I can't use Active Directory cmdlets such as Get-ADDomain and Get-ADUser in a PowerShell script run through Ansible. Basic commands such as ls and New-Item work fine.
ad-dns.test.com - Windows 2012 AD and DNS Server
box88.test.com - CentOS 7.2 (Not joined to domain) : Ansible, Kerberos, Python
box62.test.com - Windows 2012 R2 Standard (Joined to domain)
vkumar@TEST.COM - Domain User for the Kerberos Ticket
I enabled WinRM on Windows Server 2012 with the ConfigureRemotingForAnsible.ps1 PowerShell script.
This is the basic script I am trying to run through Ansible:
ls
New-Item -Path C:\testfile.txt -ItemType file
Import-Module ActiveDirectory
Get-Module
Get-ADDomain
When the script above is executed, the ActiveDirectory module appears to load correctly, but every Active Directory cmdlet fails with the following error:
Get-ADDomain : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
Interestingly, the same script runs without any error when executed directly in PowerShell.
Here is the verbose Ansible output.
root@box88:~# ansible-playbook /etc/ansible/win_test.yml
PLAY [windows] *****************************************************************
TASK [wintest : include] *******************************************************
included: /etc/ansible/roles/wintest/tasks/win_test.yml for box62.test.com
TASK [wintest : script] ********************************************************
changed: [box62.test.com]
TASK [wintest : debug] *********************************************************
ok: [box62.test.com] => {
"res.stdout_lines + [ res.stderr ]": [
"",
"",
" Directory: C:\\Users\\vkumar",
"",
"",
"Mode LastWriteTime Length Name ",
"---- ------------- ------ ---- ",
"d-r-- 6/28/2016 9:10 AM Contacts ",
"d-r-- 7/19/2016 9:30 PM Desktop ",
"d-r-- 6/28/2016 9:10 AM Documents ",
"d-r-- 6/28/2016 9:10 AM Downloads ",
"d-r-- 6/28/2016 9:10 AM Favorites ",
"d-r-- 6/28/2016 9:10 AM Links ",
"d-r-- 6/28/2016 9:10 AM Music ",
"d-r-- 6/28/2016 9:10 AM Pictures ",
"",
"",
" Directory: C:\\",
"",
"",
"Mode LastWriteTime Length Name ",
"---- ------------- ------ ---- ",
"-a--- 7/19/2016 10:01 PM 0 testfile.txt ",
"",
"Name : ActiveDirectory",
"Path : C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDi",
" rectory\\ActiveDirectory.psd1",
"Description : ",
"Guid : 43c15630-959c-49e4-a977-758c5cc93408",
"Version : 1.0.0.0",
"ModuleBase : C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ActiveDi",
" rectory",
"ModuleType : Manifest",
"PrivateData : ",
"AccessMode : ReadWrite",
"ExportedAliases : {}",
"ExportedCmdlets : {[Add-ADCentralAccessPolicyMember, ",
" Add-ADCentralAccessPolicyMember], ",
" [Add-ADComputerServiceAccount, ",
" Add-ADComputerServiceAccount], ",
" [Add-ADDomainControllerPasswordReplicationPolicy, ",
" Add-ADDomainControllerPasswordReplicationPolicy], ",
" [Add-ADFineGrainedPasswordPolicySubject, ",
" Add-ADFineGrainedPasswordPolicySubject]...}",
"ExportedFunctions : {}",
"ExportedVariables : {}",
"NestedModules : {Microsoft.ActiveDirectory.Management}",
"",
"",
"Name : Microsoft.PowerShell.Management",
"Path : C:\\windows\\system32\\windowspowershell\\v1.0\\Modules\\Microsof",
" t.PowerShell.Management\\Microsoft.PowerShell.Management.psd",
" 1",
"Description : ",
"Guid : eefcb906-b326-4e99-9f54-8b4bb6ef3c6d",
"Version : 3.1.0.0",
"ModuleBase : C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
"ModuleType : Manifest",
"PrivateData : ",
"AccessMode : ReadWrite",
"ExportedAliases : {}",
"ExportedCmdlets : {[Add-Computer, Add-Computer], [Add-Content, Add-Content], ",
" [Checkpoint-Computer, Checkpoint-Computer], ",
" [Clear-Content, Clear-Content]...}",
"ExportedFunctions : {}",
"ExportedVariables : {}",
"NestedModules : {Microsoft.PowerShell.Commands.Management.dll}",
"",
"",
"",
"Get-ADDomain : Unable to contact the server. This may be because this server \r\ndoes not exist, it is currently down, or it does not have the Active Directory \r\nWeb Services running.\r\nAt C:\\Users\\vkumar\\AppData\\Local\\Temp\\ansible-tmp-1468990893.98-136722234533486\r\n\\test.ps1:5 char:1\r\n+ Get-ADDomain\r\n+ ~~~~~~~~~~~~\r\n+ CategoryInfo : ResourceUnavailable: (TEST:ADDomain) [Get-ADDoma \r\nin], ADServerDownException\r\n+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirector \r\ny.Management.Commands.GetADDomain\r\n"
]
}
PLAY RECAP *********************************************************************
box62.test.com : ok=3 changed=1 unreachable=0 failed=0
root@box88:~#
Answer 0 (score: 1)
Last week I stumbled onto the same problem while configuring a PowerShell worker node to run AD scripts. After some digging I found the Ansible WinRM guide and looked at the limitations section. Shortly after that I found this question on ServerFault, which made me suspect a Kerberos double-hop authentication problem, especially the comments and answer from user Semicolon.
So I followed this advice from the Ansible documentation (Semicolon suggested the same):
- Set ansible_winrm_transport to credssp or kerberos (with ansible_winrm_kerberos_delegation=true) to bypass the double-hop issue and access network resources
In my case, ansible_winrm_transport in my group vars file was already set to kerberos. My fix was to add the line:
ansible_winrm_kerberos_delegation: true
to my group vars file. After adding it I ran the playbook, which runs a script called TestAD.ps1 that attempts to run Get-ADDomain. This is the resulting Ansible output:
ok: [psworker.domain.com] => {
"msg": {
"changed": true,
"cmd": "powershell.exe C:/scripts/TestAD.ps1",
"delta": "0:00:01.101562",
"end": "2020-07-31 09:08:44.785758",
"failed": false,
"rc": 0,
"start": "2020-07-31 09:08:43.684196",
"stderr": "",
"stderr_lines": [],
"stdout_lines": [
"Unrestricted",
"",
"",
"AllowedDNSSuffixes : {}",
"ChildDomains : {}",
"ComputersContainer : OU=mydomain Servers,DC=mydomain,DC=com",
"DeletedObjectsContainer : CN=Deleted Objects,DC=mydomain,DC=com",
"DistinguishedName : DC=mydomain,DC=com",
"DNSRoot : mydomain.com",
"DomainControllersContainer : OU=Domain Controllers,DC=mydomain,DC=com",
"DomainMode : Windows2012R2Domain",
"DomainSID : S-1-5-21-644830395-273481423-308473177",
"ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=mydomain,DC=com",
"Forest : mydomain.com",
"InfrastructureMaster : devdc00.mydomain.com",
"LastLogonReplicationInterval : ",
"LinkedGroupPolicyObjects : {cn={BD2441AA-23B7-4D11-B499-73642A1734A8},cn=policies,cn=system,DC=mydomain,DC=",
" com, cn={E73254A1-C013-4D45-8BB3-FEE2E1300B11},cn=policies,cn=system,DC=mydomain",
" ,DC=com, cn={CF7575AC-E140-4869-B8C7-904C753D8E28},cn=policies,cn=system,DC=mydoma",
" in,DC=com, cn={C63CB9EB-262E-4AD7-BC0B-70B3EF2F7B48},cn=policies,cn=system,DC=my",
" domain,DC=com...}",
"LostAndFoundContainer : CN=LostAndFound,DC=mydomain,DC=com",
"ManagedBy : ",
"Name : mydomain",
"NetBIOSName : mydomain",
"ObjectClass : domainDNS",
"ObjectGUID : 6f59e1a2-8857-46f2-90fd-51710bde58d6",
"ParentDomain : ",
"PDCEmulator : devdc00.mydomain.com",
"PublicKeyRequiredPasswordRolling : ",
"QuotasContainer : CN=NTDS Quotas,DC=mydomain,DC=com",
"ReadOnlyReplicaDirectoryServers : {}",
"ReplicaDirectoryServers : {dc01.mydomain.com, devdc00.mydomain.com}",
"RIDMaster : dc00.mydomain.com",
"SubordinateReferences : {DC=DomainDnsZones,DC=mydomain,DC=com, DC=ForestDnsZones,DC=mydomain,DC=com, ",
" CN=Configuration,DC=mydomain,DC=com}",
"SystemsContainer : CN=System,DC=mydomain,DC=com",
"UsersContainer : CN=Users,DC=mydomain,DC=com",
"",
"",
""
]
}
}
These are the settings in my group_vars file (they can also be set directly in the playbook):
ansible_connection: winrm
ansible_port: 5986
ansible_winrm_server_cert_validation: ignore
ansible_winrm_kerberos_delegation: true
ansible_winrm_transport: kerberos
I configured WinRM for Ansible with exactly the same PowerShell script.
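An inventory plus a small playbook that applies the fix from this answer and checks the second hop explicitly, added here as an illustration and not taken from the original answer or from Ansible's own docs; host names and file names are placeholders.

```yaml
# --- file: inventory.yml (constructed example) ---
all:
  children:
    windows:
      hosts:
        box62.test.com:
      vars:
        ansible_connection: winrm
        ansible_port: 5986
        ansible_winrm_transport: kerberos
        # Without delegation the remote session only holds a network-logon token,
        # so AD cmdlets cannot authenticate to ADWS on the DC (the "second hop").
        # Delegation lets the WinRM host forward your Kerberos TGT, so enable it
        # only for the group that really needs it and keep a forwardable ticket
        # on the control node (kinit -f, or forwardable = true in krb5.conf).
        ansible_winrm_kerberos_delegation: true
        # Only acceptable for lab hosts with self-signed listener certificates.
        ansible_winrm_server_cert_validation: ignore

# --- file: win_test.yml (constructed example) ---
- hosts: windows
  gather_facts: false
  tasks:
    - name: Query the domain across the second hop
      win_shell: |
        Import-Module ActiveDirectory
        (Get-ADDomain).DNSRoot
      register: ad_check
      failed_when: false

    - name: Report clearly when delegation is missing
      assert:
        that: ad_check.rc == 0
        fail_msg: >-
          Get-ADDomain failed (rc={{ ad_check.rc }}): {{ ad_check.stderr | trim }}.
          Check ansible_winrm_kerberos_delegation and that the ticket on the
          control node is forwardable.
        success_msg: "Domain reachable: {{ ad_check.stdout | trim }}"
```

Run it with `ansible-playbook -i inventory.yml win_test.yml` after obtaining a ticket with `kinit -f vkumar@TEST.COM`; with delegation switched off the assert fails with the same ADServerDownException text shown in the question.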
Answer 1 (score: 0)
It sounds like PowerShell can't discover a domain controller in the Ansible environment? You could try instead:
Get-ADDomain -Server MyDomainController