I spun my wheels for a while trying to get Ansible to manage windows hosts. Here are my notes on how I finally successfully got ansible (on a Linux host) to use an HTTPS WinRM connection to connect to a windows host using Kerberos for authentication. This article was of great help.
Ansible Hosts file
[all:vars]
ansible_user=<user>
ansible_password=<password>
ansible_connection=winrm
ansible_winrm_transport=kerberos
Packages to install (CentOS 7)
sudo yum install gcc python2-pip sudo pip install kerberos requests_kerberos pywinrm certifi
Playbook syntax
Modules involving Windows hosts have a win_ prefix.
Troubleshooting
Code 500
FAILED! => { "msg": "winrm send_input failed"
WinRMTransportError: (u'http', u'Bad HTTP response returned from server. Code 500')
I was using -m ping for testing instead of -m win_ping. Make sure you’re using win_ping and not regular ping module.
Certificate validation failed
"msg": "kerberos: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)"
I had a self signed CA certificate on the box ansible was trying to connect to. Python doesn’t appear to trust the system’s certificate trust chain by default. Ansible has a configuration directive
ansible_winrm_ca_trust_path
but even with that pointing to my system trust it wouldn’t work. I then found this gem on the winrm page for ansible:
The CA chain can contain a single or multiple issuer certificates and each entry is contained on a new line. To then use the custom CA chain as part of the validation process, set
ansible_winrm_ca_trust_path
to the path of the file. If this variable is not set, the default CA chain is used instead which is located in the install path of the Python package certifi.
Challenge #1: I didn’t have certifi installed.
sudo pip install certifi
Challenge #2: I needed to know where certifi’s default trust store was located, which I discovered after reading the project github page
python import certifi certifi.where()
In my case the location was ‘/usr/lib/python2.7/site-packages/certifi/cacert.pem’. I then symlinked my system trust to that location (backing up existing trust first)
sudo mv /usr/lib/python2.7/site-packages/certifi/cacert.pem /usr/lib/python2.7/site-packages/certifi/cacert.pem.old sudo ln -s /etc/pki/tls/cert.pem /usr/lib/python2.7/site-packages/certifi/cacert.pem
Et voila! No more trust issues.
Ansible Tower
Note: If you’re running Ansible Tower, you have to work with their own bundled version of python instead of the system version. For version 3.2 it was located here:
/var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/cacert.pem
I fixed it by doing this:
sudo mv /var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/cacert.pem /var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/cacert.pem.old sudo ln -s /etc/pki/tls/cert.pem /var/lib/awx/venv/ansible/lib/python2.7/site-packages/requests/cacert.pem
This resolved the trust issues.