I'm starting my studies with Ansible and wanted to apply it to a real situation of my work.
I am implementing Ansible from Ubuntu to manage a Windows Nano Server 2016. I'm configuring to use a certificate mapped to a user account.
I based this tutorial here https://adamtheautomator.com/winrm-https-ansible/
The Error
I tested the connection using the win_ping module and I received this output:
**ansible windows -vvvv -i hosts -m win_ping**
NanoServer | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for
*debug1: auto-mux: Trying existing master
debug1: Control socket \"/home/woliveira/.ansible/cp/6df2d837bc\" does not exist
debug2: resolving \"nanoserver\" port 5986
debug2: ssh_connect_direct
debug1: Connecting to nanoserver [10.11.39.250] port 5986.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 25000 ms remain after connect
debug1: identity file /home/woliveira/.ssh/id_rsa type -1
debug1: identity file /home/woliveira/.ssh/id_rsa-cert type -1
debug1: identity file /home/woliveira/.ssh/id_dsa type -1
debug1: identity file /home/woliveira/.ssh/id_dsa-cert type -1
debug1: identity file /home/woliveira/.ssh/id_ecdsa type -1
debug1: identity file /home/woliveira/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/woliveira/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/woliveira/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/woliveira/.ssh/id_ed25519 type -1
debug1: identity file /home/woliveira/.ssh/id_ed25519-cert type -1
debug1: identity file /home/woliveira/.ssh/id_ed25519_sk type -1
debug1: identity file /home/woliveira/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/woliveira/.ssh/id_xmss type -1
debug1: identity file /home/woliveira/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
**Connection timed out during banner exchange",
"unreachable": true**
}
Next, I tried to increase the timeout in the ansible config file and I receive a Connection reset by peer.
NanoServer | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for
*debug1: auto-mux: Trying existing master
debug1: Control socket \"/home/woliveira/.ansible/cp/6df2d837bc\" does not exist
debug2: resolving \"nanoserver\" port 5986
debug2: ssh_connect_direct
debug1: Connecting to nanoserver [10.11.39.250] port 5986.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 3600000 ms remain after connect
debug1: identity file /home/woliveira/.ssh/id_rsa type -1
debug1: identity file /home/woliveira/.ssh/id_rsa-cert type -1
debug1: identity file /home/woliveira/.ssh/id_dsa type -1
debug1: identity file /home/woliveira/.ssh/id_dsa-cert type -1
debug1: identity file /home/woliveira/.ssh/id_ecdsa type -1
debug1: identity file /home/woliveira/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/woliveira/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/woliveira/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/woliveira/.ssh/id_ed25519 type -1
debug1: identity file /home/woliveira/.ssh/id_ed25519-cert type -1
debug1: identity file /home/woliveira/.ssh/id_ed25519_sk type -1
debug1: identity file /home/woliveira/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/woliveira/.ssh/id_xmss type -1
debug1: identity file /home/woliveira/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
kex_exchange_identification: read: **Connection reset by peer",
"unreachable": true**
}
The Environment Setup.
The Ansible 2.9.6 is installed in a Ubuntu 20.04.1 LTS VM
My windows server is the following:
OS Name: Microsoft Windows Server 2016 Standard Evaluation
OS Version: 10.0.14393 N/A Build 14393
Both VMs have Static Ip and are not in a domain. I follow this tutorial:
https://vnuggets.com/2019/08/08/ansible-certificate-authentication-to-windows/
I created a Windows local user called ansibleoperator and I added this user in Local Admi Group.
This is my Ansible hosts file:
[windows]
NanoServer
[windows:vars]
ansible_user=ansibleoperator
ansible_password=*********
ansble_connection=winrm
ansible_winrm_cert_pem=/home/woliveira/cert.pem
ansible_winrm_cert_key_pem=/home/woliveira/cert_key.pem
ansible_port=5986
ansible_winrm_scheme=https
ansible_winrm_server_cert_validation=ignore
The windows firewall is disabled
TrustedHosts is configured for any host (vallue=*)
What I've checked
If Another Windows host is able to connect using winrm:
PS C:> Test-WSMan -ComputerName "NanoServer" -UseSSL
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
From the Linux side I'm able to use Netcat to test the connection in the 5986 port using the following command:
nc -z -w1 NanoServer 5986;echo $?
The output is 0 (Command succeded)
I'm already tried to connect from other Windows, but this time using pywinrm script since is the same lib that Ansible use.
I run this Script:
import winrm
cert_pem = 'C:/Users/woliveira.adm/Desktop/CertificadoAnsible/cert.pem'
cert_key_pem = 'C:/Users/woliveira.adm/Desktop/CertificadoAnsible/cert_key.pem'
session = winrm.Session('NanoServer:5986', auth=('ansibleoperator', '********'),
transport='certificate',
cert_pem=cert_pem,
cert_key_pem=cert_key_pem,
server_cert_validation='ignore',
)
session.run_cmd('ipconfig')
And receive this:
Traceback (most recent call last):
File "<ipython-input-56-b902c730fb9c>", line 1, in <module>
runfile('C:/Users/woliveira.adm/Desktop/testewinrm.py', wdir='C:/Users/woliveira.adm/Desktop')
File "C:\ProgramData\Anaconda3\lib\site-packages\spyder_kernels\customize\spydercustomize.py", line 786, in runfile
execfile(filename, namespace)
File "C:\ProgramData\Anaconda3\lib\site-packages\spyder_kernels\customize\spydercustomize.py", line 110, in execfile
exec(compile(f.read(), filename, 'exec'), namespace)
File "C:/Users/woliveira.adm/Desktop/testewinrm.py", line 19, in <module>
session.run_cmd('ipconfig')
File "C:\ProgramData\Anaconda3\lib\site-packages\winrm\__init__.py", line 39, in run_cmd
shell_id = self.protocol.open_shell()
File "C:\ProgramData\Anaconda3\lib\site-packages\winrm\protocol.py", line 166, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "C:\ProgramData\Anaconda3\lib\site-packages\winrm\protocol.py", line 243, in send_message
resp = self.transport.send_message(message)
File "C:\ProgramData\Anaconda3\lib\site-packages\winrm\transport.py", line 323, in send_message
response = self._send_message_request(prepared_request, message)
File "C:\ProgramData\Anaconda3\lib\site-packages\winrm\transport.py", line 328, in _send_message_request
response = self.session.send(prepared_request, timeout=self.read_timeout_sec)
File "C:\ProgramData\Anaconda3\lib\site-packages\requests\sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "C:\ProgramData\Anaconda3\lib\site-packages\requests\adapters.py", line 529, in send
raise ReadTimeout(e, request=request)
ReadTimeout: HTTPConnectionPool(host='10.11.39.250', port=5986): Read timed out. (read timeout=30)
I don't know how I could debug this.
What could I check?
Sorry about my English. If there is something that is not clear enough, please let me know.
Best Answer
You have a typo in your vars file:
This should be:
(there is an
imissing).That's why Ansible is trying to connect via SSH instead of WinRM.