we use to abstract the communication to and from the controller. Part of that process is to compile the C# code to a dll and load that in PowerShell. This all happens in the background and is part of PowerShell, similar to how the Add-Type cmdlet works. If it's failing to write to a file in the temp directory then it could be an issue with;

- Not having permissions to the dir
- Antivirus blocking the process

I don't think it's the permissions issue as that's the temp dir for the current user but it's probably still a good idea to check. As for the anti-virus, it could be seeing a process writing a dll as something suspicious and just block it from doing so. Unfortunately this is how Ansible compiles the C# code for use in its modules and we can't really do too much about that. I would check to see if there are any AV logs to see if it logged a reason why it blocked access.
Re: [ansible-project] win_shell module with multiple lines not working
It’s totally possible, you just need to learn how to do multi lined yaml values. Have a look at the 5th example at https://docs.ansible.com/ansible/latest/modules/win_shell_module.html#examples. https://yaml-multiline.info/ is a great tool that can help you understand how multi lined strings work in yaml and what the difference between folded and literal block style symbols is.
Re: [ansible-project] wait_for ping?
wait_for_connection is designed to wait until ssh is up and running and Ansible can actually run a module on it. No need for any until loops just ‘wait_for_connection:’.
Re: [ansible-project] Connecting to a WinRM host with different credentials?
Further to the above, those are variables and not attributes you can set on a play. You need to set them under the vars key or just add them using add_host in the previous play.
[ansible-project] Re: remote_src and template_host for template module not working for me
You can’t, template will only work with a source on the controller as that is where the vars are stored. Either store the template in your role/playbook or use fetch to fetch the file to the controller temporarily and then template it from there.
[ansible-project] Re: win_dns_record
Going by that snippet you should be setting the module option 'computer_name', it's even documented in its docs that computer_name is [1]

> Specifies a DNS server.
> You can specify an IP address or any value that resolves to an IP address,
> such as a fully qualified domain name (FQDN), host name, or NETBIOS name.

[1] - https://docs.ansible.com/ansible/latest/modules/win_dns_record_module.html
[ansible-project] Re: win_update to upgrade windows 10 version
I believe since Ansible 2.8 the 'category_names' option is a free form field and you can specify whatever you want. Since that change it should also be reporting all the updates that were filtered (not selected) and the category names that apply for that update which you can then use.
[ansible-project] Re: windows dynamic inventory
Based on your output Ansible is still trying to connect over SSH with port 22. Your group vars are not applying to the host so it's just using the defaults (SSH port 22).
[ansible-project] Re: How to fix warning message conditional statements should not include jinja2 templating delimiters
    - debug:
        msg: Hi
      when:
      - entrycurrdb.stdout.find(hostvars['localhost']['BASEPATH_FINAL'] ~ '/' ~ vars[(item | splitext)[1].split('.')[1] | default('exe')] ~ '/' ~ item | basename) == -1
      - actualfile.stat.exists | bool

A few comments though

- This is an extremely complex and weird conditional that will be hard for anything to read and understand what is happening. Consider simplifying it as much as you can or using set_fact beforehand to build the path to find components so you can better document it.
- Split every and condition onto a new entry to reduce the line length, each entry is just and'd together
- The '~' is a jinja2 string concatenation operator that works similar to '+' but it converts both sides to a string before adding it together making it better for what you want
- The reason why the warning still showed is because you still have jinja2 blocks, technically they are required in your example because you have it in a string but what you should be doing is not enclose the var in a string and concat it together

I haven't tested this but it "should" work.
[ansible-project] Re: how can i have my windows instances to use IP address instead of dns name?
Just set the connection to use IPs as you would Linux, it should just work. Without seeing the error that you are receiving we can't help you anymore. The most common reason why it doesn't is if you are using Kerberos auth. This is because DNS is a very important part of Kerberos auth and using IPs removes some of the protection Kerberos offers. It is still possible but I wouldn't recommend it at all.
[ansible-project] Re: win_domain_group_membership
Looks like I jumped the gun with closing that issue, the backported issue referenced is for a separate problem. The actual cross domain support of groups is still not supported in the module. There is a PR which you can try out https://github.com/ansible/ansible/pull/65138 and comment on if it solves your issue.
[ansible-project] Re: win_domain_group using AD LDS?
It doesn't look like the module supports LDS. You will have to edit it and create a PR that modifies it to specify the Partition value with what is required.
[ansible-project] Re: Having issues running win_domain_group
This issue is due to the double hop problem typically seen with WinRM. Any further outbound authentications from the Windows host (Ansible -> Windows host -> AD controller) will appear as an anonymous user and results in either access is denied or resource not found type errors. You have 3 options

1. Use become on your task with the same credentials as the connection user

    - name: run win_domain_group with become
      win_domain_group:
        ...
      become: yes
      become_method: runas
      vars:
        ansible_become_user: '{{ ansible_user }}'  # The module will run as this user and have its credentials enabled for further network authentication.
        ansible_become_pass: '{{ ansible_password }}'

2. Use explicit credentials with win_domain_group, i.e. set domain_username and domain_password
3. Use CredSSP or Kerberos with credential delegation set as your WinRM transport

All 3 options allow the requests to AD to be backed by a set of credentials so it doesn't appear as an anonymous user, they are just done in different ways.

Thanks
Jordan
[ansible-project] ansible playbook executing the tasks on localhost(Master Node) instead of remote node
It’s because you have transport=local in your ansible.cfg. Remove that and it will default to ssh.
[ansible-project] Re: Issues with specifying group vars with a dynamic EC2 inventory
This sounds like it was potentially fixed with https://github.com/ansible/ansible/pull/65023 which has been backported to Ansible 2.9. What Ansible version are you running?

Thanks
Jordan
[ansible-project] Re: Ansible win_ping fails
Ansible just runs the ssh binary and reports back what it says. In this case it tried to authenticate using an SSH key with no fallback to password authentication and that failed. You can even run the same command that is displayed to see what happens when you run it manually. You also say you are running Ansible with sudo, why are you doing that? Do you want to use SSH key auth, or are you wanting to use password auth?
[ansible-project] Re: kerberos: the python kerberos library is not installed
That's telling you it can't compile the pykerberos library, it's trying to find headers that are not present. In this case you need the python3-devel package installed with yum/dnf. These headers are different from the Python 2 headers which is why you can install pykerberos in Python 2 and not 3. There may be other headers that are present but you just need to solve them 1 by 1.

Thanks
Jordan
[ansible-project] Re: kerberos: the python kerberos library is not installed
Since pywinrm 0.4.0, requests-kerberos is not actually used so in your case we don't really have to worry about that particular library in your pywinrm version. The pykerberos library is still required but it looks like you do have it there. Also you are saying you have both Python 2.7 and 3.6 installed, typically pip points to the 2.x install and pip3 is for Python 3.x (although that's not always the case). You can run the following to test out what Python is actually being used and the installed libraries for that Python.

    ANSIBLE_PYTHON=$(head -n 1 $(which ansible) | cut -c 3-)
    echo $ANSIBLE_PYTHON
    $ANSIBLE_PYTHON -m pip list
    $ANSIBLE_PYTHON -c "import winrm; import kerberos"

The first step gets the shebang of ansible (#!/usr/bin/python), strips out the #! part so we can determine what Python is set to execute Ansible. From there we echo the path so we know exactly what Python bin is being used. Finally it calls pip list for that Python then tries to import pywinrm and pykerberos which will tell you if it's installed properly or not.

Thanks
Jordan
Re: [ansible-project] Playbook is unable to install specified KB number updates but shows OK in playbook recap
Then finally for your last message, I've already told you in https://groups.google.com/forum/#!topic/ansible-project/ME6fY1n7SCA why it's failing the reboot check. Firstly

1. The reboot option in win_updates is 'reboot: yes', not 'win_reboot: yes', you would know that if you had read the docs and understood how the options work. The win_reboot module is a completely separate module
2. I've said in your original post that the win_updates module only handles reboots post installation, if a reboot is required before the install it won't do that

Arguably 2 is something that we can do but it's just not something that is available right now. Feel free to submit a PR to add that functionality if you desire it.
Re: [ansible-project] Playbook is unable to install specified KB number updates but shows OK in playbook recap
The filtered message says it's filtered due to category_names, here are the categories you've applied in one of your tasks

- Upgrades
- Security Updates

When you omit the category_names here are the categories it uses by default (as per the docs)

- CriticalUpdates (same as "Critical Updates")
- SecurityUpdates (same as "Security Updates")
- UpdateRollups (same as "Update Rollups")

Here are the categories for KB2267602

- Definition Updates
- Windows Defender

You can see that none of the categories for KB2267602 are matching up in either of your tasks so they are being filtered out, hence the "filtered_reason": "category_names" entry in the filtered list. For an update to not be filtered you MUST specify at least one of the categories it belongs to, you have not done this. The whitelist/blacklist is only applied to updates that have already matched the categories as per the documentation

> The whitelist is only validated on updates that were found based on
> *category_names*. It will not force the module to install an update if it
> was not in the category specified.

You cannot just specify a whitelist of categories and expect them to be matched, they MUST first be part of the categories you have specified.
Re: [ansible-project] Re: Ansible playbook is not working on the target host but shows in play recap - OK
Please read through the doc for win_updates again https://docs.ansible.com/ansible/latest/modules/win_updates_module.html. I've told you multiple times why updates can be filtered and in your case it's because the categories you specify don't match up with the updates that are available. Even the filtered updates entries tell you what categories they apply to and the reason why they have been filtered.

> 1. Well we provided *reboot: yes * doesn't it suppose to make mandatory
> reboot by itself?

In a perfect world yes but right now reboot: yes only applies to reboots that need to happen post installation, the win_updates module does not have reboots that need to occur before an update is installed. There's no reason why this isn't possible it's just not implemented.

> 2. I used the same playbook to a different instance. For some reason, it
> filtered out the required information but didn't install.

See my first comment, there's a reason why updates are filtered, it's because they are for categories you never specified.

> *After I installed the update manually on the server for " *Security
> Intelligence Update for Windows Defender Antivirus - KB2267602 (Version
> 1.307.2841.0)". * the prompt went away. Why it didn't update?*

Because the update is installed it won't appear in the list anymore and once again, if the categories for an update do not match up with what you specify it will be filtered.
Re: [ansible-project] Re: Ansible playbook is not working on the target host but shows in play recap - OK
According to https://docs.microsoft.com/en-us/previous-versions/windows/desktop/hh968413(v=vs.85), the HRESULT value 0x80240016 corresponds to WU_E_INSTALL_NOT_ALLOWED

> Operation tried to install while another installation was in progress or
> the system was pending a mandatory restart.

Sounds like you either have some other installer working in the background or a reboot is pending.
Re: [ansible-project] Re: Ansible playbook is not working on the target host but shows in play recap - OK
So read your filtered updates list, you can see both updates are in there

    ok: [MQN-CKMH5E31UM7.corp.medqia.com] => {
        "changed": false,
        "filtered_updates": {
            "20668013-76d9-43ec-a6f2-f76fb4271642": {
                "categories": [
                    "Definition Updates",
                    "Windows Defender"
                ],
                "filtered_reason": "category_names",
                "id": "20668013-76d9-43ec-a6f2-f76fb4271642",
                "installed": false,
                "kb": [
                    "2267602"
                ],
                "title": "Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.2832.0)"
            },
            "5bb32ece-7c8c-4f07-ace1-7ba1d36736a1": {
                "categories": [
                    "Updates",
                    "Windows 10"
                ],
                "filtered_reason": "category_names",
                "id": "5bb32ece-7c8c-4f07-ace1-7ba1d36736a1",
                "installed": false,
                "kb": [
                    "4494452"
                ],
                "title": "2019-05 Update for Windows 10 Version 1709 for x64-based Systems (KB4494452)"
            },
            "65ecc208-c6b1-4fce-b892-fc2c93917d76": {
                "categories": [
                    "Drivers"
                ],
                "filtered_reason": "category_names",
                "id": "65ecc208-c6b1-4fce-b892-fc2c93917d76",
                "installed": false,
                "kb": [],
                "title": "Logitech - Image - 10/24/2018 12:00:00 AM - 1.3.89.0"
            },
            "79bfbb87-ae9d-480d-9f6f-5c82361e015d": {
                "categories": [
                    "Upgrades"
                ],
                "filtered_reason": "category_names",
                "id": "79bfbb87-ae9d-480d-9f6f-5c82361e015d",
                "installed": false,
                "kb": [
                    "4530684"
                ],
                "title": "Feature update to Windows 10, version 1909"
            }
        },
        "found_update_count": 0,
        "installed_update_count": 0,
        "reboot_required": false,
        "updates": {}
    }

The win_updates module has 2 filters that are applied to available updates

1. It first filters the updates based on the categories that are set. By default Critical Updates, Security Updates, and Update Rollups are applied and any others are filtered
2. From there if you have a whitelist or blacklist these filters are applied to the list

We can see that both the defender update and the feature update have been filtered due to the category name not matching from the input. If you want them to be applied you will have to add the 'Upgrades' category for the feature upgrade and the 'Windows Defender' or 'Definition Updates' for the defender update. Say you wanted to make sure that only the feature update to Windows 10, version 1909 is installed you can do

    - name: ensure Windows 10 has 1909 feature upgrade installed
      win_updates:
        category_names:
        - Upgrades
        whitelist:
        - KB4530684
        reboot: yes

If you didn't care about the actual KB and want all Upgrades installed then just remove the whitelist.
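The two-stage selection described in this reply, modelled in Python over the filtered_updates entries quoted in it. This is an added example, not the win_updates module's own code; the function names, the case-insensitive category comparison, the KB-only whitelist/blacklist matching and the "whitelist"/"blacklist" reason labels are assumptions of the model.

```python
import json

# Constructed sample: the four filtered_updates entries quoted in the thread,
# trimmed to the fields this model reads.
SAMPLE_RESULT = json.loads("""
{
  "filtered_updates": {
    "20668013-76d9-43ec-a6f2-f76fb4271642": {
      "categories": ["Definition Updates", "Windows Defender"],
      "filtered_reason": "category_names",
      "kb": ["2267602"],
      "title": "Security Intelligence Update for Windows Defender Antivirus - KB2267602 (Version 1.307.2832.0)"
    },
    "5bb32ece-7c8c-4f07-ace1-7ba1d36736a1": {
      "categories": ["Updates", "Windows 10"],
      "filtered_reason": "category_names",
      "kb": ["4494452"],
      "title": "2019-05 Update for Windows 10 Version 1709 for x64-based Systems (KB4494452)"
    },
    "65ecc208-c6b1-4fce-b892-fc2c93917d76": {
      "categories": ["Drivers"],
      "filtered_reason": "category_names",
      "kb": [],
      "title": "Logitech - Image - 10/24/2018 12:00:00 AM - 1.3.89.0"
    },
    "79bfbb87-ae9d-480d-9f6f-5c82361e015d": {
      "categories": ["Upgrades"],
      "filtered_reason": "category_names",
      "kb": ["4530684"],
      "title": "Feature update to Windows 10, version 1909"
    }
  },
  "updates": {}
}
""")

# Defaults as listed in the thread ("CriticalUpdates" is the same as "Critical Updates").
DEFAULT_CATEGORIES = ["CriticalUpdates", "SecurityUpdates", "UpdateRollups"]


def _norm(name):
    # Assumption: categories compare equal ignoring spaces and case.
    return name.replace(" ", "").lower()


def _kb(entry):
    # Accept "KB4530684" or "4530684"; the result JSON stores the bare number.
    e = str(entry).strip().upper()
    return e[2:] if e.startswith("KB") else e


def available_updates(result):
    """Everything the Windows Update Agent offered: selected plus filtered."""
    merged = dict(result.get("updates", {}))
    merged.update(result.get("filtered_updates", {}))
    return list(merged.values())


def select(updates, category_names=None, whitelist=None, blacklist=None):
    """Return (selected_titles, {title: reason}) for the given task options."""
    wanted = {_norm(c) for c in (category_names or DEFAULT_CATEGORIES)}
    allow = {_kb(k) for k in (whitelist or [])}
    deny = {_kb(k) for k in (blacklist or [])}
    selected, filtered = [], {}
    for u in updates:
        kbs = set(u.get("kb", []))
        if not wanted & {_norm(c) for c in u["categories"]}:
            filtered[u["title"]] = "category_names"   # stage 1: categories
        elif allow and not (allow & kbs):
            filtered[u["title"]] = "whitelist"        # stage 2: whitelist
        elif deny & kbs:
            filtered[u["title"]] = "blacklist"        # stage 2: blacklist
        else:
            selected.append(u["title"])
    return selected, filtered


def categories_for(updates, kb):
    """Categories of the update carrying this KB; any one of them passes stage 1.

    Returns None when the KB was not offered at all, in which case no
    combination of task options can select it.
    """
    wanted = _kb(kb)
    for u in updates:
        if wanted in u.get("kb", []):
            return list(u["categories"])
    return None


if __name__ == "__main__":
    ups = available_updates(SAMPLE_RESULT)
    # A whitelist alone does not get an update past the category stage.
    print(select(ups, whitelist=["KB2267602"]))
    print(categories_for(ups, "KB2267602"))
    # The task from the reply: category plus whitelist selects only the 1909 upgrade.
    print(select(ups, category_names=["Upgrades"], whitelist=["KB4530684"]))
```

Feeding it the registered result of a -vv run in place of SAMPLE_RESULT shows which category_names value a missing KB needs before a whitelist entry can take effect.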
[ansible-project] Re: Ansible playbook is not working on the target host but shows in play recap - OK
Have a look through your output, the "filtered_updates" key shows all the updates that the Windows Update Agent can find and also displays why they have been filtered in the win_updates task. So there's nothing the win_updates module is set to do because Windows is reporting no updates are available that match the criteria you are wanting. You should see the exact same thing if you were to log onto the computer manually and search for updates, Ansible isn't doing anything special here.
[ansible-project] Re: Ansible playbook is not working on the target host but shows in play recap - OK
That's probably because win_updates runs on various filters, you can't just specify the KB, you also need to specify the category the update applies to. If you run with -vvv you can see all the updates that have been filtered (skipped) and the categories they apply to. If the update is not in that filtered list then the Windows Update Agent can't see it as an applicable update and Ansible can't do anything about that.
[ansible-project] Re: Ansible playbook is not working on the target host but shows in play recap - OK
It's showing OK because the state was already achieved. Ansible is running and the modules you are running with just have nothing to do.
[ansible-project] Re: How can I connect to Windows Server using WinRM without password(like linux ssh authentication)?
If using WinRM your only “password less” options are certificate based auth which is a massive pain to setup and I would not recommend it or Kerberos. With Kerberos you can use kinit before running Ansible to get a token that is then used for subsequent authentication. Kinit also works with a pre generated key tab so you don’t need to set the password. A final option is to use SSH with Windows with key auth. This is a fairly recent feature and it may still have some bugs but it does work.
[ansible-project] Re: Windows mapped drives – what the hell is going on?
This is unfortunately outside of what I know and I can't really offer any more help. From what I can see the registry settings are the same when Ansible creates the drive vs when it's created with net use, even net use sees the drive, it's just not available. What you need to do now is enable file share auditing [1] on the target to try and track down why the drive is unavailable and what error is being reported by SMB that explains the failure a bit more.

[1] - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
[ansible-project] Re: Windows mapped drives – what the hell is going on?
Unfortunately I cannot explain this at all, a couple of final questions/clarifications

- When you map it manually with net use, can you log off and back on and the drive still remains connected and visible in Windows Explorer?
- The output for 'net use' on a limited process is showing that the Z map is configured but is unavailable, does the drive show up in Windows Explorer, maybe with a red X
  - If yes to the above, what happens when you try and open it up or just navigate to Z
- Can you use Ansible to map a shared path on any other server
- In your limited/admin processes you ran the tests on, are they the same account or is your admin account a completely separate account

The only extra thing you can do is enable file share audit logs on the UNC target and attempt to audit why the connections are failing. I don't know of any way to audit the LANMan Redirector locally to see why it failed to map the drive when you log in after Ansible is run.

Thanks
Jordan
[ansible-project] Re: Windows mapped drives – what the hell is going on?
That is very curious, typically the opposite is the case where the standard (limited) process is able to see the mapped drive but the admin process is not. We can see that in both scenarios net use can see that there is a valid configuration for the mapped drive but it is only successfully connecting under the administrative process. We can also see that the registry settings are exactly the same compared to when you map it manually and when Ansible does it for you. This pretty much means there's some sort of credential/authentication issue that occurs with your limited process compared to the admin process.

- What is the full command you run to map the drive normally (outside of Ansible).
- If you manually map it through the GUI are you connecting with explicit credentials?
- When you map it manually and there is a mapped drive in the GUI, what is the output for 'cmdkey.exe /list', is there an entry for 'bellagio.intra.vegas.net'?

If the answer to the last 2 (or even 1) is with an explicit credential you will have to do the same thing with Ansible with the win_credential module. Having a credential present for the server specified will mean that credential is used for outbound authentication.

Thanks
Jordan
[ansible-project] Re: Windows mapped drives – what the hell is going on?
Sorry about the option name mismatch but glad you found the correct one. Your task seems to be correct so it's curious as to why it isn't showing up. What I recommend you look at;

- See if the key 'HKCU:\Network\Z' is present and if the entries match what you set
- Run the command 'net use' on both a normal and elevated (Run as administrator) and see if any of them show the Z drive
- If they do, see what the status is for it
- Look at the security event logs for both the server you are RDP'ing to as well as the target UNC server (bellagio).

Thanks

Jordan
[ansible-project] Re: ansible communication to windows
CredSSP sends the user account's password across the wire but it is definitely not in the clear. It is "wrapped" which means it's encrypted and the Windows host can decrypt the value. This is unlike other authentication formats where typically only a hash or shared secret known only to the client and server are exchanged. So in that sense, CredSSP is not as secure as say Kerberos but the advantage is now the remote process can use those credentials for further authentication and bypassing the double hop problem.

Ultimately it's a trade off with what you need, if you are in a domain environment you should be using Kerberos. If it's local accounts then you should be using HTTPS at least then either NTLM or CredSSP depending on your needs.

Thanks

Jordan
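The transport choice described in the message above, written out as a WinRM inventory. This is an added example, not part of the original post; the host names, realm, account names and CA bundle path are placeholders constructed for illustration.

```yaml
# Constructed inventory (hosts, realm, users and CA path are placeholders).
all:
  vars:
    ansible_connection: winrm
    ansible_port: 5986
    ansible_winrm_scheme: https
    # Validate the listener certificate so the HTTPS layer actually
    # authenticates the host before any credential material is sent.
    ansible_winrm_server_cert_validation: validate
    ansible_winrm_ca_trust_path: /etc/pki/tls/example-ca.pem
  children:
    # Domain-joined hosts: Kerberos, so the password never leaves the controller.
    domain_joined:
      hosts:
        app01.corp.example.com:
      vars:
        ansible_user: svc_ansible@CORP.EXAMPLE.COM
        ansible_winrm_transport: kerberos

    # Local accounts with no need to reach other servers: NTLM over HTTPS.
    local_accounts:
      hosts:
        kiosk01.example.com:
      vars:
        ansible_user: localadmin
        ansible_winrm_transport: ntlm

    # Local accounts whose tasks must authenticate onward (double hop):
    # CredSSP over HTTPS. The wrapped password is delegated to the remote
    # host, so keep this group as small as possible.
    local_accounts_double_hop:
      hosts:
        build01.example.com:
      vars:
        ansible_user: localadmin
        ansible_winrm_transport: credssp
```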
[ansible-project] Re: Windows mapped drives – what the hell is going on?
Hi, the blog is still accepting comments, I just need to approve them so it doesn't get spammed. As for your issue at hand.

> 1) to use Ansible to map this network drive automatically in all VMs for
> the domain user (mapped drive should be visible after VM reboots, during
> every RDP sessions using this credentials?

You should be using the win_mapped_drive to create the mapping for the user you want. This should be as simple as

    - win_mapped_drive:
        letter: Z  # drive letter to map
        path: \\bellagio.infra.vegas.net\how\the\hell\to\solve\this\issue
        state: present
      become: yes
      become_method: runas
      vars:
        ansible_become_user: '{{ ansible_user }}'
        ansible_become_pass: '{{ ansible_password }}'

Because you are using NTLM authentication, the task will not be able to access the network path so become is being used to bypass that limitation. If you are connecting with Ansible to one account but want the mapped drive for another, change the become user/pass vars to the account in question.

What this task will do is create the mapped drive Z for the become user and that drive will appear when they log on locally. When they try and access it locally it will use their logon credentials to access the UNC path. If you need to connect to the UNC path with custom credentials you can add the following task *before* the win_mapped_drive one.

    - win_credential:
        name: bellagio.infra.vegas.net  # host the credential applies to
        type: domain_password
        username: custom user
        secret: password
        state: present
      become: yes
      become_method: runas
      vars:
        ansible_become_user: '{{ ansible_user }}'
        ansible_become_pass: '{{ ansible_password }}'

This task creates a credential for that host in the become user's credential manager and it is used for any outbound authentication attempts on that particular host. This enables you to save a credential for a network host and then use that credential for the mapped drive. Once again become is important for this task to work as the credential manager can only be accessed through become when using WinRM.

The win_credential module is pretty much a wrapper for the same functionality that cmdkey.exe offers [1].

> 2) to use this mapped drive as a 'repo place' for future purposes - to copy
> scripts, apps from this drive to VMs using Ansible?

This is not possible, ultimately it is next to impossible to do. A network logon like WinRM will not mount the network mounts for you so even with become it won't appear in Ansible. Technically it is possible to create a "global" mapped drive which always appears but credential management in this scenario is not ideal. I would highly recommend you don't create a global mount at all, the blog post does mention how it can be possible though.

For your problem, you should always use the full UNC path in your Ansible scripts. This is beneficial for a few reasons

1. You are not relying on the host to be set up in a particular method for your Ansible scripts to work
2. The Ansible playbook is self documenting as to where it is referencing a file rather than something trying to figure out 'M:\path' refers to this network host
3. Mapped drives are a pain and are really only designed for interactive setups, which Ansible is not

If you just don't want to type out the full path for each task, use an Ansible fact/variable that references the UNC path for you. If you are having trouble trying to connect to a UNC path that's probably due to the double hop problem with WinRM. See our documentation for more info on how to overcome the double hop problem [2].

[1] - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
[2] - https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#limitations

Thanks

Jordan
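One way to follow the advice in the message above: keep the UNC path in a variable and use become for the tasks that touch the share. This is an added example, not part of the original post; the share name `repo`, the file `apps\setup.msi` and the staging directory are hypothetical.

```yaml
- name: Pull files straight from the UNC path instead of a mapped drive
  hosts: windows
  vars:
    # Hypothetical share and staging paths, constructed for this example
    repo_unc: '\\bellagio.infra.vegas.net\repo'
    stage_dir: 'C:\Temp\stage'
  tasks:
    - name: Ensure the local staging directory exists
      win_file:
        path: '{{ stage_dir }}'
        state: directory

    # become gives the task a logon with usable credentials, so the
    # outbound connection to the share is not blocked by the double hop.
    - name: Work with the share under become
      become: yes
      become_method: runas
      vars:
        ansible_become_user: '{{ ansible_user }}'
        ansible_become_pass: '{{ ansible_password }}'
      block:
        - name: Confirm the installer is visible on the share
          win_stat:
            path: '{{ repo_unc }}\apps\setup.msi'
          register: repo_installer

        - name: Stop with a clear message if the share cannot be read
          assert:
            that: repo_installer.stat.exists
            fail_msg: 'Cannot read {{ repo_unc }}; check credentials and share permissions'

        - name: Copy the installer from the share to local disk
          win_copy:
            src: '{{ repo_unc }}\apps\setup.msi'
            dest: '{{ stage_dir }}\setup.msi'
            remote_src: yes
```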
[ansible-project] Re: find windows directory name with version number
Paths are taken literally so it's trying to find the path 'D:\Program-Files\nginx-*\'. So first you need to find the nginx folder then do a win_find in that folder for the nginx.conf file.
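The two-step lookup described in the message above, as an added example that is not part of the original post. The parent directory comes from the path quoted in the message; the registered variable names are hypothetical.

```yaml
- name: Find the versioned nginx directory (wildcards go in patterns, not paths)
  win_find:
    paths: D:\Program-Files
    patterns: nginx-*
    file_type: directory
  register: nginx_dirs

# Refuse to guess when zero or several versions are installed side by side.
- name: Require exactly one nginx directory
  assert:
    that: nginx_dirs.files | length == 1
    fail_msg: 'Expected one nginx-* directory, found {{ nginx_dirs.files | length }}'

- name: Find nginx.conf inside that directory
  win_find:
    paths: '{{ nginx_dirs.files[0].path }}'
    patterns: nginx.conf
    recurse: yes
  register: nginx_conf

- name: Show the resolved configuration file path(s)
  debug:
    msg: "{{ nginx_conf.files | map(attribute='path') | list }}"
```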
[ansible-project] Re: MSP Files
As the documentation for win_package says,

> Installs or uninstalls a package in either an MSI or EXE format.
> https://docs.ansible.com/ansible/latest/modules/win_package_module.html

You cannot use win_package to install an msp file, your only alternative is to use win_command to call the relevant executable and arguments for them.

Thanks

Jordan
[ansible-project] Re: home directory for Ansible in windows machine using cygwin
If you are using Windows 10, use WSL not Cygwin. WSL is a lot more compatible than Cygwin so I highly recommend you use that instead. In any case to access a Windows drive from cygwin the path is '/cygdrive//path', so in your case it would be '/cygdrive/d/POC/POC.yml'.