Ansible Linux jump host for Windows nodes

In this blog, we will see how to connect from the Ansible controller to a Windows target server through a Linux jump host.

Ansible connects to Windows nodes over WinRM; here that WinRM traffic is sent through a SOCKS proxy provided by an SSH connection to the jump host.

Prerequisites:

Ansible 2.9 installed on the controller

Linux server (jump host)

Windows target server (Windows Server 2016)

Ansible controller:

First, install python-pip and pywinrm on the Ansible controller:

[root@ansible~]# yum -y install python-pip

[root@ansible~]# pip install pywinrm

Install the SOCKS support for the requests library; the SOCKS proxy configured later through ansible_psrp_proxy relies on it:

[root@ansible~]# pip install requests[socks]

Install pypsrp, the Python client for the PowerShell Remoting Protocol:

[root@ansible~]# pip install pypsrp

If the Windows hosts are domain-joined and you want to authenticate with Kerberos, Kerberos also needs to be configured to talk to the domain. Install the build dependencies for the Kerberos bindings:

[root@ansible~]# yum install gcc python-devel krb5-devel

To add NTLM to the GSSAPI SPNEGO authentication, run:

[root@ansible~]# yum install gssntlmssp

CredSSP authentication:

[root@ansible~]# pip install pypsrp[credssp]

If that build fails, install the compiler and Python headers first and retry:

[root@ansible~]# yum install gcc python-devel

Set up the inventory:

Inventory file for the Windows host:

[win]
192.168.4.141   # Windows IP

[win:vars]
ansible_user=demo
ansible_password=2!ppy0ps
ansible_connection=psrp
ansible_port=5985
ansible_psrp_proxy=socks5://localhost:12345

ansible_psrp_proxy points at the SOCKS proxy that the SSH connection to the jump host will open on the controller's local port 12345 (see below). The password is written in clear text here for brevity; keep it out of the inventory by storing it with ansible-vault.

Jump host:

From the Ansible controller, copy your SSH public key to the jump host with ssh-copy-id so the tunnel can be opened without a password prompt:

[root@ansible~]# ssh-copy-id username@

Configure WinRM on the target Windows server:

Ansible requires PowerShell 3.0 and .NET Framework 4.0 or newer; older operating systems such as Server 2008 and Windows 7 do not meet this requirement in their base image, and the Upgrade-PowerShell.ps1 script can be used to update them. (A Windows Server 2016 target already ships with a newer PowerShell, so this step only applies to older hosts.)

PS D:\> Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force

PS D:\> .\Upgrade-PowerShell.ps1

Once completed, remove the auto-logon the script configured and set the execution policy back to the default of Restricted with the following PowerShell command:

PS D:\> Set-ExecutionPolicy -ExecutionPolicy Restricted -Force

WinRM setup:

Once PowerShell is at least version 3.0, the final step is to configure the WinRM service so that Ansible can connect to it. Two components of the WinRM service govern how Ansible can interface with the Windows host: the listener and the service configuration settings.

Details about each component are covered below, but the ConfigureRemotingForAnsible.ps1 script can be used to set up the basics. It creates both an HTTP and an HTTPS listener with a self-signed certificate and enables the Basic authentication option on the service. That is a quick way to get a lab host talking to Ansible; because Basic authentication sends the credential with every request, hosts that matter should be reached over the HTTPS listener with a stronger authentication method.

To use this script, run the following in PowerShell:

PS D:\> .\ConfigureRemotingForAnsible.ps1

WinRM listener:

The WinRM service listens for requests on one or more ports, and each port must have a listener created and configured for it.

To view the listeners currently configured on the WinRM service, run:

winrm enumerate winrm/config/listener

You will see output like the following:

Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.0.2.15, 127.0.0.1, 192.168.56.155, ::1, fe80::5efe:10.0.2.15%6, fe80::5efe:192.168.56.155%8, fe80::ffff:ffff:fffe%2, fe80::203d:7d97:c2ed:ec78%3, fe80::e8ea:d765:2c69:7756%7

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = Windows 2012
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = E6CDAA82EEAF2ECE8546E05DB7F3E01AA47D76CE
    ListeningOn = 10.0.2.15, 127.0.0.1, 192.168.0.210, ::1, fe80::5efe:10.0.2.15%6, fe80::5efe:192.168.56.155%8, fe80::ffff:ffff:fffe%2, fe80::203d:7d97:c2ed:ec78%3, fe80::e8ea:d765:2c69:7756%7
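A small check over that listener output, as an added example that is not part of the original post: it parses the enumeration (including the CRLF line endings a paste from Windows carries) into one summary line per listener and flags two things a defender would look at, an enabled HTTP listener and an HTTPS listener with no certificate bound. The sample text is a constructed, shortened copy of the output above; pipe real output through the same functions instead.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the output of
# "winrm enumerate winrm/config/listener" (copied from a Windows host) and
# flag listeners a defender would want to look at. SAMPLE_OUTPUT is a
# constructed, shortened copy of the output shown in the post.

# Constructed sample: one HTTP listener without a certificate and one HTTPS
# listener with a certificate bound. Real winrm output uses CRLF line endings;
# with_crlf adds them so the parser is exercised on what a paste from Windows
# actually contains.
SAMPLE_OUTPUT='Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.0.2.15, 127.0.0.1, ::1

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = Windows 2012
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = E6CDAA82EEAF2ECE8546E05DB7F3E01AA47D76CE
    ListeningOn = 10.0.2.15, 127.0.0.1, ::1'

# Re-emit stdin with Windows line endings (simulates a paste from cmd.exe).
with_crlf() {
    awk '{ printf "%s\r\n", $0 }'
}

# Read listener output on stdin and print one line per listener:
#   TRANSPORT PORT ENABLED cert|no-cert
listener_summary() {
    awk '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }      # strip CR and indentation
        /^Listener$/ { n++; next }                  # "ListeningOn" does not match: $ anchor
        /^Transport = / { v = $0; sub(/^[^=]*= /, "", v); t[n] = v }
        /^Port = /      { v = $0; sub(/^[^=]*= /, "", v); p[n] = v }
        /^Enabled = /   { v = $0; sub(/^[^=]*= /, "", v); e[n] = v }
        /^CertificateThumbprint = / { c[n] = "cert" }  # bare "CertificateThumbprint" line = none bound
        END {
            for (i = 1; i <= n; i++)
                printf "%s %s %s %s\n", t[i], p[i], e[i], (c[i] == "" ? "no-cert" : c[i])
        }'
}

# Turn the summary into findings: an enabled HTTP listener (WinRM traffic to
# it is not TLS-protected) and an HTTPS listener with no certificate bound
# (it cannot actually serve TLS).
listener_findings() {
    listener_summary | while read -r transport port enabled cert; do
        if [ "$transport" = "HTTP" ] && [ "$enabled" = "true" ]; then
            echo "WARN: HTTP listener on port $port is enabled; traffic to it is not TLS-protected"
        fi
        if [ "$transport" = "HTTPS" ] && [ "$cert" = "no-cert" ]; then
            echo "WARN: HTTPS listener on port $port has no certificate bound"
        fi
    done
}

# Demo on the constructed sample. For a real host:
#   winrm enumerate winrm/config/listener > listeners.txt   (on the Windows host)
#   listener_findings < listeners.txt                        (on the controller)
printf '%s\n' "$SAMPLE_OUTPUT" | with_crlf | listener_summary
printf '%s\n' "$SAMPLE_OUTPUT" | with_crlf | listener_findings
```

For the output shown in the post the check reports exactly one finding, the enabled HTTP listener on 5985, which is also the port the inventory above connects to; the HTTPS listener on 5986 already has a certificate bound.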

Open the tunnel and test:

In a separate terminal on the Ansible controller, start the SSH connection that provides the SOCKS proxy on port 12345 (the port named in ansible_psrp_proxy). Keep it open until you have finished with Ansible:

ssh -D 12345 username@bastionhost

Now run your playbook from the Ansible controller, starting with a connectivity test:

ansible all -i inventory -m win_ping
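The steps above (the inventory with ansible_psrp_proxy, the key copied to the jump host, the ssh -D tunnel and the win_ping test) combined into one script, as an added example that is not part of the original post. It assumes a jump-host account named username, the host name bastionhost from the post, a vaulted variable vault_win_password (an assumed name) holding the Windows password, and that ss from iproute2 is available on the controller; everything else is the post's own configuration.

```shell
#!/bin/sh
# Added example, not part of the original post: open the SOCKS tunnel to the
# jump host, check that the inventory really sends PSRP traffic through a
# loopback-only proxy, run win_ping, then close the tunnel. The user name,
# host name and the "inventory" file name are assumptions; override them
# through the environment.

JUMP_USER="${JUMP_USER:-username}"        # account on the jump host (assumed)
JUMP_HOST="${JUMP_HOST:-bastionhost}"     # jump host name used in the post
INVENTORY="${INVENTORY:-inventory}"       # inventory file from the post

# Constructed inventory mirroring the post's; the password comes from a
# vaulted variable (vault_win_password, an assumed name) instead of sitting
# in clear text next to the host list.
SAMPLE_INVENTORY='[win]
192.168.4.141

[win:vars]
ansible_user=demo
ansible_password={{ vault_win_password }}
ansible_connection=psrp
ansible_port=5985
ansible_psrp_proxy=socks5://localhost:12345'

# Build the tunnel command: -N opens no remote shell, -f backgrounds ssh once
# authenticated, and binding to 127.0.0.1 keeps the SOCKS port off every
# other interface of the controller.
tunnel_cmd() {   # args: user host port
    printf 'ssh -fN -D 127.0.0.1:%s %s@%s\n' "$3" "$1" "$2"
}

# Read inventory text on stdin; print "host port" from ansible_psrp_proxy.
proxy_target() {
    sed -n 's#^ansible_psrp_proxy=[a-z0-9]*://\([^:/]*\):\([0-9]*\).*#\1 \2#p' | head -n 1
}

# Succeeds only when the proxy host is the controller's loopback interface
# (a proxy on any other address would send the Windows credential elsewhere).
proxy_is_loopback() {
    case "$1" in
        localhost|127.0.0.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Wait (up to 20 s) until the SOCKS port is listening so ansible does not
# race the tunnel. Uses ss from iproute2.
wait_for_tunnel() {
    i=0
    while [ "$i" -lt 20 ]; do
        ss -ltn 2>/dev/null | grep -q "127.0.0.1:$1 " && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

main() {
    if [ ! -f "$INVENTORY" ]; then
        echo "no $INVENTORY file, using the constructed sample" >&2
        INVENTORY=$(mktemp) && printf '%s\n' "$SAMPLE_INVENTORY" > "$INVENTORY"
    fi
    target=$(proxy_target < "$INVENTORY")
    [ -n "$target" ] || { echo "no ansible_psrp_proxy in $INVENTORY" >&2; exit 1; }
    host=${target% *}; port=${target#* }
    proxy_is_loopback "$host" || { echo "refusing: proxy host $host is not loopback" >&2; exit 1; }

    cmd=$(tunnel_cmd "$JUMP_USER" "$JUMP_HOST" "$port")
    echo "opening tunnel: $cmd" >&2
    $cmd
    wait_for_tunnel "$port" || { echo "tunnel on port $port did not come up" >&2; exit 1; }

    ansible win -i "$INVENTORY" -m win_ping
    pkill -f "ssh -fN -D 127.0.0.1:$port"     # close the tunnel when done
}

# Only run the live procedure when asked; sourcing the file just defines the functions.
if [ "${RUN_TUNNEL:-0}" = "1" ]; then
    main
fi
```

Run it with RUN_TUNNEL=1 sh run_win_ping.sh (the file name is arbitrary). The loopback check is there because ssh -D binds to localhost by default, so a proxy URL in the inventory that names any other address would route the PSRP session, credential included, away from the tunnel you just opened.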
