{"id":728,"date":"2018-06-05T13:35:09","date_gmt":"2018-06-05T13:35:09","guid":{"rendered":"https:\/\/www.nicktailor.com\/?p=728"},"modified":"2018-06-05T15:53:59","modified_gmt":"2018-06-05T15:53:59","slug":"how-to-setup-ansible-to-manage-windows-hosts-with-centos-7","status":"publish","type":"post","link":"https:\/\/nicktailor.com\/tech-blog\/how-to-setup-ansible-to-manage-windows-hosts-with-centos-7\/","title":{"rendered":"How to setup Ansible to manage Windows hosts with Centos 7"},"content":{"rendered":"<p><em><strong>Note- This assumes you already have an out-of-the-box Ansible setup, a Windows AD, and a Windows test VM joined to the domain.<\/strong><\/em><\/p>\n<p><strong>Install Prerequisite Packages on CentOS 7 with Ansible already installed<\/strong><\/p>\n<p>Use Yum to install the following packages.<\/p>\n<p>Install GCC, required for Kerberos<\/p>\n<p><strong>yum -y group install \"Development Tools\"<\/strong><\/p>\n<p>Install EPEL<\/p>\n<p><strong>yum -y install epel-release<\/strong><\/p>\n<p>Install Ansible<\/p>\n<p><strong>yum -y install ansible<\/strong><\/p>\n<p>Install Kerberos<\/p>\n<p><strong>yum -y install python-devel krb5-devel krb5-libs krb5-workstation<\/strong><\/p>\n<p>Install Python PIP<\/p>\n<p><strong>yum -y install python-pip<\/strong><\/p>\n<p>Install BIND utilities for nslookup<\/p>\n<p><strong>yum -y install bind-utils<\/strong><\/p>\n<p>Bring all packages up to the latest version<\/p>\n<p><strong>yum -y update<\/strong><\/p>\n<p><strong><br \/>\nCheck that Ansible and Python are Installed<\/strong><\/p>\n<p>Run the commands:<\/p>\n<p><strong>ansible --version | head -n 1<\/strong><\/p>\n<p><strong>python --version<\/strong><\/p>\n<p>The versions of Ansible and Python here are 2.4.2 and 2.7.5. 
Ansible is developing extremely rapidly, so these instructions will likely change in the near future.<\/p>\n<p><strong>Configure Kerberos<\/strong><\/p>\n<p>There are other options than Kerberos, but Kerberos is generally the best option, though not the simplest.<\/p>\n<p>Install the Kerberos wrapper:<br \/>\n<strong>pip install pywinrm[kerberos]<\/strong><\/p>\n<p>The Kerberos packages installed previously will have created \/etc\/krb5.conf<\/p>\n<p><em><strong>Edit \/etc\/krb5.conf<\/strong><\/em><\/p>\n<p>[logging]<br \/>\ndefault = FILE:\/var\/log\/krb5libs.log<br \/>\nkdc = FILE:\/var\/log\/krb5kdc.log<br \/>\nadmin_server = FILE:\/var\/log\/kadmind.log<br \/>\n[libdefaults]<br \/>\ndefault_realm = HOME.NICKTAILOR.COM<br \/>\ndns_lookup_realm = false<br \/>\ndns_lookup_kdc = false<br \/>\nticket_lifetime = 24h<br \/>\nrenew_lifetime = 7d<br \/>\nforwardable = true<br \/>\n[realms]<br \/>\nHOME.NICKTAILOR.COM = {<br \/>\nkdc = HOME.NICKTAILOR.COM<br \/>\nadmin_server = HOME.NICKTAILOR.COM<br \/>\n}<br \/>\n[domain_realm]<br \/>\n.home.nicktailor.com = HOME.NICKTAILOR.COM<br \/>\nhome.nicktailor.com = HOME.NICKTAILOR.COM<\/p>\n<p><strong>Test Kerberos<\/strong><\/p>\n<p>Run the following commands to test Kerberos:<\/p>\n<p><strong><em>kinit administrator@HOME.NICKTAILOR.COM<\/em> &lt;&#8211; make sure you type the realm in exactly this case (it is case sensitive) or your authentication will fail. 
Also the user has to have domain admin privileges.\u00a0<\/strong><\/p>\n<p>You will be prompted for the administrator password. Then run <strong>klist<\/strong>.<br \/>\nYou should see a Kerberos ticket cache record like this:<\/p>\n<p style=\"padding-left: 30px;\"><em>[root@localhost win_playbooks]# klist<\/em><br \/>\n<em>Ticket cache: FILE:\/tmp\/krb5cc_0<\/em><br \/>\n<em>Default principal: administrator@HOME.NICKTAILOR.COM<\/em><br \/>\n<em>Valid starting\u00a0 \u00a0 \u00a0 \u00a0Expires\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Service principal<\/em><br \/>\n<em>05\/23\/2018 14:20:50\u00a0 05\/24\/2018 00:20:50\u00a0 krbtgt\/HOME.NICKTAILOR.COM@HOME.NICKTAILOR.COM<\/em><br \/>\n<em>renew until 05\/30\/2018 14:20:40<\/em><\/p>\n<p><strong>Configure Ansible<\/strong><\/p>\n<p>Ansible is complex and sensitive to the environment. Troubleshooting an environment which has never worked is confusing, so we are going to configure Ansible with the least complex possible configuration. Once you have a working environment, you can make extensions and enhancements in small steps.<\/p>\n<p>The core configuration of Ansible resides at \/etc\/ansible<\/p>\n<p>We are only going to update two files for this exercise.<\/p>\n<p><strong>Update the Ansible Inventory file<\/strong><\/p>\n<p>Edit \/etc\/ansible\/hosts and add:<\/p>\n<p><strong>[windows]<\/strong><\/p>\n<p>HOME.NICKTAILOR.COM<\/p>\n<p>\u201c[windows]\u201d creates a group of servers called \u201cwindows\u201d. In reality this should be named something more appropriate for a group of hosts with similar configurations, such as \u201cActive Directory Servers\u201d or \u201cProduction Floor Windows 10 PCs\u201d.<\/p>\n<p><strong><br \/>\nUpdate the Ansible Group Variables for Windows<\/strong><\/p>\n<p>Ansible Group Variables are variable settings for a specific inventory group. 
In this case, we will create the group variables for the \u201cwindows\u201d group created in the \/etc\/ansible\/hosts file.<\/p>\n<p>Create <em><strong>\/etc\/ansible\/group_vars\/windows<\/strong><\/em> and add:<\/p>\n<p><strong>---<\/strong><\/p>\n<p><strong>ansible_user: Administrator<\/strong><\/p>\n<p><strong>ansible_password: Abcd1234<\/strong><\/p>\n<p><strong>ansible_port: 5986<\/strong><\/p>\n<p><strong>ansible_connection: winrm<\/strong><\/p>\n<p><strong>ansible_winrm_server_cert_validation: ignore<\/strong><\/p>\n<p>This is a YAML configuration file, <strong>so make sure the first line is three dashes \u201c---\u201d<\/strong><\/p>\n<p>Naturally, change the password to the Administrator password for\u00a0<strong>WinServer1<\/strong>.<\/p>\n<p>For best practices, Ansible can encrypt this file with Ansible Vault, which would prevent the password from being stored here in clear text. Likewise, <strong>ansible_winrm_server_cert_validation: ignore<\/strong> skips validation of the WinRM HTTPS certificate and is only acceptable in a lab. For this lab, we are attempting to keep the configuration as simple as possible. Naturally, in production this would not be appropriate.<\/p>\n<p><strong><br \/>\nConfigure Windows Servers to Manage<\/strong><\/p>\n<p>Configuring a Windows Server for remote management by Ansible requires a bit of work. Luckily the Ansible team has created a PowerShell script for this. Download this script from [here] to each Windows Server to manage and run this script as Administrator.<\/p>\n<p>Log into\u00a0<strong>WinServer1<\/strong>\u00a0as Administrator, download\u00a0<a href=\"https:\/\/github.com\/ansible\/ansible\/blob\/devel\/examples\/scripts\/ConfigureRemotingForAnsible.ps1\">ConfigureRemotingForAnsible.ps1\u00a0<\/a>and run this PowerShell script without any parameters.<\/p>\n<p>Once this command has been run on\u00a0<strong>WinServer1<\/strong>, return to the Ansible1 Controller host.<\/p>\n<p><strong><br \/>\nTest Connectivity to the Windows Server<\/strong><\/p>\n<p>If all has gone well, we should be able to perform an Ansible PING test command. 
This command will simply connect to the remote\u00a0<strong>WinServer1<\/strong>\u00a0server and report success or failure.<\/p>\n<p>Type:<br \/>\n<strong>ansible windows -m win_ping<\/strong><\/p>\n<p>This command runs the Ansible module \u201cwin_ping\u201d on every server in the \u201cwindows\u201d inventory group.<\/p>\n<p>Type:\u00a0<strong>ansible windows -m setup<\/strong>\u00a0to retrieve the complete set of facts Ansible gathers about each host.<\/p>\n<p>Type:\u00a0<strong>ansible windows -m win_command -a ipconfig<\/strong>\u00a0to run a command on the Windows hosts.<\/p>\n<p>If this command is successful, the next step will be to build Ansible playbooks to manage Windows Servers.<\/p>\n<p><strong><br \/>\nManaging Windows Servers with Playbooks<\/strong><\/p>\n<p>Let\u2019s create some playbooks and test Ansible for real on Windows systems.<\/p>\n<p>Create a folder on\u00a0<strong>Ansible1<\/strong>\u00a0for the playbooks, YAML files, modules, scripts, etc. For these exercises we created a folder under \/root called win_playbooks.<\/p>\n<p>Ansible has some expectations on the directory structure where playbooks reside. 
Create the library and scripts folders for use later in this exercise.<\/p>\n<p>Commands:<\/p>\n<p><strong>cd \/root<\/strong><\/p>\n<p><strong>mkdir win_playbooks<\/strong><\/p>\n<p><strong>mkdir win_playbooks\/library<\/strong><\/p>\n<p><strong>mkdir win_playbooks\/scripts<\/strong><\/p>\n<p>Create the first playbook example \u201cnetstat_e.yml\u201d<br \/>\nThe contents are:<\/p>\n<p><strong>- name: test cmd from win_command module<\/strong><\/p>\n<p><strong>\u00a0 hosts: windows<\/strong><\/p>\n<p><strong>\u00a0 tasks:<\/strong><\/p>\n<p><strong>\u00a0\u00a0\u00a0 - name: run netstat and return Ethernet stats<\/strong><\/p>\n<p><strong>\u00a0\u00a0\u00a0\u00a0\u00a0 win_command: netstat -e<\/strong><\/p>\n<p><strong>\u00a0\u00a0\u00a0\u00a0\u00a0 register: netstat<\/strong><\/p>\n<p><strong>\u00a0\u00a0\u00a0 - debug: var=netstat<\/strong><\/p>\n<p>This playbook connects to the servers in the Ansible inventory group \u201cwindows\u201d, runs the command\u00a0<strong>netstat -e<\/strong>, registers the output, and prints it with the debug task.<\/p>\n<p>To run this playbook, run this command on\u00a0<strong>Ansible1<\/strong> from the win_playbooks folder:<\/p>\n<p><strong>ansible-playbook netstat_e.yml<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Note- This assumes you already have an out-of-the-box Ansible setup, a Windows AD, and a Windows test VM joined to the domain. Install Prerequisite Packages on CentOS 7 with Ansible already installed Use Yum to install the following packages. 
Install GCC required for Kerberos yum -y group install \u201cDevelopment Tools\u201d Install EPEL yum -y install epel-release Install Ansible<a href=\"https:\/\/nicktailor.com\/tech-blog\/how-to-setup-ansible-to-manage-windows-hosts-with-centos-7\/\" class=\"read-more\">Read More &#8230;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51],"tags":[],"class_list":["post-728","post","type-post","status-publish","format-standard","hentry","category-ansible"],"_links":{"self":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/728","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/comments?post=728"}],"version-history":[{"count":7,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/728\/revisions"}],"predecessor-version":[{"id":735,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/728\/revisions\/735"}],"wp:attachment":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/media?parent=728"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/categories?post=728"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/tags?post=728"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}