[ansible-project] New releases: ansible-core 2.12.1, ansible-core 2.11.7, ansible-base 2.10.16

2021-12-09 Thread Matt Davis
Hi all- we're happy to announce the general release of:

- ansible-core 2.12.1
- ansible-core 2.11.7
- ansible-base 2.10.16


How to get it
-------------

$ pip install ansible-core==2.12.1 --user
or
$ pip install ansible-core==2.11.7 --user
or
$ pip install ansible-base==2.10.16 --user

The tar.gz of the release can be found here:

* ansible-core 2.12.1

https://pypi.python.org/packages/source/a/ansible-core/ansible-core-2.12.1.tar.gz
  SHA256: a4508707262be11bb4dd98a006f1b14817879a055e6b6c46ad9fca8894fb3073

* ansible-core 2.11.7

https://pypi.python.org/packages/source/a/ansible-core/ansible-core-2.11.7.tar.gz
  SHA256: b87188beacfac1bb6dc5cf65663f3c52e66e0f9990742db00a3dca71ebae2eee

* ansible-base 2.10.16

https://pypi.python.org/packages/source/a/ansible-base/ansible-base-2.10.16.tar.gz
  SHA256: d974214ed03ac129c299967aa4c98205943ba36f20040e7feb7248e0c3e2ea15


What's new
----------

This release is a maintenance release containing numerous bugfixes.
The full changelog is at:


* ansible-core 2.12.1

https://github.com/ansible/ansible/blob/v2.12.1/changelogs/CHANGELOG-v2.12.rst

* ansible-core 2.11.7

https://github.com/ansible/ansible/blob/v2.11.7/changelogs/CHANGELOG-v2.11.rst

* ansible-base 2.10.16

https://github.com/ansible/ansible/blob/v2.10.16/changelogs/CHANGELOG-v2.10.rst


What's the schedule for future maintenance releases?
----------------------------------------------------

The planned December releases have been deferred to account for holiday
staffing.
The next batch of release candidates is planned to be released on 24
January 2022.
The next general availability release will be one week after.


Porting Help
------------

If you discover any errors or if any of your working playbooks break when you
upgrade, please use the following link to report the regression:

  https://github.com/ansible/ansible/issues/new/choose

In your issue, be sure to mention the version that works and the one that
doesn't.

Thanks!

-Matt Davis, Ansible Core Engineering

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAJD0SsjtbyGeRsKeFs8B2oEyWf-hWwzQ%3D7WAiEuwjB-%3D9UPQtw%40mail.gmail.com.
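
Checking a downloaded tarball against the SHA256 values listed in the announcement above, as an added example (not part of the original message or of Ansible's own tooling): it parses the URL/SHA256 pairs in the layout the announcement uses and compares digests in constant time. The function names are illustrative; `ANNOUNCEMENT` holds the 2.12.1 entry copied from the message.

```python
"""Verify a release tarball against the SHA256 published in an announcement."""
import hashlib
import hmac
import re
import sys
from pathlib import Path

# Entry copied from the ansible-core 2.12.1 announcement above.
ANNOUNCEMENT = """\
* ansible-core 2.12.1

https://pypi.python.org/packages/source/a/ansible-core/ansible-core-2.12.1.tar.gz
  SHA256: a4508707262be11bb4dd98a006f1b14817879a055e6b6c46ad9fca8894fb3073
"""

# A tarball URL followed (after whitespace) by "SHA256: <64 hex digits>".
_ENTRY = re.compile(
    r"https?://\S*/(?P<name>[^/\s]+\.tar\.gz)\s+"
    r"SHA256:\s*(?P<digest>[0-9a-fA-F]{64})\b"
)


def parse_release_digests(text):
    """Return {tarball file name: lowercase SHA256 hex digest}."""
    digests = {}
    for match in _ENTRY.finditer(text):
        name = match["name"]
        digest = match["digest"].lower()
        # The same file listed with two different digests cannot be trusted.
        if digests.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting digests published for {name}")
    return digests


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large tarballs are not read into memory."""
    hasher = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            hasher.update(chunk)
    return hasher.hexdigest()


def verify_download(path, digests):
    """True if the file's digest equals the published one for its name.

    Raises KeyError when the announcement lists no digest for that file,
    so an unlisted file is never silently treated as verified.
    """
    path = Path(path)
    expected = digests.get(path.name)
    if expected is None:
        raise KeyError(f"no published digest for {path.name}")
    return hmac.compare_digest(sha256_file(path), expected)


if __name__ == "__main__":
    published = parse_release_digests(ANNOUNCEMENT)
    failed = False
    for arg in sys.argv[1:]:
        ok = verify_download(arg, published)
        print(f"{arg}: {'OK' if ok else 'MISMATCH'}")
        failed = failed or not ok
    sys.exit(1 if failed else 0)
```

A match only shows that the file is the one the announcement describes; the announcement itself still has to reach you over a channel you trust.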


Re: [ansible-project] OS support contribution guidelines

2020-03-18 Thread Matt Davis
This thread hits on a number of discussions that have been happening for years- 
rather than trying to recap them here, I wrote a blog post about it: 
http://blog.rolpdog.com/2020/03/why-no-ansible-controller-for-windows.html

On another note: it bothers me that there's a perception that Ansible is a "Red 
Hat only" project. It's true that those of us that are paid by Red Hat to work 
on Ansible have to pick and choose carefully where we spend our time, and that 
the concerns of paying customers (including keeping the underlying codebase 
reasonably stable) often take priority over shiny things. At the end of the 
day, Red Hat can't possibly capital-S-support everything, and we have to be 
really careful about large contributions or projects that are potentially 
destabilizing (especially when they involve things we currently have no way to 
test).

One of the major purposes of the move to collections is to get us out of the 
community's way in this regard. Rather than applying overly-harsh filters to 
all contributions in the name of capital-S-supportability and releasing at a 
relatively slow cadence, community-owned collections will be able to apply 
whatever quality rules they like, apply whatever compatibility policies they 
like, and release on whatever schedule they like, while still having a way to 
be part of a "batteries included" community Ansible distribution. For the 
collections that are capital-S-supported by Red Hat, the requirements for 
getting contributions accepted will still remain pretty high, but anyone is 
free to release their own version of that content themselves with whatever 
changes they like, while still enjoying the stability of the core Ansible 
engine itself.

We're also working to further plugin-ify and democratize even more of the 
"guts" of the Ansible engine in future releases. That doesn't directly address 
this case, but a number of others around first-class target support for many 
things that aren't Windows or POSIX, and will also probably knock down a few 
more of the barriers to a hypothetical native-Windows Ansible.

-Matt Davis (@nitzmahone)



[ansible-project] New Ansible release 2.9.4

2020-01-20 Thread Matt Davis
Hi all- we're happy to announce that the general release of Ansible 2.9.4 is
now available! This release contains a single bugfix to a regression in the
yum module, introduced in 2.9.3.


How do you get it?
------------------

$ pip install ansible==2.9.4 --user

The tar.gz of the release can be found here:

* 2.9.4
  https://releases.ansible.com/ansible/ansible-2.9.4.tar.gz
  SHA256: 2517bf4743d52f00d509396a41e9ce44e5bc1285bd7aa53dfe28ea02fc1a75a6


What's new in 2.9.4
-------------------

This release is a maintenance release containing a single bugfix to the yum
module. The full changelog is at:

* 2.9.4
  https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst


What's the schedule for future maintenance releases?
----------------------------------------------------

Future maintenance releases will occur approximately every 3 weeks.  So expect
the next one around 2020-02-13.


Porting Help
------------

We've published a porting guide at
https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.9.html to
help migrate your content to 2.9.


If you discover any errors or if any of your working playbooks break when you
upgrade to 2.9.4, please use the following link to report the regression:

  https://github.com/ansible/ansible/issues/new/choose

In your issue, be sure to mention the Ansible version that works and the one
that doesn't.

Thanks!

-Matt Davis



[ansible-project] New Ansible releases 2.9.3, 2.8.8, and 2.7.16

2020-01-15 Thread Matt Davis
Hi all- we're happy to announce that the general release of Ansible 2.9.3,
2.8.8, and 2.7.16 are now available!


How do you get it?
------------------

$ pip install ansible==2.9.3 --user
or
$ pip install ansible==2.8.8 --user
or
$ pip install ansible==2.7.16 --user

The tar.gz of the releases can be found here:

* 2.9.3
  https://releases.ansible.com/ansible/ansible-2.9.3.tar.gz
  SHA256: 36f501a17fb15d210722b649d53582acf47835ea0bbda7eab79e13c945e4eac2
* 2.8.8
  https://releases.ansible.com/ansible/ansible-2.8.8.tar.gz
  SHA256: c364ff5807cb88af29b161a3a1d88ff737f10b930a24be66d88769ee204f4536
* 2.7.16
  https://releases.ansible.com/ansible/ansible-2.7.16.tar.gz
  SHA256: bb4a95a3e1a0f9e1aabd8cf628de68f5218fba3057b970b6b3c41cc53ab06268


What's new in 2.9.3, 2.8.8, and 2.7.16
--------------------------------------

These releases are maintenance releases containing security fixes for
CVE-2019-14904 (solaris_zone module) and CVE-2019-14905 (nxos_file_copy module),
as well as various bugfixes. The full changelogs are at:

* 2.9.3
  https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst
* 2.8.8
  https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
* 2.7.16
  https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst


What's the schedule for future maintenance releases?
----------------------------------------------------

Future maintenance releases in the 2.9 series will occur approximately every 3
weeks.  So expect the next one around 2020-02-06. The 2.8 series is only accepting
critical bugfixes, and the 2.7 series is only accepting critical security
bugfixes, so releases will occur only as necessary.


Porting Help
------------

We've published a porting guide at
https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.9.html to
help migrate your content to 2.9.


If you discover any errors or if any of your working playbooks break when you
upgrade to 2.9.3, please use the following link to report the regression:

  https://github.com/ansible/ansible/issues/new/choose

In your issue, be sure to mention the Ansible version that works and the one
that doesn't.

Thanks!

-Matt Davis



[ansible-project] New Ansible release 2.9.2

2019-12-04 Thread Matt Davis
Hi all- we're happy to announce that the general release of Ansible 2.9.2 is
now available!


How do you get it?
------------------

$ pip install ansible==2.9.2 --user

The tar.gz of the release can be found here:

* 2.9.2
  https://releases.ansible.com/ansible/ansible-2.9.2.tar.gz
  SHA256: 2f83f8ccc50640aa41a24f6e7757ac06b0ee6189fdcaacab68851771d3b42f3a


What's new in 2.9.2
-------------------

This release is a maintenance release containing numerous bugfixes. The full
changelog is at:

* 2.9.2
  https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst


What's the schedule for future maintenance releases?
----------------------------------------------------

The next 2.9 series release is scheduled for early January, due to US holidays.
Future maintenance releases will occur approximately every 3 weeks.


Porting Help
------------

We've published a porting guide at
https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.9.html to
help migrate your content to 2.9.


If you discover any errors or if any of your working playbooks break when you
upgrade to 2.9.2, please use the following link to report the regression:

  https://github.com/ansible/ansible/issues/new/choose

In your issue, be sure to mention the Ansible version that works and the one
that doesn't.

Thanks!

-Matt Davis



[ansible-project] New Ansible releases 2.7.15, 2.8.7, and 2.9.1

2019-11-13 Thread Matt Davis
Hi all- we're happy to announce that the general release of Ansible 2.7.15,
2.8.7, and 2.9.1 are now available!


How do you get it?
------------------

$ pip install ansible==2.7.15 --user
or
$ pip install ansible==2.8.7 --user
or
$ pip install ansible==2.9.1 --user

The tar.gz of the releases can be found here:

* 2.7.15
  https://releases.ansible.com/ansible/ansible-2.7.15.tar.gz
  SHA256: 99bf683d069b3f73704182ece95b6618ae2090594a66e146f4d286c0cac858ce
* 2.8.7
  https://releases.ansible.com/ansible/ansible-2.8.7.tar.gz
  SHA256: 828239ca2b4d92865a00ab415caa932700f7c93f3e4838ddd55614ddf104c947
* 2.9.1
  https://releases.ansible.com/ansible/ansible-2.9.1.tar.gz
  SHA256: d87cb25df02284d59226ff1d935d7075a175f31d0db83564c2f1ca28bbbd4cb4


What's new in 2.7.15, 2.8.7, and 2.9.1
--------------------------------------

These releases are maintenance releases containing numerous bugfixes, including a
fix for CVE-2019-14864 (issue with Splunk and Sumologic callback plugins). The
full changelogs are at:

* 2.7.15
  https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst
* 2.8.7
  https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst
* 2.9.1
  https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst


What's the schedule for future maintenance releases?
----------------------------------------------------

Future 2.9 series maintenance releases will occur approximately every 3 weeks, so
the next one can be expected around 2019-12-05. 2.8 is in critical bugfix only
mode, and 2.7 is in security bugfix only mode, so future releases for those will
be as needed.


Porting Help
------------

We've published a porting guide at
https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.9.html to
help migrate your content to 2.9.


If you discover any errors or if any of your working playbooks break when you
upgrade to 2.9.1, please use the following link to report the regression:

  https://github.com/ansible/ansible/issues/new/choose

In your issue, be sure to mention the Ansible version that works and the one
that doesn't.

Thanks!

-Matt Davis



[ansible-project] New Ansible release 2.9.0rc5

2019-10-23 Thread Matt Davis
Hi all- we're happy to announce that Ansible 2.9.0rc5 is now available! This is
anticipated as the final release candidate before Ansible 2.9.0 is generally
available within the next week or so.


How do you get it?
------------------

$ pip install ansible==2.9.0rc5 --user

The tar.gz of the release can be found here:

* 2.9.0rc5
  https://releases.ansible.com/ansible/ansible-2.9.0rc5.tar.gz
  SHA256: 0ef189c180a48d8702eba704093f7b7ab49ce54834a6a9848b33126f15e67ba8


What's new in 2.9.0rc5
----------------------

This release is a maintenance release containing minor bugfixes. The full
changelog is at:

* 2.9.0rc5
  https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst


What's the schedule for 2.9.0 final?
------------------------------------

Ansible 2.9.0 final is expected to be generally available within the next week
or so. Future 2.9 series maintenance releases will be every few weeks as needed.


Porting Help
------------

We've published a porting guide at
https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.9.html to
help migrate your content to 2.9.


If you discover any errors or if any of your working playbooks break when you
upgrade to 2.9.0rc5, please use the following link to report the regression:

  https://github.com/ansible/ansible/issues/new/choose

In your issue, be sure to mention the Ansible version that works and the one
that doesn't.

Thanks!

-Matt Davis



[ansible-project] Re: Where is ansible when installing via pip?

2017-06-01 Thread Matt Davis
Assuming you're using the OS packaged version of pip from apt (python-pip). 
Ubuntu at some point changed their pip to install to ~/.local/bin, which 
should be added to your PATH by the Ubuntu default ~/.profile. If you've 
removed that or in some other way aren't using it, make sure to add 
~/.local/bin to your PATH and it should start working.

On Thursday, June 1, 2017 at 11:02:26 AM UTC-7, Tadas Talaikis wrote:
>
> Documentation states I can install ansible via pip, but after installing, 
> doesn't seem it's available via command line:
>
> bash: /usr/bin/ansible: No such file or directory
>
> which ansible
> ...
>
> Ansible v. 2.4.0, Ubuntu 16.10, Python 3.6
>



[ansible-project] Re: Ansible 2.2.1.0 failing while connecting to Windows using AD credentials.

2017-04-20 Thread Matt Davis
Also, I think the EPEL packages for python kerberos and/or pywinrm may be 
horribly outdated (you'd think that working for Red Hat, I'd know who to 
bug about that, but alas...). That's the likely cause of the error messages 
you're seeing. Install via pip (as specified by the docs) to ensure you've 
got the latest.

On Thursday, April 20, 2017 at 4:13:45 PM UTC-7, Siva-Ansile wrote:
>
> Hi Team,
>
> I have a new requirement to install an agent in 1500 windows machines, all 
> these machines are Domain managed VMs. When I try to connect using local 
> user, I am able to connect the windows box, But when I use AD credentials 
> it's not working. Let me share my current Setup here. Please help.
>
> Windows VM settings:-
>
>    1. Enabled WINRM
>    2. Ran the script in the remote Windows VM
>
>    ConfigureRemotingForAnsible.ps1
>
> Ansible Host:(Linux RHEL 7.2)
> Installed packages:
>
>    1.  Ansible 2.2.1.0
>    2.  Python 2.7.5
>    3.  krb5-workstation-1.14.1-27.el7_3.x86_64
>    4.  krb5-devel-1.14.1-27.el7_3.x86_64
>    5.  krb5-libs-1.14.1-27.el7_3.x86_64
>    6. kerberos
>
> Krb5.conf entry as below:
>
>  [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [realms]
>  UAT.INTRA.COM = {
>  kdc = winad23987.uat.intra.com
>  admin_server = winad23987.uat.intra.com
>  }
>
> [domain_realm]
>  .uat.intra.com = UAT.INTRA.COM
>
> ==
> Kinit and Klist as below:-
>
>
> [root@liuatasans01 ~]# kinit ansi...@uat.intra.com
> Password for ansi...@uat.intra.com:
>
> [root@liuatasans01 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ansi...@uat.intra.com
>
> Valid starting   Expires  Service principal
> 04/20/2017 18:31:59  04/21/2017 04:31:59  krbtgt/
> uat.intra@uat.intra.com
> renew until 04/21/2017 18:31:55
> [root@liuatasans01 ~]#
>
> 
> Inventory file as below:-
>
> /etc/ansible/hosts
>
> [windows]
> 172.45.17.182
>
> [windows:vars]
>
>   ansible_ssh_user=ansi...@uat.intra.com
>   ansible_password="P@$$wo6d"
>   ansible_port=5985
>   ansible_connection=winrm
>
> =
> Error as below:-(while trying to connect the AD user)
>
>   [root@liuatasans01 ~]# ansible windows -m win_ping
> 172.45.17.182 | UNREACHABLE! => {
> "changed": false,
> "msg": "kerberos: __init__() got an unexpected keyword argument 
> 'hostname_override', plaintext: auth method plaintext requires a password",
> "unreachable": true
> }
>
> 
>
> Working when connecting as windows local user:-
>
> [root@liuatasans01 ~]# ansible windows -m win_ping
>
> 172.45.17.182 | SUCCESS => {
> "changed": false,
> "ping": "pong"
> }
>
> =
>
>
> Please help to fix the issue:
>
> While connecting as AD user, getting the below error in the windows Audit 
> log
>
>
> The computer attempted to validate the credentials for an account.
>
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon Account: ansi...@uat.intra.com
> Source Workstation: winvmuatiis7202
> Error Code: 0xC064 
> 
>
> Appreciate your help on this
>
>
>
>
>
>



[ansible-project] Re: Is win_msi deprecated or not ?

2017-04-20 Thread Matt Davis
It's on the way to being deprecated (most likely we'll do it for real in 
2.4)- win_package is the recommended replacement, but we've been holding 
off on "really" deprecating win_msi until we make some usability changes to 
win_package. The big one is that you have to look up the product ID to 
supply it to win_package, but that's not necessary with an MSI unless it's 
being hosted remotely (so the module can query for the product_id without 
downloading the msi). So we'll be relaxing that requirement, as well as 
tweaking around a few other things. 

On Wednesday, April 19, 2017 at 12:25:51 PM UTC-7, Tai Kedzierski wrote:
>
> Hello
>
> *(Apologies if this is a double-post - I am sure I posted yesterday, but I 
> do not see the item in the list or in my activities)*
>
> The docs page for the win_msi module states that the module is deprecated, 
> and its information seems clipped (incomplete sentence in the explanation)
>
> http://docs.ansible.com/ansible/win_msi_module.html
>
> But the general modules list does not (no "D:" on the module name)
>
> http://docs.ansible.com/ansible/list_of_windows_modules.html
>
> My questions are:
>
>
>- Is win_msi really deprecated ?
>- If so, what's the new preferred method ?
>
>
>



[ansible-project] Re: CentOS 7 control server can't connect to Windows with kerberos

2017-04-20 Thread Matt Davis
The "connection refused" error doesn't have anything to do with Kerberos- 
WinRM is not answering on 5986. Have you run the 
ConfigureRemotingForAnsible.ps1 script on the target host (or taken manual 
steps) to set up an HTTPS WinRM listener? If so, I'd suspect a firewall or 
some other networking issue is part of the problem.

I'd also suggest that you get things working with a local account and Basic 
auth first, as Kerberos can be a complicated beast to debug, and it sounds 
like you've got other problems to solve first that aren't Kerb-related.

-Matt

On Thursday, April 20, 2017 at 7:29:47 AM UTC-7, Mark Allison wrote:
>
> I've set up a new CentOS 7 VM and installed ansible fine and the kerberos 
> components according to this guide 
> https://docs.ansible.com/ansible/intro_windows.html#kerberos
>
> I've done the following:
> Added the ansible control server Computer account to AD.
> Added a test windows machine into /etc/ansible/hosts (called 
> wisteria.duck.loc)
> Created /etc/ansible/group_vars/windows.yml with this text:
>
> ansible_user: m...@duck.loc
> ansible_password: SecretPasswordGoesHere
> ansible_port: 5986
> ansible_connection: winrm
> # The following is necessary for Python 2.7.9+ (or any older Python that 
> has backported SSLContext, eg, Python 2.7.5 on RHEL7) when using default 
> WinRM self-signed certificates:
> ansible_winrm_server_cert_validation: ignore
>
> Ran kinit and klist and it worked fine.
>
> [mark@carnation ansible]$ ansible --version
>
> ansible 2.2.1.0
>   config file = /etc/ansible/ansible.cfg
>   configured module search path = Default w/o overrides
>
>
> [mark@carnation ansible]$ ansible windows -m win_ping
> wisteria.duck.loc | UNREACHABLE! => {
> "changed": false,
> "msg": "kerberos: HTTPSConnectionPool(host='wisteria.duck.loc', 
> port=5986): Max retries exceeded with url: /wsman (Caused by 
> NewConnectionError('  
> object at 0x27b8510>: Failed to establish a new connection: [Errno 111] 
> Connection refused',)), ssl: HTTPSConnectionPool(host='wisteria.duck.loc', 
> port=5986): Max retries exceeded with url: /wsman (Caused by 
> NewConnectionError('  
> object at 0x285d750>: Failed to establish a new connection: [Errno 111] 
> Connection refused',))",
> "unreachable": true
> }
> [mark@carnation ansible]$
>
> Any ideas on next steps to troubleshoot?
>
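
The triage applied in this reply and in the Ansible 2.2.1.0 AD-credentials reply above, as an added example that is not from the thread or from Ansible: it splits an UNREACHABLE `msg` into one error per WinRM transport and decides whether the authentication layer was reached at all. The `, <transport>: ` layout is inferred from the two quoted messages; the rule names, verdict strings and abridged samples are constructed for illustration.

```python
"""Triage Ansible WinRM UNREACHABLE messages before debugging Kerberos."""
import re

# Transport names accepted by pywinrm; each attempt's error is prefixed by one.
TRANSPORTS = ("basic", "certificate", "credssp", "kerberos", "ntlm",
              "plaintext", "ssl")
_SPLIT = re.compile(r"(?:^|,\s)(%s):\s" % "|".join(TRANSPORTS))

# Ordered rules built only from the error texts quoted in the two threads.
RULES = (
    # TCP connect failed: nothing is listening, so auth was never attempted.
    ("listener-unreachable", re.compile(r"Connection refused")),
    # Python-level TypeError text: the installed library is too old.
    ("client-library-mismatch", re.compile(r"unexpected keyword argument")),
    # The plaintext fallback ran without a password to send.
    ("fallback-needs-password", re.compile(r"requires a password")),
)

# Constructed samples, abridged from the output quoted in the two threads.
SAMPLE_REFUSED = (
    "kerberos: HTTPSConnectionPool(host='wisteria.duck.loc', port=5986): "
    "Max retries exceeded with url: /wsman (Caused by NewConnectionError("
    "'...: Failed to establish a new connection: [Errno 111] "
    "Connection refused',)), "
    "ssl: HTTPSConnectionPool(host='wisteria.duck.loc', port=5986): "
    "Max retries exceeded with url: /wsman (Caused by NewConnectionError("
    "'...: Failed to establish a new connection: [Errno 111] "
    "Connection refused',))"
)
SAMPLE_OLD_LIBRARY = (
    "kerberos: __init__() got an unexpected keyword argument "
    "'hostname_override', plaintext: auth method plaintext requires a password"
)


def split_attempts(msg):
    """Return [(transport, error_text), ...] in the order they were tried."""
    parts = _SPLIT.split(msg)
    # re.split with one group yields [prefix, name1, text1, name2, text2, ...]
    return [(parts[i], parts[i + 1].strip())
            for i in range(1, len(parts) - 1, 2)]


def classify(error_text):
    """Name of the first matching rule, or 'other' if none applies."""
    for name, pattern in RULES:
        if pattern.search(error_text):
            return name
    return "other"


def triage(msg):
    """Return (attempts, verdict); attempts is [(transport, category), ...]."""
    attempts = [(t, classify(e)) for t, e in split_attempts(msg)]
    categories = {category for _, category in attempts}
    if attempts and categories == {"listener-unreachable"}:
        # Every transport failed at connect time: listener or firewall issue.
        verdict = "fix-network-first"
    elif ("kerberos", "client-library-mismatch") in attempts:
        # Kerberos failed inside the client library, before any ticket use.
        verdict = "update-client-libraries"
    else:
        verdict = "inspect-auth"
    return attempts, verdict


if __name__ == "__main__":
    for sample in (SAMPLE_REFUSED, SAMPLE_OLD_LIBRARY):
        attempts, verdict = triage(sample)
        print(verdict, attempts)
```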



[ansible-project] Re: azure_rm_virtualmachine tags weirdness

2017-04-11 Thread Matt Davis
Possibly- if you're running from source, make sure you're running the 
hacking/env-setup script each and every time you pull new changes in. 
Otherwise there can be stale .pyc files and other things laying around that 
can wreak all sorts of havoc (the script cleans all that up).

On Friday, April 7, 2017 at 10:59:22 PM UTC-7, mkpor...@porwit.net wrote:
>
> So, here's the kicker...
>
> Switched from devel to stable-2.3, and I'm able to provision using the 
> templated tags. Switch back to devel, and I'm still able to use the 
> templated mechanism.
>
> So, probably not a bug. Rather, some edge case interplay between the 
> various python dependencies?
>



[ansible-project] Re: azure_rm_virtualmachine tags weirdness

2017-04-07 Thread Matt Davis
Hrm, kinda looks like a templating bug (or a bad template value)- pretty 
sure it's not a module bug since it's working with the discrete dict.

Can you run that both ways in check_mode with -vv and look at the tags 
element in the invocation value from the result to see if it looks the same 
in both cases? If it works with the discrete dict and fails with the 
templated one, I'm guessing that the templated arg isn't getting rendered 
in the right shape to the module.

-Matt

On Friday, April 7, 2017 at 6:22:18 AM UTC-7, mkpor...@porwit.net wrote:
>
> Hi,
>
> Not sure yet if what I have here is a bug or not, so thought I'd ask 
> first. I'm seeing a strange failure out of azure_rm_virtualmachine in the 
> latest ansible devel. The working playbook looks as follows:
> - name: Create VM and attach NIC
>   azure_rm_virtualmachine:
>     resource_group: '{{ rg }}'
>     name: '{{service_name}}-vm-{{item}}'
>     network_interface_names: '{{service_name}}-vm-{{item}}-nic'
>     storage_account: '{{ env_name }}'
>     vm_size: Standard_DS1_v2
>     admin_username: hoylu
>     ssh_password_enabled: False
>     ssh_public_keys: '{{ssh_keys}}'
>     image:
>       offer: UbuntuServer
>       publisher: Canonical
>       sku: '16.04-LTS'
>       version: latest
>     tags:
>       env: '{{env}}'
>       service: '{{service}}'
>   with_sequence:
>     start=1
>     end='{{count}}'
>     stride=1
>     format=%02d
>
> This code runs. When I then change the tags: section of the playbook task 
> to a dictionary that looks like the following:
> tags: '{{ { "env": env, service: env } }}'
> I get an error that looks like this:
> "module_stderr": "Traceback (most recent call last):\n  File 
> \"/var/folders/06/zm5r71tj60b4_19wlz7h822mgn/T/ansible_GI_w3r/ansible_module_azure_rm_virtualmachine.py\",
>  
> line 1311, in \nmain()\n  File 
> \"/var/folders/06/zm5r71tj60b4_19wlz7h822mgn/T/ansible_GI_w3r/ansible_module_azure_rm_virtualmachine.py\",
>  
> line 1308, in main\nAzureRMVirtualMachine()\n  File 
> \"/var/folders/06/zm5r71tj60b4_19wlz7h822mgn/T/ansible_GI_w3r/ansible_module_azure_rm_virtualmachine.py\",
>  
> line 554, in __init__\nsupports_check_mode=True)\n  File 
> \"/var/folders/06/zm5r71tj60b4_19wlz7h822mgn/T/ansible_GI_w3r/ansible_modlib.zip/ansible/module_utils/azure_rm_common.py\",
>  
> line 197, in __init__\n  File 
> \"/var/folders/06/zm5r71tj60b4_19wlz7h822mgn/T/ansible_GI_w3r/ansible_module_azure_rm_virtualmachine.py\",
>  
> line 797, in exec_module\n   
>  vm_id=vm_dict['properties']['vmId'],\nKeyError: 'vmId'\n", 
>
> This error only happens with the azure_rm_virtualmachine module. The 
> azure_rm_publicipaddress and azure_rm_networkinterface modules are both 
> fine with that change. Is there some vagary of azure I'm not aware of 
> that's biting me here, or does this look like a bug to folks?
>
> Thanks,
>
> Marcin
>



[ansible-project] Re: Problem with AD-Related activities

2017-04-07 Thread Matt Davis
Kerberos auth is likely your problem- as soon as you rename the computer, 
the Kerberos service ticket is no longer valid, as it has the original 
hostname baked into it.

I see two options that might work: either use NTLM or CredSSP (at least for 
that task), or do the rename as a "run now-ish" scheduled task (you'd still 
need to avoid a race where the rename occurs before the Ansible task that 
schedules it has returned). 

This could probably also be fixed by having pywinrm/requests-kerberos only 
pass the Kerberos auth headers on the initial connection (since it reuses 
the underlying HTTP connection), but that's non-HTTP-RFC compliant and will 
likely cause problems for people running through proxies and other things 
that might cause the underlying connection to be broken. This is the way 
the Microsoft PS client stack does it, but I'm not sure how much hassle 
it'd be to implement (it's several layers away from the Ansible code in 
requests-kerberos)- doing it right might require changes to 
requests/urllib3 directly.

-Matt


On Friday, April 7, 2017 at 2:37:09 PM UTC-7, Jonathan Coupal wrote:
>
> Hi, for some reason I'm really struggling with executing domain-related 
> activities on Windows machines that are domain members. Two specific things 
> that I'm trying to do is Rename-Computer and Remove-Computer. Note that I 
> am using Kerberos for authentication and am not passing through credentials 
> stored in any files.
>
> When I try Rename-Computer I get an access denied error, if I supply the 
> "DomainCredential" switch to include my username, the Ansible task simply 
> sits there forever and I have to cancel the task.
>
> Anyone have similar experiences? Ideas?
>



[ansible-project] Re: Ansible DSC integration - coming to main release?

2017-04-07 Thread Matt Davis
I'm definitely open to shipping the dynamic DSC executor module as a big 
first step (and maybe the only one?), so if you want to polish it up and PR 
it for 2.4, please do! Agreed WRT the name change to remove the version- 
DSC4 is pretty worthy of ignoring IMO. :)

On Friday, April 7, 2017 at 2:02:01 PM UTC-7, Trond Hindenes wrote:
>
> It's my impression that the win_dsc5 module is far more popular than the 
> "auto-generated" stuff. win_dsc5 simply looks at the underlying dsc 
> resource at execution time, maps the parameters and injects the things - so 
> it's essentially just a shim. The ModuleGenerator stuff is more of a moving 
> target, so that one would probably not be the best of ideas to include in 
> core.
>
> I'd be more than happy to pr the win_dsc5 module (probably rename it to 
> win_dsc) and get some community contribution on it in order to increase its 
> quality and robustness.
>
>
> On Monday, April 3, 2017 at 9:06:53 AM UTC+2, J Hawkesworth wrote:
>>
>> Would shipping a module generator be a viable way around this?
>>
>> Once you start doing anything you care about, you need to pick a version 
>> of ansible and test with it before using it in production anyway, so having 
>> an extra step where you generate the modules you are going to test with and 
>> keep them in your /library (probably in source) control, would seem 
>> reasonable to me.
>>
>> Jon
>>
>> On Thursday, March 30, 2017 at 6:30:53 PM UTC+1, Matt Davis wrote:
>>>
>>> The other to-be-solved issue that might hold up meaningful DSC support 
>>> in Ansible proper is around generated modules- we've thus far been very 
>>> resistant to ship them in the box, as PR/change/attribution are very 
>>> problematic. We're still juggling options around external module hosting, 
>>> which might be one way to solve that, but at least currently, we're saying 
>>> "no" to shipping generated modules in the box with Ansible.
>>>
>>> On Thursday, March 30, 2017 at 10:26:27 AM UTC-7, Matt Davis wrote:
>>>>
>>>> Big-picture, I have no problem shipping modules that require a greater 
>>>> Powershell/Windows version than our baselines if they're baked on tech 
>>>> that 
>>>> requires it. No sense in keeping Ansible in the relative "dark ages" and 
>>>> ignoring all the great stuff that's happening in the PS community around 
>>>> DSC and other things. However, before we open the door to that, I want to 
>>>> make sure that we've got clear and consistent ways to both document the 
>>>> requirements, and to fail clearly when they're not met.
>>>>
>>>> In 2.4, we'll be using Powershell's native #Requires syntax to drive 
>>>> module imports and PS version testing (but ATM we have to roll our own 
>>>> checking for it), so the runtime failure side should be covered. We just 
>>>> need to extend the doc metadata and rendering to show that it has external 
>>>> requirements beyond our baseline stuff. Off the top of my head, I think we 
>>>> already have a requirements keyword, but can't remember how/if it 
>>>> renders to HTML. 
>>>>
>>>> -Matt
>>>>
>>>> On Sunday, March 26, 2017 at 2:27:29 PM UTC-7, Trond Hindenes wrote:
>>>>>
>>>>> I'm actually getting a steady trickle of prs and feedbacks on the 
>>>>> dsc-related stuff I wrote - which is great! 
>>>>>
>>>>> These were written when dsc still was a bit flakey and more than 
>>>>> anything as proof of concept pieces. But yeah, we run these things in 
>>>>> production - and they work really great. I haven't made any effort to get 
>>>>> them merged in to main, mostly since Ansible's "main" powershell 
>>>>> requirement is for psv3 and my modules require psv5. 
>>>>>
>>>>> Happy to submit them tho, but that would mean that we (as in the 
>>>>> Ansible project) first take an "official" stance on powershell version 
>>>>> support. eg, do we allow v5-only modules into ansible core?
>>>>>
>>>>> I'm open to suggestions!
>>>>>
>>>>> On Thursday, March 23, 2017 at 10:08:57 AM UTC+1, J Hawkesworth wrote:
>>>>>>
>>>>>> Trond certainly is - see this entry on his blog: 
>>>>>> http://hindenes.com/trondsworking/2016/12/21/ansible-wind

[ansible-project] Re: Using configurationName in powershell module

2017-04-07 Thread Matt Davis
IIRC, each named configuration has a discrete HTTP URL, and at least for 
JEA (which is the recommended method), it's PSRP-only. Jordan's got a PSRP 
layer prototyped for pywinrm that we'll likely be merging soon, so the 
protocol end of things is getting workable, it's just a matter of how to 
sanely lock down the module stuff. My early experiments with PSRP a long 
time ago showed that it'd be quite a bit slower than naked WinRM, too, so 
we'd probably want to keep both options available unless we do some fancier 
connection pooling or something to cut down on the extra PSRP chatter.

I've been kicking around a couple of ideas on how we might be able to 
enable JEA sanely. The one I like the best is to build a tool that can 
either wrap Ansible modules directly in a rolecap PS module, or define a 
custom rolecap executor function that includes a list of "allowed" modules 
(which would need to be code-signed by Ansible or the org). In the second 
case, the executor runs in the unrestricted context, so would verify that 
the module is on the list and that the signature is valid (ie, the module 
code hasn't been hacked by the caller), then run it. I like the second 
option better, since it'd better allow for upgrades of Ansible without 
updating the rolecap stuff, but securely implementing code-signing on 
modules in an open-source project is a big ball of wax.

Anyway, plenty of discussion to have here in the coming months...

-Matt


On Friday, April 7, 2017 at 1:54:44 PM UTC-7, Trond Hindenes wrote:
>
> I thought about this myself.
>
> One of the nice things with constrained endpoints (which is one of the 
> things you can do with the "configuration" option) is that the connection 
> account doesn't have to be the same as the execution account on the server, 
> which (imho) is an avenue that could potentially be worth exploring. 
> That said, I have no idea how winrm implements configurations so it 
> probably takes a bit of research.
>
> On Thursday, April 6, 2017 at 8:43:27 PM UTC+2, Matt Davis wrote:
>>
>> Sorry, it's on the *2.4* roadmap to explore.
>>
>> On Thursday, April 6, 2017 at 11:42:59 AM UTC-7, Matt Davis wrote:
>>>
>>> Yeah, this is along the lines of "constrained sudo" on the Linux side. 
>>> We haven't spent any time working on this yet, but it's on the 2.3 roadmap 
>>> to explore. I won't say it's impossible to make it work with a constrained 
>>> configuration, but as you've alluded, it's very difficult, and at least in 
>>> the Linux case, you have to give so many privileges (eg, launching 
>>> arbitrary processes) that the "jail" is very escapable anyway. The way we 
>>> do things on Windows, I suspect the same will be true. Switching out the 
>>> underlying WinRM protocol to PSRP is actually the easy part.
>>>
>>> I've thought through a couple of ways that we *might* be able to make 
>>> this work, but they'd require a lot of infrastructure that's currently 
>>> missing, so I wouldn't count on it for at least the next couple of 
>>> releases...
>>>
>>> -Matt
>>>
>>>
>>> On Thursday, April 6, 2017 at 8:27:40 AM UTC-7, Vincent Desjardins wrote:
>>>>
>>>> Hi Jordan,
>>>>
>>>> This is a custom configuration created by one of our Windows admin to 
>>>> control what Ansible could do on the server. Personally I have some doubts 
>>>> about the maintainability and the usefulness of managing these 
>>>> configurations since the purpose of Ansible is to configure the server... 
>>>> Ansible needs to have Admin right to do anything meaningful in my opinion.
>>>>
>>>> Do you know if an upgrade to the protocol implementation in Ansible is 
>>>> on the roadmap?
>>>>
>>>> Thanks,
>>>> Vincent
>>>>
>>>> On Wednesday, April 5, 2017 at 10:03:12 PM UTC-4, Jordan Borean wrote:
>>>>>
>>>>> Hi Vincent
>>>>>
>>>>> I don't believe this is possible right now as Ansible uses an older 
>>>>> protocol than Enter-PSSession. What is the configuration that you need to 
>>>>> use, potentially it can be covered with different arguments.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Jordan
>>>>>
>>>>> On Thursday, April 6, 2017 at 10:08:48 AM UTC+10, Vincent Desjardins 
>>>>> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>
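
The second option in Matt's message above (an executor that checks an allow list and a code signature before running a module), sketched as an added example that is not Ansible's code or the poster's. It assumes the signed modules are staged on the target in an admin-only directory rather than sent by the caller; the function names, directory, allow list and thumbprint placeholder are all hypothetical.

```powershell
# Hypothetical executor for a JEA role capability. Every name, path and the
# thumbprint placeholder below is an assumption, not part of Ansible.
Set-StrictMode -Version Latest

$script:ModuleRoot     = 'C:\ProgramData\AnsibleJea\modules'  # assumed; writable by admins only
$script:AllowedModules = @('win_ping.ps1', 'win_service.ps1') # assumed allow list
$script:TrustedSigners = @('<SIGNING-CERT-THUMBPRINT>')       # placeholder

function Test-ModuleTrusted {
    param(
        [Parameter(Mandatory)][string]$Name
    )
    # Accept only a bare file name: no directory separators, no traversal
    if ($Name -ne [System.IO.Path]::GetFileName($Name)) { return $false }
    if ($script:AllowedModules -notcontains $Name)      { return $false }

    $path = Join-Path -Path $script:ModuleRoot -ChildPath $Name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return $false }

    # The signature must verify (file unmodified since signing, chain trusted)
    # and must come from a signer we expect, not just any trusted publisher
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) { return $false }
    if ($script:TrustedSigners -notcontains $sig.SignerCertificate.Thumbprint) { return $false }
    return $true
}

function Invoke-AllowedModule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [hashtable]$Arguments = @{}
    )
    if (-not (Test-ModuleTrusted -Name $Name)) {
        throw "Module '$Name' is not on the allow list or failed signature validation."
    }
    # Run the verified file from the protected directory, passing arguments by splatting
    $path = Join-Path -Path $script:ModuleRoot -ChildPath $Name
    & $path @Arguments
}
```

In a role capability file, only `Invoke-AllowedModule` would be made visible to the connecting user; the check and the module directory stay out of the caller's reach.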

[ansible-project] Re: Using configurationName in powershell module

2017-04-06 Thread Matt Davis
Sorry, it's on the *2.4* roadmap to explore.

On Thursday, April 6, 2017 at 11:42:59 AM UTC-7, Matt Davis wrote:
>
> Yeah, this is along the lines of "constrained sudo" on the Linux side. We 
> haven't spent any time working on this yet, but it's on the 2.3 roadmap to 
> explore. I won't say it's impossible to make it work with a constrained 
> configuration, but as you've alluded, it's very difficult, and at least in 
> the Linux case, you have to give so many privileges (eg, launching 
> arbitrary processes) that the "jail" is very escapable anyway. The way we 
> do things on Windows, I suspect the same will be true. Switching out the 
> underlying WinRM protocol to PSRP is actually the easy part.
>
> I've thought through a couple of ways that we *might* be able to make this 
> work, but they'd require a lot of infrastructure that's currently missing, 
> so I wouldn't count on it for at least the next couple of releases...
>
> -Matt
>
>
> On Thursday, April 6, 2017 at 8:27:40 AM UTC-7, Vincent Desjardins wrote:
>>
>> Hi Jordan,
>>
>> This is a custom configuration created by one of our Windows admin to 
>> control what Ansible could do on the server. Personally I have some doubts 
>> about the maintainability and the usefulness of managing these 
>> configurations since the purpose of Ansible is to configure the server... 
>> Ansible needs to have Admin right to do anything meaningful in my opinion.
>>
>> Do you know if an upgrade to the protocol implementation in Ansible is on 
>> the roadmap?
>>
>> Thanks,
>> Vincent
>>
>> On Wednesday, April 5, 2017 at 10:03:12 PM UTC-4, Jordan Borean wrote:
>>>
>>> Hi Vincent
>>>
>>> I don't believe this is possible right now as Ansible uses an older 
>>> protocol than Enter-PSSession. What is the configuration that you need to 
>>> use, potentially it can be covered with different arguments.
>>>
>>> Thanks
>>>
>>> Jordan
>>>
>>> On Thursday, April 6, 2017 at 10:08:48 AM UTC+10, Vincent Desjardins 
>>> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I wrote a small powershell module for Ansible. My Windows Admin wants 
>>>> me to use a specific configuration when connecting to the server for 
>>>> security. So I would like to know if Ansible can be configured to have a 
>>>> session initialized like this:
>>>>
>>>> Enter-PSSession -ComputerName myhostname -ConfigurationName Ansible
>>>>
>>>> I did some digging and found nothing.
>>>>
>>>> Thanks!
>>>> Vincent
>>>>
>>>



[ansible-project] Re: Using configurationName in powershell module

2017-04-06 Thread Matt Davis
Yeah, this is along the lines of "constrained sudo" on the Linux side. We 
haven't spent any time working on this yet, but it's on the 2.3 roadmap to 
explore. I won't say it's impossible to make it work with a constrained 
configuration, but as you've alluded, it's very difficult, and at least in 
the Linux case, you have to give so many privileges (eg, launching 
arbitrary processes) that the "jail" is very escapable anyway. The way we 
do things on Windows, I suspect the same will be true. Switching out the 
underlying WinRM protocol to PSRP is actually the easy part.

I've thought through a couple of ways that we *might* be able to make this 
work, but they'd require a lot of infrastructure that's currently missing, 
so I wouldn't count on it for at least the next couple of releases...

-Matt


On Thursday, April 6, 2017 at 8:27:40 AM UTC-7, Vincent Desjardins wrote:
>
> Hi Jordan,
>
> This is a custom configuration created by one of our Windows admin to 
> control what Ansible could do on the server. Personally I have some doubts 
> about the maintainability and the usefulness of managing these 
> configurations since the purpose of Ansible is to configure the server... 
> Ansible needs to have Admin right to do anything meaningful in my opinion.
>
> Do you know if an upgrade to the protocol implementation in Ansible is on 
> the roadmap?
>
> Thanks,
> Vincent
>
> On Wednesday, April 5, 2017 at 10:03:12 PM UTC-4, Jordan Borean wrote:
>>
>> Hi Vincent
>>
>> I don't believe this is possible right now as Ansible uses an older 
>> protocol than Enter-PSSession. What is the configuration that you need to 
>> use, potentially it can be covered with different arguments.
>>
>> Thanks
>>
>> Jordan
>>
>> On Thursday, April 6, 2017 at 10:08:48 AM UTC+10, Vincent Desjardins 
>> wrote:
>>>
>>> Hi,
>>>
>>> I wrote a small powershell module for Ansible. My Windows Admin wants me 
>>> to use a specific configuration when connecting to the server for security. 
>>> So I would like to know if Ansible can be configured to have a session 
>>> initialized like this:
>>>
>>> Enter-PSSession -ComputerName myhostname -ConfigurationName Ansible
>>>
>>> I did some digging and found nothing.
>>>
>>> Thanks!
>>> Vincent
>>>
>>



[ansible-project] Re: ansible_os_family values

2017-04-06 Thread Matt Davis
The Windows setup module is a completely separate thing (written in 
Powershell)

On Thursday, April 6, 2017 at 2:01:52 AM UTC-7, Noel Verhoeven wrote:
>
> Funny how I have "windows" in my OS_family variable, but it is not member 
> of this dict. Are there 2 separate instances of this in the code, one for 
> linux and one for windows hosts?
>
> On Friday, December 6, 2013 at 9:46:40 AM UTC+1, anatoly techtonik wrote:
>>
>> Hi,
>>
>> I know ansible_os_family can be "RedHat" or "Debian", where "RedHat" 
>> includes Fedora
>> and "Debian" is for Ubuntu. Where to find the list of all values that 
>> "ansible_os_family"
>> can take? It would be awesome if every value also included most popular 
>> examples of
>> named families.
>>
>>



Re: [ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

2017-04-04 Thread Matt Davis
Tower uses an isolation tech called proot that will often break shared 
ticket caches. If you can't wait for Ansible 2.3 (should be released within 
the next couple weeks), I'd suggest disabling proot (IIRC it's in 
settings.py, but my Tower-fu is getting rusty). 

On Tuesday, April 4, 2017 at 12:48:27 PM UTC-7, William McKenzie wrote:
>
> time is definitely good.
>
> i run ntpdate in my vagrant provisioning script just to be sure.
>
> On Tue, Apr 4, 2017 at 2:20 PM, cupcake  wrote:
>
>> sanity check; is time in sync? windows AD/kerb won't auth if the skew is 
>> more than 5 or 10 minutes off. I also saw some weirdness like this recently 
>> and a reboot and then kinit again made it work but i think due to another 
>> config reason on my part.
>>
>> On Tuesday, April 4, 2017 at 9:09:27 AM UTC-4, William McKenzie wrote:
>>>
>>> I think that's what I'm doing.
>>>
>>> I've tried doing the kinit from the console, doing the kinit in a cron 
>>> job, doing the kinit manually in a playbook before running the winrm play 
>>> book, and doing it as a local_action in the winrm playbook itself.
>>>
>>> In all cases (except the last one), the kinit succeeds; I can use klist 
>>> to see the tickets (logged in as awx user). I can see the credential cache 
>>> with the correct owner and attributes in the /tmp directory. I've also 
>>> tried using the KEYRING instead of the FILE cache. For whatever reason, the 
>>> winrm job is unable to see the credentials in the cache. 
>>>
>>> When I run this playbook, it fails:
>>> ---
>>> - name: WinPing
>>>   hosts: all
>>>
>>>   tasks:
>>>   - name: knit
>>>     local_action: command echo "xxx" | kinit -l 7d -r 7d -pf ansi...@home.cartewright.com
>>>
>>>   - name: ping
>>>     win_ping:
>>>
>>>
>>>
>>>
>>> Produces this output. It seems to be running task setup before running 
>>> my local action, and setup fails.
>>>
>>>
>>> TASK [setup] 
>>> *** 
>>> 07:39:32
>>> Using module file 
>>> /usr/lib/python2.7/site-packages/ansible/modules/core/windows/setup.ps1 
>>>  ESTABLISH WINRM CONNECTION FOR USER: 
>>> ans...@home.cartewright.com on PORT 5986 TO louis.home.cartewright.com 
>>>  WINRM CONNECT: transport=kerberos endpoint=
>>> https://louis.home.cartewright.com:5986/wsman 
>>>  WINRM CONNECTION ERROR: 
>>> authGSSClientInit() failed: (('Unspecified GSS failure. Minor code may 
>>> provide more information', 851968), ("Can't find client principal 
>>> ans...@home.cartewright.com in cache collection", -1765328243)) 
>>> Traceback (most recent call last): 
>>> File 
>>> "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", 
>>> line 154, in _winrm_connect 
>>> self.shell_id = protocol.open_shell(codepage=65001) # UTF-8 
>>> File 
>>> "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", 
>>> line 132, in open_shell 
>>> res = self.send_message(xmltodict.unparse(req)) 
>>> File 
>>> "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", 
>>> line 207, in send_message 
>>> return self.transport.send_message(message) 
>>> File 
>>> "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", 
>>> line 181, in send_message 
>>> prepared_request = self.session.prepare_request(request) 
>>> File "/var/lib/awx/venv/ansible/lib/python2.7/site-packag… 
>>>
>>>
>>>
>>>
>>> On Monday, April 3, 2017 at 4:37:12 PM UTC-5, Matt Davis wrote:
>>>>
>>>> Ansible doesn't manage the tickets for you until Ansible Core 2.3 
>>>> (still in release candidate). Anything earlier, you'll have to do the 
>>>> kinit 
>>>> on the controller yourself (either via a cron job or as part of your 
>>>> playbook with a local action). 
>>>>
>>>> On Monday, April 3, 2017 at 7:27:21 AM UTC-7, William McKenzie wrote:
>>>>>
>>>>

[ansible-project] Re: winrm certificate authentication

2017-04-04 Thread Matt Davis
Doesn't look like you actually set up the cert->user mapping. Take a look 
at 
http://www.hurryupandwait.io/blog/certificate-password-less-based-authentication-in-winrm
 
- it's a decent end-to-end tutorial on how to set it up. That said, I'd 
strongly recommend you don't use it- the mapping is brittle, it doesn't 
work for domain users, and underlying urllib3 requirements mean that the 
cert has to be sitting on disk unencrypted. Most folks are better off just 
using vaulted passwords.

-Matt

On Tuesday, April 4, 2017 at 9:03:10 AM UTC-7, Hmdi Bz wrote:
>
> Hi,
>
> I have two VMs the first one is centos 7 VM with ansible 2.2.1 installed 
>  (ip: 192.168.26.2)
> the second one is a windows 10 VM(ip: 192.168.26.3)
>
> I have managed to connect to windows VM from centos VM using basic 
> authentication (username +  password)
>
> I need to use certificate authentication between centos and windows and I 
> did the following with no success:
>
>  1) I have generated a self-signed certificate in the windows VM then 
> I have installed it  with the following command 
>  $ip="192.168.26.3"
>  $c = New-SelfSignedCertificate -DnsName $ip -CertStoreLocation 
> cert:\LocalMachine\My
>
>  2) I have created the following winrm listener on the windows VM:
>  winrm create winrm/config/Listener?Address=*+Transport=HTTPS 
> "@{Hostname=`"$ip`";CertificateThumbprint=`"$($c.ThumbPrint)`"}"
>
>  3) I have generated a private key on centos VM:
>  openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt 
> rsa_keygen_bits:2048
>
>  4) I have generated a csr on centos VM:
> openssl req -key private_key.pem -new -out ansible.csr
>
>  5) I have signed the csr (ansible.csr) using the self-generated 
> certificate in windows VM
>   openssl ca -out ansible.crt -infiles ansible.csr
>
>  6) I have edited the inventory file:
> [test]
> 192.168.26.2
> [test:vars]
> ansible_user=administrator 
> ansible_winrm_port=5986
> ansible_connection=winrm
> ansible_winrm_scheme=https
> ansible_winrm_transport=certificate
> ansible_winrm_server_cert_validation=ignore
> ansible_winrm_cert_key_pem=path/to/private/key/ private_key.pem
> ansible_winrm_cert_pem=path/to/certificate/ansible.crt
>
>  7) I have executed the following command  but it failed
>  ansible -i pilote.ini test win_ping
>
>I had the following error:
> msg:"certificate: the specified credentials were rejected by the 
> server
>
>
>   
> can you point me what  am I doing wrong??
> Thank you
>
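
The cert-to-user mapping step that Matt's reply says is missing, as an added example that is not from the original post or the linked tutorial. It runs elevated on the Windows target; the thumbprint is a placeholder, the account name is taken from the inventory quoted above, and the function name is hypothetical.

```powershell
# Added example. Run in an elevated session on the Windows target.
function New-WinRMCertMapping {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserName,          # local account the cert logs in as
        [Parameter(Mandatory)][string]$IssuerThumbprint,  # cert that issued the client cert
        [Parameter(Mandatory)][pscredential]$Credential   # that account's current password
    )
    # The issuer must be trusted by the machine, or WinRM rejects the client cert
    $issuer = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $IssuerThumbprint }
    if (-not $issuer) {
        throw "Issuer $IssuerThumbprint is not in Cert:\LocalMachine\Root."
    }

    # Certificate auth is off by default on the WinRM service
    Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true

    # -Subject has to match the UPN in the client certificate's subjectAltName
    New-Item -Path WSMan:\localhost\ClientCertificate `
        -Subject "$UserName@localhost" `
        -URI * `
        -Issuer $IssuerThumbprint `
        -Credential $Credential `
        -Force
}

# '<ISSUER-CERT-THUMBPRINT>' is a placeholder for the real issuer thumbprint
$cred = Get-Credential -UserName 'administrator' -Message 'Password of the mapped local account'
New-WinRMCertMapping -UserName 'administrator' -IssuerThumbprint '<ISSUER-CERT-THUMBPRINT>' -Credential $cred

# Show the mappings that now exist
Get-ChildItem -Path WSMan:\localhost\ClientCertificate
```

The mapping stores the account's password, so it has to be recreated whenever that password changes.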



[ansible-project] Re: Kerberos in Ansible Tower, pulling my hair out.

2017-04-03 Thread Matt Davis
Ansible doesn't manage the tickets for you until Ansible Core 2.3 (still in 
release candidate). Anything earlier, you'll have to do the kinit on the 
controller yourself (either via a cron job or as part of your playbook with 
a local action). 

On Monday, April 3, 2017 at 7:27:21 AM UTC-7, William McKenzie wrote:
>
> Here's my setup:
>
> Ansible Tower 3.1.1, Basic License, using the vagrant box, with some post 
> provisioning steps to setup krb5 and join the box to my domain.
>
> Kerberos configuration is good. I can kinit, klist, etc. etc. from command 
> line.
>
> python winrm is good:
>
> vagrant@ansible-tower ~]$ sudo su - awx
>
> Last login: Sat Apr  1 23:12:18 JST 2017 on pts/1
>
>
> *Welcome to Ansible Tower!*
>
> Log into the web interface here: etc...
>
> -bash-4.2$ cat test.py
>
> import sys
>
> from winrm.protocol import Protocol
>
> HYPERV_SERVER = 'https://louis.home.cartewright.com:5986/wsman'
>
> class RM():
>
>     def __init__(self):
>         self.win_connect = Protocol(endpoint=HYPERV_SERVER, transport='kerberos', server_cert_validation='ignore')
>
>     def test(self):
>         shell_id = self.win_connect.open_shell()
>         cmd = "dir"
>         command_id = self.win_connect.run_command(shell_id, cmd)
>         output, error_value, exit_status = self.win_connect.get_command_output(shell_id, command_id)
>         self.win_connect.cleanup_command(shell_id, command_id)
>         self.win_connect.close_shell(shell_id)
>         print output
>
> def main():
>     rm = RM()
>     rm.test()
>
> if __name__ == '__main__':
>     main()
>     sys.exit()
>
> -bash-4.2$ python test.py
>
> Volume in drive C is SAMSUNG 512GB SSD
>
> Volume Serial Number is 2C8F-7BFA
>
>
> Directory of C:\Users\ansible
>
>
> 03/31/2017  11:04 AM  .
>
> 03/31/2017  11:04 AM  ..
>
> 07/16/2016  06:47 AM  Desktop
>
> 03/31/2017  11:04 AM  Documents
>
> 07/16/2016  06:47 AM  Downloads
>
> 07/16/2016  06:47 AM  Favorites
>
> 07/16/2016  06:47 AM  Links
>
> 07/16/2016  06:47 AM  Music
>
> 07/16/2016  06:47 AM  Pictures
>
> 07/16/2016  06:47 AM  Saved Games
>
> 07/16/2016  06:47 AM  Videos
>
>   0 File(s)  0 bytes
>
>  11 Dir(s)  291,787,771,904 bytes free
>
>
> -bash-4.2$ 
>
> So now, I manually create some inventory in the default directories/files 
> for ansible (not Tower). Works perfectly:
>
> -bash-4.2$ cat /etc/ansible/group_vars/windows.yml 
>
> ansible_connection: winrm
>
> ansible_user: ansi...@home.cartewright.com
>
> ansible_password: R1pflash
>
> ansible_winrm_server_cert_validation: ignore
>
>
> -bash-4.2$ 
>
> -bash-4.2$ ansible windows -m win_ping -v
>
> Using /etc/ansible/ansible.cfg as config file
>
> louis.home.cartewright.com | SUCCESS => {
>
> "changed": false, 
>
> "ping": "pong"
>
> }
>
>
> Now, I create the exact same inventory in tower, exact same credentials (
> ansi...@home.cartewright.com) and no matter how I tweak it, always the 
> same thing:
>
> Using /etc/ansible/ansible.cfg as config file SSH password: Using module 
> file 
> /usr/lib/python2.7/site-packages/ansible/modules/core/windows/win_ping.ps1 
>  ESTABLISH WINRM CONNECTION FOR USER: 
> ansi...@home.cartewright.com on PORT 5986 TO louis.home.cartewright.com <
> louis.home.cartewright.com> WINRM CONNECT: transport=kerberos endpoint=
> https://louis.home.cartewright.com:5986/wsman  
> WINRM CONNECTION ERROR: authGSSClientInit() failed: (('Unspecified GSS 
> failure. Minor code may provide more information', 851968), ("Can't find 
> client principal ansi...@home.cartewright.com in cache collection", 
> -1765328243)) Traceback (most recent call last): File 
> "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", 
> line 154, in _winrm_connect self.shell_id = 
> protocol.open_shell(codepage=65001) # UTF-8 File 
> "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", 
> line 132, in open_shell res = self.send_message(xmltodict.unparse(req)) 
> File 
> "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/protocol.py", 
> line 207, in send_message return self.transport.send_message(message) File 
> "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/winrm/transport.py", 
> line 181, in send_message prepared_request = 
> self.session.prepare_request(request) File 
> "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/sessions.py", 
> line 394, in prepare_request hooks=merge_hooks(request.hooks, self.hooks), 
> File 
> "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", 
> line 298, in prepare self.prepare_auth(auth, url) File 
> "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/models.py", 
> line 500, in prepare_auth r = auth(self) File 
> "/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests_kerberos/kerberos_.py",
>  
> line 308, in

Re: [ansible-project] Kerberos Auth - the specified credentials were rejected by the server

2017-03-30 Thread Matt Davis
Something like this will do it: 
https://social.technet.microsoft.com/wiki/contents/articles/18996.list-all-spns-used-in-your-active-directory.aspx

Oftentimes it's some random piece of software that reassigns a host's HTTP 
SPNs to do Kerberos in IIS with a custom user account. Normally the HTTP 
SPN is "implicit", so it shouldn't be assigned anywhere.

On Thursday, March 30, 2017 at 10:37:09 AM UTC-7, Michael Eaton wrote:
>
> Hey.
>
> How do I check the spn? I've already applied that pull to pywinrm...
>
> Thanks.
>
> Michael 
>
>  Original message 
> From: Matt Davis  
> Date: 30/03/2017 18:08 (GMT+00:00) 
> To: Ansible Project  
> Subject: Re: [ansible-project] Kerberos Auth - the specified credentials 
> were rejected by the server 
>
> Is the target host's HTTP SPN assigned to a user (instead of the computer 
> account) in AD? Pywinrm isn't currently patching the service override 
> through to the kerb layer (see https://github.com/diyan/pywinrm/pull/144), 
> so if you're in that situation, you'll have to wait for the next pywinrm 
> release that includes that bugfix.
>
> On Thursday, March 30, 2017 at 9:36:50 AM UTC-7, Michael Eaton wrote:
>>
>> Thanks, 
>>
>> That allowed me to get a bit further: 
>>
>>
>> TASK [Gathering Facts] 
>> ***
>>  
>>
>> Using module file /root/ansible/lib/ansible/modules/windows/setup.ps1 
>>  ESTABLISH WINRM CONNECTION FOR USER: 
>> ansi...@iom.domain.com on PORT 5986 TO appt-001-iom.IOM.DOMAIN.COM 
>> creating Kerberos CC at /tmp/tmppm3JWz 
>> calling kinit for principal ansi...@iom.domain.com 
>> kinit succeeded for principal ansi...@iom.domain.com 
>>  WINRM CONNECT: transport=kerberos endpoint=
>> https://appt-001-iom.IOM.DOMAIN.COM:5986/wsman 
>>  WINRM CONNECTION ERROR: 
>> authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may 
>> provide more information', 851968), ('Server not found in Kerberos 
>> database', -1765328377)) 
>> Traceback (most recent call last): 
>>   File "/root/ansible/lib/ansible/plugins/connection/winrm.py", line 211, 
>> in _winrm_connect 
>> self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8 
>>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in 
>> open_shell 
>> res = self.send_message(xmltodict.unparse(req)) 
>>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in 
>> send_message 
>> return self.transport.send_message(message) 
>>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 181, 
>> in send_message 
>> prepared_request = self.session.prepare_request(request) 
>>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 407, 
>> in prepare_request 
>> hooks=merge_hooks(request.hooks, self.hooks), 
>>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 306, 
>> in prepare 
>> self.prepare_auth(auth, url) 
>>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 543, 
>> in prepare_auth 
>> r = auth(self) 
>>   File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", 
>> line 308, in __call__ 
>> auth_header = self.generate_request_header(None, host, 
>> is_preemptive=True) 
>>   File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", 
>> line 148, in generate_request_header 
>> raise KerberosExchangeError("%s failed: %s" % (kerb_stage, 
>> str(error.args))) 
>> KerberosExchangeError: authGSSClientStep() failed: (('Unspecified GSS 
>> failure.  Minor code may provide more information', 851968), ('Server not 
>> found in Kerberos database', -1765328377)) 
>>
>> fatal: [appt-001-iom.IOM.DOMAIN.COM]: UNREACHABLE! => { 
>> "changed": false, 
>> "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS 
>> failure.  Minor code may provide more information', 851968), ('Server not 
>> found in Kerberos database', -1765328377))", 
>> "unreachable": true 
>> } 
>> to retry, use: --limit @/root/ansible-iom/windows.retry 
>>
>>
>> As 
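
A narrower version of the SPN check Matt describes at the top of this message, as an added example that is not from the thread or the linked article: it looks up only the HTTP SPNs for one host and reports which account holds them. It assumes the RSAT ActiveDirectory module is available; the host name is a constructed value and the function name is hypothetical.

```powershell
Import-Module ActiveDirectory   # assumes the RSAT AD module is installed

function Get-HttpSpnOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TargetHost   # FQDN of the WinRM target
    )
    $short = $TargetHost.Split('.')[0]

    # Match HTTP/<name> with or without a port suffix, for the FQDN and the short name
    $clauses = foreach ($name in @($TargetHost, $short)) {
        '(servicePrincipalName=HTTP/{0})'   -f $name
        '(servicePrincipalName=HTTP/{0}:*)' -f $name
    }
    $filter = '(|{0})' -f ($clauses -join '')

    Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName, sAMAccountName |
        Select-Object sAMAccountName, ObjectClass, DistinguishedName,
            @{ Name = 'HttpSpns'; Expression = { @($_.servicePrincipalName) -like 'HTTP/*' } }
}

# Constructed example host name
$owners = @(Get-HttpSpnOwner -TargetHost 'server01.example.com')

if ($owners.Count -eq 0) {
    'No explicit HTTP SPN registered; the implicit mapping to the computer account applies.'
} else {
    $owners | Format-Table -AutoSize
    foreach ($o in $owners) {
        # An HTTP SPN on a user or service account is the case described above
        if ($o.ObjectClass -ne 'computer') {
            Write-Warning ("HTTP SPN is assigned to '{0}' ({1}), not the computer account." -f `
                $o.sAMAccountName, $o.ObjectClass)
        }
    }
}
```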

[ansible-project] Re: Ansible DSC integration - coming to main release?

2017-03-30 Thread Matt Davis
The other to-be-solved issue that might hold up meaningful DSC support in 
Ansible proper is around generated modules- we've thus far been very 
resistant to ship them in the box, as PR/change/attribution are very 
problematic. We're still juggling options around external module hosting, 
which might be one way to solve that, but at least currently, we're saying 
"no" to shipping generated modules in the box with Ansible.

On Thursday, March 30, 2017 at 10:26:27 AM UTC-7, Matt Davis wrote:
>
> Big-picture, I have no problem shipping modules that require a greater 
> Powershell/Windows version than our baselines if they're baked on tech that 
> requires it. No sense in keeping Ansible in the relative "dark ages" and 
> ignoring all the great stuff that's happening in the PS community around 
> DSC and other things. However, before we open the door to that, I want to 
> make sure that we've got clear and consistent ways to both document the 
> requirements, and to fail clearly when they're not met.
>
> In 2.4, we'll be using Powershell's native #Requires syntax to drive 
> module imports and PS version testing (but ATM we have to roll our own 
> checking for it), so the runtime failure side should be covered. We just 
> need to extend the doc metadata and rendering to show that it has external 
> requirements beyond our baseline stuff. Off the top of my head, I think we 
> already have a requirements keyword, but can't remember how/if it renders 
> to HTML. 
>
> -Matt
>
> On Sunday, March 26, 2017 at 2:27:29 PM UTC-7, Trond Hindenes wrote:
>>
>> I'm actually getting a steady trickle of PRs and feedback on the 
>> dsc-related stuff I wrote - which is great! 
>>
>> These were written when dsc still was a bit flakey and more than anything 
>> as proof of concept pieces. But yeah, we run these things in production - 
>> and they work really great. I haven't made any effort to get them merged in 
>> to main, mostly since Ansible's "main" powershell requirement is for psv3 
>> and my modules require psv5. 
>>
>> Happy to submit them tho, but that would mean that we (as in the Ansible 
>> project) first take an "official" stance on powershell version support. eg, 
>> do we allow v5-only modules into ansible core?
>>
>> I'm open to suggestions!
>>
>> On Thursday, March 23, 2017 at 10:08:57 AM UTC+1, J Hawkesworth wrote:
>>>
>>> Trond certainly is - see this entry on his blog: 
>>> http://hindenes.com/trondsworking/2016/12/21/ansible-windows-what-weve-learned-from-6-months-in-production/
>>>
>>>
>>> On Thursday, March 23, 2017 at 8:39:23 AM UTC, Sam wrote:
>>>>
>>>>
>>>> Matt's insight regarding the roadmap is very useful, however is anyone 
>>>> using the win_dsc5 module in the wild? I am due to start some testing 
>>>> today 
>>>> so if there are any glaring gotchas that I can avoid please do share - it 
>>>> will be much appreciated.
>>>>
>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/5f1ed11a-6549-479a-a4c1-e4ef9b2070e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ansible-project] Re: Ansible DSC integration - coming to main release?

2017-03-30 Thread Matt Davis
Big-picture, I have no problem shipping modules that require a greater 
Powershell/Windows version than our baselines if they're baked on tech that 
requires it. No sense in keeping Ansible in the relative "dark ages" and 
ignoring all the great stuff that's happening in the PS community around 
DSC and other things. However, before we open the door to that, I want to 
make sure that we've got clear and consistent ways to both document the 
requirements, and to fail clearly when they're not met.

In 2.4, we'll be using Powershell's native #Requires syntax to drive module 
imports and PS version testing (but ATM we have to roll our own checking 
for it), so the runtime failure side should be covered. We just need to 
extend the doc metadata and rendering to show that it has external 
requirements beyond our baseline stuff. Off the top of my head, I think we 
already have a requirements keyword, but can't remember how/if it renders 
to HTML. 

-Matt

On Sunday, March 26, 2017 at 2:27:29 PM UTC-7, Trond Hindenes wrote:
>
> I'm actually getting a steady trickle of PRs and feedback on the 
> dsc-related stuff I wrote - which is great! 
>
> These were written when dsc still was a bit flakey and more than anything 
> as proof of concept pieces. But yeah, we run these things in production - 
> and they work really great. I haven't made any effort to get them merged in 
> to main, mostly since Ansible's "main" powershell requirement is for psv3 
> and my modules require psv5. 
>
> Happy to submit them tho, but that would mean that we (as in the Ansible 
> project) first take an "official" stance on powershell version support. eg, 
> do we allow v5-only modules into ansible core?
>
> I'm open to suggestions!
>
> On Thursday, March 23, 2017 at 10:08:57 AM UTC+1, J Hawkesworth wrote:
>>
>> Trond certainly is - see this entry on his blog: 
>> http://hindenes.com/trondsworking/2016/12/21/ansible-windows-what-weve-learned-from-6-months-in-production/
>>
>>
>> On Thursday, March 23, 2017 at 8:39:23 AM UTC, Sam wrote:
>>>
>>>
>>> Matt's insight regarding the roadmap is very useful, however is anyone 
>>> using the win_dsc5 module in the wild? I am due to start some testing today 
>>> so if there are any glaring gotchas that I can avoid please do share - it 
>>> will be much appreciated.
>>>
>>



[ansible-project] Re: Shutdown a Windows server

2017-03-30 Thread Matt Davis
win_reboot isn't a module, it's a Python action that runs on the 
controller- you have to stick it in an action_plugins dir (not library, as 
I assume you did, since it looks like it's trying to run the python code on 
the Windows target). 

I don't think we'd accept win_shutdown as a discrete module, but I might 
consider a new "state" arg for win_reboot that defaults to "rebooted" but 
would accept "shutdown" instead... 

-Matt

On Wednesday, March 29, 2017 at 7:59:53 AM UTC-7, MKPhil wrote:
>
> I'm trying to create a Playbook to *Shutdown *a Windows server.  I am 
> aware of win_reboot but that does a *Reboot *(i.e. shutdown /r) - I want 
> to do shutdown /s to turn a machine completely off.  I've made a copy of 
> win_reboot.py and changed the Python code so it does a shutdown /s  but 
> when I call it, the playbook seems to think it's a PowerShell command: 
> "The term '/usr/bin/python' is not recognized as the name of a cmdlet 
> etc..."
>
> I can use the raw module: raw: shutdown /s /t 2 but I'd prefer the 
> variable and error handling of a module.
>
> Any ideas?
>



Re: [ansible-project] Kerberos Auth - the specified credentials were rejected by the server

2017-03-30 Thread Matt Davis
Is the target host's HTTP SPN assigned to a user (instead of the computer 
account) in AD? Pywinrm isn't currently patching the service override 
through to the kerb layer (see https://github.com/diyan/pywinrm/pull/144), 
so if you're in that situation, you'll have to wait for the next pywinrm 
release that includes that bugfix.

On Thursday, March 30, 2017 at 9:36:50 AM UTC-7, Michael Eaton wrote:
>
> Thanks, 
>
> That allowed me to get a bit further: 
>
>
> TASK [Gathering Facts] 
> ***
>  
>
> Using module file /root/ansible/lib/ansible/modules/windows/setup.ps1 
>  ESTABLISH WINRM CONNECTION FOR USER: 
> ansi...@iom.domain.com on PORT 5986 TO appt-001-iom.IOM.DOMAIN.COM 
> creating Kerberos CC at /tmp/tmppm3JWz 
> calling kinit for principal ansi...@iom.domain.com 
> kinit succeeded for principal ansi...@iom.domain.com 
>  WINRM CONNECT: transport=kerberos endpoint=
> https://appt-001-iom.IOM.DOMAIN.COM:5986/wsman 
>  WINRM CONNECTION ERROR: authGSSClientStep() 
> failed: (('Unspecified GSS failure.  Minor code may provide more 
> information', 851968), ('Server not found in Kerberos database', 
> -1765328377)) 
> Traceback (most recent call last): 
>   File "/root/ansible/lib/ansible/plugins/connection/winrm.py", line 211, 
> in _winrm_connect 
> self.shell_id = protocol.open_shell(codepage=65001)  # UTF-8 
>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in 
> open_shell 
> res = self.send_message(xmltodict.unparse(req)) 
>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in 
> send_message 
> return self.transport.send_message(message) 
>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 181, in 
> send_message 
> prepared_request = self.session.prepare_request(request) 
>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 407, 
> in prepare_request 
> hooks=merge_hooks(request.hooks, self.hooks), 
>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 306, in 
> prepare 
> self.prepare_auth(auth, url) 
>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 543, in 
> prepare_auth 
> r = auth(self) 
>   File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", 
> line 308, in __call__ 
> auth_header = self.generate_request_header(None, host, 
> is_preemptive=True) 
>   File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", 
> line 148, in generate_request_header 
> raise KerberosExchangeError("%s failed: %s" % (kerb_stage, 
> str(error.args))) 
> KerberosExchangeError: authGSSClientStep() failed: (('Unspecified GSS 
> failure.  Minor code may provide more information', 851968), ('Server not 
> found in Kerberos database', -1765328377)) 
>
> fatal: [appt-001-iom.IOM.DOMAIN.COM]: UNREACHABLE! => { 
> "changed": false, 
> "msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS 
> failure.  Minor code may provide more information', 851968), ('Server not 
> found in Kerberos database', -1765328377))", 
> "unreachable": true 
> } 
> to retry, use: --limit @/root/ansible-iom/windows.retry 
>
>
> As you can see the ticket request succeeds but I still get the error about 
> the server not being found. DNS looks good - I can resolve both ways, 
> WinRM config... 
>
>
>
> Config 
> MaxEnvelopeSizekb = 500 
> MaxTimeoutms = 6 
> MaxBatchItems = 32000 
> MaxProviderRequests = 4294967295 
> Client 
> NetworkDelayms = 5000 
> URLPrefix = wsman 
> AllowUnencrypted = false 
> Auth 
> Basic = true 
> Digest = true 
> Kerberos = true 
> Negotiate = true 
> Certificate = true 
> CredSSP = false 
> DefaultPorts 
> HTTP = 5985 
> HTTPS = 5986 
> TrustedHosts 
> Service 
> RootSDDL = 
> O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD) 
> MaxConcurrentOperations = 4294967295 
> MaxConcurrentOperationsPerUser = 1500 
> EnumerationTimeoutms = 24 
> MaxConnections = 300 
> MaxPacketRetrievalTimeSeconds = 120 
> AllowUnencrypted = true 
> Auth 
> Basic = true 
> Kerberos = true 
> Negotiate = true 
> Certificate = false 
> CredSSP = false 
> CbtHardeningLevel = Relaxed 
> DefaultPorts 
> HTTP = 5985 
> HTTPS = 5986 
> IPv4Filter = * 
> IPv6Filter = * 
> EnableCompatibilityHttpListener = false 
> EnableCompatibilityHttpsListener = false 
> CertificateThumbprint 
> Allo

[ansible-project] Re: Override the Ansible_ssh_password set in the dynamic inventory script

2017-03-23 Thread Matt Davis
Sure- you can override an inventory-set ansible_password with the vars 
keyword on a play or task:

# for the whole play
- hosts: thing_whose_password_has_changed
  vars:
    ansible_password: "{{ new_target_password }}"
  tasks:
  - ping:

or 

# on a specific task
- hosts: thing_whose_password_has_changed
  tasks:
  - ping:
    vars:
      ansible_password: "{{ new_target_password }}"




If you're 

On Thursday, March 23, 2017 at 5:50:09 PM UTC-7, Levi Blaney wrote:
>
> Hey,
>
>  I have a dynamic inventory script. The script sets these variables...
>
> "Server01": {
>     "ansible_host": "xxx.xxx.xxx.xxx",
>     "ansible_ssh_host": "xxx.xxx.xxx.xxx",
>     "ansible_ssh_pass": ""
> }
>
> That way when you spin up a new cloud host you can immediately call a role 
> or playbook on it. I have set up a role using the user module and have used 
> it to set up a new ansible user and ssh key and tested it by sshing from 
> the cmd line to the machine. The problem I have is that I changed the root 
> password on that box and now all ansible tasks fail because it's 
> defaulting to the ansible_ssh_pass.
>
> ansible Test -m ping
> Server01 | UNREACHABLE! => {
> "changed": false,
> "msg": "ERROR! Authentication failure.",
> "unreachable": true
> }
>
>
>
>  Do I have something I can change in my playbook or cmd line to make it 
> try ssh via key and not password? 
>
> Thanks,
> Levi
>



[ansible-project] Re: ansible 2.3 win_copy fails when trying to get file from network drive

2017-03-23 Thread Matt Davis
Sorry, that should've been:

- win_copy:
    ... (whatever args to win_copy)
  become: yes
  become_method: runas
  become_user: "{{ ansible_user }}"
  vars:
    ansible_become_password: "{{ ansible_password }}"

On Thursday, March 23, 2017 at 5:54:55 PM UTC-7, Matt Davis wrote:
>
> The new Windows become stuff in 2.3 creates an "interactive" type logon 
> session, so credential caches and transparent multi-hop work- it should 
> take care of the auth issue (so it behaves like it would if you were 
> sitting in front of the machine). There's currently a bug that only allows 
> it to work under Basic and CredSSP (not NTLM/Kerb), but I'm hoping to have 
> that nailed down by 2.3RC2.
>
> Just do:
> - win_copy:
>     ... (whatever args to win_copy)
>   become: yes
>   become_method: runas
>   become_user: "{{ ansible_user }}"
>   become_password: "{{ ansible_password }}"
>
> This *should* take care of it for you...
>
> -Matt
>
>
> On Thursday, March 23, 2017 at 11:35:03 AM UTC-7, patrick korsnick wrote:
>>
>> Hi Jon,
>>
>> Thanks for the input. You're correct about the number of authentication 
>> hops- the client machine is not on a domain, but uses domain credentials to 
>> map the network share. So in the group_vars file there are only the 
>> non-domain credentials. I was able to use win_copy to copy a local file to 
>> another local file, but even after upgrading pywinrm to 0.2.0 and 
>> installing the credssp and re-running the ConfigureRemotingForAnsible.ps1 
>> script on the client with the credssp argument it still doesn't work. I'm 
>> thinking it's because I need to figure out how to pass it the credentials 
>> for the second-hop authentication.
>>
>> thanks again!
>> pat
>>
>> On Wednesday, March 22, 2017 at 11:30:49 PM UTC-6, J Hawkesworth wrote:
>>>
>>> Not tried it yet myself but can you establish if it works for a file 
>>> that isn't on a mapped drive first?
>>> If so then it's possible you are getting into a second hop authentication 
>>> scenario (by default windows doesn't allow more than a single hop (ansible 
>>> controller -> windows box, but you may have 2 hops here (ansible -> windows 
>>> box -> mapped drive on another windows box).  There are ways around this 
>>> (either by using a domain user or credssp).  If you are already connecting 
>>> as a domain user, make sure you are using pywinrm==0.2.0 or later, and add 
>>> ansible_winrm_kerberos_delegation=true to the inventory vars for the 
>>> Windows host in question.
>>>
>>> If CredSSP is an option for you, you'll need to check your systems meet 
>>> the requirements (see 
>>> http://docs.ansible.com/ansible/intro_windows.html#credssp ) install 
>>> the requests-credssp library on your ansible controller and run the 
>>> ConfigureForRemoting.. script with the EnableCredSSP option as described 
>>> here: 
>>> http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep 
>>>
>>> Please let us know how you get on.
>>>
>>> (oh and thanks for testing 2.3 Release candidate).
>>>
>>> Jon
>>>
>>> On Wednesday, March 22, 2017 at 11:16:29 PM UTC, patrick korsnick wrote:
>>>>
>>>> Hi all,
>>>>
>>>> Has anyone had any luck using the new in 2.3 feature of win_copy 
>>>> (remote_src) to copy files to/from a mapped network drive?  
>>>>
>>>> essentially I'm trying to do this:
>>>>
>>>> - name: copy from share
>>>>   win_copy:
>>>>     src: w:\foo
>>>>     dest: c:\
>>>>     remote_src: True
>>>>
>>>> and I get a message saying the src path doesn't exist. I tried using a 
>>>> UNC path instead of the drive letter also.
>>>>
>>>> The way I've been getting around this is to use a bat file that maps 
>>>> the drive and then does the copy, but I'd like to be able to do it with 
>>>> only the playbook and no bat file.
>>>>
>>>> Thanks for any input!
>>>>
>>>



[ansible-project] Re: ansible 2.3 win_copy fails when trying to get file from network drive

2017-03-23 Thread Matt Davis
The new Windows become stuff in 2.3 creates an "interactive" type logon 
session, so credential caches and transparent multi-hop work- it should 
take care of the auth issue (so it behaves like it would if you were 
sitting in front of the machine). There's currently a bug that only allows 
it to work under Basic and CredSSP (not NTLM/Kerb), but I'm hoping to have 
that nailed down by 2.3RC2.

Just do:
- win_copy:
    ... (whatever args to win_copy)
  become: yes
  become_method: runas
  become_user: "{{ ansible_user }}"
  become_password: "{{ ansible_password }}"

This *should* take care of it for you...

-Matt


On Thursday, March 23, 2017 at 11:35:03 AM UTC-7, patrick korsnick wrote:
>
> Hi Jon,
>
> Thanks for the input. You're correct about the number of authentication 
> hops- the client machine is not on a domain, but uses domain credentials to 
> map the network share. So in the group_vars file there are only the 
> non-domain credentials. I was able to use win_copy to copy a local file to 
> another local file, but even after upgrading pywinrm to 0.2.0 and 
> installing the credssp and re-running the ConfigureRemotingForAnsible.ps1 
> script on the client with the credssp argument it still doesn't work. I'm 
> thinking it's because I need to figure out how to pass it the credentials 
> for the second-hop authentication.
>
> thanks again!
> pat
>
> On Wednesday, March 22, 2017 at 11:30:49 PM UTC-6, J Hawkesworth wrote:
>>
>> Not tried it yet myself but can you establish if it works for a file that 
>> isn't on a mapped drive first?
>> If so then it's possible you are getting into a second hop authentication 
>> scenario (by default windows doesn't allow more than a single hop (ansible 
>> controller -> windows box, but you may have 2 hops here (ansible -> windows 
>> box -> mapped drive on another windows box).  There are ways around this 
>> (either by using a domain user or credssp).  If you are already connecting 
>> as a domain user, make sure you are using pywinrm==0.2.0 or later, and add 
>> ansible_winrm_kerberos_delegation=true to the inventory vars for the 
>> Windows host in question.
>>
>> If CredSSP is an option for you, you'll need to check your systems meet 
>> the requirements (see 
>> http://docs.ansible.com/ansible/intro_windows.html#credssp ) install the 
>> requests-credssp library on your ansible controller and run the 
>> ConfigureForRemoting.. script with the EnableCredSSP option as described 
>> here: 
>> http://docs.ansible.com/ansible/intro_windows.html#windows-system-prep 
>>
>> Please let us know how you get on.
>>
>> (oh and thanks for testing 2.3 Release candidate).
>>
>> Jon
>>
>> On Wednesday, March 22, 2017 at 11:16:29 PM UTC, patrick korsnick wrote:
>>>
>>> Hi all,
>>>
>>> Has anyone had any luck using the new in 2.3 feature of win_copy 
>>> (remote_src) to copy files to/from a mapped network drive?  
>>>
>>> essentially I'm trying to do this:
>>>
>>> - name: copy from share
>>>   win_copy:
>>>     src: w:\foo
>>>     dest: c:\
>>>     remote_src: True
>>>
>>> and I get a message saying the src path doesn't exist. I tried using a 
>>> UNC path instead of the drive letter also.
>>>
>>> The way I've been getting around this is to use a bat file that maps the 
>>> drive and then does the copy, but I'd like to be able to do it with only 
>>> the playbook and no bat file.
>>>
>>> Thanks for any input!
>>>
>>



[ansible-project] Re: win_feature--Choose only selective sub features

2017-03-23 Thread Matt Davis
That's the default behavior- just don't specify include_sub_features or 
include_management_tools, and specify the exact features you want.

On Thursday, March 23, 2017 at 11:49:35 AM UTC-7, Suporter wrote:
>
> is it possible to choose only selective sub features ? for example: IIS 
> has so many sub features, if we install them all , there would be 
> unnecessary footprint, so is it possible to pick and choose and install the 
> required sub features?
>



[ansible-project] Re: windows domain controller(s) set up

2017-03-22 Thread Matt Davis
Oh, and for the second DC once the domain exists, you'll need to use 
win_dns_client to point the 2nd host at the new DC's DNS server first, then 
use win_domain_controller to promote it (I haven't tried promoting a 
non-member server in awhile, but it worked at one point, so you *probably* 
don't need to use win_domain_membership to join the would-be-2nd-DC to the 
domain first). 

On Wednesday, March 22, 2017 at 4:07:49 PM UTC-7, Matt Davis wrote:
>
> I probably could've done a better job with the actual docs descriptions on 
> these (PRs welcome ;) )...
>
> win_domain is for "ensuring that the given domain exists", creating a new 
> forest/domain on the target machine if not.
> win_domain_controller is for switching a host between domain controller 
> and member server status on an existing domain.
> win_domain_membership is for switching a host between a workgroup member 
> and a domain member.
>
> The domain admin creds for the DC and Membership modules are to specify 
> existing domain admin credentials used to join/leave the domain or promote 
> to a DC (since you can't connect with domain creds to a workgroup host, and 
> the DC promotion module doesn't require that you're already a member of the 
> domain). When creating a new domain, all admin accounts that exist on the 
> host are automatically domain admins for the new domain.
>
> These modules are nowhere near exhaustive WRT the capabilities for 
> creating a new domain, they just scratched an itch I had for doing this 
> under our CI. We're currently not testing domain anything, something I'm 
> hoping to change for 2.4, but it requires "throwaway" domains, which we now 
> have the capability to create.
>
> -Matt
>
> On Wednesday, March 22, 2017 at 10:09:43 AM UTC-7, J Hawkesworth wrote:
>>
>> Hello,
>>
>> There are 3 new modules in ansible 2.3 to do with creating and setting up 
>> Windows Active Directory domain controllers.
>>
>> https://docs.ansible.com/ansible/win_domain_module.html
>> https://docs.ansible.com/ansible/win_domain_membership_module.html
>> https://docs.ansible.com/ansible/win_domain_controller_module.html
>>
>> Is anyone else experimenting with these yet?
>>
>> I am trying to set up a pair of domain controllers but not sure the order 
>> I should be doing things in.
>> Looks like call win_domain on primary to create a forest first, but after 
>> that I am a bit confused as it seems I need to make secondary dc a member 
>> of the domain first, but I am unable to get the second machine to join the 
>> new domain created on the primary as the win_domain_membership call fails 
>> with.
>>
>> "failed to join domain 'testdomain.local' from its current workgroup 
>> \r\n'WORKGROUP' with following error message: The specified domain either 
>> does not exist or could not be contacted."
>>
>> Also both this module and win_domain_controller ask for a domain 
>> administrator user/password but I'm not sure how to create the domain admin 
>> user (being something of a programmer I've not had to set up my own domain 
>> before).  Maybe I just need to call Add-ADUser ?
>>
>> Any pointers would be gratefully received.
>>
>> Many thanks,
>>
>> Jon
>>
>>  
>>
>
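
The ordering described in this thread, as an added example playbook (not from the original posts or from the Ansible project): create the forest with win_domain, point the second host's DNS client at the first DC with win_dns_client, then promote it with win_domain_controller. The inventory group names, the first_dc_ip variable, the "*" adapter wildcard and the vault_* variable names are assumptions; the secrets are expected to come from an Ansible Vault-encrypted vars file rather than plain-text inventory.

```yaml
# Added example; group names, first_dc_ip and the vault_* variables are assumptions.
- name: Create the forest/domain on the first DC
  hosts: first_dc                      # hypothetical inventory group
  tasks:
    - name: Ensure the domain exists (creates a new forest/domain if it does not)
      win_domain:
        dns_domain_name: testdomain.local
        safe_mode_password: "{{ vault_dsrm_password }}"
      register: domain_result

    - name: Reboot if creating the domain requires it
      win_reboot:
      when: domain_result.reboot_required

- name: Promote the second DC
  hosts: second_dc                     # hypothetical inventory group
  tasks:
    # Without this step the new domain cannot be located from the second host,
    # which matches the "domain either does not exist or could not be
    # contacted" error quoted in the thread.
    - name: Point the DNS client at the first DC
      win_dns_client:
        adapter_names: "*"
        ipv4_addresses:
          - "{{ first_dc_ip }}"        # hypothetical variable: IP of the first DC

    # Existing domain admin credentials; per the thread, admin accounts that
    # existed on the first host became domain admins when the domain was created.
    - name: Promote to domain controller
      win_domain_controller:
        dns_domain_name: testdomain.local
        domain_admin_user: "{{ vault_domain_admin_user }}"
        domain_admin_password: "{{ vault_domain_admin_password }}"
        safe_mode_password: "{{ vault_dsrm_password }}"
        state: domain_controller
      register: dc_result

    - name: Reboot if the promotion requires it
      win_reboot:
      when: dc_result.reboot_required
```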



[ansible-project] Re: Ansible DSC integration - coming to main release?

2017-03-22 Thread Matt Davis
That was me. :) Exploring "first-class" DSC support is on the Ansible 2.4 
roadmap (still in draft), but we haven't yet committed to what form it will 
take. If you've got opinions, or want to "grab a shovel", please stop by a 
Windows Working Group IRC meeting- we'll probably start discussing that kind 
of stuff once 2.3 has shipped.

-Matt

On Wednesday, March 22, 2017 at 6:29:34 AM UTC-7, Sam wrote:
>
> Hi all,
>
> I have just started to look at using Ansible as the orchestration engine 
> for DSC resources on Windows; Ansible modules for Windows are a bit too 
> thin on the ground at the moment. I have found a couple of options both 
> developed by Trond Hindenes: one is a wrapper module that invokes DSC 
> expressions (https://github.com/trondhindenes/Ansible-win_dsc) and 
> another is a script that generates Ansible modules from DSC resources (
> https://github.com/trondhindenes/AnsibleDscModuleGenerator).
>
> I was wondering if anyone had insight into whether this or something 
> similar is in the pipeline for the main Ansible release? I might be wrong 
> but Ansible support doesn't look to be a priority, and listening to a 
> recent-ish powershell.org podcast with someone from the Ansible team I 
> didn't get the feeling that fuller Windows/Powershell/WMF functionality was 
> at the heart of the roadmap (or particularly easy to implement!).
>
>



[ansible-project] Re: windows domain controller(s) set up

2017-03-22 Thread Matt Davis
I probably could've done a better job with the actual docs descriptions on 
these (PRs welcome ;) )...

win_domain is for "ensuring that the given domain exists", creating a new 
forest/domain on the target machine if not.
win_domain_controller is for switching a host between domain controller and 
member server status on an existing domain.
win_domain_membership is for switching a host between a workgroup member 
and a domain member.

The domain admin creds for the DC and Membership modules are to specify 
existing domain admin credentials used to join/leave the domain or promote 
to a DC (since you can't connect with domain creds to a workgroup host, and 
the DC promotion module doesn't require that you're already a member of the 
domain). When creating a new domain, all admin accounts that exist on the 
host are automatically domain admins for the new domain.

These modules are nowhere near exhaustive WRT the capabilities for creating 
a new domain, they just scratched an itch I had for doing this under our 
CI. We're currently not testing domain anything, something I'm hoping to 
change for 2.4, but it requires "throwaway" domains, which we now have the 
capability to create.

-Matt

On Wednesday, March 22, 2017 at 10:09:43 AM UTC-7, J Hawkesworth wrote:
>
> Hello,
>
> There are 3 new modules in ansible 2.3 to do with creating and setting up 
> Windows Active Directory domain controllers.
>
> https://docs.ansible.com/ansible/win_domain_module.html
> https://docs.ansible.com/ansible/win_domain_membership_module.html
> https://docs.ansible.com/ansible/win_domain_controller_module.html
>
> Is anyone else experimenting with these yet?
>
> I am trying to set up a pair of domain controllers but not sure the order 
> I should be doing things in.
> Looks like call win_domain on primary to create a forest first, but after 
> that I am a bit confused as it seems I need to make secondary dc a member 
> of the domain first, but I am unable to get the second machine to join the 
> new domain created on the primary as the win_domain_membership call fails 
> with.
>
> "failed to join domain 'testdomain.local' from its current workgroup 
> \r\n'WORKGROUP' with following error message: The specified domain either 
> does not exist or could not be contacted."
>
> Also both this module and win_domain_controller ask for a domain 
> administrator user/password but I'm not sure how to create the domain admin 
> user (being something of a programmer I've not had to set up my own domain 
> before).  Maybe I just need to call Add-ADUser ?
>
> Any pointers would be gratefully received.
>
> Many thanks,
>
> Jon
>
>  
>
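
The ordering described in the reply above, sketched as a two-play playbook. This is an added example, not code from the thread or from the Ansible project; the host names dc1/dc2 and the vault_* variable names are hypothetical, and it assumes dc2 can already resolve testdomain.local through DNS.

```yaml
# Constructed example: forest root on dc1, then dc2 promoted as a second DC.
# Hypothetical names: hosts dc1/dc2 and the vault_* variables, which are
# assumed to live in an ansible-vault encrypted vars file, not in the playbook.
- name: Create the new forest on the first host
  hosts: dc1
  gather_facts: no
  tasks:
    # win_domain creates a brand-new domain, so it takes no domain admin
    # credentials; only the recovery (safe mode) password is needed.
    - name: Create the domain
      win_domain:
        dns_domain_name: testdomain.local
        safe_mode_password: "{{ vault_dsrm_password }}"
      register: new_domain

    - name: Reboot to finish creating the domain
      win_reboot:
      when: new_domain.reboot_required

- name: Promote the second host straight to domain controller
  hosts: dc2
  gather_facts: no
  tasks:
    # The DC promotion module does not require that the host is already a
    # domain member, so there is no win_domain_membership step here.
    - name: Promote to DC using existing domain admin credentials
      win_domain_controller:
        dns_domain_name: testdomain.local
        # Admin accounts that existed on dc1 became domain admins when the
        # domain was created, so no separate admin account has to be made.
        domain_admin_user: administrator@testdomain.local
        domain_admin_password: "{{ vault_dc1_admin_password }}"
        safe_mode_password: "{{ vault_dsrm_password }}"
        state: domain_controller
      register: dc_promo

    - name: Reboot to finish the promotion
      win_reboot:
      when: dc_promo.reboot_required
```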



[ansible-project] Re: Ansible for Windows: strange behavior

2017-03-17 Thread Matt Davis
The only time I've ever seen that behavior is on the first request to a 
brand-new Windows AWS instance. For some reason, the shell creation can 
take up to 30s, much longer than our default operation timeout of ~5s.

You can try increasing the operation and read timeouts by adjusting the 
ansible_winrm_operation_timeout_sec and ansible_winrm_read_timeout_sec 
inventory vars (the read timeout must be greater than the operation timeout). They're 
set to relatively low values to minimize the "dead host" detection 
interval, and this doesn't typically cause problems in normal operation.

-Matt

On Friday, March 17, 2017 at 3:17:19 AM UTC-7, Michele Viviani wrote:
>
> Hi,
> I do have some problems using Ansible with Windows.
> For many of my servers it works, but for some I'm receiving 
> "HTTPConnectionPool(host='10.10.193.180', port=5985): Read timed out" even 
> if the WinRM configuration is correct. (it's the same as several others)
> Moreover, if I run an Enter-PSSession myhost.domain.com from another 
> Windows server, it works and after that command also ansible win_ping is 
> responding.
>
> Below my test case
> *
> [r...@ansible.domain.com ~]# ansible windows -m win_ping
> 10.10.193.180 | UNREACHABLE! => {
> "changed": false,
> "msg": "ntlm: HTTPConnectionPool(host='10.229.193.180', port=5985): 
> Read timed out. (read timeout=30)",
> "unreachable": true
> }
> *
> Executing successfully  Enter-PSSession myhost.domain.com from a Windows 
> server
> *
> [r...@ansible.domain.com ~]# ansible windows -m win_ping
> 10.10.193.180 | SUCCESS => {
> "changed": false,
> "ping": "pong"
> }
> *
> here my settings
>
> [r...@ansible.domain.com ~]# ansible --version
> ansible 2.2.1.0
>   config file = /etc/ansible/ansible.cfg
>   configured module search path = Default w/o overrides
> [r...@ansible.domain.com ~]# python -V
> Python 2.7.5
> [r...@ansible.domain.com ~]#
>
> Any ideas/help?
>
> Thanks a lot!!
> Mike
>



[ansible-project] Re: WinRM configuration script

2017-03-16 Thread Matt Davis
You mean this one? ;)

On Thursday, March 16, 2017 at 11:43:11 AM UTC-7, Erick Sevmont wrote:
>
> Hi Trond! 
>
> I'm very interested, I just joined a project where I need this exactly, 
> wondering if you still have that available, the link sends 404, I snooped a 
> bit in https://github.com/trondhindenes but I didn't see it! Would you 
> mind sharing this again if you have it handy?
>
> Thanks! Erick
>
> On Saturday, July 5, 2014 at 10:56:59 AM UTC-5, Trond Hindenes wrote:
>>
>> If anyone else in here is interested in Windows support, I've published 
>> an updated version of the winrm configuration script which basically 
>> performs a fire-and-forget setup of WinRM for https.
>>
>> I'm trying to be as smart as possible and do as little as possible, so if 
>> WinRM over https is already enabled (like it is on VMs running in Azure) 
>> I'm skipping that part. The script should also work on Windows 2008R2 hosts 
>> where PowerShell 3.0 is enabled (I've made that a hard requirement as 
>> Ansible won't run on lower versions of PowerShell).
>>
>> In any case, I'd be happy to take feedback on it, and if Michael wants to 
>> add this to the "scripts" folder inside the source at some point then I'd 
>> be all for that of course.
>>
>> https://gist.github.com/trondhindenes/b9b5b25b11273cc35659
>>
>>
>>



[ansible-project] Re: Ansible managing Windows hosts with non admin user

2017-03-06 Thread Matt Davis
You have to grant the non-admin user/group "Shut down the system" 
privileges on the machine(s) in question- default setting only allows that 
for Administrators and Backup Operators.

On Sunday, March 5, 2017 at 2:36:08 PM UTC-8, Zubair Saeed wrote:
>
> Hi,
>
> I've added my non-admin user to *winrm configSDDL default* and when I 
> win_ping my windows host, I can get a reply. But when I run win_reboot 
> command, it gives me access denied error.
>
> Does anyone have any idea on this?
>
> Regards,
> Zubair
>
>
> On Tuesday, 7 June 2016 12:30:50 UTC+5, helpde...@gmail.com wrote:
>>
>> Thanks a lot,
>> That was it 
>>
>> Have a nice day.
>>
>> Patrick
>>
>



[ansible-project] Re: Ansible Windows become_user per task?

2017-03-02 Thread Matt Davis
Yeah, docs forthcoming for this stuff, but you need to specify a couple 
more things to make it work (since the global *nix defaults don't make 
sense under Windows):

First and foremost, you never actually said you want to "become", just 
"who" you want to become- you need to add "become: yes" (this is not 
Windows-specific). Then you need to tell us which become method to use 
(become_method: runas), as the default "sudo" isn't implemented on Windows. 
You can set these at either the play or task level, as necessary, but 
"become: yes" is the key to actually making a task run as someone else- the 
rest is just "how". See below for a sample.

Also, there's a bug right now that's preventing become from working under 
NTLM and Kerberos auth (fails with "Access is denied"), so you can only use 
it with Basic, CredSSP, and Certificate auth (hoping to nail this one down 
in the next few days).

Hope that helps...

-Matt

(ansible-dev) [mdavis@mdavis-t460p win2012r2-domain]$ cat become.yml
- hosts: member1
  gather_facts: no
  become_method: runas
  tasks:
  - name: as default user
    win_shell: whoami

  - name: as administrator
    become: yes
    become_user: administrator
    win_shell: whoami



(ansible-dev) [mdavis@mdavis-t460p win2012r2-domain]$ ansible-playbook -i 
hosts become.yml -vv -K
No config file found; using defaults
SUDO password: 

PLAYBOOK: become.yml 
***
1 plays in become.yml

PLAY [member1] 
*
META: ran handlers

TASK [as default user] 
*
task path: /home/mdavis/vm/win2012r2-domain/become.yml:5
changed: [member1] => {"changed": true, "cmd": "whoami", "delta": 
"0:00:00.156427", "end": "2017-03-02 11:29:12.986398", "rc": 0, "start": 
"2017-03-02 11:29:12.829970", "stderr": "", "stderr_lines": [], "stdout": 
"ansible\\testguy\r\n", "stdout_lines": ["ansible\\testguy"]}

TASK [as administrator] 

task path: /home/mdavis/vm/win2012r2-domain/become.yml:8
changed: [member1] => {"changed": true, "cmd": "whoami", "delta": 
"0:00:00.187422", "end": "2017-03-02 11:29:13.876657", "rc": 0, "start": 
"2017-03-02 11:29:13.689234", "stderr": "", "stderr_lines": [], "stdout": 
"ansible\\testguy\r\n", "stdout_lines": ["ansible\\testguy"]}
META: ran handlers
META: ran handlers

PLAY RECAP 
*
member1 : ok=2 changed=2 unreachable=0 failed=0
  



On Wednesday, March 1, 2017 at 10:32:21 PM UTC-8, b...@tanners.org wrote:
>
> Is there a way to "become_user" per task on a Windows?
>
> - name: Install programs (win_shell)
>   win_shell: "{{ item.dest }}/{{ item.program }} {{ item.arguments }}"
>   register: cmd
>   when:
>     - window_packages is defined
>   with_items:
>     - "{{ window_packages }}"
>   become_user: bob
>   tags: win_workstation2
>
> Running the command with - shows I'm still WINRM as the Administrator
>
>  ESTABLISH WINRM CONNECTION FOR USER: 
> Administrator@CORP.LOCAL on PORT 5986 TO PC130.corp.local EXEC (via 
> pipeline wrapper)
>
> Not sure how to check what user the task is running as but I don't find 
> the stuff I'd expect in AppData\Local
>
>



[ansible-project] Windows Working Group IRC meetings

2017-02-28 Thread Matt Davis
We're pleased to announce that the Ansible Windows Working Group will begin 
biweekly IRC meetings in the Freenode #ansible-meeting channel on March 
13/14, 2017 (depending on your time zone). This will be a regular developer 
forum to discuss and guide the overall direction of Ansible's support for 
managing Windows hosts, as well as to talk over specific pull requests and 
feature ideas. As with all Ansible working groups, the intent is to keep 
the meetings development-focused, so support questions and other discussion 
will be redirected to the public #ansible IRC channel and mailing list.

In an attempt to accommodate the wide home-timezone range of Ansible 
Windows contributors, we're initially scheduling the meetings to occur 
every other week, on Monday afternoons and Friday mornings (Pacific Time). 
More details, including calendar, agenda links, and minutes, can be found 
at https://github.com/ansible/community/blob/master/MEETINGS.md.

This has been a long time coming- we're looking forward to engaging with 
the community in a more regular and realtime fashion. Hope to see you there!

- Matt Davis, Principal Software Engineer, Ansible Core / Red Hat



[ansible-project] Re: windows, secrets, and remote plays

2017-02-23 Thread Matt Davis
That's pretty much all you can do today- WinRM doesn't support any useful 
agent/key-based auth (WinRM certificate auth is nearly useless). It'd be 
cool if Microsoft could implement something akin to smartcard auth for RDP 
(which works transparently across remote connections like an ssh agent), 
but alas, nothing there yet. Microsoft's OpenSSH build has apparently 
recently added support for key-based auth for both local and domain users, 
but getting Windows module support working over SSH isn't even on the 
roadmap yet.

-Matt

On Saturday, February 18, 2017 at 3:24:36 PM UTC-8, pixel fairy wrote:
>
> how does one manage secrets and remote plays? when we only had linux to 
> deal with, no big deal to ssh -A to a control node, tmux, and have no 
> secrets stored there at all. 
>
> but now, we have to deal with windows, which doesn't speak ssh. of course 
> we can keep a vault remotely, and copy paste the passphrase over the ssh 
> connection, or just run from your laptop and hope the connections stay up. 
> is there a better way? what do the remote windows admins around here do?
>
>
>



[ansible-project] Re: win_command problems

2017-02-23 Thread Matt Davis
You're using the wrong module. 'dir' isn't a command, it's a shell 
directive- you need to give that to Powershell or cmd.exe, so you need to 
use win_shell. win_command is for running an executable.

-Matt

On Tuesday, February 21, 2017 at 7:20:57 AM UTC-8, norricorp wrote:
>
> Hi,
> so if I run on the command line, having used the inventory file to add 
> user/password details under windows:vars
> ansible mesh -u user1 -m win_shell -a "dir chdir=C:\Temp"
>
> then I get
>
> mesh | SUCCESS | rc=0 >>
>
> Directory: C:\Temp
>
> Mode LastWriteTime Length Name 
>
> But with a playbook
>
> - name: Run a series of debug tasks to see the value of variables
>   hosts: mesh
>   user: user1
>   tasks:
>   - name: list all the files in temp on c drive
>     win_command: dir
>     args:
>       chdir: c:\temp
>
> I get
> TASK [list all the files in temp on c drive] 
> ***
> fatal: [mesh]: FAILED! => {"changed": false, "cmd": "dir", "failed": true, 
> "msg": "The system cannot find the file specified", "rc": 2}
>
> The win_command module docs do not show escaping of backslashes or 
> quotes.
>
> What am I doing wrong?
>
> Regards,
> John
>



[ansible-project] Re: ansible not reading group_vars/windows.yml

2017-02-06 Thread Matt Davis
(especially since you installed from pip)

On Monday, February 6, 2017 at 2:50:13 PM UTC-8, Matt Davis wrote:
>
> Fedora 25, but shouldn't matter unless somebody horribly broke something 
> in packaging...
>
> On Monday, February 6, 2017 at 2:41:47 PM UTC-8, pixel fairy wrote:
>>
>> my control machine is ubuntu 16.04, ansible and winrm installed with pip. 
>> what's yours? I'll try from source.
>
>



[ansible-project] Re: ansible not reading group_vars/windows.yml

2017-02-06 Thread Matt Davis
Fedora 25, but shouldn't matter unless somebody horribly broke something in 
packaging...

On Monday, February 6, 2017 at 2:41:47 PM UTC-8, pixel fairy wrote:
>
> my control machine is ubuntu 16.04, ansible and winrm installed with pip. 
> what's yours? I'll try from source.



[ansible-project] Re: ansible not reading group_vars/windows.yml

2017-02-06 Thread Matt Davis
Hrm, running this exact stuff works fine for me on 2.2.1 (from source).

On Monday, February 6, 2017 at 6:05:09 AM UTC-8, pixel fairy wrote:
>
> seems ansible is not reading group_vars/windows.yml 
> tried renaming to group_vars/windows same result
>
> $ ansible --version
> ansible 2.2.1.0
>
> $ ansible windows --list-hosts
>   hosts (1):
> ex-domain1
>
> $ cat group_vars/windows.yml 
> ansible_user: Administrator
> ansible_port: 5986
> ansible_connection: winrm
> ansible_winrm_server_cert_validation: ignore
>
>
> $ ansible windows -m debug -a msg="{{ansible_user}}"
> ex-domain1 | SUCCESS => {
> "msg": "root"
> }
>
> $ cat ansible.cfg 
> [defaults]
> inventory = ./inventory
> remote_user = root
> roles_path = ./roles
>
>



[ansible-project] Re: Windows module - including PS script before transfering to the remote.

2017-02-06 Thread Matt Davis
There's some stuff coming in 2.3 that will help address this- the Windows 
exec wrapper is getting completely overhauled, and one of the new things it 
can do is include arbitrary PS module files from the controller along with 
the Ansible module code (instead of just module_utils/powershell.ps1 like 
today). The *nix module subsystem is getting support for pluggable 
module_utils (eg, add new module_utils files outside the core Ansible 
install), and if I have time, I'll add the same support to the Windows exec 
wrapper (if not, definitely for 2.4). Stay tuned for the new 2.3 exec 
wrapper- this should be landing in devel next week unless I run into any 
major blockers.

-Matt

On Monday, February 6, 2017 at 6:41:41 AM UTC-8, Bernard Landon wrote:
>
> Hello all!
>
> I'm writing a number of Powershell Ansible modules and facing an issue.
> Say you have a module A and a module B and some functions defined in 
> include.ps1.
> I would like module A and B to include include.ps1.
>
> My understanding is Ansible will transfer only module A. Which means a 
> regular include will fail because include.ps1 won't be on the remote.
> Is it possible to make Ansible include "include.ps1" in the module A 
> *before* transferring it to the remote?
>
> Would be super convenient. At the moment I have to copy/paste include.ps1 
> in module A, B and so on.
> As you can imagine this leads to a number of problems :-)
>
> Thanks!
>
>



[ansible-project] Re: playbook syntax

2017-01-19 Thread Matt Davis
PS: Alan Batie of Agora fame? 

On Thursday, January 19, 2017 at 10:00:18 AM UTC-8, Alan Batie wrote:
>
> I'm giving ansible a try, and it seems the examples aren't quite right - 
> using authorized_keys as a starting point:
>
> http://docs.ansible.com/ansible/authorized_key_module.html
>
> # cat e.yml
> - name: Set authorized key took from file 
>   authorized_key: 
>     user: charlie 
>     state: present 
>     key: "{{ lookup('file', '/home/charlie/.ssh/id_rsa.pub') }}" 
> # ansible-playbook e.yml 
> ERROR! 'authorized_key' is not a valid attribute for a Play 
>
> The error appears to have been in '/etc/ansible/e.yml': line 1, column 3, 
> but may 
> be elsewhere in the file depending on the exact syntax problem. 
>
> The offending line appears to be: 
>
> - name: Set authorized key took from file 
> ^ here
>
>
> I use a yaml syntax validator, which didn't like the comment after name: 
> but removing that doesn't change anything.
>
>



[ansible-project] Re: How to specify a virtual network in a different resource group when creating a new Azure VM?

2017-01-13 Thread Matt Davis
I know I tested this back when we first wrote it, so unless it got broken 
along the way somewhere, if you pass the full resource URI for the vnet 
(regardless of whether or not it's in the same RG), it should do the right 
thing...

On Thursday, January 12, 2017 at 6:38:18 PM UTC-8, Vincent Ngan wrote:
>
> Hi,
>
> I am trying to create a VM in Azure using Ansible. The setup of our Azure 
> configuration is that the virtual network is created in a different 
> resource manager from the virtual machines'. When I use the 
> azure_rm_virtualmachine module to create a virtual machine in Azure, the 
> module complains that the virtual network does not exist in the resource 
> manager of the virtual machine to be created. Is there any way I can do 
> that? Can I specify a virtual network with a fully qualified name including 
> its resource manager name so that the module would not confuse it with the 
> resource manager of the virtual machine?
>
> Vincent
>  
>



[ansible-project] Re: Run multiple tasks with different Ansible users for Windows hosts

2017-01-13 Thread Matt Davis
(ie, vars set by --extra-vars on the command-line cannot be overridden)

On Friday, January 13, 2017 at 12:19:16 PM UTC-8, Matt Davis wrote:
>
> The problem is that vars set on the command-line have the highest possible 
> precedence. If you were to set the initial value in inventory, or someplace 
> else with a lower precedence than a play/task var, it'd work fine 
> (verified).
>
> See 
> http://docs.ansible.com/ansible/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
>  for 
> more details.
>
> -Matt
>
> On Friday, January 13, 2017 at 10:28:33 AM UTC-8, davidfof wrote:
>>
>> Hi all,
>>
>>
>> I have a role that contains several tasks that should be run by different 
>> Ansible users. The playbook that uses this role should run on Windows hosts 
>> and I do this using a command similar to the following:
>>
>>
>>  ansible-playbook --limit windows -i hosts --extra-vars 
>> "ansible_user=my_username ansible_password=my_password" site.yaml
>>
>> Most of the tasks in the role should be done through the user specified 
>> in the command above while others should use another Windows user. For 
>> these other tasks, I try to override the user credential variables as shown 
>> below:
>>
>>
>>
>>
>>  - include: task_for_other_windows_user.yml
>>    vars:
>>      ansible_user: "{{other_windows_user_name}}"
>>      ansible_password: "{{other_windows_user_pw}}"
>>
>>
>> This unfortunately doesn't work as the playbook appears to use the same 
>> user initially defined, on all the plays. How do I implement what I'm 
>> trying to achieve here?
>>
>



[ansible-project] Re: Run multiple tasks with different Ansible users for Windows hosts

2017-01-13 Thread Matt Davis
The problem is that vars set on the command-line have the highest possible 
precedence. If you were to set the initial value in inventory, or someplace 
else with a lower precedence than a play/task var, it'd work fine 
(verified).

See 
http://docs.ansible.com/ansible/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
 for 
more details.

-Matt

On Friday, January 13, 2017 at 10:28:33 AM UTC-8, davidfof wrote:
>
> Hi all,
>
>
> I have a role that contains several tasks that should be run by different 
> Ansible users. The playbook that uses this role should run on Windows hosts 
> and I do this using a command similar to the following:
>
>
>  ansible-playbook --limit windows -i hosts --extra-vars 
> "ansible_user=my_username ansible_password=my_password" site.yaml
>
> Most of the tasks in the role should be done through the user specified in 
> the command above while others should use another Windows user. For these 
> other tasks, I try to override the user credential variables as shown below:
>
>
>
>
>  - include: task_for_other_windows_user.yml
>    vars:
>      ansible_user: "{{other_windows_user_name}}"
>      ansible_password: "{{other_windows_user_pw}}"
>
>
> This unfortunately doesn't work as the playbook appears to use the same 
> user initially defined, on all the plays. How do I implement what I'm 
> trying to achieve here?
>
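
One way to lay out the credentials so the per-include override described above takes effect. This is an added example, not code from the thread: the default connection user moves out of --extra-vars into group_vars, which has lower precedence than vars set on an include. The file paths, the role name and the vault_* variable names are hypothetical.

```yaml
---
# File: group_vars/windows.yml (constructed example)
# Inventory-level defaults have lower precedence than play/task/include
# vars, so they can be overridden later. The vault_* names are hypothetical
# and are assumed to be defined in an ansible-vault encrypted vars file.
ansible_user: "{{ vault_default_windows_user }}"
ansible_password: "{{ vault_default_windows_password }}"
ansible_connection: winrm
ansible_port: 5986

---
# File: roles/myrole/tasks/main.yml (constructed example)
- name: Runs as the default user from group_vars
  win_shell: whoami

# The vars on the include now win, because nothing with higher precedence
# (such as --extra-vars) pins ansible_user/ansible_password.
- include: task_for_other_windows_user.yml
  vars:
    ansible_user: "{{ other_windows_user_name }}"
    ansible_password: "{{ other_windows_user_pw }}"

# Invocation, with no credentials passed via --extra-vars:
#   ansible-playbook --limit windows -i hosts --ask-vault-pass site.yaml
```

Keeping the password out of --extra-vars also keeps it out of shell history and the process list on the control machine.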



[ansible-project] Re: Ansible upgrades for Routers

2017-01-12 Thread Matt Davis
Ansible is inherently parallel when executing the same task across multiple 
hosts (eg, "ensure firmware version X.Y.Z on - it defaults to a fairly low 
number of "forks", but if you run it on beefy enough hardware, can easily 
manage hundreds (and in some cases thousands) of devices/hosts in parallel. 

I don't think we ship any integrated firmware upgrade modules "in the box", 
but I've successfully written and deployed custom Ansible modules for ASA 
and Catalyst firmware upgrades and used them to manage devices at scale 
(this was before we had command modules for any of those devices). You can 
probably manage a firmware upgrade using the stuff we have in the box now 
(check version, make room for + push new binary if necessary, issue upgrade 
command, reboot), but I've never tried it that way.


On Thursday, January 12, 2017 at 2:24:38 PM UTC-8, Abhinav Sanakkayala 
wrote:
>
> Hi All, 
>
> Can we perform the code upgrades for the Cisco or Juniper routers? Say if 
> we have 600 routers in the network, the way it worked is to upgrade one by 
> one and it would take forever to upgrade all of them. As Ansible doesn't 
> have to be installed on the client machine, can we upgrade the network 
> elements like 10 at a time? 
>
> Can someone share a usecase. I know we can run the show commands but 
> interested to know if we can perform the actual code upgrades. 
>
> Thanks,
> Abhinav 
>



Re: [ansible-project] Re: How to loop thru win_updates until no updates left

2017-01-12 Thread Matt Davis
That post is really old- include looping has worked for a long time...

On Thursday, January 12, 2017 at 1:28:05 AM UTC-8, Danny Rehelis wrote:
>
> Hi Matt,
>
> Dag's solution was something I really hoped to work but then I found this 
> post by Brian Coca - 
> https://groups.google.com/forum/#!topic/ansible-project/xGGe6WADtH0
>
> Seems like this is not possible because "Include is not a module, more 
> like a preprocessing macro."
>
> On Thu, Jan 12, 2017 at 4:02 AM, Matt Davis  wrote:
>
>> The solution Dag posted is what I've always done, and it works great for 
>> me. I've been advocating for block loop support (as a cleaner solution to 
>> exactly this issue) since before it shipped, but I don't have the bandwidth 
>> to implement myself right now, and around here it's kinda "put up or shut 
>> up". ;) If it doesn't work for you, let us know why and maybe we can get it 
>> figured out.
>>
>> I really wouldn't recommend the "run the playbook in a loop" thing- you 
>> lose a lot of output fidelity and error handling, and it's really just a 
>> way more expensive way to do what Dag suggested.
>>
>> I actually originally wrote win_updates with a wrapper action that would 
>> handle the reboots automatically, but for various reasons (that I can't 
>> recall) decided to abandon the wrapper before I shipped it...
>>
>> -Matt
>>
>>
>> On Monday, January 2, 2017 at 7:39:48 AM UTC-8, auto...@gmail.com wrote:
>>>
>>> Hi,
>>>
>>> I'm using the win_updates module to carry out Windows patching and it works 
>>> pretty well.
>>> Sometimes updates have dependencies and multiple playbook executions are 
>>> required.
>>>
>>> I was thinking, if possible, to loop the playbook until 
>>> "found_update_count > 0" without the need of running ansible-playbook 
>>> multiple times after each finish.
>>>
>>> My playbook looks like this:
>>>
>>> - hosts: win_server_1
>>>   ignore_errors: true
>>>   gather_facts: true
>>>
>>>   tasks:
>>>     - name: search wu
>>>       win_updates:
>>>         category_names:
>>>           - UpdateRollups
>>>           - CriticalUpdates
>>>           - SecurityUpdates
>>>         state:
>>>           - searched
>>>         log_path:
>>>           - c:/temp/ansible_wu.txt
>>>       register: searched
>>>
>>>     - name: install wu
>>>       win_updates:
>>>         category_names:
>>>           - UpdateRollups
>>>           - CriticalUpdates
>>>           - SecurityUpdates
>>>         state:
>>>           - installed
>>>         log_path:
>>>           - c:/temp/ansible_wu.txt
>>>       register: installed
>>>       when: searched.found_update_count > 0
>>>
>>>     - name: reboot
>>>       win_reboot:
>>>         pre_reboot_delay_sec: 0
>>>         test_command: whoami
>>>         reboot_timeout_sec: 300
>>>       # reboot_required is a boolean; a single '=' is not a comparison in a when expression
>>>       when: installed.reboot_required | default(false) | bool
>>>       register: reboot
>>>
>>>
>>> I can't figure out how to put this in a playbook by myself, seeking 
>>> some guidance.
>>>
>>> Thanks,
>>>
>
>
>
> -- 
> Danny Rehelis - autogun [AT] gmail.com
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/bb72d56a-d8ba-42b1-a60c-d5004bcb98a9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
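
One way to write a task file that includes itself until no updates are found, as an added example that is not from this thread or from Dag's post. It assumes Ansible 2.4+ (`include_tasks`; the 2.2-era keyword was `include`); the file name `patch_pass.yml` and the variables `wu_pass` and `wu_max_passes` are hypothetical.

```yaml
# patch_pass.yml: one install/reboot/search pass that includes itself while updates remain.
# Called from a play with:   - include_tasks: patch_pass.yml
# Added example; the file name, wu_pass and wu_max_passes are hypothetical.

- name: count this pass so a host that never converges cannot recurse forever
  set_fact:
    wu_pass: "{{ wu_pass | default(0) | int + 1 }}"

- name: install pending updates
  win_updates:
    category_names:
      - UpdateRollups
      - CriticalUpdates
      - SecurityUpdates
    state: installed
    log_path: c:/temp/ansible_wu.txt
  register: installed

- name: reboot only when the installed updates ask for it
  win_reboot:
    reboot_timeout_sec: 300
  when: installed.reboot_required | default(false) | bool

- name: search again, since installed updates can unlock dependent ones
  win_updates:
    category_names:
      - UpdateRollups
      - CriticalUpdates
      - SecurityUpdates
    state: searched
    log_path: c:/temp/ansible_wu.txt
  register: searched

- name: fail loudly instead of leaving a host silently unpatched
  fail:
    msg: "{{ searched.found_update_count }} updates still pending after {{ wu_pass }} passes"
  when:
    - searched.found_update_count | int > 0
    - wu_pass | int >= wu_max_passes | default(5) | int

- name: run another pass while the search still finds updates
  include_tasks: patch_pass.yml
  when: searched.found_update_count | int > 0
```

Because no task here sets `ignore_errors`, a failed install or a reboot timeout stops the host instead of being recorded as a successful patch run.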


[ansible-project] Re: How to loop thru win_updates until no updates left

2017-01-11 Thread Matt Davis
The solution Dag posted is what I've always done, and it works great for 
me. I've been advocating for block loop support (as a cleaner solution to 
exactly this issue) since before it shipped, but I don't have the bandwidth 
to implement myself right now, and around here it's kinda "put up or shut 
up". ;) If it doesn't work for you, let us know why and maybe we can get it 
figured out.

I really wouldn't recommend the "run the playbook in a loop" thing- you 
lose a lot of output fidelity and error handling, and it's really just a 
way more expensive way to do what Dag suggested.

I actually originally wrote win_updates with a wrapper action that would 
handle the reboots automatically, but for various reasons (that I can't 
recall) decided to abandon the wrapper before I shipped it...

-Matt

On Monday, January 2, 2017 at 7:39:48 AM UTC-8, auto...@gmail.com wrote:
>
> Hi,
>
> I'm using the win_updates module to carry out Windows patching and it works 
> pretty well.
> Sometimes updates have dependencies and multiple playbook executions are 
> required.
>
> I was thinking, if possible, to loop the playbook until 
> "found_update_count > 0" without the need of running ansible-playbook 
> multiple times after each finish.
>
> My playbook looks like this:
>
> - hosts: win_server_1
>   ignore_errors: true
>   gather_facts: true
>
>   tasks:
>     - name: search wu
>       win_updates:
>         category_names:
>           - UpdateRollups
>           - CriticalUpdates
>           - SecurityUpdates
>         state:
>           - searched
>         log_path:
>           - c:/temp/ansible_wu.txt
>       register: searched
>
>     - name: install wu
>       win_updates:
>         category_names:
>           - UpdateRollups
>           - CriticalUpdates
>           - SecurityUpdates
>         state:
>           - installed
>         log_path:
>           - c:/temp/ansible_wu.txt
>       register: installed
>       when: searched.found_update_count > 0
>
>     - name: reboot
>       win_reboot:
>         pre_reboot_delay_sec: 0
>         test_command: whoami
>         reboot_timeout_sec: 300
>       # reboot_required is a boolean; a single '=' is not a comparison in a when expression
>       when: installed.reboot_required | default(false) | bool
>       register: reboot
>
>
> I can't figure out how to put this in a playbook by myself, seeking some 
> guidance.
>
> Thanks,
>
>



[ansible-project] Re: Run Ansible against a standalone Windows server

2017-01-11 Thread Matt Davis
Kerberos only functions on domain-joined hosts. The default authtype is 
Basic, so as long as you have Basic auth enabled in your WinRM config (our 
setup script does this), you're fine to use local users with 
ansible_user/ansible_password. You can also change the authtype to NTLM via 
ansible_winrm_transport=ntlm. 

On Wednesday, January 11, 2017 at 7:19:16 AM UTC-8, Eric Chong wrote:
>
> Is there a way to run Ansible against a standalone Windows server that is 
> not in a domain?  The document shows how to set up Kerberos with a Windows 
> domain.  What if the Windows server is not in any domain?
>
> Thanks
>



[ansible-project] Re: Problems with Async commands

2016-12-19 Thread Matt Davis
You don't want to match the sleep/async values- the ansible watchdog 
wrapper will always kill it during the sleep if you do that. The async 
value is the *maximum* allowed exec time in seconds for the task, and is 
enforced on both the control side and the managed side. The sleep 
beforehand can be very short (and oftentimes isn't needed at all), but you 
want an async value that's at least several seconds longer than the max 
time you think the command will take to return (doesn't really matter how 
high you set it, as the watchdog will get nuked on the reboot anyway in the 
"happy path").

I haven't run into a distro where I couldn't get this working *fairly* 
reliably, but the only guaranteed way is via a control-side action where 
you can handle/ignore the race where the shutdown occurs before the command 
output has returned to the controller (this is exactly how both win_reboot 
and the forthcoming reboot actions work, though the new one works at a 
little higher level). 

-Matt

On Monday, December 19, 2016 at 5:07:09 PM UTC-8, Chris Parish wrote:
>
> What is frustrating is that this used to work. Then my Raspberry PI's 
> upgraded to Jessie and ansible to 2.2 and none of my reboots will work any 
> more.
>



[ansible-project] Re: Problems with Async commands

2016-12-19 Thread Matt Davis
Sorry, that should've been: you'll need to set async to a high value (at 
least 30s) to prevent the module process from being killed prematurely by 
the watchdog, then set *poll* to 0 for fire-and-forget.

On Monday, December 19, 2016 at 1:47:38 PM UTC-8, Matt Davis wrote:
>
> The async wrapper is notoriously slow about daemonizing the module process 
> and capturing its output, so you'll need to increase the sleep delay to 
> probably at least 5s to reliably get this working. You'll also definitely 
> want async: 0 (which makes it "fire and forget" instead of polling for a 
> result, which will never succeed). Then you'll need to use wait_for on the 
> next task and watch for the ssh port to come back up before continuing your 
> playbook. Even this is not 100% reliable- there are several different 
> shutdown/startup races involved that can make it flaky, depending on what 
> your target OS is.
>
> I wrote the windows reboot action (win_reboot), and I just finished 
> (re)writing a *nix-friendly version that will likely ship in Ansible 2.3- 
> I've tested against several popular distros with success... Unfortunately 
> to work properly, it needs a change to the base connection layer, so you 
> won't be able to just drop the action plugin into Ansible 2.2.x and have it 
> work.
>
> -Matt
>
>
> On Monday, December 19, 2016 at 12:17:30 PM UTC-8, Chris Parish wrote:
>>
>> Hi,
>>
>> I am trying to get my remote machine to reboot using the following code
>>
>> - name: restart machine
>>   shell: sleep 2 && shutdown -r now "Ansible updates triggered"
>>   async: 1
>>   poll: 0
>>   sudo: true
>>   ignore_errors: true
>>
>> - name: waiting for server to come back
>>   local_action: wait_for host={{ static_ip }} state=started delay=30 timeout=300
>>   sudo: false
>>
>> No matter what I try I keep getting the following error:
>>
>>
>> fatal: [192.168.0.11]: FAILED! => {
>> "changed": false,
>> "failed": true,
>> "module_stderr": "Shared connection to 192.168.0.11 closed.\r\n",
>> "module_stdout": "\r\n/bin/sh: 1: 
>> /home/pi/.ansible/tmp/ansible-tmp-1481969769.79-144484795431651/async_wrapper.py:
>>  
>> not found\r\n",
>> "msg": "MODULE FAILURE"
>> }
>>
>> I cannot find any information about this and I have no idea where to 
>> start.
>> I have tried:
>>
>>
>>- changing the shell command
>>- increasing the async value
>>
>> If you set async to 0 then it doesn't generate the error, but you get a 
>> different error because you can't reboot on a synchronous command.
>>
>>
>> Ideas?
>>
>
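
The reboot tasks from the question with the corrections from this reply applied (async well above the sleep, poll 0, then wait for SSH), as an added example that is not part of the original thread. It assumes an OpenSSH server on port 22, keeps the poster's `static_ip` variable, and uses `become` in place of the older `sudo` keyword.

```yaml
# Added example: corrected form of the "restart machine" tasks quoted above.
- name: restart machine
  # The short sleep gives the async wrapper time to daemonize the command and
  # hand control back before sshd is torn down.
  shell: sleep 2 && shutdown -r now "Ansible updates triggered"
  # async is the MAXIMUM run time in seconds enforced by the watchdog, so it must
  # be comfortably longer than the sleep. Matching the two (async: 1 with sleep 2)
  # gets the command killed before shutdown ever runs.
  async: 60
  # poll: 0 is what makes the task fire-and-forget; polling could never succeed
  # because the host goes away.
  poll: 0
  become: true
  ignore_errors: true

- name: waiting for server to come back
  wait_for:
    host: "{{ static_ip }}"
    port: 22
    state: started
    # Match the SSH banner rather than a bare open port, so the play does not
    # continue while sshd is still starting (assumes an OpenSSH server).
    search_regex: OpenSSH
    delay: 30
    timeout: 300
  delegate_to: localhost
  become: false
```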



[ansible-project] Re: Problems with Async commands

2016-12-19 Thread Matt Davis
The async wrapper is notoriously slow about daemonizing the module process 
and capturing its output, so you'll need to increase the sleep delay to 
probably at least 5s to reliably get this working. You'll also definitely 
want async: 0 (which makes it "fire and forget" instead of polling for a 
result, which will never succeed). Then you'll need to use wait_for on the 
next task and watch for the ssh port to come back up before continuing your 
playbook. Even this is not 100% reliable- there are several different 
shutdown/startup races involved that can make it flaky, depending on what 
your target OS is.

I wrote the windows reboot action (win_reboot), and I just finished 
(re)writing a *nix-friendly version that will likely ship in Ansible 2.3- 
I've tested against several popular distros with success... Unfortunately 
to work properly, it needs a change to the base connection layer, so you 
won't be able to just drop the action plugin into Ansible 2.2.x and have it 
work.

-Matt


On Monday, December 19, 2016 at 12:17:30 PM UTC-8, Chris Parish wrote:
>
> Hi,
>
> I am trying to get my remote machine to reboot using the following code
>
> - name: restart machine
>   shell: sleep 2 && shutdown -r now "Ansible updates triggered"
>   async: 1
>   poll: 0
>   sudo: true
>   ignore_errors: true
>
> - name: waiting for server to come back
>   local_action: wait_for host={{ static_ip }} state=started delay=30 timeout=300
>   sudo: false
>
> No matter what I try I keep getting the following error:
>
>
> fatal: [192.168.0.11]: FAILED! => {
> "changed": false,
> "failed": true,
> "module_stderr": "Shared connection to 192.168.0.11 closed.\r\n",
> "module_stdout": "\r\n/bin/sh: 1: 
> /home/pi/.ansible/tmp/ansible-tmp-1481969769.79-144484795431651/async_wrapper.py:
>  
> not found\r\n",
> "msg": "MODULE FAILURE"
> }
>
> I cannot find any information about this and I have no idea where to start.
> I have tried:
>
>
>- changing the shell command
>- increasing the async value
>
> If you set async to 0 then it doesn't generate the error, but you get a 
> different error because you can't reboot on a synchronous command.
>
>
> Ideas?
>



Re: [ansible-project] Module "Warning" after upgrade to v. 2.2

2016-12-02 Thread Matt Davis
It's nothing you need to worry about- due to some changes in the module 
JSON sanitizer in 2.2, it's a little more sensitive than it used to be, so 
some modules are tripping it that didn't used to. Those warnings are there 
because sometimes there is actual spurious output from the module guts that 
signifies an error (you'd see the actual output in the message too, if 
there were anything to worry about). 

We don't currently have a consistent way to fail module tests when one of 
those warnings gets shown, but it's on the list of things to do, so 
meantime it's a game of whack-a-mole to find them and clean them up as we 
see them. If you want to file bugs for them when you spot them, it'd be 
helpful for us (since we're not in the habit of running all modules 
interactively looking for warnings). If you're willing to do that, you 
might want to wait for the module repo consolidation that's happening next 
week (after which you can file it on http://github.com/ansible/ansible).

-Matt

On Friday, December 2, 2016 at 4:23:39 AM UTC-8, Danny Rehelis wrote:
>
> I got the same JSON junk warnings with win_updates after updating... What 
> does this warning mean? What junk exactly?
>
> On Wed, Nov 30, 2016 at 11:40 PM, Dimitri Yioulos  
> wrote:
>
>> Hello, all.
>>
>> Today, I upgraded Ansible to version 2.2 from version 2.1 via RPM on a 
>> CentOS 6.x server.  The first playbook I ran post-upgrade contained a play 
>> using the win_updates module.  It appears the module worked, but I saw the 
>> following "Warning" during execution (I could only run the playbook again 
>> against a test server that was up-to-date so as to get verbose output) :
>>
>> Using module file 
>> /usr/lib/python2.6/site-packages/ansible/modules/extras/windows/win_updates.ps1
>>  ESTABLISH WINRM CONNECTION FOR USER: ansible on PORT 5986 
>> TO sawintest02
>>  EXEC Set-StrictMode -Version Latest
>> (New-Item -Type Directory -Path $env:temp -Name 
>> "ansible-tmp-1480539501.17-123206679591223").FullName | Write-Host 
>> -Separator '';
>>  PUT "/tmp/tmpxodTis" TO 
>> "C:\Users\ansible\AppData\Local\Temp\ansible-tmp-1480539501.17-123206679591223\win_updates.ps1"
>>  EXEC Set-StrictMode -Version Latest
>> Try
>> {
>> & 
>> 'C:\Users\ansible\AppData\Local\Temp\ansible-tmp-1480539501.17-123206679591223\win_updates.ps1'
>> }
>> Catch
>> {
>> $_obj = @{ failed = $true }
>> If ($_.Exception.GetType)
>> {
>> $_obj.Add('msg', $_.Exception.Message)
>> }
>> Else
>> {
>> $_obj.Add('msg', $_.ToString())
>> }
>> If ($_.InvocationInfo.PositionMessage)
>> {
>> $_obj.Add('exception', $_.InvocationInfo.PositionMessage)
>> }
>> ElseIf ($_.ScriptStackTrace)
>> {
>> $_obj.Add('exception', $_.ScriptStackTrace)
>> }
>> Try
>> {
>> $_obj.Add('error_record', ($_ | ConvertTo-Json | ConvertFrom-Json))
>> }
>> Catch
>> {
>> }
>> Echo $_obj | ConvertTo-Json -Compress -Depth 99
>> Exit 1
>> }
>> * [WARNING]: Module invocation had junk after the JSON data:*
>>
>> ok: [sawintest02] => {
>> "changed": false, 
>> "found_update_count": 0, 
>> "installed_update_count": 0, 
>> "invocation": {
>> "module_name": "win_updates"
>> }, 
>> "reboot_required": false, 
>> "updates": {}
>> }
>>
>> What's the error about, and how can I fix it?
>>
>> As always, thanks.
>>
>
>
>
> -- 
> Danny Rehelis - autogun [AT] gmail.com
>



[ansible-project] Re: Set the "changed" value when using the raw module

2016-11-17 Thread Matt Davis
Though for what you're doing, you should probably use win_chocolatey or 
win_package, as they'll actually give you idempotency.

On Thursday, November 17, 2016 at 11:40:33 AM UTC-8, Matt Davis wrote:
>
> We changed raw in 2.2 to return changed: true for consistency with the 
> other non-idempotent modules (shell/script/command/etc). You can override 
> with changed_when if you're not on 2.2 yet.
>
> On Thursday, November 17, 2016 at 11:18:04 AM UTC-8, Justin Dugan wrote:
>>
>> Hi all,
>>
>> I am using the following task in a playbook:
>>
>> - name: Install .Net 4.6.2
>>   raw: c:/temp/NDP462-KB3151800-x86-x64-AllOS-ENU.exe /q /norestart
>>   when: raw_output.stdout | version_compare('394806', '<')
>>   notify:
>>     - reboot
>>
>> Everything works with the exception of the "notify". I'm assuming this is 
>> because the "changed" value returned by the raw module is false. Is there a 
>> way to force "changed" to be true?
>>
>> Thanks,
>>
>> Justin
>>
>



[ansible-project] Re: Set the "changed" value when using the raw module

2016-11-17 Thread Matt Davis
We changed raw in 2.2 to return changed: true for consistency with the 
other non-idempotent modules (shell/script/command/etc). You can override 
with changed_when if you're not on 2.2 yet.

On Thursday, November 17, 2016 at 11:18:04 AM UTC-8, Justin Dugan wrote:
>
> Hi all,
>
> I am using the following task in a playbook:
>
> - name: Install .Net 4.6.2
>   raw: c:/temp/NDP462-KB3151800-x86-x64-AllOS-ENU.exe /q /norestart
>   when: raw_output.stdout | version_compare('394806', '<')
>   notify:
>     - reboot
>
> Everything works with the exception of the "notify". I'm assuming this is 
> because the "changed" value returned by the raw module is false. Is there a 
> way to force "changed" to be true?
>
> Thanks,
>
> Justin
>



[ansible-project] Re: Ansible 2.2.0 - Module shell & win_shell - possible issue when output is empty

2016-11-17 Thread Matt Davis
Nope, not a bug. The shell/command modules by default consider a nonzero 
return code a failure. Grep returns 1 if it didn't find anything (see 
"rc=1" in the response?). 

You can alter this behavior using a combination of register and failed_when 
to specify your own conditions for failure on the task(s) in question.

-Matt

On Thursday, November 17, 2016 at 8:14:59 AM UTC-8, 
fabrice.pe...@socrambanque.fr wrote:
>
> Hello,
> I encounter a bizarre behavior with the shell module and the new 
> win_shell module.
>
> It appears that, if the execution of the shell command does not produce 
> anything in the standard output, the module considers that it is in failure.
>
> In my opinion, this should not be the case. Is this behavior an error or 
> is it voluntary?
>
> I can use "ignore_errors: yes" to continue the playbook but it is not very 
> clean.
>
> Here are some tasks to illustrate the problem:
>
> # --
> -   name: "Use Case 1"
>     shell: grep "log" /etc/fstab
>     ignore_errors: yes
>     register: shell_result
>
> -   debug: var=shell_result
>
> # --
> -   name: "Use Case 2"
>     shell: grep "xxx" /etc/fstab
>     ignore_errors: yes
>     register: shell_result
>
> -   debug: var=shell_result
>
> # --
> -   name: "Use Case 3"
>     shell: grep "log" /etc/fstab > /tmp/test_ansible/use_case_3_result.txt
>     ignore_errors: yes
>     register: shell_result
>
> -   debug: var=shell_result
>
> # --
> -   name: "Use Case 4"
>     shell: grep "xxx" /etc/fstab > /tmp/test_ansible/use_case_4_result.txt
>     ignore_errors: yes
>     register: shell_result
>
> -   debug: var=shell_result
>
>
> Here are the results :
> 
>
> TASK [Use Case 1] 
> **
> changed: [lnildt01]
>
> TASK [debug] 
> ***
> ok: [lnildt01] => {
> "shell_result": {
> "changed": true,
> "cmd": "grep \"log\" /etc/fstab",
> "delta": "0:00:00.003975",
> "end": "2016-11-17 09:35:15.918729",
> "rc": 0,
> "start": "2016-11-17 09:35:15.914754",
> "stderr": "",
> "stdout": "/dev/mapper/rootvg-lv_logs /app/logs 
> \text4defaults1 2",
> "stdout_lines": [
> "/dev/mapper/rootvg-lv_logs /app/logs \text4
> defaults1 2"
> ],
> "warnings": []
> }
> }
>
> TASK [Use Case 2] 
> **
> fatal: [lnildt01]: FAILED! => {"changed": true, "cmd": "grep \"xxx\" 
> /etc/fstab", "delta": "0:00:00.003907", "end": "2016-11-17 
> 09:35:16.234674", "failed": true, "rc": 1, "start": "2016-11-17 
> 09:35:16.230767", "stderr": "", "stdout": "", "stdout_lines": [], 
> "warnings": []}
> ...ignoring
>
> TASK [debug] 
> ***
> ok: [lnildt01] => {
> "shell_result": {
> "changed": true,
> "cmd": "grep \"xxx\" /etc/fstab",
> "delta": "0:00:00.003907",
> "end": "2016-11-17 09:35:16.234674",
> "failed": true,
> "rc": 1,
> "start": "2016-11-17 09:35:16.230767",
> "stderr": "",
> "stdout": "",
> "stdout_lines": [],
> "warnings": []
> }
> }
>
> TASK [Use Case 3] 
> **
> changed: [lnildt01]
>
> TASK [debug] 
> ***
> ok: [lnildt01] => {
> "shell_result": {
> "changed": true,
> "cmd": "grep \"log\" /etc/fstab > 
> /tmp/test_ansible/use_case_3_result.txt",
> "delta": "0:00:00.004247",
> "end": "2016-11-17 09:35:16.547488",
> "rc": 0,
> "start": "2016-11-17 09:35:16.543241",
> "stderr": "",
> "stdout": "",
> "stdout_lines": [],
> "warnings": []
> }
> }
>
> TASK [Use Case 4] 
> **
> fatal: [lnildt01]: FAILED! => {"changed": true, "cmd": "grep \"xxx\" 
> /etc/fstab > /tmp/test_ansible/use_case_4_result.txt", "delta": 
> "0:00:00.004442", "end": "2016-11-17 09:35:16.859715", "failed": true, 
> "rc": 1, "start": "2016-11-17 09:35:16.855273", "stderr": "", "stdout": "", 
> "stdout_lines": [], "warnings": []}
> ...ignoring
> TASK [debug] 
> ***
> ok: [lnildt01] => {
> "shell_result": {
> "changed": true,
> "cmd": "grep \"xxx\" /e
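
Use Case 2 from the question rewritten with register and failed_when, as an added example that is not part of the original thread. It relies on grep's documented exit codes: 0 for a match, 1 for no match, 2 or higher for an error.

```yaml
# Added example: treat "no match" as a normal answer while still failing on real errors.
- name: "Use Case 2: look for an entry that may be absent"
  shell: grep "xxx" /etc/fstab
  register: shell_result
  # rc 0 = found, rc 1 = not found; anything else (unreadable file, bad pattern)
  # is a genuine failure and should stop the play. ignore_errors: yes would have
  # hidden that case as well.
  failed_when: shell_result.rc not in [0, 1]
  # A read-only check never changes the host, so do not report "changed".
  changed_when: false

- name: act on the two expected outcomes separately
  debug:
    msg: "{{ 'entry present' if shell_result.rc == 0 else 'entry missing' }}"
```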

[ansible-project] Re: Use dynamic inventory with windows ec2

2016-11-14 Thread Matt Davis
Yep, that's exactly what we tell folks to do. You can also use a 
conditional meta: refresh_inventory with the same technique (and map the 
tag-based groups into "human-readable" group names in the static inventory) 
when the task returns new hosts created instead of the add_host. That way 
you don't have to worry about dynamically mapping groups in your playbook- 
you can keep it all abstracted in the inventory. Functionally about the 
same...

-Matt

On Monday, November 14, 2016 at 2:40:27 AM UTC-8, J Hawkesworth wrote:
>
> I don't have any examples but I think you could have a static 
> group_vars/windows.yml file that sets the windows connection settings and 
> then add_host the windows instance(s) to your pre-existing static windows 
> group.
>
> Hope this helps,
>
> Jon
>
> On Monday, November 14, 2016 at 1:30:36 AM UTC, chall...@gmail.com wrote:
>>
>> Can anyone suggest the best way to use dynamic inventory for EC2 
>> Windows?
>> Usually for Linux EC2 I have a play which goes like:
>>
>> 1) creates an ec2 instance  ---first play
>> 2) refresh dynamic inventory ---2nd play
>> 3) connect to linux instance --3rd play
>>
>> But when I do the same thing with Windows EC2, Ansible tries to ssh 
>> into the Windows host and fails.
>>
>> Can anyone post a sample play that I can use to create an EC2 
>> Windows instance, refresh the dynamic inventory, and connect to and configure 
>> Windows in the same playbook without having to create a static inventory for 
>> Windows?
>>
>



[ansible-project] Re: Using Ansible w/ Windows with strict security

2016-11-14 Thread Matt Davis
I'm actually curious how you got LocalAccountTokenFilterPolicy to cause 
restriction under WinRM- I've tried many combos of 2008R2/2012R2/2016 under 
full UAC prompt requirements, domain-joined/not, various users, etc, to no 
avail- I can't get it to restrict the admin group for a local user in a 
WinRM session. I'm actually running into UAC issues under the become 
prototypes (since we're now using interactive logons instead of batch), but 
I can't get that particular one to break.

On Monday, November 14, 2016 at 2:29:43 AM UTC-8, J Hawkesworth wrote:
>
> I'm guessing that applying the LocalAccountTokenFilterPolicy kicks your 
> ansible connection out before it can respond.
>
> Since you are on 2.2 you should be able to use async, which might let you 
> switch from 0 - 1
>
> There isn't a way to become another user yet on windows but it is slated 
> for 2.3 - see 
> https://github.com/ansible/ansible/blob/devel/docsite/rst/roadmap/ROADMAP_2_3.rst
>
> Hope this helps,
>
> Jon
>
> On Friday, November 11, 2016 at 4:14:22 PM UTC, bigb...@gmail.com wrote:
>>
>> Our environment is under some pretty strict security requirements and 
>> it's causing lots of issues. First, we don't have an active directory set 
>> up (all local accounts, I know it's stupid but I'm just the idiot trying to 
>> clean it up). Then, we have this LocalAccountTokenFilterPolicy registry 
>> setting set to 1 so every time I try to run something I get permission 
>> errors as it lowers permissions. 
>>
>> I am allowed to temporarily disable the LocalAccountTokenFilterPolicy to 
>> do what I need to do, but need a mechanism to do that. I'm able to use 
>> win_command to do switch it from 1 to 0 but can't switch it from 0 - 1. 
>>
>> Is there any way to get in with WinRM through ansible then run a command 
>> as an elevated user? 
>>
>> Thanks!
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/82704bb5-c6f2-456e-9cb5-62f939d310dd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ansible-project] Re: Wrong username being used with kerberos authentication

2016-11-14 Thread Matt Davis
Pre-2.1, Ansible *only* supported the "default" Kerberos principal, so 
folks needing more than one Kerberos principal at a time (eg, multiple 
principals in parallel or the ability to switch principals mid-run) were 
hosed. With 2.1 and later (and some associated fixes to pykerberos and 
requests_kerberos), we actually use ansible_user (when specified) to look 
up the right user. If it's not specified, we revert to the default 
principal behavior that 2.0 and previous used.

Why are you specifying a nonsensical value for ansible_user instead of just 
leaving it blank?

If you need to set it back to null at the host level for some reason, you 
can do that in YAML (eg host_vars) with the ~ character as the value, or by 
using !!null. I don't believe those work in .ini inventory, though. I'd 
strongly suggest you just not set it to a garbage value, though.

-Matt

On Monday, November 14, 2016 at 7:42:52 AM UTC-8, mmcgrellis mmcgrellis 
wrote:
>
> We have a current setup that works using Ansible v2.0.0 in which we 
> specify ansible_ssh_user in inventory exactly as follows.
>
> ansible_ssh_user: user@realm
>
> When running playbooks we use kinit to get a kerberos ticket using real 
> credentials (myrealn...@myrealdomain.com) and everything works.
> That is ansible uses the kerberos ticket for myrealn...@myrealdomain.com 
> and we can successfully connect to Windows servers.
>
>
> However, behavior in Ansible 2.1 and 2.2 is different.  When using the 
> newer versions, Ansible tries to connect with the fake user@realm username, 
> ignoring our kerberos ticket and hence failing to connect.
> - changing ansible_ssh_user to ansible_user makes no difference
> - specifying the myrealn...@myrealdomain.com with the -u option on the 
> command line makes no difference
>
> What does work is setting ansible_user to myrealn...@myrealdomain.com in 
> the inventory.  However, this is problematic as we have several users and 
> don't want to have to constantly change our inventory depending on which 
> user is actually running playbooks.
>
> Am I missing something or did something change in regards to behavior?  Is 
> there some way to get the old behavior?
>
> Thanks.
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/14c56364-10a5-46f5-a199-b5d7b37a77ac%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ansible-project] Re: Win-Command throwing syntax error

2016-11-11 Thread Matt Davis
"no action detected in task" usually means the module you want wasn't 
found. In your case, I'm guessing you're not using Ansible 2.2 (check the 
docs for win_command, it was only added in 2.2).

-Matt

On Friday, November 11, 2016 at 12:32:21 PM UTC-8, challa@gmail.com 
wrote:
>
> I have a role to install different software on win host.
> I am getting this error:
>  
>
> ERROR! no action detected in task. This often indicates a misspelled 
> module name, or incorrect module path.
>
> The error appears to have been in 
> '/etc/ansible/playbooks/windows/roles/config/tasks/main.yml': line 41, 
> column 3, but may
> be elsewhere in the file depending on the exact syntax problem.
>
> The offending line appears to be:
>> #
>> - name: installing qualys
>>   ^ here
>
>
>
> The role has following command:
>
> - name: installing qualys
>   win_command: 'C:\Users\Administrator\Downloads\QualysCloudAgent.exe CustomerId={a8c4085a-07e0-c2ac-82e0-d34bc40c6f72} ActivationId={98041a26-0e07-44eb-96cc-02196bf7d46d}'
>   args:
>     creates: C:\Program Files (x86)\Qualys\QualysAgent\QualysAgent.exe
>



[ansible-project] Re: Targeting Windows 2008 R2 machines with Ansible?

2016-11-08 Thread Matt Davis
We're still regularly swatting away the places that want us to support 
Server 2003 / PS 2...

On Monday, November 7, 2016 at 10:17:54 AM UTC-8, J Hawkesworth wrote:
>
> Hello,
>
> I'm curious if anyone is making use of Server 2008/R2 versions of Windows 
> Server any more.
>
> I am setting up a S2008R2 VM at the moment to test a PR and I'm wondering 
> how much use this version of windows is getting these days.
>
> Jon
>



Re: [ansible-project] Re: Libcloud supports >50 cloud providers… fallback and use it?

2016-11-03 Thread Matt Davis
If I understand you correctly, I think that would cause a lot of problems 
and trip-hazards for maintaining the existing cloud modules. Also, to 
expand on what bcoca said- you can't assume you're always running from the 
control host. *Most* people run the cloud modules under localhost / 
local_action, but there's nothing precluding you from running them on other 
hosts (and there are sometimes legitimate reasons to do so). The ansiballz 
module packager will almost certainly not do the right thing in the 
fallback case you're describing (again, assuming I understand what you're 
doing). Plus, I don't see how you could do it without touching the import 
logic in all the existing modules and running extra round-trips to the 
module exec host.

I don't think it's as simple as you make it out to be, and I suspect there 
are a lot of gotchas that would keep us from shipping it as a feature. That 
said, nothing stopping you if you want to take a stab at it. :)

-Matt

On Tuesday, November 1, 2016 at 5:48:45 PM UTC-7, Brian Coca wrote:
>
> The modules should not try to import from each other, since they can 
> execute on different machines than the one in which Ansible is installed.
>
>
> --
> Brian Coca
>



[ansible-project] Re: Escape space in Windows directory path in playbook

2016-11-03 Thread Matt Davis
Stick to YAML syntax instead of Ansible key=value syntax and you don't have 
to quote or escape at all:

- win_copy:
    src: somelocalfile.bin
    dest: c:\windows\somelocalfile.bin

If you're in a situation where you need to quote, YAML single-quotes are 
also escape-free. Double-quoting allows escape characters, which means 
you'll either need to double your backslashes or switch to forward slashes 
(*most* modules are OK with this, but there are a handful that fix the 
paths up correctly).

-Matt


On Wednesday, November 2, 2016 at 8:52:54 AM UTC-7, Tim wrote:
>
> Hi,
>
> I want to copy some files to the Startup folder using "win_copy". The 
> problem is, that the destination directory is 
> "dest=C:/ProgramData/Microsoft/Windows/Start 
> Menu/Programs/StartUp/link.lnk" which has a space between "Start" and 
> "Menu".
> I tried to escape that with quotation marks, but that didn't work. Is 
> there another way to escape space?
>
> Thanks,
> Tim
>



[ansible-project] Re: Libcloud supports >50 cloud providers… fallback and use it?

2016-11-01 Thread Matt Davis
By "fallback" I assume you basically mean just a generic libcloud module? 
My personal experience with the "provider agnostic" aspects of libcloud has 
not been great, and our current usage of it in the GCE modules is about to 
go away in favor of Google's Python API... 

That said, if you're willing to maintain one or more provider-generic 
libcloud modules that are decently written and can be shown to do useful 
things with clouds we don't currently support, I'm sure we'd take them into 
extras.

-Matt

On Tuesday, November 1, 2016 at 6:14:55 AM UTC-7, Samuel Marks wrote:
>
> Greetings Ansible! - I like your philosophy, although enjoy reinventing 
> the wheel also ;) as you can see from my [open-source] Fabric-centric DSL.
>
> However I don't like being one of [the only?] that supports so many 
> clouds. So I'm thinking about contributing to Ansible, but don't know if 
> you'd be interested.
>
> FYI: Apache Libcloud is an open-source Python library supporting over 50 
> different cloud providers. Ansible lists 9.
>
> I note you're aware of it, even utilising it in your Google Compute Engine
> (GCE) Ansible cloud module.
>
> Without touching your existing cloud modules, if I prepared a PR that took 
> a catch-all fallback approach would you be interested in accepting?
> - So if it's not AWS, GCE, Azure, Digital Ocean, Docker, linode, 
> OpenStack, Rackspace or vSphere; then check libcloud.
>
> If yes, then I should get some time over Christmas to make the contribution
>



[ansible-project] Re: Kerberos Delegation Issues

2016-10-31 Thread Matt Davis
Don't know what else to say- works for everyone I know that's tried it, so 
I'm suspecting some sort of local configuration or installation issue that 
hasn't been covered yet.

On Monday, October 31, 2016 at 8:09:02 AM UTC-7, Surred wrote:
>
> Thanks for the response Matt! I did verify we are running ansible version 
> 2.1.1.0
>
> user@ansible:~> ansible --version
> ansible 2.1.1.0
>   config file = /etc/ansible/ansible.cfg
>   configured module search path = Default w/o overrides
>
> I ran the klist command on the windows host (DC1) that ansible directly 
> connects to via winrm and I do not see a cached ticket for the service 
> account ansible is using. Your thoughts?
>
>
> On Friday, October 28, 2016 at 1:07:11 PM UTC-5, Matt Davis wrote:
>>
>> You mentioned you were using ansible 2.1.0 and that you'd switched to 
>> group_vars- that version has an inventory bug where any ansible_winrm_X 
>> connection vars are ignored if they live in group_vars. Either upgrade to 
>> at least 2.1.1, or move them back. Also, try doing a raw: klist on the 
>> Windows host with delegation enabled- you should see a TGT listed.
>>
>> On Friday, October 28, 2016 at 10:10:45 AM UTC-7, Surred wrote:
>>>
>>> Apologies for the delayed response... I've been looking for ways to work 
>>> around this issue, but I hit a roadblock so I really need to figure this 
>>> out. Below are the logs from the server hosting the network share. 
>>> Apparently the login was successful, but it was as an anonymous user using 
>>> NTLM. I'm still receiving the same Access Denied message in ansible. Any 
>>> further assistance would be greatly appreciated. Thanks.
>>>
>>> Log Name:  Security
>>> Source:Microsoft-Windows-Security-Auditing
>>> Date:  10/28/2016 11:50:35 AM
>>> Event ID:  4624
>>> Task Category: Logon
>>> Level: Information
>>> Keywords:  Audit Success
>>> User:  N/A
>>> Computer:  SCCM01.domain.com
>>> Description:
>>> An account was successfully logged on.
>>>
>>> Subject:
>>> Security ID: NULL SID
>>> Account Name: -
>>> Account Domain: -
>>> Logon ID: 0x0
>>>
>>> Logon Type: 3
>>>
>>> Impersonation Level: Impersonation
>>>
>>> New Logon:
>>> Security ID: ANONYMOUS LOGON
>>> Account Name: ANONYMOUS LOGON
>>> Account Domain: NT AUTHORITY
>>> Logon ID: 0x614767F6
>>> Logon GUID: {----}
>>>
>>> Process Information:
>>> Process ID: 0x0
>>> Process Name: -
>>>
>>> Network Information:
>>> Workstation Name: DC1.domain.com
>>> Source Network Address: x.x.x.x
>>> Source Port: 59019
>>>
>>> Detailed Authentication Information:
>>> Logon Process: NtLmSsp 
>>> Authentication Package: NTLM
>>> Transited Services: -
>>> Package Name (NTLM only): NTLM V1
>>> Key Length: 128
>>>
>>> This event is generated when a logon session is created. It is generated 
>>> on the computer that was accessed.
>>>
>>> The subject fields indicate the account on the local system which 
>>> requested the logon. This is most commonly a service such as the Server 
>>> service, or a local process such as Winlogon.exe or Services.exe.
>>>
>>> The logon type field indicates the kind of logon that occurred. The most 
>>> common types are 2 (interactive) and 3 (network).
>>>
>>> The New Logon fields indicate the account for whom the new logon was 
>>> created, i.e. the account that was logged on.
>>>
>>> The network fields indicate where a remote logon request originated. 
>>> Workstation name is not always available and may be left blank in some 
>>> cases.
>>>
>>> The impersonation level field indicates the extent to which a process in 
>>> the logon session can impersonate.
>>>
>>> The authentication information fields provide detailed information about 
>>> this specific logon request.
>>> - Logon GUID is a unique identifier that can be used to correlate this 
>>> event with a KDC event.
>>> - Transited services indicate which intermediate services have 
>>> participated in this logon request.
>>> - Package name indicates which sub-protocol was used among the NTLM 
>>> protocols.
>>> - Key length indicates the length of the gener
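
The logon pattern in the quoted event, as an added example that is not part of the original thread: a Python parser for the text form of Security event 4624 that flags a network logon arriving as ANONYMOUS LOGON over NTLM, which is what the second-hop server records when the WinRM session had no delegated Kerberos credential to present. The first sample uses fields from the event quoted above; the second is constructed for contrast, and its host and account names are placeholders.

```python
import re

# Section headings used by the text rendering of Security event 4624.
SECTION_RE = re.compile(
    r"^(Subject|New Logon|Process Information|Network Information|"
    r"Detailed Authentication Information):$"
)
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()]*?):\s*(.*)$")

# Fields copied from the event quoted in the thread, mail quoting included.
THREAD_EVENT = """\
> Event ID:  4624
> Computer:  SCCM01.domain.com
> Subject:
> Security ID: NULL SID
> Logon Type: 3
> New Logon:
> Security ID: ANONYMOUS LOGON
> Account Name: ANONYMOUS LOGON
> Account Domain: NT AUTHORITY
> Network Information:
> Workstation Name: DC1.domain.com
> Source Port: 59019
> Detailed Authentication Information:
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Package Name (NTLM only): NTLM V1
> Key Length: 128
"""

# Constructed sample: the same hop when a Kerberos credential was delegated.
CONSTRUCTED_KERBEROS_EVENT = """\
Event ID:  4624
Computer:  FILES01.example.com
Subject:
Security ID: NULL SID
Logon Type: 3
New Logon:
Security ID: EXAMPLE\\svc-ansible
Account Name: svc-ansible
Account Domain: EXAMPLE
Network Information:
Workstation Name: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Package Name (NTLM only): -
"""


def parse_event(text):
    """Return {section: {field: value}}; header fields live under section ''."""
    event = {"": {}}
    section = ""
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()  # tolerate mail quoting and lost indentation
        if not line:
            continue
        if SECTION_RE.match(line):
            section = line[:-1]
            event.setdefault(section, {})
            continue
        field = FIELD_RE.match(line)
        if field:
            # "Security ID" occurs under both Subject and New Logon, so keep sections apart.
            event[section].setdefault(field.group(1).strip(), field.group(2).strip())
    return event


def first(event, key):
    """Look a field up in any section (Logon Type is printed between sections)."""
    for fields in event.values():
        if key in fields:
            return fields[key]
    return None


def classify_logon(event):
    if first(event, "Event ID") != "4624":
        return "not-a-logon-event"
    new_logon = event.get("New Logon", {})
    auth = event.get("Detailed Authentication Information", {})
    anonymous = new_logon.get("Security ID") in ("ANONYMOUS LOGON", "S-1-5-7")
    package = auth.get("Authentication Package", "")
    if first(event, "Logon Type") == "3" and anonymous and package == "NTLM":
        return "anonymous-ntlm"      # no usable identity reached this server
    if package == "Kerberos" and not anonymous:
        return "kerberos-identity"   # the caller's identity arrived intact
    return "other"


def describe(event):
    """Collect the fields worth putting in a ticket or alert."""
    return {
        "verdict": classify_logon(event),
        "server": first(event, "Computer"),
        "source_host": event.get("Network Information", {}).get("Workstation Name"),
        "account": event.get("New Logon", {}).get("Account Name"),
        "ntlm_version": event.get("Detailed Authentication Information", {}).get(
            "Package Name (NTLM only)"),
    }


if __name__ == "__main__":
    for sample in (THREAD_EVENT, CONSTRUCTED_KERBEROS_EVENT):
        print(describe(parse_event(sample)))
```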

[ansible-project] Re: Public meeting on core/extras repo merges

2016-10-31 Thread Matt Davis
This meeting has been postponed. We'll reschedule soon.

On Thursday, October 27, 2016 at 9:36:02 AM UTC-7, Matt Davis wrote:
>
> Hi all,
>
> The Ansible core team will be holding a public meeting on Monday Oct 31 at 
> 1700 UTC regarding logistics and timing around merging the 
> ansible-modules-core and ansible-modules-extras GitHub repos back into the 
> main ansible/ansible repo. We'll be streaming our discussion via Youtube 
> live at https://www.youtube.com/watch?v=wiq2dLjzOUw, and live chat will 
> be in Freenode IRC #ansible-meeting. Feel free to join us and participate 
> via IRC!
>
>
> Matt Davis
> Principal Software Engineer (Ansible Core)
> Red Hat
>



[ansible-project] Re: Kerberos Delegation Issues

2016-10-28 Thread Matt Davis
You mentioned you were using ansible 2.1.0 and that you'd switched to 
group_vars- that version has an inventory bug where any ansible_winrm_X 
connection vars are ignored if they live in group_vars. Either upgrade to 
at least 2.1.1, or move them back. Also, try doing a raw: klist on the 
Windows host with delegation enabled- you should see a TGT listed.

On Friday, October 28, 2016 at 10:10:45 AM UTC-7, Surred wrote:
>
> Apologies for the delayed response... I've been looking for ways to work 
> around this issue, but I hit a roadblock so I really need to figure this 
> out. Below are the logs from the server hosting the network share. 
> Apparently the login was successful, but it was as an anonymous user using 
> NTLM. I'm still receiving the same Access Denied message in ansible. Any 
> further assistance would be greatly appreciated. Thanks.
>
> Log Name:  Security
> Source:Microsoft-Windows-Security-Auditing
> Date:  10/28/2016 11:50:35 AM
> Event ID:  4624
> Task Category: Logon
> Level: Information
> Keywords:  Audit Success
> User:  N/A
> Computer:  SCCM01.domain.com
> Description:
> An account was successfully logged on.
>
> Subject:
> Security ID: NULL SID
> Account Name: -
> Account Domain: -
> Logon ID: 0x0
>
> Logon Type: 3
>
> Impersonation Level: Impersonation
>
> New Logon:
> Security ID: ANONYMOUS LOGON
> Account Name: ANONYMOUS LOGON
> Account Domain: NT AUTHORITY
> Logon ID: 0x614767F6
> Logon GUID: {----}
>
> Process Information:
> Process ID: 0x0
> Process Name: -
>
> Network Information:
> Workstation Name: DC1.domain.com
> Source Network Address: x.x.x.x
> Source Port: 59019
>
> Detailed Authentication Information:
> Logon Process: NtLmSsp 
> Authentication Package: NTLM
> Transited Services: -
> Package Name (NTLM only): NTLM V1
> Key Length: 128
>
> This event is generated when a logon session is created. It is generated 
> on the computer that was accessed.
>
> The subject fields indicate the account on the local system which 
> requested the logon. This is most commonly a service such as the Server 
> service, or a local process such as Winlogon.exe or Services.exe.
>
> The logon type field indicates the kind of logon that occurred. The most 
> common types are 2 (interactive) and 3 (network).
>
> The New Logon fields indicate the account for whom the new logon was 
> created, i.e. the account that was logged on.
>
> The network fields indicate where a remote logon request originated. 
> Workstation name is not always available and may be left blank in some 
> cases.
>
> The impersonation level field indicates the extent to which a process in 
> the logon session can impersonate.
>
> The authentication information fields provide detailed information about 
> this specific logon request.
> - Logon GUID is a unique identifier that can be used to correlate this 
> event with a KDC event.
> - Transited services indicate which intermediate services have 
> participated in this logon request.
> - Package name indicates which sub-protocol was used among the NTLM 
> protocols.
> - Key length indicates the length of the generated session key. This will 
> be 0 if no session key was requested.
>
>
>
>
> Log Name:  Security
> Source:Microsoft-Windows-Security-Auditing
> Date:  10/28/2016 11:50:35 AM
> Event ID:  5140
> Task Category: File Share
> Level: Information
> Keywords:  Audit Success
> User:  N/A
> Computer:  SCCM01.domain.com
> Description:
> A network share object was accessed.
> Subject:
> Security ID: ANONYMOUS LOGON
> Account Name: ANONYMOUS LOGON
> Account Domain: NT AUTHORITY
> Logon ID: 0x614767F6
>
> Network Information: 
> Object Type: File
> Source Address: x.x.x.x
> Source Port: 59019
> Share Information:
> Share Name: \\*\IPC$
> Share Path: 
>
> Access Request Information:
> Access Mask: 0x1
> Accesses: ReadData (or ListDirectory)
>

[ansible-project] Public meeting on core/extras repo merges

2016-10-27 Thread Matt Davis
Hi all,

The Ansible core team will be holding a public meeting on Monday Oct 31 at 
1700 UTC regarding logistics and timing around merging the 
ansible-modules-core and ansible-modules-extras GitHub repos back into the 
main ansible/ansible repo. We'll be streaming our discussion via Youtube 
live at https://www.youtube.com/watch?v=wiq2dLjzOUw, and live chat will be 
in Freenode IRC #ansible-meeting. Feel free to join us and participate via 
IRC!


Matt Davis
Principal Software Engineer (Ansible Core)
Red Hat



[ansible-project] Re: modifying members of local groups in windows

2016-10-26 Thread Matt Davis
Not currently- a set of AD management modules are on the roadmap for 2.3, 
and adding a group_members capability to win_group would probably be the 
sanest way to deal with that particular request...

-Matt

On Wednesday, October 26, 2016 at 3:16:44 PM UTC-7, Mike Devlin wrote:
>
> the win_group module looks like it only lets you create or remove a group, 
> and win_user is for add/modify/removing local users.  Is there a way to add 
> an active directory group as a member of a local group that I am not seeing?
>
> Thanks
> Mike
>



[ansible-project] Re: Ansible powershell module to be run on remote powershell on Linux machine.

2016-10-21 Thread Matt Davis
Some aspects of Ansible's Powershell support are currently built under the 
assumption that it would only ever run on Windows / over WinRM. There are a 
few things that would need to be moved around in order to allow "real" 
Ansible Powershell modules to work on Linux. By "real", I mean so that the 
module generation stuff works correctly whether the WinRM connection plugin 
runs it or something else, and that you can use our Powershell module API.

You can probably make Powershell modules work today by setting the shebang 
to your powershell path and dealing with the low-level module stuff 
yourself (or patching powershell.ps1 into the module manually). Now that 
Powershell for Linux has been released, we'll take a look at the 
feasibility of doing this for real, but the likelihood of most existing 
Ansible Powershell modules working unmodified on Linux seems pretty low. 

My intent is to build some other cross-platform modules around Powershell 
though (for instance, a set of SQL Server modules that could work on either 
Windows or Linux hosts with .NET Core/Powershell), but that's probably not 
going to happen until the 2.4 timeframe.

Good luck!

-Matt

On Friday, October 21, 2016 at 10:09:41 AM UTC-7, Rajendra Adhikari wrote:
>
> Has anybody successfully run powershell on Linux as an ansible module? 
> Well, I have an ansible on one machine ServerAnsible. And, I have a 
> powershell and powercli core installed on my linux machine ServerPS.  I 
> would like to execute ansible module written in powershell from ansible 
> machine to the powershell machine. I followed the ansible doc here, 
> http://docs.ansible.com/ansible/intro_windows.html#developers-supported-modules-and-how-it-works
>  
> But it looks like it is specific to Windows or works only when Powershell 
> is on Windows machine.
> My end goal is to develop a vmware powercli modules that are delegated 
> through a linux box running powershell and powercli instead of Windows 
> machine.
> Here are what I did:
> Powershell machine: ServerPS
> Ansible machine: ServerAnsible
>
> File mymodule.ps1 at module directory:
> #!/usr/bin/powershell
> # POWERSHELL_COMMON
> # WANT_JSON
>
> $resullt = Get-Date
>
> Exit-Json $result
>
> ServerAnsible$ansible ServerPS -m mymodule.ps1
> ServerPS | FAILED! => {
> "changed": false,
> "failed": true,
> "module_stderr": "",
> "module_stdout": 
> "\u001b[?1h\u001b=\u001b[39;49m\u001b[31m\u001b[39;49m\u001b[31mThe 
> variable '$result' cannot be retrieved because it has not been 
> set.\u001b[39;49m\u001b[39;49m\r\n\u001b[39;49m\u001b[31m\u001b[39;49m\u001b[31mAt
>  
> /home/**/.ansible/tmp/ansible-tmp-1477059401.24-235352349739057/mymod\u001b[39;49m\u001b[39;49m\r\n\u001b[39;49m\u001b[31m\u001b[39;49m\u001b[31mules.ps1:233
>  
> char:11\u001b[39;49m\u001b[39;49m\r\n\u001b[39;49m\u001b[31m\u001b[39;49m\u001b[31m+
>  
> Exit-Json 
> $result\u001b[39;49m\u001b[39;49m\r\n\u001b[39;49m\u001b[31m\u001b[39;49m\u001b[31m+
>  
>   
> ~~~\u001b[39;49m\u001b[39;49m\r\n\u001b[39;49m\u001b[31m\u001b[39;49m\u001b[31m
>  
>+ CategoryInfo  : InvalidOperation: (result:String) [], 
> RuntimeExc 
> \u001b[39;49m\u001b[39;49m\r\n\u001b[39;49m\u001b[31m\u001b[39;49m\u001b[31m 
>   
> eption\u001b[39;49m\u001b[39;49m\r\n\u001b[39;49m\u001b[31m\u001b[39;49m\u001b[31m
>  
>+ FullyQualifiedErrorId : 
> VariableIsUndefined\u001b[39;49m\u001b[39;49m\r\n\u001b[39;49m\u001b[31m\u001b[39;49m\u001b[31m
>  
> \u001b[39;49m\u001b[39;49m\r\n",
> "msg": "MODULE FAILURE",
> "parsed": false
> }
>
> or, if I set the variable as:
> #!/usr/bin/powershell
> # POWERSHELL_COMMON
> # WANT_JSON
>
>
> $result="test"
> $resullt = Get-Date
>
> Exit-Json $result
>
> I am getting something like:
> ServerPS | FAILED! => {
> "changed": false,
> "failed": true,
> "module_stderr": "",
> "module_stdout": "\u001b[?1h\u001b=\"test\"\r\n",
> "msg": "MODULE FAILURE",
> "parsed": false
> }
>
> With verbose mode, looks like ansible is pushing the file to the remote 
> server at least and trying to execute the powershell module.
>  ESTABLISH SSH CONNECTION FOR USER: ***
>  SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s 
> -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o 
> PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey 
> -o PasswordAuthentication=no -o User=*** -o ConnectTimeout=10 -o 
> ControlPath=/home/***/.ansible/cp/ansible-ssh-%h-%p-%r ServerPS 
> '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo 
> $HOME/.ansible/tmp/ansible-tmp-1477059699.61-150822866162574 `" && echo 
> ansible-tmp-1477059699.61-150822866162574="` echo 
> $HOME/.ansible/tmp/ansible-tmp-1477059699.61-150822866162574 `" ) && sleep 
> 0'"'"''
>  PUT /tmp/tmpGt6Vr_ TO 
> /home/***/.ansible/tmp/ansible-tmp-1477059699.61-150822866162574/mymodules.ps1
>  SSH: EXEC sftp -b - -C -o ControlMaster=auto -o 
> ControlPersist=60s -o StrictHostKeyChecki

[ansible-project] Re: Copying or moving files on Windows systems

2016-10-21 Thread Matt Davis
The win_robocopy extras module should probably cover your needs...

On Thursday, October 20, 2016 at 10:56:25 PM UTC-7, Mike Fennemore wrote:
>
> When using a Centos Ansible control machine connecting to Windows server, 
> is there a way to copy/move files on the Windows system? Win_copy works 
> well for copying to the Windows system but doesn't seem to be able to fit 
> this use. In particular I have tried moving/copying files using 
> raw,win_command and win_shell with the catch that the file paths have 
> spaces in them. i.e copy \*.* c:\program files\app\*.*



[ansible-project] Re: Server not found in Kerberos Database

2016-10-20 Thread Matt Davis
Kerberos is highly dependent on DNS and name->realm mapping; you need to 
use the host's FQDN, not its IP, unless you've hacked up your krb5.conf and 
DNS infra significantly to support that.

On Thursday, October 20, 2016 at 10:00:45 AM UTC-7, Alf Normann Klausen 
wrote:
>
> Hi,
>
> I think I have the exact same problem. 
> Running ansible 2.1.1.0-1.el7 on CentOS 7.2.1511
>
> Here is an example of ansible command output:
>
>
> [alf...@webdmz.no@tvm-alfkla ~]$ ansible -i hosts TVM-ALF2012R2 -m 
> win_ping -v
> Using /etc/ansible/ansible.cfg as config file
> Loaded callback minimal of type stdout, v2.0
> <192.168.4.225> ESTABLISH WINRM CONNECTION FOR USER: alf...@webdmz.no on 
> PORT 5985 TO 192.168.4.225
> <192.168.4.225> WINRM CONNECT: transport=kerberos endpoint=http://
> 192.168.4.225:5985/wsman
> <192.168.4.225>
>  WINRM CONNECTION ERROR: authGSSClientStep() failed: (('Unspecified GSS 
> failure.  Minor code may provide more information', 851968), ('Server 
> not found in Kerberos database', -1765328377))
> Traceback (most recent call last):
>   File 
> "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", 
> line 151, in _winrm_connect
> self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 132, in 
> open_shell
> res = self.send_message(xmltodict.unparse(req))
>   File "/usr/lib/python2.7/site-packages/winrm/protocol.py", line 207, in 
> send_message
> return self.transport.send_message(message)
>   File "/usr/lib/python2.7/site-packages/winrm/transport.py", line 170, in 
> send_message
> prepared_request = self.session.prepare_request(request)
>   File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 394, 
> in prepare_request
> hooks=merge_hooks(request.hooks, self.hooks),
>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 298, in 
> prepare
> self.prepare_auth(auth, url)
>   File "/usr/lib/python2.7/site-packages/requests/models.py", line 500, in 
> prepare_auth
> r = auth(self)
>   File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", 
> line 318, in __call__
> auth_header = self.generate_request_header(None, host, is_preemptive=
> True)
>   File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", 
> line 158, in generate_request_header
> raise KerberosExchangeError("%s failed: %s" % (kerb_stage, str(error.
> args)))
> KerberosExchangeError:
>  authGSSClientStep() failed: (('Unspecified GSS failure.  Minor code may
>  provide more information', 851968), ('Server not found in Kerberos 
> database', -1765328377))
>
> TVM-ALF2012R2 | UNREACHABLE! => {
> "changed": false, 
>  
>"msg": "kerberos: authGSSClientStep() failed: (('Unspecified GSS 
> failure.  Minor code may provide more information', 851968), ('Server 
> not found in Kerberos database', -1765328377))", 
> "unreachable": true
> }
>
>
>
>
> The kerberos ticket is ok:
> [alf...@webdmz.no@tvm-alfkla ~]$ klist
> Ticket cache: KEYRING:persistent:1015602603:1015602603
> Default principal: alf...@webdmz.no
>
> Valid starting   Expires  Service principal
> 20. okt. 2016 13:06  20. okt. 2016 23:06  krbtgt/webdmz...@webdmz.no
> renew until 27. okt. 2016 13:06
>
> The inventory is like this:
>
> [alf...@webdmz.no@tvm-alfkla ~]$ grep ^TVM-ALF2012R2 hosts
>
> TVM-ALF2012R2 ansible_host=192.168.4.225 ansible_user=alf...@webdmz.no 
> ansible_password=xXxXxXxXx ansible_port=5985 ansible_connection=winrm 
> ansible_winrm_transport=kerberos ansible_winrm_kerberos_delegation=yes
>
> Any clue why this happens?
>
> All help will be highly appreciated!  :o)
>
>
> Vennlig hilsen,
>
> Alf Normann Klausen
>
>
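
The FQDN requirement from the reply above, as an added example that is not part of the original thread: a Python check over INI inventory host lines that reports WinRM hosts using the kerberos transport whose connection target is an IP literal or an unqualified name. The inventory is constructed (placeholder names and documentation-range addresses), and the check reads host-line variables only, not group_vars.

```python
import ipaddress
import shlex

# Constructed inventory modelled on the host line quoted in the thread.
SAMPLE_INVENTORY = """\
[windows]
web01 ansible_host=192.0.2.25 ansible_user=svc@EXAMPLE.COM ansible_connection=winrm ansible_winrm_transport=kerberos
web02.example.com ansible_user=svc@EXAMPLE.COM ansible_connection=winrm ansible_winrm_transport=kerberos
web03 ansible_connection=winrm ansible_winrm_transport=kerberos
web04 ansible_host=192.0.2.40 ansible_connection=winrm ansible_winrm_transport=ntlm
db01 ansible_host=198.51.100.7

[windows:vars]
ansible_port=5985
"""


def parse_hosts(text):
    """Yield (name, vars) for host lines, skipping [group:vars] and [group:children]."""
    in_host_section = True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_host_section = ":" not in line
            continue
        if not in_host_section:
            continue
        tokens = shlex.split(line)
        pairs = (t.split("=", 1) for t in tokens[1:] if "=" in t)
        yield tokens[0], dict(pairs)


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def kerberos_target_findings(text):
    """Return (inventory_name, target, reason) for Kerberos hosts not addressed by FQDN."""
    findings = []
    for name, hostvars in parse_hosts(text):
        if hostvars.get("ansible_connection") != "winrm":
            continue
        transports = hostvars.get("ansible_winrm_transport", "").split(",")
        if "kerberos" not in transports:
            continue
        # Without ansible_host, the inventory name itself is the connection target.
        target = hostvars.get("ansible_host", name)
        if is_ip_literal(target):
            # The service ticket is requested by host name; an address has no
            # matching entry, hence "Server not found in Kerberos database".
            findings.append((name, target, "ip-literal"))
        elif "." not in target:
            findings.append((name, target, "short-name"))
    return findings


if __name__ == "__main__":
    for name, target, reason in kerberos_target_findings(SAMPLE_INVENTORY):
        print(f"{name}: target {target!r} is not an FQDN ({reason})")
```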



[ansible-project] Re: Problems Connecting To Windows 2012 R2

2016-10-20 Thread Matt Davis
In 2.1 we had to back off on some of the automatic transport detection 
stuff with the advent of NTLM and support for things like Microsoft 
accounts- try adding

ansible_winrm_transport=kerberos

to your inventory...

On Thursday, October 20, 2016 at 10:01:29 AM UTC-7, bwieb...@gmail.com 
wrote:
>
>
>
>
> I am new to Ansible, so please bear with me. I am trying to bring up an 
> Ansible test environment whereby I can test config management against a 
> Windows environment. The environment consists of an Ansible management 
> server running Linux Red Hat Enterprise Linux Server release 6.7 and a test 
> Windows 2012 R2 server. I believe I have all the necessary packages 
> installed to support the WinRM/Kerberos connection from the Ansible 
> management server to the Windows server. Here are the packages I believe to 
> have been installed on the Ansible management server to support Windows:
>
> pywinrm
> python-devel
> krb5-devel
> krb5-libs
> krb5-workstation
> kerberos
> requests-kerberos
>
> I have updated the /etc/krb5.conf file. When I run "kinit 'user'@MY.DOMAIN.COM"
> on the Ansible management server I get the following:
>
> ansible@servername:/home/ansible # kinit xxx...@my.domain.com
> Password for ...@my.domain.com:
> ansible@servername:/home/ansible #
>
> I then ran a "klist" to ensure the kerberos connection was made:
>
>
> ansible@servername:/home/ansible # klist
> Ticket cache: FILE:/tmp/krb5cc_5000
> Default principal: xxx...@my.domain.com
>
> Valid starting     Expires            Service principal
> 10/20/16 07:17:28  10/20/16 17:17:58  krbtgt/my.domain@my.domain.com
> renew until 10/21/16 07:17:28
> ansible@servername:/home/ansible #
>
> I then created a /group_vars/windows.yml file consisting of the following:
>
> ansible_user: xxx...@my.domain.com
> ansible_password: x
> ansible_port: 5986
> ansible_connection: winrm
> ansible_winrm_server_cert_validation: ignore
>
> but when I go to run "ansible winTest -m win_ping -" it appears that it is 
> trying an SSL connection instead of a winrm connection, possibly?:
>
>
> ansible@servername:/home/ansible # ansible winTest -m win_ping -v
> Using /home/ansible/.ansible.cfg as config file
> Loaded callback minimal of type stdout, v2.0
> <172.31.0.166> ESTABLISH SSH CONNECTION FOR USER: None
> <172.31.0.166> SSH: ansible.cfg set ssh_args: 
> (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)
> <172.31.0.166> SSH: ansible_password/ansible_ssh_pass not set: 
> (-o)(KbdInteractiveAuthentication=no)(-o)(PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey)(-o)(PasswordAuthentication=no)
> <172.31.0.166> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
> <172.31.0.166> SSH: PlayContext set ssh_common_args: ()
> <172.31.0.166> SSH: PlayContext set ssh_extra_args: ()
> <172.31.0.166> SSH: found only ControlPersist; added ControlPath: 
> (-o)(ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r)
> <172.31.0.166> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o 
> ControlPersist=60s -o KbdInteractiveAuthentication=no -o 
> PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey 
> -o PasswordAuthentication=no -o ConnectTimeout=10 -o 
> ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r xxx.xx.x.xxx 
> '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo 
> $HOME/.ansible/tmp/ansible-tmp-1476962695.95-263373308192487 `" && echo 
> ansible-tmp-1476962695.95-263373308192487="` echo 
> $HOME/.ansible/tmp/ansible-tmp-1476962695.95-263373308192487 `" ) && sleep 
> 0'"'"''
> xxx.xx.x.xxx | UNREACHABLE! => {
> "changed": false,
> "msg": "Failed to connect to the host via ssh.",
> "unreachable": true
> }
> ansible@servername:/home/ansible #
>
>
> If I telnet to the windows server it appears the port is open:
>
> ansibleservername:/home/ansible # telnet xxx.xx.x.xxx 5985
> Trying xxx.xx.x.xxx...
> Connected to xxx.xx.x.xxx.
> Escape character is '^]'.
>
>
> and if I verify that remoting is working on the windows server it appears 
> to be working locally:
>
> PS C:\Users\XX> $Credential = Get-Credential
>
> cmdlet Get-Credential at command pipeline position 1
> Supply values for the following parameters:
> Credential
> PS C:\Users\XX> $Session = New-PSSession -Credential $Credential 
> -ComputerName xxx.xx.x.xxx
> PS C:\Users\XX> Invoke-Command -Session $Session -ScriptBlock {gci e:\}
>
>
> Directory: E:\
>
>
> Mode         LastWriteTime          Length Name          PSComputerName
> ----         -------------          ------ ----          --------------
> d            10/19/2016   1:11 PM          Applications  xxx.xx.x.xxx
> da---        10/19/2016   1:06 PM          Logs          xxx.xx.x.xxx
> d            10/19/2016   1:11 PM          temp          xxx.xx.x.xxx
>
>
> PS C:\Users\XX>
>
>
> I also tried to 
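A pre-flight check for the two WinRM configurations quoted in the messages above (the Kerberos inventory line and the `group_vars/windows.yml` file), as an added example that is not part of the original posts or of Ansible itself. The function names and finding codes are hypothetical; the user, realm and password values are constructed placeholders.

```python
import ipaddress
import shlex

# Constructed input modelled on the two configurations quoted above
# (user, realm and password are placeholders).
INVENTORY_LINE = (
    "TVM-ALF2012R2 ansible_host=192.168.4.225 ansible_user=user@EXAMPLE.TEST "
    "ansible_password=PLACEHOLDER ansible_port=5985 ansible_connection=winrm "
    "ansible_winrm_transport=kerberos ansible_winrm_kerberos_delegation=yes"
)
GROUP_VARS = """\
ansible_user: user@EXAMPLE.TEST
ansible_password: PLACEHOLDER
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
"""

# Hypothetical finding codes used by this example.
FINDINGS = {
    "NOT_WINRM": "ansible_connection is not winrm here, so the default (SSH) is used",
    "KERBEROS_IP_TARGET": "Kerberos asks the KDC for a ticket by host name; "
                          "an IP address normally has no service principal",
    "TRANSPORT_NOT_EXPLICIT": "user is in user@REALM form but "
                              "ansible_winrm_transport is not set",
    "INLINE_PASSWORD": "ansible_password is stored in clear text",
    "CERT_VALIDATION_OFF": "server certificate validation is disabled",
    "HTTP_LISTENER": "HTTP listener (5985): the session is not wrapped in TLS",
}


def parse_inventory_line(line):
    """Split an INI inventory host line into (hostname, {var: value})."""
    name, *pairs = shlex.split(line)
    return name, dict(p.split("=", 1) for p in pairs if "=" in p)


def parse_flat_vars(text):
    """Parse flat 'key: value' lines, enough for a simple group_vars file."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            result[key.strip()] = value.strip().strip("'\"")
    return result


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_winrm(host, hostvars):
    """Return a sorted list of finding codes for one host's variables."""
    if hostvars.get("ansible_connection") != "winrm":
        return ["NOT_WINRM"]
    found = set()
    target = hostvars.get("ansible_host", host)
    transports = [t.strip() for t in
                  hostvars.get("ansible_winrm_transport", "").split(",") if t.strip()]
    if "kerberos" in transports and is_ip(target):
        found.add("KERBEROS_IP_TARGET")
    if "@" in hostvars.get("ansible_user", "") and not transports:
        found.add("TRANSPORT_NOT_EXPLICIT")
    password = hostvars.get("ansible_password")
    if password is not None and not password.startswith("!vault") and "{{" not in password:
        found.add("INLINE_PASSWORD")
    if hostvars.get("ansible_winrm_server_cert_validation") == "ignore":
        found.add("CERT_VALIDATION_OFF")
    if hostvars.get("ansible_port") == "5985" or hostvars.get("ansible_winrm_scheme") == "http":
        found.add("HTTP_LISTENER")
    return sorted(found)


def report(host, hostvars):
    return ["%s: %s: %s" % (host, code, FINDINGS[code])
            for code in audit_winrm(host, hostvars)]


if __name__ == "__main__":
    name, hostvars = parse_inventory_line(INVENTORY_LINE)
    lines = report(name, hostvars)
    lines += report("winTest", parse_flat_vars(GROUP_VARS))
    lines += report("winTest", {})  # host that never received the group vars
    print("\n".join(lines))
```

The last call models a host that is not a member of the group the variables were defined for, which is one way to end up with the SSH attempt shown in the log above.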

Re: [ansible-project] Re: Version (and other) problems with Ansible Azure Modules

2016-10-19 Thread Matt Davis
Everything 2.1.1+ should work with either rc5 or rc6 (TMK there were no 
breaking changes against our Azure footprint in rc6).

On Wednesday, October 19, 2016 at 8:08:23 AM UTC-7, Andrea Dixon wrote:
>
> Thanks! Uninstalling every azure-* package certainly helped me get one of 
> my environments working! That's now running 2.1-stable from source with 
> 2.0.0rc5.
> Is there a stable version of ansible that works with azure 2.0.0rc5?
>
> On Thursday, 1 September 2016 17:03:47 UTC+1, Matt Davis wrote:
>>
>> That's not us calling that, it's the Azure Python SDK calling itself, so 
>> something is internally out of sync (possibly stale .pyc files?). The way 
>> they package "azure" as an empty meta-package that depends on lots of other 
>> packages makes it really easy for things to get out of sync, especially 
>> with some older busted versions of pip that can mask dependency failures. 
>> I'd suggest pip uninstalling every azure-* package (uninstalling "azure" by 
>> itself is useless) and see if you can reinstall.
>>
>> On Tuesday, August 30, 2016 at 1:28:22 PM UTC-7, Andrea Dixon wrote:
>>>
>>> The issue is not on the constructor line though it's at line 146 of 
>>> ComputeManagementClient which is the Serializer (inside the constructor)
>>>
>>> On Tuesday, 30 August 2016 01:58:12 UTC+1, Matt Davis wrote:
>>>>
>>>> It doesn't look like your Azure SDK is at the correct version- the rc5 
>>>> version of ComputeManagementClient 
>>>> <https://github.com/Azure/azure-sdk-for-python/blob/master/azure-mgmt-compute/azure/mgmt/compute/compute_management_client.py#L66>
>>>>  
>>>> does indeed take two positional args, and the version you have installed 
>>>> clearly only takes one. 
>>>>
>>>> On Monday, August 29, 2016 at 7:24:57 AM UTC-7, Andrea Dixon wrote:
>>>>>
>>>>> Is azure 2.0.0rc5 + ansible stable-2.1 supposed to work now? I have 
>>>>> azure python sdk 2.0.0rc5 installed and I'm trying to run the azure_rm.py 
>>>>> inventory file that I plucked from the head of stable-2.1 but I get the 
>>>>> following error:
>>>>>
>>>>> [cafex@cfx-ansible stable-2.1]$ ./azure_rm.py --list
>>>>> Traceback (most recent call last):
>>>>>   File "./azure_rm.py", line 763, in 
>>>>> main()
>>>>>   File "./azure_rm.py", line 760, in main
>>>>> AzureInventory()
>>>>>   File "./azure_rm.py", line 369, in __init__
>>>>> self._compute_client = rm.compute_client
>>>>>   File "./azure_rm.py", line 353, in compute_client
>>>>> self._compute_client = ComputeManagementClient(self.azure_credentials, self.subscription_id)
>>>>>   File "/usr/lib/python2.7/site-packages/azure/mgmt/compute/compute_management_client.py", line 146, in __init__
>>>>> self._serialize = Serializer(client_models)
>>>>> TypeError: __init__() takes exactly 1 argument (2 given)
>>>>>
>>>>> I'm assuming this azure_rm.py just has a dependency on the azure sdk 
>>>>> and not my ansible install? As my ansible is not from stable-2.1.
>>>>>
>>>>> On Friday, 8 July 2016 20:06:08 UTC+1, Matt Davis wrote:
>>>>>>
>>>>>> I've cherry-picked everything back to 2.1 that's been fixed in devel, 
>>>>>> so it *should* all work on current stable-2.1 (slash 2.1.1 RC2). If 
>>>>>> there's 
>>>>>> stuff that still isn't working, please file issues so we can get it 
>>>>>> fixed.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> -Matt
>>>>>>
>>>>>> On Thursday, July 7, 2016 at 6:25:25 PM UTC-7, Steven Carter wrote:
>>>>>>>
>>>>>>> That worked!  I really appreciate it!  Should the other functions 
>>>>>>> work at this point or will that still take some time?
>>>>>>>
>>>>>>> Steven.
>>>>>>>
>>>>>>> On Thu, Jul 7, 2016 at 2:02 PM, Matt Davis  
>>>>

[ansible-project] Re: delegate_to and winrm is broken

2016-10-18 Thread Matt Davis
Where are you setting the connection types to winrm then?

On Tuesday, October 18, 2016 at 10:26:18 AM UTC-7, Stephen Bunn wrote:
>
> I'm not sure how.  Can you provide a complete working example? My 
> inventory file is pretty straightforward.  My inventory looks like this
>
> [box1]
> ip.address
>
> [box2]
> another.ip.address
>
> [alpha:children]
> ip.address
>
> [beta:children]
> another.ip.address
>
> [somewindowshosts]
> alpha
> beta
>
>



[ansible-project] Re: [Windows] Is there a way to install a single Windows Update by KB article ID?

2016-10-18 Thread Matt Davis
Thanks Jon- that's a great workaround!

On Tuesday, October 18, 2016 at 6:13:39 AM UTC-7, J Hawkesworth wrote:
>
> You can install hotfixes if necessary, although it's a bit of a faff.
>
> see https://support.microsoft.com/en-us/kb/27738398
>
> You have to use wusa with /extract to unpack the update file (which does 
> work over winrm) and then use dism.exe to install the cab.
>
> Example below.
>
> Hope this helps,
>
> Jon
>
> - name: check if Windows8.1-KB2999226-x64.msu hotfix has been applied
>   raw: Get-Hotfix -Id KB2999226
>   register: hotfix_status
>   ignore_errors: true
>
> - name: show hotfix status
>   debug:
>     var: hotfix_status
>
> # Unfortunately you can't use wusa directly to install windows updates.
> # see https://support.microsoft.com/en-us/kb/2773898 for details
> # you have to unpack the update file and then use dism.exe to install the cab
>
> - name: unpack the hotfix if needed
>   raw: 'wusa C:\deployment\current\Windows8.1-KB2999226-x64.msu /extract:C:\deployment\archive'
>   when: "hotfix_status.rc == 1"
>
> - name: use dism to install the cab containing the hotfix
>   raw: 'dism.exe /online /add-package /PackagePath:C:\deployment\archive\Windows8.1-KB2999226-x64.cab'
>   when: "hotfix_status.rc == 1"
>
>
>
> On Thursday, October 13, 2016 at 4:34:50 PM UTC+1, Matt Davis wrote:
>>
>> This functionality isn't currently implemented on win_updates. I've had a 
>> few people ask for it, and I might have time to implement it for 2.3, as 
>> it's not terribly difficult so long as we stick to "limit the update 
>> search/install to these KBs" and not "force install exactly these KBs". 
>>
>> Unfortunately I believe KB2842230 is a hotfix, and thus not available on 
>> Windows Update- we don't yet have a supported method to install hotfixes 
>> under WinRM. wusa.exe is the only supported method, and it fails under 
>> WinRM (likely for the same reason that makes the win_updates module so 
>> complex). If you have to touch the box anyway, you might do better to just 
>> upgrade to Powershell 4 or 5.
>>
>> -Matt
>>
>> On Wednesday, October 12, 2016 at 11:15:42 AM UTC-7, Brian Jackson wrote:
>>>
>>> I don't see this functionality in the `win_updates` module, but I wanted 
>>> to ask. I have a prerequisite on Windows 7 to install KB2999226 and 
>>> KB2842230. I'd prefer to not install every available update to preserve 
>>> consistency, portability, reproducibility, etc. Is there an easy way to do 
>>> this?
>>>
>>> P.S. I need those KBs so Ansible itself can install/upgrade Chocolatey 
>>> properly. I've installed them manually on a test box to verify they fix my 
>>> Ansible/Chocolatey issues.
>>>
>>



[ansible-project] Re: Error: "ImportError: No module named grp" when running playbook against windows

2016-10-14 Thread Matt Davis
Not sure why you're using ssh/Python to talk to Windows- you *might* be 
able to get it to work, but the native Windows management transport that 
Ansible supports is Powershell over WinRM. 

"shell" is still a module, so it requires that Ansible's basic.py module 
API and the shell module code itself are functional on the target machine 
(which is not tested, and clearly has issues). 

If you really want to use SSH to just run commands on Windows/cygwin, just 
do raw: (whatever command)- that won't subject you to any Python 
requirements on the Windows side. But if you're really going to use Ansible 
the way it was intended, light up WinRM and use the native Windows 
transport and modules that actually get tested.

On Friday, October 14, 2016 at 6:48:32 AM UTC-7, Sam Brelsfoard wrote:
>
> All I'm trying to do is run a shell command though. Am I approaching this 
> wrong?
> Here's my playbook:
>
> ---
> - hosts: samtestwin
>   gather_facts: false
>   tasks:
>     - name: get server.db from devopscoms
>       shell: mv devopscoms/server.db ~/server.db
>
>
>
> On Thursday, October 13, 2016 at 2:24:33 PM UTC-4, Matt Davis wrote:
>>
>> Running python modules on Windows isn't supported or tested (and in most 
>> cases just plain won't work)- would strongly suggest you find a win_ 
>> equivalent to whatever you're trying to do...
>>
>> On Thursday, October 13, 2016 at 11:17:53 AM UTC-7, Sam Brelsfoard wrote:
>>>
>>> I've seen a couple of other folks have this issue, but I've not found 
>>> any answers/solutions. 
>>>
>>> I have a playbook that runs fine from an ansible server (CentOS) to a 
>>> Mac OSX node, however, when I run the same playbook against a Windows node 
>>> I get an ImportError. Any thoughts?
>>> example:
>>>
>>> ansible-playbook playbooks/getserverdb.yml -vvv
>>> Using /etc/ansible/ansible.cfg as config file
>>> PLAYBOOK: getserverdb.yml 
>>> **
>>> 1 plays in playbooks/getserverdb.yml
>>> PLAY [samtestwin] 
>>> **
>>> TASK [get server.db from devopscoms] 
>>> ***
>>> task path: /etc/ansible/playbooks/getserverdb.yml:5
>>>  ESTABLISH SSH CONNECTION FOR USER: izodev
>>>  SSH: EXEC sshpass -d12 ssh -C -q -o ControlMaster=no -o 
>>> User=izodev -o ConnectTimeout=10 sbrelsfoard-pc '/bin/sh -c 
>>> '"'"'LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 
>>> C:/Python27/python.exe && sleep 0'"'"''
>>> An exception occurred during task execution. The full traceback is:
>>> Traceback (most recent call last):
>>>   File 
>>> "c:\cygwin64\home\izodev\ansible_qajniv\ansible_module_command.py", line 
>>> 247, in 
>>> from ansible.module_utils.basic import *
>>>   File 
>>> "c:\cygwin64\home\izodev\ansible_qajniv\ansible_modlib.zip\ansible\module_utils\basic.py",
>>>  
>>> line 52, in 
>>> ImportError: No module named grp
>>> fatal: [sbrelsfoard-pc]: FAILED! => {"changed": false, "failed": true, 
>>> "invocation": {"module_name": "command"}, "module_stderr": "Traceback (most 
>>> recent call last):\r\r\n  File 
>>> \"c:\\cygwin64\\home\\izodev\\ansible_qajniv\\ansible_module_command.py\", 
>>> line 247, in \r\r\nfrom ansible.module_utils.basic import 
>>> *\r\r\n  File 
>>> \"c:\\cygwin64\\home\\izodev\\ansible_qajniv\\ansible_modlib.zip\\ansible\\module_utils\\basic.py\",
>>>  
>>> line 52, in \r\r\nImportError: No module named grp\r\r\n", 
>>> "module_stdout": "", "msg": "MODULE FAILURE", "parsed": false}
>>> NO MORE HOSTS LEFT 
>>> *
>>> to retry, use: --limit @playbooks/getserverdb.retry
>>> PLAY RECAP 
>>> *
>>> sbrelsfoard-pc : ok=0    changed=0    unreachable=0    failed=1
>>>
>>>
>>>



[ansible-project] Re: delegate_to and winrm is broken

2016-10-13 Thread Matt Davis
I suspect you may have an inventory or command issue that's reassigning 
localhost's connection type to winrm (you're not adding -c winrm, are you?) 
- this sample works fine for me on both 2.1.1 and devel. The connection: 
local is not necessary, and works fine for me with either local_action or 
delegate_to: localhost. 

There are definitely some issues with cross-connection delegation with 
pseudo-connection-var rewriting when going the other way (delegating from 
Linux hosts to Windows), but this one looks like a busted inventory to me.


On Thursday, October 13, 2016 at 5:06:39 PM UTC-7, Stephen Bunn wrote:
>
> It seems that it is impossible to run a local task when talking to windows 
> hosts.  This is pretty much a show stopper for my current use case of 
> Ansible.
>
> ansible version:  ansible 2.1.1.0
>
> using any of the following, all result in the same error
>
> - name: deploy some stuff
>   hosts: somewindowshosts
>   gather_facts: True
>   serial: 1
>   pre_tasks:
>     - name: disable {{ inventory_hostname }} from LB
>       delegate_to: localhost
>       connection: local
>       command: /usr/bin/magic_lb_removal_script
>       #local_action: command foo
>       #delegate_to: 127.0.0.1
>   roles:
>     - { role: foo }
>     - { role: bar }
>  - { role: bar }
>
>
>  ESTABLISH WINRM CONNECTION FOR USER: Administrator on PORT 
> 5985 TO localhost
> fatal: [172.28.18.158]: UNREACHABLE! => {"changed": false, "msg": 
> "plaintext: HTTPConnectionPool(host='localhost', port=5985): Max retries 
> exceeded with url: /wsman (Caused by 
> NewConnectionError(' object at 0x21aa610>: Failed to establish a new connection: [Errno 111] 
> Connection refused',))", "unreachable": true}
>
>



[ansible-project] Re: win_copy failing (timeout)

2016-10-13 Thread Matt Davis
Yeah, I never found a packaged Mac python that did the right thing. 
Recompiling Python against a compiled-by-me latest OpenSSL was the only way 
I got the issue to go away (I had also tweaked the default cipher list to 
"best practices" using IISCrypto, but that alone won't fix it with the 
Apple-supplied Xcode python). 

I added some diagnostic stuff to urllib3 to dump the actual cipher/proto 
that were negotiated to see if I could narrow it down to specific combos of 
working/failing between the different versions, but at least from my 
initial research, it didn't seem to matter (though it wasn't exactly what 
you'd call scientific or exhaustive).

This one is hairy- I wish there were something more we could do with it, 
but I'm not sure what that would be.

On Thursday, October 13, 2016 at 3:20:37 PM UTC-7, Peter Rebholz wrote:
>
> Thanks for the info, Matt.
>
> I've tried a number of versions of OpenSSL without any luck:
>
> macOS El Capitan (where I originally had this problem) has Python 2.7.10 
> with OpenSSL 0.9.8zh
> FreeBSD 11.0-RELEASE has Python 2.7.12 with OpenSSL 1.0.2j
> FreeBSD 11.0-RELEASE with manual build of Python 2.7 (latest) with manual 
> build of OpenSSL 1.1.0b
>
> Peter
>
> On Thursday, October 13, 2016 at 12:53:02 PM UTC-5, Matt Davis wrote:
>>
>> Every case I've seen of this issue has come down to a problem deep in an 
>> SSL/TLS implementation that causes the tunnel to get wedged. I've not dug 
>> in far enough with the packet sniffer/TLS debugging to be sure which side 
>> is the problem (Windows SChannel or OpenSSL), but on the machines I've seen 
>> it on, it's 100% reproducible. There's not really anything we can do about 
>> it at the Ansible level, as it's many dependencies away from us 
>> (Ansible->pywinrm->requests->urllib3->pyopenssl->OpenSSL). 
>>
>> The only way I've been able to correct the problem on machines I've seen 
>> it on is by recompiling Python against a newer OpenSSL build. Switching up 
>> allowed ciphers on the Windows or OpenSSL side generally seems to just move 
>> the problem around (ie, it fails in a different place but still quite 
>> predictably). Switching to HTTP instead of HTTPS also makes the problem go 
>> away, but, well, don't do that. Hoping to get some of the message-level 
>> HTTP encryption stuff going in pywinrm soon (at least for Kerberos, and 
>> jborean93 has done it for CredSSP), which could be another way to make this 
>> go away in the future.
>>
>> -Matt
>>
>>
>> On Thursday, October 13, 2016 at 8:10:34 AM UTC-7, Peter Rebholz wrote:
>>>
>>> I'm also running into this issue and spent some time troubleshooting. In 
>>> my case, the host I'm pushing the file to is on a separate network without 
>>> incoming access to where we host the files, thus the proposed workaround of 
>>> using `get_url` does not work.
>>>
>>> In my troubleshooting, I've found out the following details:
>>>
>>> 1. The timeout used by `pywinrm` is not relevant because the files are 
>>> transferred via many small requests. You can play with this setting by 
>>> defining the vars: `ansible_winrm_read_timeout_sec` and 
>>> `ansible_winrm_operation_timeout_sec`. While the timeout was reflected in 
>>> the error message, it had no effect.
>>> 2. The temp file created by the `win_copy` always tops out at the same 
>>> size: 110,840 KB
>>> 3. The `winrm` connector uses 250,000 byte chunks to transfer the file. 
>>> If you change the `buffer_size` parameter in 
>>> `ansible/plugins/connection/winrm.py` to something larger, then the temp 
>>> file on the windows side will be larger than the 110,840 KB mentioned 
>>> previously
>>> 4. If you bump that `buffer_size` up enough, you can successfully 
>>> transfer the whole file.
>>> 5. By running the following command, I've always received the result 
>>> "457" when the process fails, regardless of `buffer_size`. This seems to 
>>> indicate that there is some bound that is being exceeded but I have not 
>>> been able to figure out if it's a problem with ansible code or the WinRM 
>>> service configuration on the server.
>>>
>>> ansible-playbook -v -l windows -i inventory playbook.yml | grep 
>>> "WINRM PUT" | wc -l
>>>
>>> That's as far as I've gone... Hopefully someone more familiar with the 
>>> WinRM connector may have some ideas...
>>>
>>> Peter
>>>
>>&
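The thread above turns on which OpenSSL build Python is linked against. The following added example (not from the original posts, with hypothetical function names) reports the OpenSSL library the running interpreter actually uses, which can differ from the `openssl` binary on the PATH, and checks the three versions named in the thread against the first OpenSSL release able to negotiate TLS 1.2.

```python
import re
import ssl

# TLS 1.2 first shipped in OpenSSL 1.0.1; older builds cannot negotiate it.
TLS12_MIN = (1, 0, 1)

# OpenSSL versions named in the thread above.
THREAD_VERSIONS = ["0.9.8zh", "1.0.2j", "1.1.0b"]


def parse_openssl_version(text):
    """Return (major, minor, fix) from '1.0.2j' or 'OpenSSL 1.0.2j  26 Sep 2016'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in match.groups())


def supports_tls12(version_text):
    """True if an OpenSSL build with this version can negotiate TLS 1.2."""
    return parse_openssl_version(version_text) >= TLS12_MIN


def local_tls_report():
    """Describe the TLS library this interpreter is linked against.

    Other libraries (for example LibreSSL) use their own version numbering,
    so the version comparison is only meaningful for OpenSSL itself.
    """
    ctx = ssl.create_default_context()
    by_protocol = {}
    for cipher in ctx.get_ciphers():
        by_protocol.setdefault(cipher["protocol"], []).append(cipher["name"])
    return {
        "linked_openssl": ssl.OPENSSL_VERSION,
        "tls12_capable": ssl.HAS_TLSv1_2 and supports_tls12(ssl.OPENSSL_VERSION),
        "tls13_capable": ssl.HAS_TLSv1_3,
        "ciphers_by_protocol": by_protocol,
    }


if __name__ == "__main__":
    for version in THREAD_VERSIONS:
        print("OpenSSL %-8s TLS 1.2 capable: %s" % (version, supports_tls12(version)))
    info = local_tls_report()
    print("this interpreter:", info["linked_openssl"])
    for protocol, names in sorted(info["ciphers_by_protocol"].items()):
        print("  %s: %d cipher suites offered by default" % (protocol, len(names)))
```

Run it with the same interpreter that runs Ansible on the control node, since that is the build pywinrm and requests will use.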

[ansible-project] Re: Error: "ImportError: No module named grp" when running playbook against windows

2016-10-13 Thread Matt Davis
Running python modules on Windows isn't supported or tested (and in most 
cases just plain won't work)- would strongly suggest you find a win_ 
equivalent to whatever you're trying to do...

On Thursday, October 13, 2016 at 11:17:53 AM UTC-7, Sam Brelsfoard wrote:
>
> I've seen a couple of other folks have this issue, but I've not found any 
> answers/solutions. 
>
> I have a playbook that runs fine from an ansible server (CentOS) to a Mac 
> OSX node, however, when I run the same playbook against a Windows node I 
> get an ImportError. Any thoughts?
> example:
>
> ansible-playbook playbooks/getserverdb.yml -vvv
> Using /etc/ansible/ansible.cfg as config file
> PLAYBOOK: getserverdb.yml 
> **
> 1 plays in playbooks/getserverdb.yml
> PLAY [samtestwin] 
> **
> TASK [get server.db from devopscoms] 
> ***
> task path: /etc/ansible/playbooks/getserverdb.yml:5
>  ESTABLISH SSH CONNECTION FOR USER: izodev
>  SSH: EXEC sshpass -d12 ssh -C -q -o ControlMaster=no -o 
> User=izodev -o ConnectTimeout=10 sbrelsfoard-pc '/bin/sh -c 
> '"'"'LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 
> C:/Python27/python.exe && sleep 0'"'"''
> An exception occurred during task execution. The full traceback is:
> Traceback (most recent call last):
>   File "c:\cygwin64\home\izodev\ansible_qajniv\ansible_module_command.py", 
> line 247, in 
> from ansible.module_utils.basic import *
>   File 
> "c:\cygwin64\home\izodev\ansible_qajniv\ansible_modlib.zip\ansible\module_utils\basic.py",
>  
> line 52, in 
> ImportError: No module named grp
> fatal: [sbrelsfoard-pc]: FAILED! => {"changed": false, "failed": true, 
> "invocation": {"module_name": "command"}, "module_stderr": "Traceback (most 
> recent call last):\r\r\n  File 
> \"c:\\cygwin64\\home\\izodev\\ansible_qajniv\\ansible_module_command.py\", 
> line 247, in \r\r\nfrom ansible.module_utils.basic import 
> *\r\r\n  File 
> \"c:\\cygwin64\\home\\izodev\\ansible_qajniv\\ansible_modlib.zip\\ansible\\module_utils\\basic.py\",
>  
> line 52, in \r\r\nImportError: No module named grp\r\r\n", 
> "module_stdout": "", "msg": "MODULE FAILURE", "parsed": false}
> NO MORE HOSTS LEFT 
> *
> to retry, use: --limit @playbooks/getserverdb.retry
> PLAY RECAP 
> *
> sbrelsfoard-pc : ok=0    changed=0    unreachable=0    failed=1
>
>
>



[ansible-project] Re: win_copy failing (timeout)

2016-10-13 Thread Matt Davis
Every case I've seen of this issue has come down to a problem deep in an 
SSL/TLS implementation that causes the tunnel to get wedged. I've not dug 
in far enough with the packet sniffer/TLS debugging to be sure which side 
is the problem (Windows SChannel or OpenSSL), but on the machines I've seen 
it on, it's 100% reproducible. There's not really anything we can do about 
it at the Ansible level, as it's many dependencies away from us 
(Ansible->pywinrm->requests->urllib3->pyopenssl->OpenSSL). 

The only way I've been able to correct the problem on machines I've seen it 
on is by recompiling Python against a newer OpenSSL build. Switching up 
allowed ciphers on the Windows or OpenSSL side generally seems to just move 
the problem around (ie, it fails in a different place but still quite 
predictably). Switching to HTTP instead of HTTPS also makes the problem go 
away, but, well, don't do that. Hoping to get some of the message-level 
HTTP encryption stuff going in pywinrm soon (at least for Kerberos, and 
jborean93 has done it for CredSSP), which could be another way to make this 
go away in the future.

-Matt


On Thursday, October 13, 2016 at 8:10:34 AM UTC-7, Peter Rebholz wrote:
>
> I'm also running into this issue and spent some time troubleshooting. In 
> my case, the host I'm pushing the file to is on a separate network without 
> incoming access to where we host the files, thus the proposed workaround of 
> using `get_url` does not work.
>
> In my troubleshooting, I've found out the following details:
>
> 1. The timeout used by `pywinrm` is not relevant because the files are 
> transferred via many small requests. You can play with this setting by 
> defining the vars: `ansible_winrm_read_timeout_sec` and 
> `ansible_winrm_operation_timeout_sec`. While the timeout was reflected in 
> the error message, it had no effect.
> 2. The temp file created by the `win_copy` always tops out at the same 
> size: 110,840 KB
> 3. The `winrm` connector uses 250,000 byte chunks to transfer the file. If 
> you change the `buffer_size` parameter in 
> `ansible/plugins/connection/winrm.py` to something larger, then the temp 
> file on the windows side will be larger than the 110,840 KB mentioned 
> previously
> 4. If you bump that `buffer_size` up enough, you can successfully transfer 
> the whole file.
> 5. By running the following command, I've always received the result "457" 
> when the process fails, regardless of `buffer_size`. This seems to indicate 
> that there is some bound that is being exceeded but I have not been able to 
> figure out if it's a problem with ansible code or the WinRM service 
> configuration on the server.
>
> ansible-playbook -v -l windows -i inventory playbook.yml | grep 
> "WINRM PUT" | wc -l
>
> That's as far as I've gone... Hopefully someone more familiar with the 
> WinRM connector may have some ideas...
>
> Peter
>
> On Wednesday, August 31, 2016 at 9:21:36 AM UTC-5, Justin Dugan wrote:
>>
>> I am using this in the playbook:
>>
>> - name: copy {{eap_dir}}.0.zip
>>   win_copy: src="{{eap_dir}}.0.zip" dest="c:/temp/{{eap_dir}}.0.zip"
>>
>>
>> And it's failing with:
>>
>> TASK [win_JBoss : copy jboss-eap-6.4.0.zip] 
>> 
>>  [WARNING]: FATAL ERROR DURING FILE TRANSFER: Traceback (most recent call 
>> last):   File
>> "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", 
>> line 204, in _winrm_exec
>> self._winrm_send_input(self.protocol, self.shell_id, command_id, data, 
>> eof=is_last)   File
>> "/usr/lib/python2.7/site-packages/ansible/plugins/connection/winrm.py", 
>> line 185, in
>> _winrm_send_input rs = protocol.send_message(xmltodict.unparse(rq))   
>> File "/usr/lib/python2.7
>> /site-packages/winrm/protocol.py", line 207, in send_message return
>> self.transport.send_message(message)   File 
>> "/usr/lib/python2.7/site-packages/winrm/transport.py",
>> line 173, in send_message response = 
>> self.session.send(prepared_request,
>> timeout=self.read_timeout_sec)   File 
>> "/usr/lib/python2.7/site-packages/requests/sessions.py", line
>> 596, in send r = adapter.send(request, **kwargs)   File 
>> "/usr/lib/python2.7/site-
>> packages/requests/adapters.py", line 499, in send raise 
>> ReadTimeout(e, request=request)
>> ReadTimeout: HTTPSConnectionPool(host='host', port=5986): Read timed
>> out. (read timeout=30)
>>
>> fatal: [jcinstalltest]: FAILED! => {"failed": true, "msg": "winrm 
>> send_input failed"}
>>
>> Is there any way to adjust the timeout? This file is ~200Mb. I also have 
>> a patch to copy which is ~400Mb so 30 seconds is probably too short.
>>
>> Thanks,
>>
>> Justin
>>
>


[ansible-project] Re: java.lang.OutOfMemoryError: Metaspace error installing Atlassian JIRA using Ansible

2016-10-13 Thread Matt Davis
WinRM enforces a job memory quota (documented here) that 
you'll probably need to adjust upward for a heavyweight installer like 
Jira. Also, if you're running Powershell 3.0, there's a hotfix that fixes 
that setting on some OSs, though I'd recommend just upgrading to PS4 or 5 
instead of messing with the hotfix.

-Matt

On Thursday, October 13, 2016 at 8:10:44 AM UTC-7, Jim Reprogle wrote:
>
> Greetings. I realize that much of this is going to sound crazy and a 
> little noob-ish, but...
> I'm playing with Ansible for the first time, and I'm trying to automate 
> the installation of a JIRA server (on Windows, mind you). I went through 
> all the rigmarole of enabling WinRM with a self-signed certificate, and 
> Ansible is now communicating with hosts in the inventory.
>
> The JIRA installer uses an install4j executable with a response.varfile 
> for unattended installations. So I built a quick and dirty jira.yaml file 
> that runs the JIRA installer with arguments "-q -varfile response.varfile" 
> using the 'raw' module. I have successfully gotten it to download the JIRA 
> installer from Atlassian using the win_get_url module. I have successfully 
> gotten Ansible to copy the response.varfile to the destination server. 
> However, when I call the 'raw' module to run the install I get 
> java.lang.OutOfMemoryError: Metaspace and the installer quits. Any ideas? 
> Running the installer from the command line with the same arguments works 
> without the out of memory errors.
>
> Thank you in advance.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/53699cdd-b7e9-4540-8fd0-b7d94f778d18%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ansible-project] Re: Ansible unable to ping to windows host error Failed command was: PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand

2016-10-13 Thread Matt Davis
Usually when I've seen that error, it's because Powershell is not on the 
system path (ie, C:\Windows\System32\WindowsPowerShell\v1.0). Unfortunately 
the error message comes from a much higher level (a failure creating the 
tempdir), so the error message isn't specific to failures that might occur 
on Windows (hence the somewhat misleading text). 

On Thursday, October 13, 2016 at 8:10:33 AM UTC-7, arnabs...@gmail.com 
wrote:
>
>
> Hi
>
> When I run this ansible command "ansible windows -m win_ping" I am 
> getting the below error, please can anyone help to fix this issue
>
> 10.51.239.192 | UNREACHABLE! => {
> "changed": false,
> "msg": "Authentication or permission failure. In some cases, you may 
> have been able to authenticate and did not have permissions on the remote 
> directory. Consider changing the remote temp path in ansible.cfg to a path 
> rooted in \"/tmp\". Failed command was: PowerShell -NoProfile 
> -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
> UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgAoAE4AZQB3AC0ASQB0AGUAbQAgAC0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAE4AYQBtAGUAIAAiAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADYAMwA2ADYANgAwADEALgA1ADgALQAyADAANwA1ADgANgA1ADMANAA4ADQANgA3ADEAMgAiACkALgBGAHUAbABsAE4AYQBtAGUAIAB8ACAAVwByAGkAdABlAC0ASABvAHMAdAAgAC0AUwBlAHAAYQByAGEAdABvAHIAIAAnACcAOwA=,
>  
> exited with result 1",
> "unreachable": true
> }
>
> I am trying to connect to windows (windows 2012 R2) host ip  10.51.239.192
>
> I have created a windows.yml under /etc/ansible/group_vars, below is 
> the content of the yml file, in my inventory file I have added the ip of 
> this windows host 10.51.239.192
>
> ansible_user: Administrator
> ansible_password: P@ssw0rd
> ansible_port: 5986
> ansible_connection: winrm
> # The following is necessary for Python 2.7.9+ when using default WinRM 
> self-signed certificates:
> ansible_winrm_server_cert_validation: ignore
> #ansible_winrm_transport: ssl
>
> using this same setting I am able to ping to another windows machine which 
> is also windows server 2012
>
> Thanks
> Arnab Chowdhury
>


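The error quoted in the message above carries the failing command only as a Base64 -EncodedCommand payload, and the reply says the real failure is in what that command does (creating the temp directory). The following is an added example, not part of the original thread or of Ansible's code: it pulls such payloads out of error text or verbose logs and decodes them (PowerShell expects Base64 over UTF-16LE text). The function names are hypothetical and the sample log lines are constructed.

```python
"""Decode PowerShell -EncodedCommand payloads found in Ansible WinRM output.

Added example. The log lines are constructed to mirror three shapes seen in
this thread: a mail-quoted error message, the u'...' list printed by verbose
mode, and a payload that was cut short.
"""
import base64
import re

# Payload may be bare (error text) or wrapped in '...' / u'...' (list form).
_ENCODED = re.compile(
    r"-EncodedCommand['\"]?[\s,]+(?:u?['\"])?([A-Za-z0-9+/]+={0,2})",
    re.IGNORECASE,
)

# Constructed sample scripts (the temp-dir name is a placeholder).
SAMPLE_SCRIPT = (
    "Set-StrictMode -Version Latest\n"
    '(New-Item -Type Directory -Path $env:temp -Name "ansible-tmp-EXAMPLE")'
    ".FullName | Write-Host -Separator '';"
)
SAMPLE_CLEANUP = 'Remove-Item "C:\\Temp\\ansible-tmp-EXAMPLE" -Force -Recurse;'


def encode_command(script):
    """What PowerShell expects: Base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def strip_quote_markers(text):
    """Drop leading '>' reply markers so wrapped mail text parses like a log."""
    return re.sub(r"(?m)^[>\s]+", "", text)


def decode_token(token):
    """Return (script, truncated); a cut-off token is decoded as far as it goes."""
    truncated = len(token) % 4 != 0
    if truncated:
        token = token[: len(token) - len(token) % 4]
    raw = base64.b64decode(token, validate=True)
    if len(raw) % 2:  # UTF-16LE needs whole 2-byte code units
        raw, truncated = raw[:-1], True
    return raw.decode("utf-16-le", errors="replace"), truncated


def find_encoded_commands(text):
    """Return a list of (script, truncated) for every payload found in text."""
    results = []
    for match in _ENCODED.finditer(strip_quote_markers(text)):
        try:
            results.append(decode_token(match.group(1)))
        except ValueError:
            continue  # token was not valid Base64 after all
    return results


def build_sample_log():
    """Constructed input covering the three shapes described above."""
    token = encode_command(SAMPLE_SCRIPT)
    cleanup = encode_command(SAMPLE_CLEANUP)
    return "\n".join([
        '> "msg": "Authentication or permission failure. Failed command was:',
        "> PowerShell -NoProfile -NonInteractive -EncodedCommand",
        "> " + token + ",",
        '> exited with result 1",',
        "WINRM EXEC u'PowerShell' [u'-NoProfile', u'-EncodedCommand', u'"
        + cleanup + "']",
        "WINRM EXEC 'PowerShell' ['-EncodedCommand', '" + token[:42],
    ])


if __name__ == "__main__":
    for script, truncated in find_encoded_commands(build_sample_log()):
        print("--- decoded%s ---" % (" (truncated)" if truncated else ""))
        print(script)
```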

[ansible-project] Re: [Windows] Is there a way to install a single Windows Update by KB article ID?

2016-10-13 Thread Matt Davis
This functionality isn't currently implemented on win_updates. I've had a 
few people ask for it, and I might have time to implement it for 2.3, as 
it's not terribly difficult so long as we stick to "limit the update 
search/install to these KBs" and not "force install exactly these KBs". 

Unfortunately I believe KB2842230 is a hotfix, and thus not available on 
Windows Update- we don't yet have a supported method to install hotfixes 
under WinRM. wusa.exe is the only supported method, and it fails under 
WinRM (likely for the same reason that makes the win_updates module so 
complex). If you have to touch the box anyway, you might do better to just 
upgrade to Powershell 4 or 5.

-Matt

On Wednesday, October 12, 2016 at 11:15:42 AM UTC-7, Brian Jackson wrote:
>
> I don't see this functionality in the `win_updates` module, but I wanted 
> to ask. I have a prerequisite on Windows 7 to install KB2999226 and 
> KB2842230. I'd prefer to not install every available update to preserve 
> consistency, portability, reproducibility, etc. Is there an easy way to do 
> this?
>
> P.S. I need those KBs so Ansible itself can install/upgrade Chocolatey 
> properly. I've installed them manually on a test box to verify they fix my 
> Ansible/Chocolatey issues.
>



[ansible-project] Re: Ansible with winrm to WindowsServer 2008 with Exchange 2010 (Command Powershell)

2016-10-10 Thread Matt Davis
Any of them can work- the key is making sure that kerberos delegation is 
working correctly. I'd suggest using something simple like "win_shell: 
Get-ChildItem \\someserver\share" to smoke-test that delegation is working. 
 

You probably don't want win_command (which just launches a process, so 
you'd be running Powershell and pointing it at a script yourself). Any of 
the other three should be fine and assume Powershell by default- script 
will expect to push a script over from the controller and exec it, while 
raw/win_shell will execute whatever you use just as if you'd typed it in 
Powershell. Raw runs with less overhead (since it's basically just running 
a Powershell command remotely without pushing any code to the target), but 
win_shell supports the creates/removes args and switchable executables (and 
may support other goodies down the line where raw never will).


On Monday, October 10, 2016 at 10:27:40 AM UTC-7, Christian Sarazin wrote:
>
> I'm already at the point where i nearly know what to do. The question is, 
> how should i do this.
>
> I think there is a mistake by me inside my "powershell" script to run...i 
> would like to know, what exactly win_command and win_shell makes the 
> difference, or raw...or script...
>



[ansible-project] Re: Ansible with winrm to WindowsServer 2008 with Exchange 2010 (Command Powershell)

2016-10-10 Thread Matt Davis
The underlying issue you're probably hitting is that Microsoft doesn't 
really support using Exchange cmdlets outside a PSRP session. I did some 
prototyping recently against building/managing Exchange 2016 with Ansible, 
and got it working. What you have to do is inject a PS-native PSRP session 
in the middle (which is why you need to have Kerberos delegation turned on 
via ansible_winrm_kerberos_delegation=true). You'll have to use kerberos 
delegation + Invoke-Command via raw or win_shell, eg: 

win_shell: Invoke-Command -ConnectionUri $cu -Authentication Kerberos 
-ConfigurationName Microsoft.Exchange -ScriptBlock { Get-ExchangeServer }

Ansible/pywinrm aren't currently PSRP-based, just straight WinRM/WinRS 
(analogous to running stuff via winrs.exe). 

-Matt

On Monday, October 10, 2016 at 7:52:12 AM UTC-7, Christian Sarazin wrote:
>
> Hi Guys,
>
> i'm getting crazy about this setup. 
>
> Maybe you got an idea.
>
> I'm connecting to our Exchange/Windows servers by winrm with the domain 
> admin user. This is working.
>
> Running a role with the task
>
> - name: Testname
>   win_command: ipconfig /all
>
> this is also working.
>
> But i need to use winrm to execute a command (cmdlet) inside the Exchange 
> Management Shell...
>
> So i tried to upload a script.ps1 to my %HOMEPATH% for the domain admin 
> and tried to run this script there - not working, script is not found for 
> example when i'm using full paths like c:\users\administrator.DOMAIN
>
> So i switched back to simple names without any paths and then i got 
> everything under my current domain admin users folder 
> c:\users\administrator.DOMAIN\ …ok.
>
> I uploaded a powershell script like
>
> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -
> NonInteractive -command ". 'C:\Program Files\Microsoft\Exchange 
> Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; 
> Get-Mailbox"
>
>
> This is what's inside the role/tasks/main.yml
>
> - win_file: path=ansible state=directory
>
> - win_copy: src=script.ps1 dest=script.ps1 force=yes
>
> - name: Get information about a user
>   script: script.ps1
>   register: output
>
> - debug: msg={{output}}
>
>
>
> When running the task above i get 
>
> ok: [my_windows_host] => {
> "msg": {
> "changed": true, 
> "rc": 0, 
> "stderr": "TryLoadExchangeTypes : Exception calling 
> \"TryLoadExchangeTypes\" with \"2\" argument(s): \"Exception of type 
> 'System.OutOfM\r\nemoryException' was thrown.\"\r\nAt C:\\Program 
> Files\\Microsoft\\Exchange Server\\V14\\bin\\RemoteExchange.ps1:75 
> char:92\r\n+ $typeLoadResult = 
> [Microsoft.Exchange.Configuration.Tasks.TaskHelper]::TryLoadExchangeTypes 
>  ($ManagementPath, $t\r\nypeListToCheck)\r\n+ CategoryInfo 
>  : NotSpecified: (:) [], MethodInvocationException\r\n+ 
> FullyQualifiedErrorId : DotNetMethodException\r\n 
> \r\nRegisterAssemblyResolver : Exception calling 
> \"RegisterAssemblyResolver\" with \"0\" argument(s): \"The type initializer 
> for\r\n 'Microsoft.Exchange.Data.SerializationTypeConverter' threw an 
> exception.\"\r\nAt C:\\Program Files\\Microsoft\\Exchange 
> Server\\V14\\bin\\RemoteExchange.ps1:87 char:79\r\n+ 
> [Microsoft.Exchange.Data.SerializationTypeConverter]::RegisterAssemblyResolver
>  
>  ()\r\n+ CategoryInfo  : NotSpecified: (:) [], 
> MethodInvocationException\r\n+ FullyQualifiedErrorId : 
> DotNetMethodException\r\n \r\nUpdate-TypeData : \r\nAt C:\\Program 
> Files\\Microsoft\\Exchange Server\\V14\\bin\\RemoteExchange.ps1:104 
> char:16\r\n+ Update-TypeData   -PrependPath $partialTypeFile \r\n+ 
> CategoryInfo  : InvalidOperation: (:) [Update-TypeData], 
> RuntimeException\r\n+ FullyQualifiedErrorId : 
> TypesXmlUpdateException,Microsoft.PowerShell.Commands.UpdateTypeDataCommand\r\n
>  
> \r\nwrite-host : \r\nAt C:\\Program Files\\Microsoft\\Exchange 
> Server\\V14\\bin\\RemoteExchange.ps1:170 char:16\r\n+ write-host -no 
>   $RemoteExchange_LocalizedStrings.res_full_list\r\n+ CategoryInfo 
>  : WriteError: (:) [Write-Host], ParameterBindingException\r\n+ 
> FullyQualifiedErrorId : 
> ParameterBindingFailed,Microsoft.PowerShell.Commands.WriteHostCommand\r\n 
> \r\nwrite-host : \r\nAt C:\\Program Files\\Microsoft\\Exchange 
> Server\\V14\\bin\\RemoteExchange.ps1:171 char:16\r\n+ write-host -no 
>   \" \"\r\n+ CategoryInfo  : WriteError: (:) [Write-Host], 
> ParameterBindingException\r\n+ FullyQualifiedErrorId : 
> ParameterBindingFailed,Microsoft.PowerShell.Commands.WriteHostCommand\r\n 
> \r\nwrite-host : \r\nAt C:\\Program Files\\Microsoft\\Exchange 
> Server\\V14\\bin\\RemoteExchange.ps1:174 char:16\r\n+ write-host -no 
>   $RemoteExchange_LocalizedStrings.res_only_exchange_cmdlets\r\n+ 
> CategoryInfo  : WriteError: (:) [Write-Host], 
> ParameterBindingException\r\n+ FullyQualifiedErrorId : 
> ParameterBindingFailed,Microsoft.PowerShell.

[ansible-project] Re: Output on Windows shows carriage return and new line feed

2016-10-07 Thread Matt Davis
There are numerous places where output is displayed- can you be more 
specific? The only place I'm aware of that attempts to "prettify" output 
like that is the "ansible" ad-hoc runner, and it works fine for me:

(ansiblev2) mdavis-mac:win-domain mdavis$ ansible winclient-basic -i hosts 
-m raw -a "Get-ChildItem c:\ "
winclient-basic | SUCCESS | rc=0 >>


    Directory: C:\


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----          9/9/2015   4:01 PM            inetpub
d----          1/4/2016   4:04 PM            my
d----         8/30/2016  10:32 AM            new
d----         8/30/2016  10:32 AM            new2
d----         10/7/2015   1:15 PM            newpath
d----         8/22/2013   8:52 AM            PerfLogs
d-r--         9/22/2016   3:48 PM            Program Files
d----          9/2/2016   5:50 PM            Program Files (x86)
d----          7/5/2016   5:17 PM            Python26
d----          9/5/2016   9:09 PM            temp
d----         5/12/2016   3:18 PM            tools
d-r--         9/23/2016   2:04 PM            Users
d----         10/6/2016   1:14 PM            vagrant
d----         8/22/2016   4:10 PM            Windows
d----         5/16/2016  10:07 PM            こんにちは
-a---          8/8/2016  10:08 AM  104857600 bigfile.txt
-a---         10/6/2016   1:44 PM         50 bla.inf
-a---          9/9/2016   4:40 PM        824 out.txt
-a---          9/2/2016   5:50 PM     233320 pslog.txt
-a---          9/2/2016   5:50 PM       1992 wrapperlog.txt



On Thursday, October 6, 2016 at 12:48:45 PM UTC-7, Cory Coager wrote:
>
> When looking at the output from a Windows host, all of the lines are 
> appended together onto one line. You can see a "\r\n" instead of a new 
> line. Is there an option to fix this for the output so they display as new 
> lines correctly?
>



[ansible-project] Re: Azure China Cloud

2016-10-06 Thread Matt Davis
There isn't currently a way to override the built-in Python SDK endpoints 
from the Ansible azure_rm_* modules to use the China Cloud ones. I see 
where it could be done via the Python SDK, so we could add that support in 
azure_rm_common. I've created a feature idea for 
it: https://github.com/ansible/ansible/issues/17925 - no guarantees on when 
it might be implemented...

On Thursday, October 6, 2016 at 10:05:03 AM UTC-7, Maciek Dolny wrote:
>
> Hi there,
>
> I cannot connect Ansible to AzureChinaCloud, is there any manual or can 
> someone help me with that issue ?
>
> I know that authentication site, servers are different than the other 
> Azure instances.
>
> For normal user https://portal.azure.com
> For china cloud https://portal.azure.cn 
>
> Accounts are separate too.
>
> Is there way to connect to China Cloud or where can i find option like -e 
> parameter from azure-cli (azure login -e AzureChinaCloud)
>
> Thanks 
>



[ansible-project] Re: Connecting to Windows host fails

2016-09-29 Thread Matt Davis
You've got an old version of requests that's probably owned by an OS 
package (IIRC Ubuntu 14.04 has this issue out of the box). pip won't 
uninstall OS-owned packages, even though pywinrm declares it requires it.

You can usually fix this with:

pip install "requests>=2.10.0"


On Thursday, September 29, 2016 at 9:41:57 AM UTC-7, JayB wrote:
>
> Hi Guys,
>
> I'm new to Ansible. I'm trying to connect to ansible windows host. I have 
> configured for windows by following the link (
> http://darrylcauldwell.com/how-to-setup-an-ansible-test-lab-for-windows-managed-nodes-custom-windows-modules/).
>  
> Now, I'm not able to ping the windows server and getting the below error.
>
> # ansible windows -i hosts -m win_ping
> 10.20.10.179 | FAILED! => {
> "failed": true,
> "msg": "ssl: 'Session' object has no attribute 
> 'merge_environment_settings'"
>
> My intention to copy a file from my Ubuntu Ansible Controller machine and 
> run the file on Windows host. Can anyone suggest me on this?
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/4b8974d1-dad0-42b6-8b2f-25688c928ee5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ansible-project] Re: unable to install exchange 2016 using ansible

2016-09-22 Thread Matt Davis
There's actually a bug in pywinrm for older Pythons (eg, the one in RHEL7) 
that is triggered by enabling kerberos delegation. It's fixed in pywinrm 
0.2.1.

On Saturday, September 17, 2016 at 6:50:01 AM UTC-7, Chandra Pandey wrote:
>
>
> I am getting below message after enable delegation , also pasting my , 
> playbook ansible settings ... if you can review with yours? 
>
>
> 
> [root@dev-testser-lx01 playbooks]# vi /etc/ansible/hosts
> [root@dev-testser-lx01 playbooks]# ansible-playbook win_exchange.yml -
> Using /etc/ansible/ansible.cfg as config file
> Loaded callback default of type stdout, v2.0
>
> PLAYBOOK: win_exchange.yml 
> *
> 1 plays in win_exchange.yml
>
> PLAY [install] 
> *
>
> TASK [install exchange] 
> 
> task path: /etc/ansible/playbooks/win_exchange.yml:19
>  ESTABLISH WINRM CONNECTION FOR USER: 
> Chandra pan...@ads.xyz.com on PORT 5986 TO dev-ansiblewn01.ads.xyz.com
> fatal: [dev-ansiblewn01.ads.xyz.com]: UNREACHABLE! => {"changed": false, 
> "msg": "kerberos: 'module' object has no attribute 'util'", "unreachable": 
> true}
> to retry, use: --limit @win_exchange.retry
>
> PLAY RECAP 
> *
> dev-ansiblewn01.ads.xyz.com : ok=0changed=0unreachable=1   
>  failed=0
>
> 
>
> My hosts setting 
>
>
>
>
> [wintestserverchandra]
> dev-ansiblewn01.ads.xyz.com
> [wintestserverchandra:vars]
> ansible_ssh_user = Chandra pan...@ads.xyz.com
> #ansible_ssh_user = ADS\Chandra Pandey
> #ansible_ssh_pass = password
> #ansible_winrm_transport = ntlm
> ansible_winrm_transport = kerberos
> ansible_winrm_kerberos_delegation = yes
> ansible_connection = winrm
> ansible_ssh_port = 5986
> ansible_winrm_server_cert_validation = ignore
> ~
> ~
>
> 
>
> My play book 
>
> ---
> - name: install
>
>   hosts: wintestserverchandra
>   gather_facts: false
>   tasks:
>  - name: install exchange
>raw: 'D:\install\Exchange2016\.\Setup.exe /mode:Install 
> /role:Mailbox /TargetDir:D:\Mailbox /IAcceptExchangeServerLicenseTerms'
>   
> ~
> ~
> ~
> =
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Chandra pan...@ads.xyz.com
>
> Valid starting   Expires  Service principal
> 09/17/2016 09:12:06  09/17/2016 19:12:06  krbtgt/ads.xyz@ads.xyz.com
> renew until 09/18/2016 09:12:03
>
>
> 
>
>
> On Saturday, September 17, 2016 at 4:55:37 AM UTC+5:30, Matt Davis wrote:
>>
>> Worked fine for me using Kerberos delegation: 
>> ansible_winrm_transport=kerberos and ansible_winrm_kerberos_delegation=yes. 
>> The setup takes so ridiculously long that I didn't try it any other way, so 
>> your mileage may vary.
>>
>> -Matt
>>
>>
>> On Friday, September 16, 2016 at 12:50:48 AM UTC-7, Chandra Pandey wrote:
>>>
>>> Hi, Thanks , will wait for your result ... 
>>>
>>>
>>> On Friday, September 16, 2016 at 3:53:57 AM UTC+5:30, Matt Davis wrote:
>>>>
>>>> I'm actually undertaking the same task this week for a PoC demo, so 
>>>> I'll let you know if I figure out the magic incantations to get it 
>>>> working. 
>>>> :)
>>>>
>>>> -Matt
>>>>
>>>> On Monday, September 12, 2016 at 12:48:49 PM UTC-7, Chandra Pandey 
>>>> wrote:
>>>>>
>>>>> I get error while installing fresh exchange 2016 server using ansible 
>>>>> --- 
>>>>>
>>>>>
>>>>> ExchangeSetup.log Error 
>>>>>
>>>>> Active Directory operation failed on . The supplied credential for 
>>>>> 'ADS\Chandra Pandey' is invalid.
>>>>> [09/12/2016 19:34:45.0055] [0] The supplied credential is invalid
>>>>>
>>>>>
>>>>> Ansible Error: 
>>>>>
>>>>>  WINRM RESULT u'>>>> "C:\\Users\\Chandra Pan", err "">'
>>>>>  PUT "/etc/ansible/playbooks/exch.ps1" TO 
>>>>> "C:\Users\Chandra 
>>>>> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1"
>>>>>  WINRM PUT

[ansible-project] Re: unable to install exchange 2016 using ansible

2016-09-19 Thread Matt Davis
Make sure you're using the very latest pykerberos package from PyPI, not 
kerberos (remove kerberos if it's there) to get all the latest goodies lit 
up.

On Saturday, September 17, 2016 at 6:50:01 AM UTC-7, Chandra Pandey wrote:
>
>
> I am getting below message after enable delegation , also pasting my , 
> playbook ansible settings ... if you can review with yours? 
>
>
> 
> [root@dev-testser-lx01 playbooks]# vi /etc/ansible/hosts
> [root@dev-testser-lx01 playbooks]# ansible-playbook win_exchange.yml -
> Using /etc/ansible/ansible.cfg as config file
> Loaded callback default of type stdout, v2.0
>
> PLAYBOOK: win_exchange.yml 
> *
> 1 plays in win_exchange.yml
>
> PLAY [install] 
> *
>
> TASK [install exchange] 
> 
> task path: /etc/ansible/playbooks/win_exchange.yml:19
>  ESTABLISH WINRM CONNECTION FOR USER: 
> Chandra pan...@ads.xyz.com on PORT 5986 TO dev-ansiblewn01.ads.xyz.com
> fatal: [dev-ansiblewn01.ads.xyz.com]: UNREACHABLE! => {"changed": false, 
> "msg": "kerberos: 'module' object has no attribute 'util'", "unreachable": 
> true}
> to retry, use: --limit @win_exchange.retry
>
> PLAY RECAP 
> *
> dev-ansiblewn01.ads.xyz.com : ok=0changed=0unreachable=1   
>  failed=0
>
> 
>
> My hosts setting 
>
>
>
>
> [wintestserverchandra]
> dev-ansiblewn01.ads.xyz.com
> [wintestserverchandra:vars]
> ansible_ssh_user = Chandra pan...@ads.xyz.com
> #ansible_ssh_user = ADS\Chandra Pandey
> #ansible_ssh_pass = password
> #ansible_winrm_transport = ntlm
> ansible_winrm_transport = kerberos
> ansible_winrm_kerberos_delegation = yes
> ansible_connection = winrm
> ansible_ssh_port = 5986
> ansible_winrm_server_cert_validation = ignore
> ~
> ~
>
> 
>
> My play book 
>
> ---
> - name: install
>
>   hosts: wintestserverchandra
>   gather_facts: false
>   tasks:
>  - name: install exchange
>raw: 'D:\install\Exchange2016\.\Setup.exe /mode:Install 
> /role:Mailbox /TargetDir:D:\Mailbox /IAcceptExchangeServerLicenseTerms'
>   
> ~
> ~
> ~
> =
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Chandra pan...@ads.xyz.com
>
> Valid starting   Expires  Service principal
> 09/17/2016 09:12:06  09/17/2016 19:12:06  krbtgt/ads.xyz@ads.xyz.com
> renew until 09/18/2016 09:12:03
>
>
> 
>
>
> On Saturday, September 17, 2016 at 4:55:37 AM UTC+5:30, Matt Davis wrote:
>>
>> Worked fine for me using Kerberos delegation: 
>> ansible_winrm_transport=kerberos and ansible_winrm_kerberos_delegation=yes. 
>> The setup takes so ridiculously long that I didn't try it any other way, so 
>> your mileage may vary.
>>
>> -Matt
>>
>>
>> On Friday, September 16, 2016 at 12:50:48 AM UTC-7, Chandra Pandey wrote:
>>>
>>> Hi, Thanks , will wait for your result ... 
>>>
>>>
>>> On Friday, September 16, 2016 at 3:53:57 AM UTC+5:30, Matt Davis wrote:
>>>>
>>>> I'm actually undertaking the same task this week for a PoC demo, so 
>>>> I'll let you know if I figure out the magic incantations to get it 
>>>> working. 
>>>> :)
>>>>
>>>> -Matt
>>>>
>>>> On Monday, September 12, 2016 at 12:48:49 PM UTC-7, Chandra Pandey 
>>>> wrote:
>>>>>
>>>>> I get error while installing fresh exchange 2016 server using ansible 
>>>>> --- 
>>>>>
>>>>>
>>>>> ExchangeSetup.log Error 
>>>>>
>>>>> Active Directory operation failed on . The supplied credential for 
>>>>> 'ADS\Chandra Pandey' is invalid.
>>>>> [09/12/2016 19:34:45.0055] [0] The supplied credential is invalid
>>>>>
>>>>>
>>>>> Ansible Error: 
>>>>>
>>>>>  WINRM RESULT u'>>>> "C:\\Users\\Chandra Pan", err "">'
>>>>>  PUT "/etc/ansible/playbooks/exch.ps1" TO 
>>>>> "C:\Users\Chandra 
>>>>> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1"
>>>>>  WINRM PUT

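Three replies above each trace a WinRM connection failure to a Python package on the controller: requests older than 2.10.0 (the 'merge_environment_settings' error), pywinrm older than 0.2.1 when Kerberos delegation is enabled, and the kerberos package installed instead of pykerberos. The following is an added example, not code from the thread or from Ansible, that checks all three in one pass; the function names are hypothetical and the version maps used in its test are constructed.

```python
"""Controller-side dependency check for Ansible over WinRM (added example).

The thresholds are the ones stated in the replies above; everything else
(function names, finding texts) is illustrative.
"""
import re
from importlib import metadata

MINIMUMS = {"requests": "2.10.0", "pywinrm": "0.2.1"}
CHECKED = ("requests", "pywinrm", "kerberos", "pykerberos")


def version_tuple(text):
    """Turn '2.10.0' into (2, 10, 0); stops at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def older_than(installed, minimum):
    """Numeric comparison; as plain strings '2.2.1' would sort above '2.10.0'."""
    a, b = version_tuple(installed), version_tuple(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def installed_versions(names=CHECKED):
    """Map each distribution name to its installed version, or None."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            found[name] = None
    return found


def preflight(installed, kerberos=False, delegation=False):
    """Return findings for a {distribution: version-or-None} map.

    kerberos:   the inventory uses ansible_winrm_transport=kerberos
    delegation: the inventory sets ansible_winrm_kerberos_delegation
    """
    findings = []
    for name in ("requests", "pywinrm"):
        if installed.get(name) is None:
            findings.append("%s is not installed" % name)

    req = installed.get("requests")
    if req and older_than(req, MINIMUMS["requests"]):
        findings.append(
            'requests %s is too old (possibly OS-owned): pip install "requests>=%s"'
            % (req, MINIMUMS["requests"])
        )

    winrm = installed.get("pywinrm")
    if delegation and winrm and older_than(winrm, MINIMUMS["pywinrm"]):
        findings.append(
            "pywinrm %s predates the delegation fix in %s"
            % (winrm, MINIMUMS["pywinrm"])
        )

    if kerberos or delegation:
        if installed.get("kerberos"):
            findings.append("remove 'kerberos' and use 'pykerberos' instead")
        if not installed.get("pykerberos"):
            findings.append("pykerberos is not installed")
    return findings


if __name__ == "__main__":
    for line in preflight(installed_versions(), kerberos=True, delegation=True):
        print("FINDING:", line)
```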
[ansible-project] Re: unable to install exchange 2016 using ansible

2016-09-16 Thread Matt Davis
Worked fine for me using Kerberos delegation: 
ansible_winrm_transport=kerberos and ansible_winrm_kerberos_delegation=yes. 
The setup takes so ridiculously long that I didn't try it any other way, so 
your mileage may vary.

-Matt


On Friday, September 16, 2016 at 12:50:48 AM UTC-7, Chandra Pandey wrote:
>
> Hi, Thanks , will wait for your result ... 
>
>
> On Friday, September 16, 2016 at 3:53:57 AM UTC+5:30, Matt Davis wrote:
>>
>> I'm actually undertaking the same task this week for a PoC demo, so I'll 
>> let you know if I figure out the magic incantations to get it working. :)
>>
>> -Matt
>>
>> On Monday, September 12, 2016 at 12:48:49 PM UTC-7, Chandra Pandey wrote:
>>>
>>> I get error while installing fresh exchange 2016 server using ansible 
>>> --- 
>>>
>>>
>>> ExchangeSetup.log Error 
>>>
>>> Active Directory operation failed on . The supplied credential for 
>>> 'ADS\Chandra Pandey' is invalid.
>>> [09/12/2016 19:34:45.0055] [0] The supplied credential is invalid
>>>
>>>
>>> Ansible Error: 
>>>
>>>  WINRM RESULT u'>> "C:\\Users\\Chandra Pan", err "">'
>>>  PUT "/etc/ansible/playbooks/exch.ps1" TO 
>>> "C:\Users\Chandra 
>>> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1"
>>>  WINRM PUT "/etc/ansible/playbooks/exch.ps1" to 
>>> "C:\Users\Chandra 
>>> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1"
>>>  
>>> (offset=121 size=121)
>>>  EXEC &  'C:\Users\Chandra 
>>> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1'
>>>  WINRM EXEC 'PowerShell' ['-NoProfile', 
>>> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 
>>> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABDAGgAYQBuAGQAcgBhACAAUABhAG4AZABlAHkAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMANwAwADgAOAA0ADYALgA1AC0AMgA4ADAAMwA0ADUANwA3ADkAMwAzADMAMAAyADUAXABlAHgAYwBoAC4AcABzADEAJwA=']
>>>  WINRM RESULT u'>> Microso", err "There is a pending r">'
>>>  EXEC Set-StrictMode -Version Latest
>>> Remove-Item "C:\Users\Chandra 
>>> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025" -Force 
>>> -Recurse;
>>>  WINRM EXEC u'PowerShell' [u'-NoProfile', 
>>> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
>>> u'-EncodedCommand', 
>>> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEMAaABhAG4AZAByAGEAIABQAGEAbgBkAGUAeQBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA3ADAAOAA4ADQANgAuADUALQAyADgAMAAzADQANQA3ADcAOQAzADMAMwAwADIANQAiACAALQBGAG8AcgBjAGUAIAAtAFIAZQBjAHUAcgBzAGUAOwA=']
>>>  WINRM RESULT u''
>>>  WINRM CLOSE SHELL: 2304FF63-3899-4A5F-AA24-67A3E8DAF0B1
>>> changed: [dev-01.xyz.com] => {"changed": true, "invocation": 
>>> {"module_args": {"_raw_params": "exch.ps1"}, "module_name": "script"}, 
>>> "rc": 0, "stderr": "There is a pending reboot from a previous installation 
>>> of a Windows Server role or feature. Please restart the computer and then 
>>> run Setup again.\r\nYou must be a member of the 'Organization Management' 
>>> role group or a member of the 'Enterprise Admins' group to continue.\r\nYou 
>>> must use an account that's a member of the Organization Management role 
>>> group to install or upgrade the first Mailbox server role in the 
>>> topology.\r\nYou must use an account that's a member of the Organization 
>>> Management role group to install the first Client Access server role in the 
>>> topology.\r\nYou must use an account that's a member of the Organization 
>>> Management role group to install the first Client Access server role in the 
>>> topology.\r\nYou must use an account that's a member of the Organization 
>>> Management role group to install or upgrade the first Mailbox server role 
>>> in the topology.\r\nYou must use an account that's a member of the 
>>> Organization Management role group to instal

[ansible-project] Re: Script module in windows looks for /usr/bin/python

2016-09-15 Thread Matt Davis
No, but it looks like you're trying to use the Python "command" module to 
exec the script. On Ansible 2.1, use raw or the script module (if the 
script lives on the control host and you want to push it over). In 
devel/2.2+ you can use win_shell or win_command, but those modules are new 
to the (yet-to-be-released) Ansible 2.2.

On Thursday, September 15, 2016 at 7:25:45 PM UTC-7, Mumshad Mannambeth 
wrote:
>
> I am trying to run a basic script on a windows host using ansible. 
>
> Why is it looking for Python on windows? Do we need to have Python 
> installed on windows to run a script? :
>
>
>
>
> TASK [setup] 
> ***
> <10.xx.xx.108> ESTABLISH WINRM CONNECTION FOR USER: administrator on PORT 
> 5986 TO 10.xx.xx.108
> <10.xx.xx.108> EXEC Set-StrictMode -Version Latest
> (New-Item -Type Directory -Path $env:temp -Name 
> "ansible-tmp-1473989964.43-210051997727769").FullName | Write-Host 
> -Separator '';
> <10.xx.xx.108> PUT "/tmp/tmpNkeo10" TO 
> "C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1473989964.43-210051997727769\setup.ps1"
> <10.xx.xx.108> EXEC Set-StrictMode -Version Latest
> Try
> {
> & 
> 'C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1473989964.43-210051997727769\setup.ps1'
> }
> Catch
> {
> $_obj = @{ failed = $true }
> If ($_.Exception.GetType)
> {
> $_obj.Add('msg', $_.Exception.Message)
> }
> Else
> {
> $_obj.Add('msg', $_.ToString())
> }
> If ($_.InvocationInfo.PositionMessage)
> {
> $_obj.Add('exception', $_.InvocationInfo.PositionMessage)
> }
> ElseIf ($_.ScriptStackTrace)
> {
> $_obj.Add('exception', $_.ScriptStackTrace)
> }
> Try
> {
> $_obj.Add('error_record', ($_ | ConvertTo-Json | ConvertFrom-Json))
> }
> Catch
> {
> }
> Echo $_obj | ConvertTo-Json -Compress -Depth 99
> Exit 1
> }
> Finally { Remove-Item 
> "C:\Users\Administrator\AppData\Local\Temp\ansible-tmp-1473989964.43-210051997727769"
>  
> -Force -Recurse -ErrorAction SilentlyContinue }

[ansible-project] Re: unable to install exchange 2016 using ansible

2016-09-15 Thread Matt Davis
I'm actually undertaking the same task this week for a PoC demo, so I'll 
let you know if I figure out the magic incantations to get it working. :)

-Matt

On Monday, September 12, 2016 at 12:48:49 PM UTC-7, Chandra Pandey wrote:
>
> I get an error while installing fresh exchange 2016 server using ansible --- 
>
>
> ExchangeSetup.log Error 
>
> Active Directory operation failed on . The supplied credential for 
> 'ADS\Chandra Pandey' is invalid.
> [09/12/2016 19:34:45.0055] [0] The supplied credential is invalid
>
>
> Ansible Error: 
>
>  WINRM RESULT u' Pan", err "">'
>  PUT "/etc/ansible/playbooks/exch.ps1" TO 
> "C:\Users\Chandra 
> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1"
>  WINRM PUT "/etc/ansible/playbooks/exch.ps1" to 
> "C:\Users\Chandra 
> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1" 
> (offset=121 size=121)
>  EXEC &  'C:\Users\Chandra 
> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025\exch.ps1'
>  WINRM EXEC 'PowerShell' ['-NoProfile', 
> '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', 
> 'JgAgACAAJwBDADoAXABVAHMAZQByAHMAXABDAGgAYQBuAGQAcgBhACAAUABhAG4AZABlAHkAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAGEAbgBzAGkAYgBsAGUALQB0AG0AcAAtADEANAA3ADMANwAwADgAOAA0ADYALgA1AC0AMgA4ADAAMwA0ADUANwA3ADkAMwAzADMAMAAyADUAXABlAHgAYwBoAC4AcABzADEAJwA=']
>  WINRM RESULT u' Microso", err "There is a pending r">'
>  EXEC Set-StrictMode -Version Latest
> Remove-Item "C:\Users\Chandra 
> Pandey\AppData\Local\Temp\ansible-tmp-1473708846.5-280345779333025" -Force 
> -Recurse;
>  WINRM EXEC u'PowerShell' [u'-NoProfile', 
> u'-NonInteractive', u'-ExecutionPolicy', u'Unrestricted', 
> u'-EncodedCommand', 
> u'UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEMAaABhAG4AZAByAGEAIABQAGEAbgBkAGUAeQBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBuAHMAaQBiAGwAZQAtAHQAbQBwAC0AMQA0ADcAMwA3ADAAOAA4ADQANgAuADUALQAyADgAMAAzADQANQA3ADcAOQAzADMAMwAwADIANQAiACAALQBGAG8AcgBjAGUAIAAtAFIAZQBjAHUAcgBzAGUAOwA=']
>  WINRM RESULT u''
>  WINRM CLOSE SHELL: 2304FF63-3899-4A5F-AA24-67A3E8DAF0B1
> changed: [dev-01.xyz.com] => {"changed": true, "invocation": 
> {"module_args": {"_raw_params": "exch.ps1"}, "module_name": "script"}, 
> "rc": 0, "stderr": "There is a pending reboot from a previous installation 
> of a Windows Server role or feature. Please restart the computer and then 
> run Setup again.\r\nYou must be a member of the 'Organization Management' 
> role group or a member of the 'Enterprise Admins' group to continue.\r\nYou 
> must use an account that's a member of the Organization Management role 
> group to install or upgrade the first Mailbox server role in the 
> topology.\r\nYou must use an account that's a member of the Organization 
> Management role group to install the first Client Access server role in the 
> topology.\r\nYou must use an account that's a member of the Organization 
> Management role group to install the first Client Access server role in the 
> topology.\r\nYou must use an account that's a member of the Organization 
> Management role group to install or upgrade the first Mailbox server role 
> in the topology.\r\nYou must use an account that's a member of the 
> Organization Management role group to install or upgrade the first Client 
> Access server role in the topology.\r\nYou must use an account that's a 
> member of the Organization Management role group to install the first 
> Mailbox server role in the topology.\r\nSetup encountered a problem while 
> validating the state of Active Directory: Active Directory operation failed 
> on . The supplied credential for 'ADS\\Chandra Pandey' is invalid.  See the 
> Exchange setup log for more information on this error.\r\nEither Active 
> Directory doesn't exist, or it can't be contacted.\r\n", "stdout": 
> "\r\nWelcome to Microsoft Exchange Server 2016 Unattended 
> Setup\r\n\r\nCopying Files...\r\nFile copy complete.\r\nSetup will now 
> collect additional information needed for installation.\r\n\r\n 
> Languages\r\n Management tools\r\n Mailbox role: Transport 
> service\r\n Mailbox role: Client Access service\r\n Mailbox role: 
> Unified Messaging service\r\n Mailbox role: Mailbox service\r\n 
> Mailbox role: Front End Transport service\r\n Mailbox role: Client 
> Access Front End service\r\n\r\nPerforming Microsoft Exchange Server 
> Prerequisite Check\r\n\r\n Configuring Prerequisites ... COMPLETED\r\n 
> Prerequisite Analysis\r\n\r\nThe Exchange Server setup operation didn't 
> complete.  More details can be found in ExchangeSetup.log located in the 
> :\\ExchangeSetupLogs folder.\r\n", "stdout_lines": ["", 
> "Welcome to Microsoft Exchange Server 2016 Unattended Setup", "", "Copying 
> Files...", "File copy complete.", "Setup will now collect additional 
> information needed for installation.", "", "   

[ansible-project] Re: bash script not writing to file with ansible, but does locally

2016-09-15 Thread Matt Davis
Since your script doesn't specify an absolute path for the output, I 
suspect it's writing it to the Ansible module tempdir, which is being 
promptly deleted as soon as the task finishes. Try adding a 
chdir=/some/permanent/path to the end of the command task to run the script 
from a non-ephemeral location.

On Thursday, September 15, 2016 at 12:30:28 PM UTC-7, richard kappler wrote:
>
> I have a bash script (I know, it's a bit sloppy):
>
> #!/bin/sh
>
> df -h >> mongo-rebuild-validate.log 2>&1
>
> /opt/mongodb/bin/mongo localhost:27017 /opt/mongodb/mongodb-create-visionnode.js >> mongo-rebuild-validate.log 2>&1
>
> /opt/mongodb/bin/mongoimport --host 127.0.0.1 --db visionnode --collection ftpUser --file /opt/mongodb/ftpUserJSON-Linux.js >> mongo-rebuild-validate.log 2>&1
>
> df -h >> mongo-rebuild-validate.log 2>&1
>
> on remote servers that works fine, does what I designed it to do, 
> including writing all the stdout and stderr to the intended log.
>
> However, when I try to run this script remotely using:
>
> ---
> - name: Rebuild the mongo db
>   hosts: servers
>   gather_facts: false
>   tasks:
>
>   - name: execute rebuild-SSPC-db.sh
>     command: /opt/mongodb/rebuild-SSPC-db.sh
>
>   - name: bring back validation file
>     fetch: src=/opt/mongodb/mongo-rebuild-validate.log
>       dest=/playbooks/MongoRebuild/validations/prefix-{{ inventory_hostname }}
>       flat=yes
>
> it rebuilds the database and creates the ftpUser, but it does not write 
> anything to the validation log.
>
> What am I missing?
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/af131135-dab3-407e-b3eb-0159e76e2704%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
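
The working-directory effect suspected in the reply above, reproduced locally as an added example that is not part of the original thread. The script name, log name and the scratch directory standing in for the module tempdir are constructed assumptions.

```shell
#!/bin/sh
# Added example: a script that logs to a RELATIVE path writes into whatever
# directory it is started from. All names here are constructed for the demo.

# make_script DIR: create DIR/rebuild.sh, which appends to a relative log
# (stand-in for mongo-rebuild-validate.log in the post).
make_script() {
    cat > "$1/rebuild.sh" <<'EOF'
#!/bin/sh
echo "rebuild ran in $(pwd)" >> validate.log 2>&1
EOF
    chmod +x "$1/rebuild.sh"
}

# run_from_ephemeral SCRIPT: start SCRIPT from a scratch directory that is
# deleted afterwards (assumption: models an ephemeral working directory).
# Prints "kept" if a log exists beside the script, otherwise "lost".
run_from_ephemeral() {
    script=$1
    scratch=$(mktemp -d)
    ( cd "$scratch" && "$script" )
    rm -rf "$scratch"          # the log written into $scratch goes with it
    if [ -f "$(dirname "$script")/validate.log" ]; then echo kept; else echo lost; fi
}

# run_with_chdir SCRIPT DIR: what chdir=DIR does for the command task,
# change into a permanent directory before starting the script.
run_with_chdir() {
    ( cd "$2" && "$1" )
    if [ -f "$2/validate.log" ]; then echo kept; else echo lost; fi
}

demo() {
    home=$(mktemp -d)
    make_script "$home"
    printf 'ephemeral cwd : %s\n' "$(run_from_ephemeral "$home/rebuild.sh")"
    printf 'chdir to home : %s\n' "$(run_with_chdir "$home/rebuild.sh" "$home")"
    rm -rf "$home"
}

demo
```

The fetch task in the quoted playbook only finds the log when the directory the script ran from matches the directory in its src path.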


[ansible-project] Re: Extend setup module

2016-09-15 Thread Matt Davis
Local facts for Windows have been available since 2.1- you just need to set 
fact_path to tell it where on the target system to find a directory of .ps1 
scripts to execute. It currently expects to find a dictionary/array on the 
output pipeline from each script that gets grafted onto a new fact named 
ansible_(factsfilename-sans-extension). 

On Tuesday, September 13, 2016 at 3:54:35 AM UTC-7, Mike Fennemore wrote:
>
> Never mind, to answer my own question 
> http://docs.ansible.com/ansible/developing_modules.html#module-provided-facts 
> . Although this does add the hassle of adding a custom module to playbooks.
> It would be nice to have a hook to add a module to run on playbook 
> execution like the setup module though.
>
> On Tuesday, September 13, 2016 at 11:14:40 AM UTC+2, Mike Fennemore wrote:
>>
>> We have an internal CMDB that gathers facts from systems using the setup 
>> module on playbook execution. Is there a way to extend the setup module to 
>> include extra information?
>> From what I have read the local facts would work for Linux systems but 
>> the path wouldn't exist on Windows systems.
>>
>


