semaphoreui / semaphore

Modern UI for Ansible, Terraform, OpenTofu, PowerShell and other DevOps tools.
https://semaphoreui.com
MIT License

WinRM user #1227

Open JassonAvila opened 1 year ago

JassonAvila commented 1 year ago

Hi.

Every time that I use winrm and kerberos auth, winrm uses another user rather than the one set in ansible_user.

ESTABLISH WINRM CONNECTION FOR USER: XXX on PORT ...

but the ansible_user is set to an AD domain user. If I run it through CLI everything works but the issue is with semaphore tasks.

How can I change the user for winrm in semaphore?

OS: opensuse

Brother-Blue commented 1 year ago

Having a similar issue #1108, really hoping this gets fixed soon as it's a hassle to bounce between workflows for different OS's.

Serverhamster commented 1 year ago

I don't think it's possible to change ansible_user for a separate play or host since ansible_user is passed as --extra-vars and has higher priority than whatever you define. (https://github.com/ansible-semaphore/semaphore/issues/1464)

Brother-Blue commented 1 year ago

It is possible to have a different user per play or host; we have different ansible users defined in our windows/unix inventories. Windows requires a bit more information for WinRM to work and to also specify which service account the ansible play runs as.

# windows.ini
[windows:vars]
ansible_connection=winrm
ansible_winrm_transport=kerberos
ansible_port=5985
ansible_winrm_server_cert_validation=ignore
ansible_become=yes
ansible_become_method=runas
ansible_become_user=***\svc-ansible
ansible_become_password=***
# linux.ini
[linux:vars]
ansible_connection=ssh
ansible_user=ansible
ansible_ssh_pass=***
ansible_become=yes 
ansible_become_method=sudo
ansible_become_pass=***

Both of these work without any issue when running playbooks manually, but having issues with running playbooks against windows machines via Semaphore as explained in #1108

robinmalik commented 11 months ago

@Brother-Blue Do you know if there's a way within Semaphore to avoid us having to store the user/password for WinRM authentication directly in an inventory/group vars file?

Brother-Blue commented 11 months ago

I don't atm. I still haven't managed to get running plays against Windows VMs in semaphore to work; a way I've been doing it currently is with ansible prompts in the playbook, but that's not possible with semaphore.

robinmalik commented 11 months ago

Ok, thanks anyway! I've got Semaphore working against Windows VMs but it's using NTLM rather than kerberos for WinRM.

AndresGuty commented 8 months ago

Hello, I am new to managing Ansible, as well as Semaphore UI. I am trying to manage Windows machines using WINRM from Semaphore, which I installed using Docker Desktop. After configuring it, I couldn't get it to ping the Windows machines. The only way I found is to enter the Semaphore container terminal as root and install the necessary packages with the following commands:

apk add py3-pip
pip install pywinrm

This way, I managed to handle my Windows machines from Semaphore. I apologize if what I'm posting is not relevant; I'm just trying to learn how to manage Ansible and Semaphore.

lbouriez commented 8 months ago

Have you ever found a way to not use the credentials entered in semaphore but instead the one in the inventory ?

AndresGuty commented 8 months ago

Hello @lbouriez , I am going to perform tests.

Brother-Blue commented 8 months ago

@lbouriez I've managed to do it for Linux and Windows VMs, unfortunately not through semaphore for Windows though.

The following works, just have your semaphore inventory/task point to the inventory file with the credentials defined.

[home_lab:vars]
ansible_connection=ssh
ansible_user=my_user
ansible_ssh_pass=super_secure_password
ansible_become=yes 
ansible_become_method=sudo
ansible_become_pass=super_secure_password

[home_lab]
vm01.domain.com

lbouriez commented 8 months ago

Thank you for your answer, I am actually doing that for Windows and Linux, but for Windows it doesn't work, it takes the credentials from the Semaphore keys...

robinmalik commented 8 months ago

@lbouriez Having just tried duplicating a working task template, linking it to a new Semaphore 'inventory' object (which uses a file, and a faulty username/password), the task fails. I had assumed when running, it was using the username/password details within the inventory file itself but apparently not. So yes, I can replicate your issue also.

lbouriez commented 8 months ago

I was just double checking now with -vvv and I can see it's ignoring the credentials from the hosts.yml and just using the ones from semaphore :/

Brother-Blue commented 8 months ago

That's expected @robinmalik @lbouriez, extra vars passed in by Semaphore will always take precedence over inventory vars as per Ansible documentation https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#understanding-variable-precedence
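As an added example (not code from the Semaphore project or from any commenter in this thread), the script below parses an INI inventory like the ones posted above, lists the credential variables it stores in clear text, and shows which of them a set of extra vars, injected the way Semaphore does, would override under Ansible's precedence rules. The inventory text and the extra-var values are constructed samples; that Semaphore passes the password as an extra var alongside `ansible_user` is an assumption made here, not something the thread states.

```python
"""Audit an Ansible INI inventory for plaintext credentials and show which
inventory variables a set of extra vars (-e / --extra-vars) would override.

Added example: not Semaphore's or Ansible's own code. The sample inventory
and extra vars below are constructed for illustration."""

import re

# Inventory keys that hold a secret when set as a literal value.
CREDENTIAL_KEYS = {
    "ansible_password",
    "ansible_ssh_pass",
    "ansible_become_pass",
    "ansible_become_password",
    "ansible_winrm_password",
}

# [group], [group:vars] or [group:children]
SECTION_RE = re.compile(r"^\[(?P<name>[^\]:]+)(?::(?P<kind>vars|children))?\]$")


def parse_ini_inventory(text):
    """Return {group: {"vars": {key: value}, "hosts": [hostname, ...]}}.

    A deliberately small parser for the INI inventory shape used in the
    thread: comment lines, [group] host lists and [group:vars] key=value
    lines. [group:children] sections are skipped."""
    groups = {}
    current, kind = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group("name")
            kind = match.group("kind") or "hosts"
            groups.setdefault(current, {"vars": {}, "hosts": []})
            continue
        if current is None:  # hosts before any header belong to "ungrouped"
            current, kind = "ungrouped", "hosts"
            groups.setdefault(current, {"vars": {}, "hosts": []})
        if kind == "vars":
            key, _, value = line.partition("=")
            groups[current]["vars"][key.strip()] = value.strip()
        elif kind == "hosts":
            # first token is the host; any inline host vars are ignored here
            groups[current]["hosts"].append(line.split()[0])
    return groups


def plaintext_credentials(groups):
    """(group, key) pairs whose secret sits as a literal in the inventory."""
    return [
        (name, key)
        for name, group in groups.items()
        for key in group["vars"]
        if key in CREDENTIAL_KEYS
    ]


def effective_vars(group_vars, extra_vars):
    """Merge group vars with extra vars; extra vars win, as in Ansible's
    precedence order. Returns (merged, keys overridden by extra vars)."""
    overridden = sorted(
        k for k in extra_vars if k in group_vars and group_vars[k] != extra_vars[k]
    )
    merged = dict(group_vars)
    merged.update(extra_vars)
    return merged, overridden


def audit(inventory_text, extra_vars):
    groups = parse_ini_inventory(inventory_text)
    report = {"plaintext": plaintext_credentials(groups), "overridden": {}}
    for name, group in groups.items():
        if group["vars"]:
            _, overridden = effective_vars(group["vars"], extra_vars)
            report["overridden"][name] = overridden
    return report


# Constructed sample inventory, modelled on the group vars posted in the thread.
SAMPLE_INVENTORY = """\
[windows:vars]
ansible_connection=winrm
ansible_winrm_transport=kerberos
ansible_port=5985
ansible_user=svc-ansible@EXAMPLE.LOCAL
ansible_password=PLACEHOLDER_WIN_PW

[windows]
win01.example.local

[home_lab:vars]
ansible_connection=ssh
ansible_user=my_user
ansible_ssh_pass=PLACEHOLDER_SSH_PW
ansible_become=yes
ansible_become_method=sudo

[home_lab]
vm01.example.local
"""

# Constructed extra vars standing in for what Semaphore injects from the key
# attached to a task. Assumption: the password travels the same way as ansible_user.
SEMAPHORE_EXTRA_VARS = {
    "ansible_user": "semaphore_key_user",
    "ansible_password": "PLACEHOLDER_SEMAPHORE_PW",
}

if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY, SEMAPHORE_EXTRA_VARS)
    for group, key in result["plaintext"]:
        print(f"[{group}] {key} is stored in clear text in the inventory")
    for group, keys in result["overridden"].items():
        for key in keys:
            print(f"[{group}] inventory value of {key} is overridden by an extra var")
```

Run against the sample, the report shows both groups carrying a clear-text secret and `ansible_user` (plus `ansible_password` for the windows group) being replaced by the extra vars, which is the behaviour the comments above describe: whatever the inventory says, the credential Semaphore injects is the one Ansible uses.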

lbouriez commented 8 months ago

So there is no way to bypass the credentials of semaphore and use the ones in the yaml? All my machines have different passwords, it's a nightmare to handle using semaphore 🥺

robinmalik commented 8 months ago

That's expected @robinmalik @lbouriez, extra vars passed in by Semaphore will always take precedence over inventory vars as per Ansible documentation https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#understanding-variable-precedence

Thanks @Brother-Blue. I wasn't aware it was passing them as extra vars.

@lbouriez I can see your problem here! If we wanted to connect (for example) using the Administrator account, which is rotated for each server using LAPS (and thus different for each), we'd be stuck. We have to use a dedicated account that's an administrator on all machines instead (not ideal).

ereinholdssu commented 7 months ago

I seem to be having a similar issue. I have a vars yaml file that I can use to authenticate using kerberos or ntlm from the CLI. But if I try to run it from semaphore then I get an error that kerberos or ntlm is missing:

ntlm: requested auth method is ntlm, but requests_ntlm is not installed
kerberos: the python kerberos library is not installed

These packages already appear to be installed in my site-packages directory of semaphore.

pip3 install requests_ntlm --target=/root/snap/semaphore/common/ansible_env/lib/python3.8/site-packages
pip3 install pykerberos --target=/root/snap/semaphore/common/ansible_env/lib/python3.8/site-packages
Collecting pykerberos
  Using cached pykerberos-1.2.4-cp311-cp311-linux_x86_64.whl
Installing collected packages: pykerberos
Successfully installed pykerberos-1.2.4
WARNING: Target directory /root/snap/semaphore/common/ansible_env/lib/python3.8/site-packages/kerberos.cpython-311-x86_64-linux-gnu.so already exists. Specify --upgrade to force replacement.
WARNING: Target directory /root/snap/semaphore/common/ansible_env/lib/python3.8/site-packages/pykerberos-1.2.4.dist-info already exists. Specify --upgrade to force replacement.
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv

Am I missing something simple? I would consider myself an average Linux user. Any help would be appreciated. Thanks!