{"id":745,"date":"2018-06-06T13:32:12","date_gmt":"2018-06-06T13:32:12","guid":{"rendered":"https:\/\/www.nicktailor.com\/?p=745"},"modified":"2020-06-17T07:17:10","modified_gmt":"2020-06-17T07:17:10","slug":"how-to-configure-ansible-to-manage-windows-hosts-on-ubuntu-16-04","status":"publish","type":"post","link":"https:\/\/nicktailor.com\/tech-blog\/how-to-configure-ansible-to-manage-windows-hosts-on-ubuntu-16-04\/","title":{"rendered":"How to configure Ansible to manage Windows Hosts on Ubuntu 16.04"},"content":{"rendered":"

Note: This section assumes you already have ansible installed, working, active directory setup, and test windows host in communication with AD. Although its not needed to have AD. Its good practice for to have it all setup talking to each other for learning.<\/em><\/strong><\/p>\n

.<\/span><\/span><\/p>\n

Setup<\/span><\/strong><\/p>\n

Now Ansible does not come with windows managing ability out of the box. Its is easier to setup on centos as the packages are better maintained on Redhat distros. However if you want to set it up on Ubuntu here is what you need to do.<\/strong><\/p>\n

\n
\n
\u2022<\/span>\u00a0<\/span>easy_install pip<\/strong><\/div>\n<\/div>\n
\n
\u2022<\/span>\u00a0<\/span>pip install –upgrade pip<\/strong><\/div>\n<\/div>\n
\n
\u2022<\/span>\u00a0<\/span> pip install pywinrm<\/strong><\/div>\n<\/div>\n
\n
\u2022<\/span>\u00a0<\/span>apt-get install python-pip<\/strong><\/div>\n<\/div>\n
\n
\u2022<\/span>\u00a0<\/span> apt-get install python-devel krb5-devel krb5-libs krb5-workstation<\/strong><\/div>\n<\/div>\n
\n
\u2022<\/span>\u00a0<\/span> apt-get install python-devel<\/strong><\/div>\n<\/div>\n
\n
\u2022<\/span>\u00a0<\/span> apt-get install python-de<\/strong><\/div>\n<\/div>\n
\n
\u2022<\/span>\u00a0<\/span> apt-get install python-dev<\/strong><\/div>\n<\/div>\n
\n
\u2022<\/span>\u00a0<\/span> apt-get install libkrb5-dev<\/strong><\/div>\n<\/div>\n
\n
\u2022<\/span>\u00a0<\/span>apt-get install bind9<\/strong><\/div>\n<\/div>\n
\n
\u2022<\/span>\u00a0<\/span>pip install pywinrm[Kerberos]<\/strong><\/div>\n<\/div>\n
\n
\u2022<\/span>\u00a0<\/span>apt-get install krb5-kdc krb5-admin-server<\/strong><\/div>\n<\/div>\n<\/div>\n

Next Setup your \/etc\/krb5.conf<\/strong><\/p>\n

[logging]<\/span>
\ndefault = <\/span>FILE:\/var\/log\/krb5libs.log<\/span>
\nkdc<\/span> = FILE:\/var\/log\/krb5kdc.log<\/span>
\nadmin_server<\/span> = FILE:\/var\/log\/kadmind.log<\/span>
\n[<\/span>libdefaults<\/span>]<\/span>
\ndefault_realm<\/span> = HOME.NICKTAILOR.COM<\/span>
\ndns_lookup_realm<\/span> = false<\/span>
\ndns_lookup_kdc<\/span> = false<\/span>
\nticket_lifetime<\/span> = 24h<\/span>
\nrenew_lifetime<\/span> = 7d<\/span>
\nforwardable = tr<\/span>ue<\/span>
\n[realms]<\/span>
\nHOME.NICKTAILOR.COM = {<\/span>
\nkdc<\/span> = HOME.NICKTAILOR.COM<\/span>
\nadmin_server<\/span> = HOME.NICKTAILOR.COM<\/span>
\n}<\/span>
\n[<\/span>domain_realm<\/span>]<\/span>
\n.home.nicktailor.com = HOME.NICKTAILOR.COM<\/span>
\nhome.nicktailor.com = <\/span>HOME.NICKTAILOR.COM<\/span><\/a><\/p>\n

Test Kerberos<\/span><\/strong><\/p>\n

Run the following commands to test Kerberos:<\/span><\/p>\n

kinit administrator@HOME.NICKTAILOR.COM<\/span>\u00a0<\u2013make sure you do this exact case sensitive or your <\/span>authenication<\/span> will fail. <\/span>Also<\/span> the user has<\/span> to have domain admin privileges.\u00a0<\/span><\/strong><\/p>\n

You will be prompted for the administrator password\u00a0<\/span>klist<\/span><\/strong>
\nYou should see a Kerberos KEYRING record.<\/span><\/p>\n

[<\/span>root@localhost<\/span> win_<\/span>playbooks<\/span>]#<\/span> klist<\/span>
\nTicket cache: FILE:\/tmp\/krb5cc_0Default principal: administrator@HOME.NICKTAILOR.CO<\/span>M<\/span>
\nValid starting\u00a0 \u00a0 \u00a0 \u00a0Expires\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Service principal05\/23\/2018 14:20:50\u00a0 05\/24\/2018 00:20:50\u00a0 krbtgt\/HOME.NICKTAILOR.COM@HOME.NICKTAILOR.COM renew until 05\/30\/2018 14:20:40<\/span><\/p>\n

.<\/span><\/span><\/p>\n

Configure Ansible<\/span><\/strong><\/p>\n

Ansible is complex and is sensitive to the <\/span>environment. Troubleshooting an environment which has never initially worked is complex and confusing. We are going to configure Ansible with the least complex possible configuration. Once you have a working environment, you can make extensions and enhance<\/span>ments in small steps.<\/span><\/p>\n

The core configuration of Ansible resides at \/etc\/ansible<\/span><\/p>\n

We are only going to update two files for this exercise.<\/span><\/p>\n

Update the Ansible Inventory file<\/span><\/strong><\/p>\n

Edit \/etc\/ansible\/hosts and add:<\/span><\/p>\n

[windows]<\/span><\/strong><\/p>\n

HOME.NICKTAILOR.COM<\/span><\/p>\n

\u201c[windows]\u201d is a creat<\/span>ed group of servers called \u201cwindows\u201d. <\/span>In reality this<\/span> should be named something more appropriate for a group which would have similar configurations, such as \u201cActive Directory Servers\u201d, or \u201cProduction Floor Windows 10 PCs\u201d, etc.<\/span><\/p>\n

Update the Ansible Group V<\/span>ariables for Windows<\/span><\/strong><\/p>\n

Ansible Group Variables are variable settings for a specific inventory group. In this case, we will create the group variables for the \u201cwindows\u201d servers created in the \/etc\/ansible\/hosts file.<\/span><\/p>\n

Create\u00a0<\/span>\/etc\/ansible\/<\/em><\/span>group_vars<\/em><\/span>\/windows<\/em><\/span><\/strong>\u00a0and<\/span> add:<\/span><\/p>\n

\u2014<\/span><\/strong><\/p>\n

ansible_user<\/span>: Administrator<\/span><\/strong><\/p>\n

ansible_password<\/span>: Abcd1234<\/span><\/strong><\/p>\n

ansible_port<\/span>: 5986<\/span><\/strong><\/p>\n

ansible_connection<\/span>: <\/span>winrm<\/span><\/strong><\/p>\n

ansible_winrm_server_cert_validation<\/span>: ignore<\/span><\/strong><\/p>\n

 <\/p>\n

This is a YAML configuration file,\u00a0<\/span>so make sure the first line is three dashes \u201c\u2010\u2010\u2010\u201d<\/span><\/strong><\/em><\/p>\n

Naturally change the Administrator password to the password for\u00a0<\/span>WinServer1<\/span><\/strong>.<\/span><\/em><\/p>\n

For best practices, Ansible can encrypt this file into the Ansible Vault. This would prevent the password from being stored here in clear text. For this lab, we are attempting to k<\/span>eep the configuration as simple as possible. Naturally in production this would not be appropriate.<\/span><\/em><\/p>\n

.<\/span><\/span><\/p>\n

The <\/em><\/span>powershell<\/em><\/span> script must be run on the windows client <\/em><\/span>in order for<\/em><\/span> ansible to be table to talk to the host without issues.<\/em><\/span><\/strong><\/p>\n

Configure Windows <\/span>Servers to Manage<\/span><\/strong><\/p>\n

To configure the Windows Server for remote management by Ansible requires a bit of work. Luckily the Ansible team has created a PowerShell script for this. Download this script from [here] to each Windows Server to manage and run this scr<\/span>ipt as Administrator.<\/span><\/p>\n

Loginto\u00a0<\/span>WinServer1<\/span><\/strong>\u00a0as Administrator, download\u00a0<\/span>ConfigureRemotingForAnsible.ps1\u00a0<\/span><\/a>and run this PowerShell script without any <\/span>parameters.<\/span>Once this command has been run on the\u00a0<\/span>WinServer1<\/span><\/strong>, return to the Ansible1 Controller host.<\/span><\/p>\n

Test Connectivity to the Windows Server<\/span><\/strong><\/p>\n

If all has gone well, we should be able to perform an Ansible PING test command. This command will simply connect<\/span> to the remote\u00a0<\/span>WinServer1<\/span><\/strong>\u00a0server and report success or failure.<\/span><\/p>\n


\nType:<\/span>
\nansible windows -m <\/span>win_ping<\/span><\/strong><\/p>\n

This command runs the Ansible module \u201c<\/span>win_ping<\/span>\u201d on every server in the \u201cwindows\u201d inventory group.<\/span><\/p>\n

Type:\u00a0<\/span>ansible windows -m setup<\/span><\/strong>\u00a0to retrieve a complete config<\/span>uration of Ansible environmental settings.<\/span><\/p>\n

Type:\u00a0<\/span>ansible windows -c ipconfig<\/span><\/strong><\/p>\n

If this command is successful, the next steps will be to build Ansible playbooks to manage Windows Servers.<\/span><\/p>\n

Managing Windows Servers with Playbooks<\/span><\/strong><\/p>\n

\u00a0<\/span><\/p>\n

Let\u2019s<\/span> create some <\/span>playbooks and test Ansible for real on Windows systems.<\/span><\/p>\n

Create a folder on\u00a0<\/span>Ansible1<\/span><\/strong>\u00a0for the playbooks, YAML files, modules, scripts, etc. For these exercises we created a folder under \/root called <\/span>win_playbooks<\/span>.<\/span><\/p>\n

Ansible has some expectations on the directo<\/span>ry structure where playbooks reside. Create the library and scripts folders for use later in this exercise.<\/span><\/p>\n

Commands:<\/span><\/p>\n

cd \/root<\/span><\/strong><\/p>\n

mkdir<\/span> win_playbooks<\/span><\/strong><\/p>\n

mkdir<\/span> win_playbooks<\/span>\/library<\/span><\/strong><\/p>\n

mkdir<\/span> win_playbooks<\/span>\/scripts<\/span><\/strong><\/p>\n

 <\/p>\n

Create the first playbook example <\/span>\u201c<\/span>netstate.yml<\/span>\u201d<\/span>
\nThe contents are:<\/span><\/p>\n

\u2013 name: test <\/span>cmd<\/span> from <\/span>win_command<\/span> module<\/span><\/strong><\/p>\n

\u00a0 hosts: windows<\/span><\/strong><\/p>\n

\u00a0 tasks:<\/span><\/strong><\/p>\n

\u00a0\u00a0\u00a0 \u2013 name: run netstat and return Ethernet stats<\/span><\/strong><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>win_command<\/span>: netstat -e<\/span><\/strong><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0 register: netstat<\/span><\/strong><\/p>\n

\u00a0\u00a0\u00a0 \u2013 debug: var=netstat<\/span><\/strong><\/p>\n

 <\/p>\n

This playbook does only one<\/span> task, to connect to the servers in the Ansible inventory group \u201cwindows\u201d and run the command\u00a0<\/span>netstat.exe -a<\/span><\/strong>\u00a0and return the results.<\/span><\/em><\/p>\n

To run this playbook, run this command on\u00a0<\/span>Ansible1<\/span><\/strong><\/em>:<\/span><\/p>\n

.<\/span><\/span><\/p>\n

Errors that I ran into<\/span><\/strong><\/p>\n

Now on ubuntu you might get some SSL error when<\/span> trying to run a playbook. This is because the python libraries are trying to verify the <\/span>self signed<\/span> cert before opening a secure connection <\/span>via https<\/span>. <\/span><\/p>\n

.<\/span><\/span><\/p>\n

ansible windows -m <\/span>win_ping<\/span><\/strong><\/p>\n

.<\/span><\/span><\/p>\n

Wintestserver1 | UNREACHABLE! => {\u00a0<\/span><\/em>
\n“changed”: false,\u00a0<\/span><\/em>
\n“<\/span>msg<\/span>“: “<\/span>ssl<\/span>: <\/span>500 <\/span>WinRMTransport<\/span>. [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)”,\u00a0<\/span><\/em>
\n“unreachable”: true\u00a0<\/span><\/em>
\n}\u00a0<\/span><\/em>
\n.\u00a0<\/span><\/em><\/p>\n

.<\/span><\/span><\/p>\n

How you can get around the is update the python library to not care about looking for a valid cert and just open a secure connection. <\/strong><\/p>\n

Edit \/usr\/lib\/python2.7\/sitecustomize.py<\/em><\/strong><\/p>\n

——————–<\/strong><\/p>\n

import ssl<\/strong><\/p>\n

try:<\/strong><\/p>\n

_create_unverified_https_context = ssl._create_unverified_context<\/strong><\/p>\n

except AttributeError:<\/strong><\/p>\n

# Legacy Python that doesn’t verify HTTPS certificates by default<\/strong><\/p>\n

pass<\/strong><\/p>\n

else:<\/strong><\/p>\n

# Handle target environment that doesn’t support HTTPS verification<\/strong><\/p>\n

\u00a0\u00a0\u00a0\u00a0ssl._create_default_https_context = _create_unverified_https_context<\/strong><\/p>\n

——————————– <\/strong><\/p>\n

Then it should look like this<\/span><\/p>\n

ansible windows -m <\/span>win_ping<\/span><\/strong><\/p>\n

.<\/span><\/span><\/p>\n

wintestse<\/span>rver1 | SUCCESS => {\u00a0<\/span>
\n“changed”: false,\u00a0<\/span>
\n“ping”: “pong”\u00a0<\/span>
\n}<\/span><\/p>\n

.<\/span><\/span><\/p>\n

Proxies and WSUS:<\/strong><\/p>\n

If you are using these you to disable proxies check on your host simply export<\/strong><\/p>\n

export no_proxy=127.0.0.1, winserver1, etc,<\/strong><\/p>\n

Or add a file in \/etc\/profile.d\/whatever.sh<\/strong><\/p>\n

If you have WSUS configured you will need to check to see if there are updates from there or they will not show when the yaml searches for new updates. <\/strong><\/p>\n

Test windows updates yaml: The formatting is all wrong below so click on the link and it will have the proper formatted yaml for windows update.<\/p>\n


\n– hosts: windows
\ngather_facts: no<\/p>\n

tasks:
\n– name: Search Windows Updates
\nwin_updates:
\ncategory_names:
\n– SecurityUpdates
\n– CriticalUpdates
\n– UpdateRollups
\n– Updates
\nstate: searched
\nlog_path: C:\\ansible_wu.txt<\/p>\n

– name: Install updates
\nwin_updates:
\ncategory_names:
\n– SecurityUpdates
\n– CriticalUpdates
\n– UpdateRollups
\n– Updates<\/p>\n

\u00a0.<\/span><\/span><\/p>\n

If it works properly the log file on the test host will have something like the following:\u00a0C:\\ansible_wu.txt<\/p>\n

Logs show the update<\/em><\/span><\/strong><\/p>\n

2018-06-04 08:47:54Z Creating Windows Update session…
\n2018-06-04 08:47:54Z Create Windows Update searcher…
\n2018-06-04 08:47:54Z Search criteria: (IsInstalled = 0 AND CategoryIds contains ‘0FA1201D-4330-4FA8-8AE9-B877473B6441’) OR(IsInstalled = 0 AND CategoryIds contains ‘E6CF1350-C01B-414D-A61F-263D14D133B4′) OR(IsInstalled = 0 AND CategoryIds contains ’28BC880E-0592-4CBF-8F95-C79B17911D5F’) OR(IsInstalled = 0 AND CategoryIds contains ‘CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83’)
\n2018-06-04 08:47:54Z Searching for updates to install in category Ids 0FA1201D-4330-4FA8-8AE9-B877473B6441 E6CF1350-C01B-414D-A61F-263D14D133B4 28BC880E-0592-4CBF-8F95-C79B17911D5F CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83…
\n2018-06-04 08:48:33Z Found 2 updates
\n2018-06-04 08:48:33Z Creating update collection…
\n2018-06-04 08:48:33Z Adding update 67a00639-09a1-4c5f-83ff-394e7601fc03 – Security Update for Windows Server 2012 R2 (KB3161949)
\n2018-06-04 08:48:33Z Adding update ba0f75ff-19c3-4cbd-a3f3-ef5b5c0f88bf – Security Update for Windows Server 2012 R2 (KB3162343)
\n2018-06-04 08:48:33Z Calculating pre-install reboot requirement…
\n2018-06-04 08:48:33Z Check mode: exiting…
\n2018-06-04 08:48:33Z Return value:
\n{
\n“updates”: {
\n“67a00639-09a1-4c5f-83ff-394e7601fc03”: {
\n“title”: “Security Update for Windows Server 2012 R2 (KB3161949)”,
\n“id”: “67a00639-09a1-4c5f-83ff-394e7601fc03”,
\n“installed”: false,
\n“kb”: [
\n“3161949”
\n]
\n},
\n“ba0f75ff-19c3-4cbd-a3f3-ef5b5c0f88bf”: {
\n“title”: “Security Update for Windows Server 2012 R2 (KB3162343)”,
\n“id”: “ba0f75ff-19c3-4cbd-a3f3-ef5b5c0f88bf”,
\n“installed”: false,
\n“kb”: [
\n“3162343”
\n]
\n}
\n},
\n“found_update_count”: 2,
\n“changed”: false,
\n“reboot_required”: false,
\n“installed_update_count”: 0,
\n“filtered_updates”: {<\/p>\n

}
\n}<\/p>\n

Written By Nick Tailor<\/p>\n

.<\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Note: This section assumes you already have ansible installed, working, active directory setup, and test windows host in communication with AD. Although its not needed to have AD. Its good practice for to have it all setup talking to each other for learning. . Setup Now Ansible does not come with windows managing ability out of the box. Its isRead More …<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51],"tags":[],"class_list":["post-745","post","type-post","status-publish","format-standard","hentry","category-ansible"],"_links":{"self":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/745","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/comments?post=745"}],"version-history":[{"count":9,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/745\/revisions"}],"predecessor-version":[{"id":1047,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/745\/revisions\/1047"}],"wp:attachment":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/media?parent=745"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/categories?post=745"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/tags?post=745"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}