我正在设置一个在 CentOS 7 上运行的 Ansible 服务器(使用 AWX 作为用户界面),并且我想与一些 Windows 主机通信以执行基本的包操作。
作为第一种方法,我使用 NTLM 与我的主机进行通信(系统管理员禁用基本身份验证)。
但是,我注意到当我在没有 sudo 权限的情况下启动 ansible-playbook 时,我的 playbook 无法运行。
我已经检查了这两种情况下的 TCP 流。而且似乎当它失败时(即没有 sudo 权限),服务器不会开始与主机通信。就好像没有尝试就失败了(尽管另有说明)
这不是防火墙的问题,因为我可以使用curl访问wsman端点。
我还检查了 Windows 帐户的权限(正如针对类似问题所建议的那样),但所需的一切都已存在。
我的剧本是这个非常简单的无任务文件:
- hosts: win
vars:
ansible_user: ansible_admin
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
ansible_port: 5985
ansible_winrm_transport: ntlm
我检查了有无任务(如 win_ping)和 ansible_winrm_server_cert_validation 变量。
我的 /etc/ansible/hosts 文件是这个:
[win]
192.168.0.42
[localhost]
127.0.0.1
这是我在没有 sudo 的情况下运行剧本时得到的结果
$ ansible-playbook helloworld.yml --ask-pass -vvvvv
ansible-playbook 2.7.9
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/var/lib/awx/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 3.6.7 (default, Dec 5 2018, 15:02:05) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
Using /etc/ansible/ansible.cfg as config file
SSH password:
setting up inventory plugins
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected
Set default localhost to 127.0.0.1
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python3.6/site-packages/ansible/callback/default.py
PLAYBOOK: hello_world.yml ******************************************************
1 plays in hello_world.yml
PLAY [win] ******************************************************
TASK [Gathering Facts] *********************************************************
task path: /home/ansible/playbooks/hello_world.yml:1
Using module file /usr/lib/python3.6/site-packages/ansible/modules/windows/setup.ps1
<192.168.0.42> ESTABLISH WINRM CONNECTION FOR USER: ansible_admin on PORT 5985 TO 192.168.0.42
checking if winrm_host 192.168.0.42 is an IPv6 address
<192.168.0.42> WINRM CONNECT: transport=ntlm endpoint=http://192.168.0.42:5985/wsman
<192.168.0.42> WINRM CONNECTION ERROR: the specified credentials were rejected by the server
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ansible/plugins/connection/winrm.py", line 402, in _winrm_connect
self.shell_id = protocol.open_shell(codepage=65001) # UTF-8
File "/usr/lib/python3.6/site-packages/winrm/protocol.py", line 157, in open_shell
res = self.send_message(xmltodict.unparse(req))
File "/usr/lib/python3.6/site-packages/winrm/protocol.py", line 234, in send_message
resp = self.transport.send_message(message)
File "/usr/lib/python3.6/site-packages/winrm/transport.py", line 243, in send_message
self.build_session()
File "/usr/lib/python3.6/site-packages/winrm/transport.py", line 232, in build_session
self.setup_encryption()
File "/usr/lib/python3.6/site-packages/winrm/transport.py", line 238, in setup_encryption
self._send_message_request(prepared_request, '')
File "/usr/lib/python3.6/site-packages/winrm/transport.py", line 266, in _send_message_request
raise InvalidCredentialError("the specified credentials were rejected by the server") winrm.exceptions.invalidCredentialError: the specified credentials were rejected by the server
fatal: [192.168.0.42]: UNREACHABLE! => {
"changed": false,
"msg": "ntlm: the specified credentials were rejected by the server",
"unreachable": true
}
to retry, use: --limit @/home/ansible/playbooks/hello_world.retry
PLAY RECAP *********************************************************************
192.168.0.42 : ok=0 changed=0 unreachable=1 failed=0
但是当我使用 sudo 权限运行剧本时,效果很好
$ sudo ansible-playbook helloworld.yml --ask-pass -vvvvv
ansible-playbook 2.7.9
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/var/lib/awx/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 3.6.7 (default, Dec 5 2018, 15:02:05) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
Using /etc/ansible/ansible.cfg as config file
SSH password:
setting up inventory plugins
/etc/ansible/hosts did not meet host_list requirements, check plugin documentation if this is unexpected
Set default localhost to 127.0.0.1
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python3.6/site-packages/ansible/callback/default.py
PLAYBOOK: hello_world.yml ******************************************************
1 plays in hello_world.yml
PLAY [win] ******************************************************
TASK [Gathering Facts] *********************************************************
task path: /home/ansible/playbooks/hello_world.yml:1
Using module file /usr/lib/python3.6/site-packages/ansible/modules/windows/setup.ps1
<192.168.0.42> ESTABLISH WINRM CONNECTION FOR USER: ansible_admin on PORT 5985 TO 192.168.0.42
checking if winrm_host 192.168.0.42 is an IPv6 address
<192.168.0.42> WINRM CONNECT: transport=ntlm endpoint=http://192.168.0.42:5985/wsman
<192.168.0.42> WINRM OPEN SHELL: E04DA2D8-15E4-4B28-A079-A5C795B612C5
EXEC (via pipeline wrapper)
<192.168.0.42> WINRM EXEC 'Powershell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-EncodedCommand', '<-- Very long string here -->']
<192.168.0.42> WINRM RESULT '<Response code 1, out "{"changed":false,"an", err "#< CLIXML\r\n<Objs Ver">'
<192.168.0.42> WINRM CLOSE SHELL: E04DA2D8-15E4-4B28-A079-A5C795B612C5
ok: [192.168.0.42]
PLAY RECAP *********************************************************************
192.168.0.42 : ok=1 changed=0 unreachable=0 failed=0
有人对此有解释吗?
或者,作为解决方法,是否可以使用 sudo 权限在 AWX 上运行 playbook?
编辑:添加了额外详细的输出
如果您使用 AWX,则需要正确检查您的凭据,尤其是在权限升级方法上,如果您想要指定分配给特定用户的升级权限类型。
我收到如下错误
“无法通过 ssh 连接到主机:ssh:连接到主机 192.168.56.117 端口 22:连接被拒绝”,