Lessons Learned - thopper91/Ansible-on-Windows GitHub Wiki
Here I have logged all the items that went wrong when using Ansible to automate tasks on a Windows host.
Windows Host Groups
When it comes to creating host groups, the group HAS to be named windows, otherwise the hosts are not picked up. The name itself means nothing to Ansible; the reason is that the WinRM connection settings for these hosts live in the group_vars file named after the group (assumed here to be group_vars/windows.yml), and a group with any other name never receives those variables. Two ways to work within that: put ALL Windows IPs and domain names in the one windows group (as below), or keep several inventory files, each with its own small windows group. The second option means you must pass the correct inventory file with -i every time.
[windows]
0.0.0.1
0.0.0.2
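As an added example (this is not a file from the wiki's repository), the same group written as a YAML inventory with the WinRM and Kerberos connection variables attached to the group itself instead of living in group_vars. Attached this way, Ansible reads them whatever the group is called. The file path, the listener port and the service-account name are assumptions.

```yaml
# inventory/windows.yml  (added example; path and account name are assumptions)
# Attaching the connection variables to the group makes the group name
# irrelevant: Ansible reads them from here, not from group_vars/<name>.yml.
all:
  children:
    windows:                      # any name works; "windows" kept to match the wiki
      hosts:
        0.0.0.1:
        0.0.0.2:
      vars:
        ansible_connection: winrm
        ansible_winrm_transport: kerberos
        ansible_winrm_scheme: https
        ansible_port: 5986              # HTTPS listener; 5985 is the plain-HTTP one
        # Kerberos needs the principal as user@REALM, with the REALM upper-case.
        ansible_user: ansible-svc@DOMAIN   # dedicated automation account (assumed name)
        # No ansible_password here: supply it with --ask-pass, or keep it in an
        # ansible-vault encrypted file rather than in plaintext group_vars.
        # Leave certificate validation on; "ignore" is only for self-signed lab hosts.
        ansible_winrm_server_cert_validation: validate
```

Run it with `ansible-playbook -i inventory/windows.yml FILENAME.yml --ask-pass`. The Kerberos transport requires the pywinrm Kerberos extras on the control node; when an ansible_password is available Ansible obtains the ticket itself, otherwise it uses whatever ticket kinit already put in the cache.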
User details
In order for the below to run successfully, the account Ansible connects as needs admin rights on the target: by default WinRM only accepts remote sessions from members of the local Administrators group (or Remote Management Users), and Domain Admins qualify through that group; any other account is rejected when it authenticates, which is the error you will see. Domain Admin is far more privilege than this automation needs, so what has been done instead is to create a dedicated Ansible-on-Windows user for the work we want to complete; give that account local admin on the managed hosts only.
SSH & Kerberos errors
SSH error
If ansible-playbook reports an SSH (authentication) error when you execute the playbook like this: $ ansible-playbook playbook.yml
then the main reason is that it doesn't actually know who you are. Hear me out: yes, you have defined ansible_password in your group_vars file, but that still will not ALWAYS let the task run. The way to overcome this, which is also better from a security point of view because the password stays out of a file committed to the repository, is to have the developer run the playbook like this: $ ansible-playbook -i ./inventory/HOSTNAME FILENAME.yml --ask-pass
with HOSTNAME being the inventory file and FILENAME.yml being the playbook you want to execute.
Ansible will now prompt you for the "SSH password". Despite the label, for a WinRM host this value is used as ansible_password, so enter the password of the account that logs into the Windows host. Once you have entered it and pressed Enter, Ansible should complete the tasks you outlined in your playbook... that's if the code is correct ;)
Kerberos error
When a Kerberos error arises, the resolution I found was a very simple one and it comes down to how the playbook is executed. First, check that the Kerberos client works by requesting a ticket with kinit: $ kinit hoppert@DOMAIN
This shows whether Kerberos is actually up and running (klist then lists the ticket you obtained). If kinit itself fails, reinstall the tool and check that /etc/krb5.conf names your realm and its KDC.
If it is running, then the cause in my case was a line I had defined within the executable playbooks themselves: connection: local
That line overrides the ansible_connection: winrm setting from the inventory, so every task runs on the control node instead of over WinRM to the Windows host. Remove or comment that line out and it works!
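An added example (not one of the repository's playbooks) of the shape that works: the play targets the windows group and leaves connection unset so the inventory's winrm settings apply, and the commented-out line reproduces the override that breaks it. The task names and the file name are assumptions.

```yaml
# playbook.yml  (added example, not from the repository)
- name: Verify WinRM/Kerberos connectivity to the Windows hosts
  hosts: windows
  gather_facts: false
  # connection: local   # <- overrides ansible_connection: winrm from the
  #                     #    inventory, so every task would run on the control
  #                     #    node instead of the Windows host. Leave it out.
  tasks:
    - name: Round-trip through WinRM (fails here if Kerberos auth is broken)
      ansible.windows.win_ping:

    - name: Show which account the remote session runs as
      ansible.windows.win_shell: whoami
      register: who
      changed_when: false

    - name: Report the account, to confirm the dedicated Ansible user is in use
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }} reached as {{ who.stdout | trim }}"
```

Run it with `ansible-playbook -i ./inventory/HOSTNAME playbook.yml --ask-pass`. If win_ping succeeds but the reported account is not the dedicated Ansible user, the wrong credentials reached the host; if win_ping fails with an authentication error, start with kinit and the group_vars connection settings before touching the playbook.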
Run Playbook
To run the playbooks in this repository, the consistently reliable approach is to have Ansible prompt the user for the password. Putting the password in group_vars is known to produce an error, and it also leaves a plaintext credential in the repository, so it is best to run the following:
$ ansible-playbook -i ./inventory/HOSTNAME FILENAME.yml --ask-pass
HOSTNAME: the inventory file to run against
FILENAME: the Ansible playbook to execute