Managing Windows machines with Ansible is straightforward if you follow the documentation. You need to configure and enable WinRM on the Windows machine and then open the WinRM ports, 5985 (HTTP) and 5986 (HTTPS), in the Windows Firewall (and in the network firewall, if any).
See other articles to learn how to manage Windows using Ansible.
However, Ansible developers and users often struggle to connect to Windows machines from Ansible, so I decided to publish the common mistakes and errors along with quick fixes for them.
Note: This is a living document and I will update this article whenever I find new issues or fixes related to the topic.
First, check that the port is reachable using nc or any other available tool on your Ansible machine.
$ nc -vz 192.168.99.103 5985
Connection to 192.168.99.103 port 5985 [tcp/wsman] succeeded !
I am getting the below error while executing the ansible command.
$ ansible win2016 -m win_ping
objc[72452]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called.
objc[72452]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.
Fix: This error is caused by a security restriction on multithreading that was added in macOS High Sierra and is present in later versions of macOS. Set the following environment variable to work around it:
$ export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
You can make this permanent by adding the export line to your zsh or bash profile.
$ ansible win2016 -m win_ping
win2016 | UNREACHABLE! => {
"changed": false,
"msg": "basic: the specified credentials were rejected by the server",
"unreachable": true
}
Fix: Enable basic authentication and unencrypted data on the WinRM service.
Please note: if you are using HTTPS, you should not enable these settings. With both enabled, the username and password travel over HTTP (port 5985) base64-encoded rather than encrypted.
1. Enable basic authentication on the WinRM service
PS > winrm set winrm/config/service/auth '@{Basic="true"}'
Auth
    Basic = true
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = Relaxed
2. Also allow transfer of unencrypted data on the WinRM service.
PS > winrm set winrm/config/service '@{AllowUnencrypted="true"}'
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true
You can check the status using winrm get winrm/config/service.
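The script below is an added example, not part of the original article: it parses saved output of winrm get winrm/config/service and reports whether the two settings changed by this fix are switched on, so you can find hosts where the workaround was left in place. The function names, the script name in the usage comment and the trimmed sample are assumptions made for this illustration.

```python
import sys

# Constructed sample, modelled on the `winrm get winrm/config/service` output above.
SAMPLE = """\
Service
    MaxConnections = 300
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    CertificateThumbprint
    AllowRemoteAccess = true
"""

def parse_winrm(text):
    """Flatten indented winrm output into {'Service/Auth/Basic': 'true', ...}."""
    settings, stack = {}, []  # stack: (indent, name) of the sections we are inside
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left every section at this indent or deeper
        key, sep, value = line.strip().partition(" = ")
        if sep:
            settings["/".join([n for _, n in stack] + [key])] = value.strip()
        else:
            stack.append((indent, key))  # section header, or a key with no value
    return settings

def audit(settings):
    """Report the two settings the fix above turns on."""
    def on(path):
        return settings.get(path, "").lower() == "true"
    basic, clear = on("Service/Auth/Basic"), on("Service/AllowUnencrypted")
    findings = []
    if clear:
        findings.append("AllowUnencrypted=true: WinRM accepts unencrypted HTTP payloads")
    if basic and clear:
        findings.append("Basic=true over HTTP: credentials are only base64-encoded")
    elif basic:
        findings.append("Basic=true: connect only through the HTTPS listener (5986)")
    return findings

if __name__ == "__main__":
    # Usage: python audit_winrm.py saved_output.txt  (no argument audits SAMPLE)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit(parse_winrm(text)) or ["no Basic/unencrypted exposure found"]:
        print(finding)
```

The parser relies on the indentation that winrm prints, so save the output as text without stripping leading whitespace.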
Gineesh Madapparambath
Gineesh Madapparambath is the founder of techbeatly and the author of the book Ansible for Real-Life Automation.
He has worked as a Systems Engineer, Automation Specialist, and content author. His primary focus is on Ansible Automation, Containerisation (OpenShift & Kubernetes), and Infrastructure as Code (Terraform).
(aka Gini Gangadharan - iamgini.com)