Pre requisites - thopper91/Ansible-on-Windows GitHub Wiki

Pre-requisites

Before going any further, the following will need to be completed:

  • Have a Linux box (I am using Ubuntu); this is the Ansible control node
  • Have a Windows machine to manage (using Server 2016); the page calls it the Windows Control Machine, but in Ansible terms it is the managed host that the Linux box connects to over WinRM

Now for the steps to set up the environment:

On Linux Box

  1. Install Python, pip and Ansible on the machine. Python and pip come first, because Ansible is installed with pip; libssl-dev is needed to build the cryptography dependency:
### Python & Pip ###
$ sudo apt-get install python python-pip

### Ansible ###
$ sudo apt-get install libssl-dev
$ sudo pip install ansible

### Check everything installed and which versions you have (Ansible shows up in pip list) ###
$ pip list
$ python --version
$ pip --version
$ ansible --version
  2. Install pywinrm, the library Ansible uses to speak WinRM: $ sudo pip install "pywinrm>=0.2.2"
  3. Install Kerberos and its dependencies. Kerberos is the preferred option over NTLM when using an Active Directory account, but it needs a few extra steps on the Ansible control host. There are other ways to install Kerberos; as I am using Ubuntu (dependencies first!):
  • Dependencies: $ sudo apt-get install python-dev libkrb5-dev krb5-user
  • Install the Kerberos extra for pywinrm: $ sudo pip install "pywinrm[kerberos]"
  4. Now configure Kerberos. This part is a little tricky, but bear with us! Edit /etc/krb5.conf. First find the section that starts with [realms] and add the realm (the full domain name in capitals) with the fully qualified names of the primary and secondary Active Directory domain controllers; it should look like this:
[realms]

MY.DOMAIN.COM = {
  kdc = domain-controller01.my.domain.com
  kdc = domain-controller02.my.domain.com
}

Scroll down to the section that starts with [domain_realm]. This maps DNS names to the realm: the lower-case domain of the domain controllers, once with a leading dot (so every host under the domain matches) and once without (for the bare domain name), each pointing at the realm name in capitals. Realm names are case-sensitive, so spell it exactly as in [realms]:

[domain_realm]
    .my.domain.com = MY.DOMAIN.COM
    my.domain.com = MY.DOMAIN.COM

Optionally add default_realm = MY.DOMAIN.COM under [libdefaults] so that principals can be given without the @REALM suffix.
  5. Test the Kerberos connection by requesting a ticket (the realm part must be in capitals) and then confirming it was issued: $ kinit username@MY.DOMAIN.COM followed by $ klist. If kinit reports "Cannot find KDC for realm", recheck the [realms] entry and that the KDC names resolve in DNS.
  6. Install CredSSP. CredSSP authentication can be used to authenticate with both domain and local accounts. It allows credential delegation to do second-hop authentication on a remote host by sending an encrypted form of the credentials to the remote host using the CredSSP protocol: $ sudo pip install "pywinrm[credssp]". Only enable it where that second hop is actually needed: the remote host receives credentials it can reuse, so a compromised target can act as the Ansible account elsewhere.
  7. Create the Inventory hosts file and point the .cfg file at it. The .cfg file is already set up in this repository; only the Inventory hosts file stored in the Inventory folder needs updating. This is plain Ansible inventory, nothing Windows-specific.
  8. Next, create the group_vars folder with a file in it. That file holds the group variables used when connecting to a Windows host (the WinRM connection plugin, transport, port, user and password). A folder and file are already here; ideally only the user and password variables need changing.
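The krb5.conf stanzas and the group_vars file from the steps above, generated with the case and port rules enforced in code. This is an added example, not code from this wiki or from Ansible; the realm my.domain.com, the KDC names, the service account name and the "windows" group name are assumptions for illustration, while the variable names are the standard Ansible WinRM connection variables.

```python
"""Render the two Linux-side files the wiki edits by hand, with the case and port rules
enforced. Added example, not code from the wiki or from Ansible; realm, KDC names, the
'windows' group name and the values used in __main__ are assumptions for illustration."""

# Transports the Ansible docs list for ansible_winrm_transport.
WINRM_TRANSPORTS = {"kerberos", "ntlm", "credssp", "basic", "certificate"}


def krb5_conf(realm, kdcs, domain=None):
    """Return [libdefaults]/[realms]/[domain_realm] stanzas for one Active Directory realm.

    Kerberos realm names are case-sensitive and AD realms are upper-case, so the realm is
    forced to upper case everywhere it appears. The DNS domain is forced to lower case and
    mapped twice: '.my.domain.com' matches every host below the domain, 'my.domain.com'
    matches the bare domain name itself.
    """
    if not kdcs:
        raise ValueError("at least one KDC (domain controller) is required")
    realm = realm.upper()
    domain = (domain or realm).lower()
    lines = ["[libdefaults]", f"    default_realm = {realm}", "", "[realms]", f"{realm} = {{"]
    lines += [f"    kdc = {kdc.lower()}" for kdc in kdcs]
    lines += ["}", "", "[domain_realm]", f"    .{domain} = {realm}", f"    {domain} = {realm}"]
    return "\n".join(lines) + "\n"


def windows_group_vars(user, transport="kerberos", port=5986, password=None, self_signed=True):
    """Return group_vars for the 'windows' inventory group as a dict (dump it as YAML).

    Refuses the one combination that quietly sends credentials and commands in clear text:
    basic auth over the HTTP listener, which is the only case that would require
    AllowUnencrypted=true on the Windows side.
    """
    if transport not in WINRM_TRANSPORTS:
        raise ValueError(f"unknown transport {transport!r}")
    if transport == "basic" and port != 5986:
        raise ValueError("basic auth only over HTTPS (5986); it has no message encryption of its own")
    if transport == "kerberos":
        name, at, realm = user.partition("@")
        if not at or not realm:
            raise ValueError("kerberos needs a principal of the form user@REALM")
        user = f"{name}@{realm.upper()}"  # realm part is case-sensitive; AD realms are upper-case
    group_vars = {
        "ansible_connection": "winrm",
        "ansible_user": user,
        "ansible_port": port,
        "ansible_winrm_scheme": "https" if port == 5986 else "http",
        "ansible_winrm_transport": transport,
    }
    if password is not None:
        # With Kerberos this can be omitted: pywinrm then uses the ticket from kinit.
        # If it is set, keep the file encrypted with ansible-vault, not in clear text.
        group_vars["ansible_password"] = password
    if port == 5986 and self_signed:
        # ConfigureRemotingForAnsible.ps1 issues a self-signed certificate; until that
        # certificate is trusted on the control node, validation must be disabled explicitly.
        group_vars["ansible_winrm_server_cert_validation"] = "ignore"
    return group_vars


def to_yaml(mapping):
    """Minimal YAML for a flat mapping of strings and integers (no PyYAML dependency)."""
    out = ["---"]
    for key, value in mapping.items():
        out.append(f"{key}: {value}" if isinstance(value, int) else f'{key}: "{value}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Hypothetical realm, domain controllers and service account.
    print(krb5_conf("my.domain.com",
                    ["domain-controller01.my.domain.com", "domain-controller02.my.domain.com"]))
    print(to_yaml(windows_group_vars("ansible-svc@my.domain.com")))
```

Write the first output into /etc/krb5.conf and the second into group_vars/windows.yml (the file name must match the inventory group name used later with win_ping); run kinit before the first play so a ticket is in the cache, or add a vaulted ansible_password.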

On Windows Control Machine

Now pop over to the Windows machine and download the PowerShell script ConfigureRemotingforAnsible.ps1 (a copy is in this GitHub repository). The following steps are entered at the Command Prompt (cmd):

  1. winrm set winrm/config/service @{AllowUnencrypted="false"}
     Keep this false. Kerberos, NTLM and CredSSP encrypt the WS-Man messages themselves, so they work over HTTP 5985 with it false; "true" is only required for Basic auth over HTTP, which sends the password and every command in the clear. Prefer the HTTPS 5986 listener that the script creates regardless.
  2. Execute the PowerShell script: powershell.exe -ExecutionPolicy ByPass -File ConfigureRemotingforAnsible.ps1

Admins may want to modify the default settings; the following options are available and can be combined in a single run of the script (NOTE: I ran all of the below):

  • Customize the expiration date of the generated self-signed certificate: powershell.exe -File ConfigureRemotingforAnsible.ps1 -CertValidityDays 100
  • Enable CredSSP as an authentication option (only if the second hop is needed): powershell.exe -File ConfigureRemotingforAnsible.ps1 -EnableCredSSP
  • Force a new SSL certificate to be attached to an already existing winrm listener: powershell.exe -File ConfigureRemotingforAnsible.ps1 -ForceNewSSLCert
  • Switch to configure winrm to listen on public zone interfaces: powershell.exe -File ConfigureRemotingforAnsible.ps1 -SkipNetworkProfileCheck
    By default the script stops when a network connection is on the Public profile; with this switch WinRM is enabled on those interfaces as well, so do not use it on an internet-facing host.

Two things to know about what the script leaves behind: the HTTPS listener uses a self-signed certificate, so the control node must either trust that certificate or set ansible_winrm_server_cert_validation: ignore in group_vars; and the script enables Basic authentication unless it is run with -DisableBasicAuth, which is worth passing when only Kerberos, NTLM or CredSSP will be used.
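A check for the Windows side, as an added example that is not the wiki's or Ansible's own code: parse the output of `winrm get winrm/config/service` and flag the three settings that decide whether Ansible traffic and credentials are protected, with the `winrm set` command that fixes each. The sample output embedded in the script is constructed to match that command's layout; its values are hypothetical and not taken from any real machine.

```python
"""Audit a WinRM service configuration for the settings that decide whether Ansible traffic
and credentials are protected. Added example, not code from the wiki or from Ansible.

Produce the input on the Windows host with `winrm get winrm/config/service`, save it, and
pipe the text into this script. SAMPLE_WEAK below is constructed to match that command's
layout; the values are hypothetical.
"""
import sys

SAMPLE_WEAK = """\
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConnections = 300
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = true
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    CertificateThumbprint
    AllowRemoteAccess = true
"""

# The same host after the three remediation commands below have been applied.
SAMPLE_HARDENED = (SAMPLE_WEAK.replace("AllowUnencrypted = true", "AllowUnencrypted = false")
                   .replace("Basic = true", "Basic = false")
                   .replace("CredSSP = true", "CredSSP = false"))

# (setting path, severity, why it matters, command that turns it off)
CHECKS = [
    ("AllowUnencrypted", "high",
     "unencrypted WS-Man allowed on HTTP/5985; Kerberos, NTLM and CredSSP encrypt messages "
     "themselves, so this is only ever needed for Basic auth over HTTP",
     'winrm set winrm/config/service @{AllowUnencrypted="false"}'),
    ("Auth/Basic", "high",
     "Basic auth enabled: the password travels base64-encoded and is protected only by TLS "
     "on the HTTPS listener; not needed for domain accounts",
     'winrm set winrm/config/service/auth @{Basic="false"}'),
    ("Auth/CredSSP", "medium",
     "CredSSP enabled: the target receives delegated credentials it can reuse; keep it on "
     "only where the second hop is really required",
     'winrm set winrm/config/service/auth @{CredSSP="false"}'),
]


def parse_winrm_config(text):
    """Parse winrm's indented 'key = value' dump into nested dicts (4 spaces per level)."""
    root = {}
    stack = [(-1, root)]  # (indent, container) for the currently open sections
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while indent <= stack[-1][0]:  # close sections at the same or deeper indent
            stack.pop()
        parent = stack[-1][1]
        key, sep, value = raw.strip().partition("=")
        if sep:
            parent[key.strip()] = value.strip()
        else:  # section header, or a key printed with an empty value
            node = {}
            parent[key.strip()] = node
            stack.append((indent, node))
    return root


def lookup(config, path):
    """Fetch an 'Auth/Basic'-style path from the parsed tree; None when absent."""
    node = config
    for part in path.split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_winrm_service(config):
    """Return findings (dicts with key, severity, detail, fix) for the Service subtree."""
    service = config.get("Service", config)
    findings = []
    for path, severity, detail, fix in CHECKS:
        value = lookup(service, path)
        if isinstance(value, str) and value.lower() == "true":
            findings.append({"key": path, "severity": severity, "detail": detail, "fix": fix})
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WEAK
    for finding in audit_winrm_service(parse_winrm_config(text)):
        print(f"[{finding['severity']}] {finding['key']}: {finding['detail']}")
        print(f"    fix: {finding['fix']}")
```

Run it without input to see the findings for the constructed weak sample, or `python3 winrm_audit.py < service.txt` against a saved dump from a real host; an empty result means the three settings match what the group_vars transport actually needs.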

On Linux Box

  1. Run the win_ping module to ensure the Linux box and the Windows machine are talking. "windows" is the inventory group name, which is also the name of the group_vars file: $ ansible windows -m win_ping
     With Kerberos and no ansible_password set, run kinit first so a ticket is in the cache. A working connection returns "ping": "pong"; an UNREACHABLE result points back at the transport, the ticket or certificate validation in group_vars.

Now the environment should be complete and set up successfully. For any issues, please refer to the Ansible documentation: https://docs.ansible.com/ansible/latest/intro_windows.html#id5