How to connect Ansible to Windows from Ubuntu?

Let me quickly show you how to connect to a Windows server from Ansible running on Ubuntu.

To complete the steps below, you need to have Python 3.x and Ansible installed on both systems. You can follow the articles below if you need help.

How to install and configure Ansible on Ubuntu?

How to install Ansible on Windows?

Below are the details of both servers that I use:

  • Ansible controller - 192.168.0.108
  • Windows server - 192.168.0.102

Step 1: Create an Ansible Windows User

Create a new user to set up an Ansible Windows connection.

  • Open Computer Management on your Windows system and go to Local Users and Groups.
  • Right click "Users" and create a new user.
  • Check the "Password never expires" box and click "Create".
  • Now, among the available groups, right-click on the Administrators group and select Properties.
  • Click Add and type ansible in the object names.
  • Click on the "Check Names" option and then "OK".

The ansible user on the Windows machine is now ready.

Step 2: Setting Up Libraries and WinRM

Go to the Ansible controller machine, update it, and install the libraries mentioned below.

$ sudo apt-get update
$ sudo apt-get install gcc python-dev
$ sudo apt install python3-pip

WinRM stands for Windows Remote Management. This allows you to perform management tasks on remote Windows systems. We will install python3-winrm, the Python client that is used to connect to a Windows system.

$ sudo apt-get install python3-winrm
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  gyp libc-ares2 libhttp-parser2.8 libjs-async libjs-inherits libjs-is-typedarray libjs-node-uuid libuv1 libuv1-dev node-abbrev node-ajv
  node-ansi node-ansi-color-table node-ansi-regex node-ansi-styles node-ansistyles node-aproba node-archy node-are-we-there-yet node-async
  node-validate-npm-package-license node-wcwidth.js node-which node-which-module node-wide-align node-wrap-ansi node-wrappy node-y18n
  node-yallist node-yargs node-yargs-parser nodejs nodejs-doc
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  python3-kerberos python3-ntlm-auth python3-requests-kerberos python3-requests-ntlm python3-xmltodict
The following NEW packages will be installed:
  python3-kerberos python3-ntlm-auth python3-requests-kerberos python3-requests-ntlm python3-winrm python3-xmltodict
0 upgraded, 6 newly installed, 0 to remove and 231 not upgraded.
Need to get 84.8 kB of archives.
After this operation, 442 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://old-releases.ubuntu.com/ubuntu cosmic/universe amd64 python3-kerberos amd64 1.1.14-1build1 [16.8 kB]
Get:2 http://old-releases.ubuntu.com/ubuntu cosmic/universe amd64 python3-ntlm-auth all 1.1.0-1 [19.6 kB]
Get:3 http://old-releases.ubuntu.com/ubuntu cosmic/universe amd64 python3-requests-kerberos all 0.11.0-2 [10.1 kB]
Get:4 http://old-releases.ubuntu.com/ubuntu cosmic/universe amd64 python3-requests-ntlm all 1.1.0-1 [6,004 B]
Get:5 http://old-releases.ubuntu.com/ubuntu cosmic/universe amd64 python3-xmltodict all 0.11.0-2 [10.6 kB]
Get:6 http://old-releases.ubuntu.com/ubuntu cosmic/universe amd64 python3-winrm all 0.3.0-2 [21.7 kB]
Fetched 84.8 kB in 1s (70.3 kB/s)
Selecting previously unselected package python3-kerberos.
(Reading database ... 244430 files and directories currently installed.)
Preparing to unpack .../0-python3-kerberos_1.1.14-1build1_amd64.deb ...
Unpacking python3-kerberos (1.1.14-1build1) ...
Selecting previously unselected package python3-ntlm-auth.
Selecting previously unselected package python3-xmltodict.
Preparing to unpack .../4-python3-xmltodict_0.11.0-2_all.deb ...
Unpacking python3-xmltodict (0.11.0-2) ...
Selecting previously unselected package python3-winrm.
Preparing to unpack .../5-python3-winrm_0.3.0-2_all.deb ...
Unpacking python3-winrm (0.3.0-2) ...
Setting up python3-kerberos (1.1.14-1build1) ...
Setting up python3-winrm (0.3.0-2) ...

Step 3: Update the Ansible Inventory file

Now I will edit the Ansible hosts file and add the IP address of the Windows system, so that Ansible knows which Windows system it needs to connect to.

$ sudo gedit /etc/ansible/hosts
[win]
192.168.0.102

Step 4: Update Ansible Group Variables

Create a directory to contain the variables needed to connect to the Windows system.

# Note: 777 makes /etc/ansible, which will hold the credentials file, writable by every local user.
$ sudo mkdir /etc/ansible/group_vars
$ sudo chmod -R 777 /etc/ansible/

Create a win.yaml file and put in it the user information you created in Step 1 and a few more variables needed to connect to the Windows system.

$ gedit /etc/ansible/group_vars/win.yaml
---
ansible_user: ansible
ansible_password: ansible
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: basic
ansible_winrm_port: 5985
ansible_python_interpreter: C:\Users\toadmin.ru\AppData\Local\Programs\Python\Python37\python

Step 5: Set up Windows servers to manage

Open Windows PowerShell and update it. You need PowerShell 3.0 and .NET Framework 4.0 on your Windows machine.

PS C:\WINDOWS\system32> $url = "https://raw.githubusercontent.com/jborean93/ansible-windows/master/scripts/Upgrade-PowerShell.ps1"
PS C:\WINDOWS\system32> $file = "$env:temp\Upgrade-PowerShell.ps1"
PS C:\WINDOWS\system32> $username = "ansible"
PS C:\WINDOWS\system32> $password = "ansible"
PS C:\WINDOWS\system32> (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
PS C:\WINDOWS\system32> Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force
PS C:\WINDOWS\system32> &$file -Version 5.1 -Username $username -Password $password -Verbose

Ansible provides a remote configuration script for setting up WinRM on a Windows system. Run the script in PowerShell.

PS C:\WINDOWS\system32> $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1"
PS C:\WINDOWS\system32> $file = "$env:temp\ConfigureRemotingForAnsible.ps1"
PS C:\WINDOWS\system32> (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file)
PS C:\WINDOWS\system32> powershell.exe -ExecutionPolicy ByPass -File $file
PS C:\WINDOWS\system32> winrm enumerate winrm/config/Listener
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 169.254.8.240, 169.254.36.9, 169.254.102.217, 169.254.215.170, 192.168.0.102, ::1, fe80::3131:c6d7:9ef5:8f0%7, fe80::51b7:9134:550d:d7aa%22, fe80::88f1:1229:e1dd:2409%16, fe80::99cf:5796:4f8e:f5c1%15, fe80::fd77:c19d:e0f2:66d9%9

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = DESKTOP-2L8QMI6
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = C83B3FC8B274D0B650F0FD647DC7AC129BBE3FA0
    ListeningOn = 127.0.0.1, 169.254.8.240, 169.254.36.9, 169.254.102.217, 169.254.215.170, 192.168.0.102, ::1, fe80::3131:c6d7:9ef5:8f0%7, fe80::51b7:9134:550d:d7aa%22, fe80::88f1:1229:e1dd:2409%16, fe80::99cf:5796:4f8e:f5c1%15, fe80::fd77:c19d:e0f2:66d9%9

Configure WinRM to allow unencrypted HTTP traffic.

PS C:\WINDOWS\system32> winrm set winrm/config/service '@{AllowUnencrypted="true"}'
Service
    RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = true
    Auth
        Basic = true
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = false
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = *
    IPv6Filter = *
    EnableCompatibilityHttpListener = false
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true

Enable basic authentication in WinRM.

PS C:\WINDOWS\system32> winrm set winrm/config/service/auth '@{Basic="true"}'
Auth
    Basic = true
    Kerberos = true
    Negotiate = true
    Certificate = false
    CredSSP = false
    CbtHardeningLevel = Relaxed

Step 6: Check your connection to Windows Server.

Now all the steps on the Windows machine are done. Go to the Ansible controller machine and ping the Windows server using the win_ping Ansible module.

$ ansible win -m win_ping
192.168.0.102 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

A success message indicates that the connection has been established. The Windows system is now ready for remote administration from Ansible running on Ubuntu.
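
The win.yaml from Step 4 sends a basic-auth password over the HTTP listener on port 5985, even though the configuration script also created an HTTPS listener on 5986. The following is an added example, not part of the original article, that audits a flat group_vars file for those settings; the function names, the finding codes and the vault variable name vault_win_password are assumptions made for illustration.

```python
import re

# Constructed sample: the Step 4 win.yaml as written in the article.
ARTICLE_VARS = """\
---
ansible_user: ansible
ansible_password: ansible
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: basic
ansible_winrm_port: 5985
"""

# Constructed sample: HTTPS listener, NTLM, vaulted password (variable name assumed).
HARDENED_VARS = """\
---
ansible_user: ansible
ansible_password: "{{ vault_win_password }}"
ansible_connection: winrm
ansible_winrm_transport: ntlm
ansible_winrm_port: 5986
"""

def parse_flat_vars(text):
    """Read top-level 'key: value' pairs; enough for a flat group_vars file."""
    pairs = re.findall(r"^(\w+):[ \t]*(.*)$", text, flags=re.M)
    return {k: v.strip().strip("'\"") for k, v in pairs}

def audit_winrm_vars(text):
    """Return finding codes for weak WinRM connection settings."""
    v = parse_flat_vars(text)
    port = v.get("ansible_winrm_port", v.get("ansible_port", "5986"))
    # Ansible picks http only when the port is 5985, unless a scheme is set.
    scheme = v.get("ansible_winrm_scheme", "http" if port == "5985" else "https")
    transports = {t.strip() for t in v.get("ansible_winrm_transport", "").split(",")}
    password = v.get("ansible_password", "")
    findings = []
    if scheme == "http" and transports & {"basic", "plaintext"}:
        findings.append("basic-auth-over-http")      # password readable on the wire
    if v.get("ansible_winrm_server_cert_validation") == "ignore":
        findings.append("cert-validation-ignored")   # HTTPS peer not verified
    if password and not password.startswith(("!vault", "{{")):
        findings.append("plaintext-password")        # secret stored in clear text
    if password and password == v.get("ansible_user"):
        findings.append("password-equals-username")
    return findings

for name, text in (("article", ARTICLE_VARS), ("hardened", HARDENED_VARS)):
    print(name, audit_winrm_vars(text) or "no findings")
```

With the self-signed certificate created by ConfigureRemotingForAnsible.ps1, certificate validation on port 5986 succeeds only once that certificate or its issuer is trusted on the controller.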
