I have a lab resident in a vCenter server; the lab includes 5 Windows servers and 3 Windows 10 machines. Each time I run a playbook (any playbook) against this lab, one error appears in TASK [Gathering Facts]:

```
[WARNING]: Error when collecting winrm facts: You cannot call a method on a null-valued expression.
At line:15 char:17
+ ... $ansibleFacts.ansible_win_rm_certificate_expires = $_.Not ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
at <ScriptBlock>, <No file>: line 15
at <ScriptBlock>, <No file>: line 13
```

My all.yml file includes winrm details

```yaml
---
# WinRM Protocol Details
ansible_user: DOMAIN\hiddai
ansible_password: F01o3O4
ansible_connection: winrm
ansible_port: 5985
ansible_winrm_scheme: http
ansible_winrm_server_cert_validation: ignore
ansible_winrm_kerberos_delegation: false
ansible_winrm_transport: ntlm
ansible_winrm_read_timeout_sec: 70
ansible_winrm_operation_timeout_sec: 60
```

The following policies are enabled in the domain:
Windows Components/Windows Remote Management (WinRM)/WinRM Client

  • Allow Basic authentication
  • Allow CredSSP authentication
  • Allow undecrypted traffic
  • Trusted Hosts

Windows Components/Windows Remote Management (WinRM)/WinRM Service

  • Allow remote server management through WinRM
  • Allow CredSSP authentication
  • Allow Basic authentication
  • Allow unencrypted traffic
  • Turn On Compatibility HTTP Listener
  • Turn On Compatibility HTTPS Listener

How can I resolve those errors?

Hiddai

1 Answer

First error: do you have a winrm https (tcp port 5986) listener configured with a certificate? My guess is that it is unable to call that method because it cannot find any certificates.

Second error: you look to be getting an access denied error when attempting to double-hop to a UNC path. Either 1) Don't do this, or 2) if required, you'll need to configure credential delegation (either per-task, per-play, or in the connection). You can delegate either CredSSP or Kerberos credentials (by the looks of it, you'll definitely be needing more python modules if going with Kerberos).

Read up on ansible, windows and kerberos here: https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html

Semicolon
  • Thanks, as per your answer, I added additional info. ERR1+2 are clear when using 2nd Dockerfile. ERR2 - It looks like when gathering facts a particular PowerShell is trying to connect with the domain controller (`\\domain.com\sys...` path inside the error). I checked most of the packages in the requirement list - they are found also in the 1st Docker container. Am I missing something in my Dockerfile configuration? – Hiddai Aug 17 '21 at 13:33
  • Error 1 wouldn't be affected by your docker file at all - Error 1 is strictly all about what certificate is configured on the winrm listener on the windows machine you're managing. – Semicolon Aug 17 '21 at 13:43
  • Error 2 shouldn't be affected by anything in your dockerfile either - especially since after I said you needed to use either CredSSP or KERBEROS for double-hops, your winrm connection is STILL using ntlm authentication – Semicolon Aug 17 '21 at 13:48
  • A better question is why is ansible trying to hit a UNC path to call "facter.exe"? Do you have any profile paths or redirected folders configured for that user account on the windows machine(s)? I would use a SEPARATE account than one you might have used to interactively logon. – Semicolon Aug 17 '21 at 13:52
  • Also - probably need to get out of the "where is my dockerfile problem" mindset. These are Windows problems that need to be addressed/investigated. Probably not going to "docker" your way out of this one. – Semicolon Aug 17 '21 at 13:54
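
One way to check the answer's first point on a managed Windows host, as an added example (not code from the thread or from Ansible): it lists each WinRM listener and, for an HTTPS listener, looks up the bound certificate and its expiry, reporting a missing thumbprint or certificate instead of failing on a null value. The function name is hypothetical, and it assumes the listener certificate is stored in `Cert:\LocalMachine\My`.

```powershell
# Added example, not from the original thread or from Ansible's fact-gathering code.
# Run in an elevated PowerShell session on the managed Windows host.
# Assumption: the listener certificate is stored in Cert:\LocalMachine\My.

function Get-WinRMListenerCertStatus {   # hypothetical helper name
    $listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
    foreach ($listener in $listeners) {
        # Each listener container exposes its settings as Name/Value children.
        $settings = @{}
        Get-ChildItem -Path $listener.PSPath |
            ForEach-Object { $settings[$_.Name] = $_.Value }

        $status = [ordered]@{
            Transport  = $settings['Transport']
            Port       = $settings['Port']
            Thumbprint = $null
            NotAfter   = $null
            Note       = 'HTTP listener: no certificate involved'
        }

        if ($settings['Transport'] -eq 'HTTPS') {
            $thumb = $settings['CertificateThumbprint']
            if ([string]::IsNullOrWhiteSpace($thumb)) {
                $status.Note = 'HTTPS listener has no certificate thumbprint set'
            } else {
                # Normalise: the stored thumbprint may contain spaces or lower case.
                $thumb = ($thumb -replace '\s', '').ToUpper()
                $status.Thumbprint = $thumb
                $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
                    Where-Object { $_.Thumbprint -eq $thumb } |
                    Select-Object -First 1
                if ($null -eq $cert) {
                    $status.Note = 'Thumbprint not found in Cert:\LocalMachine\My'
                } else {
                    $status.NotAfter = $cert.NotAfter
                    $status.Note = if ($cert.NotAfter -lt (Get-Date)) { 'Certificate expired' } else { 'OK' }
                }
            }
        }
        [pscustomobject]$status
    }
}

Get-WinRMListenerCertStatus | Format-Table -AutoSize
```

If the output has no HTTPS row, the host has no HTTPS listener, which is the situation the answer asks about.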