community.zabbix icon indicating copy to clipboard operation
community.zabbix copied to clipboard
verified publisher icon ansible-collections

Download Zabbix Agent fails when using WinRM with kerberos authentation.

Open CompPhy opened this issue 6 months ago • 3 comments

SUMMARY

When using WinRM kerberos authentication, the ansible_user variable takes the form of <username>@<domain>, but this causes a path issue when attempting to download the install package.

The path ends up being something like C:/Users/<usernamae>@<domain>/Downloads/<package> but it needs to be C:/Users/<usernamae>/Downloads/<package>. Because the former doesn't exist, the task just fails.

Specially: https://github.com/ansible-collections/community.zabbix/blob/75c519210b09c8548765d4cc8a6f0c0173f7ffd7/roles/zabbix_agent/tasks/install-Windows.yml#L63

ISSUE TYPE
  • Bug Report
COMPONENT NAME

Zabbix Agent role - install-Windows.yml

ANSIBLE VERSION
ansible [core 2.15.12]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.9.18 (main, May 16 2024, 00:00:00) [GCC 11.4.1 20231218 (Red Hat 11.4.1-3)] (/usr/bin/python3)
  jinja version = 3.1.4
  libyaml = True
CONFIGURATION
CONFIG_FILE() = /etc/ansible/ansible.cfg
OS / ENVIRONMENT / Zabbix Version

Windows(Multiple Versions including Windows 10, 11 and Server) - Zabbix 6.0

STEPS TO REPRODUCE

Run playbooks that use WinRM kerberos authentication, with ansible_user set to @

EXPECTED RESULTS

Perhaps there should be some extra checks to make sure the Downloads folder exists? Or, create a temporary folder somewhere outside of the user directory?

Expected result would be that the role finds a valid download location.

ACTUAL RESULTS
{
  "changed": false,
  "invocation": {
    "module_args": {
      "url": "https://cdn.zabbix.com/zabbix/binaries/stable/6.0/6.0.40/zabbix_agent2-6.0.40-windows-amd64-openssl.msi",
      "dest": "C:/Users/<username redacted>@<domain redacted>/Downloads/zabbix_agent2-6.0.40-windows-amd64-openssl.msi",
      "headers": null,
      "maximum_redirection": 50,
      "checksum_algorithm": "sha1",
      "proxy_use_default_credential": false,
      "checksum": null,
      "proxy_password": null,
      "proxy_username": null,
      "force_basic_auth": false,
      "url_password": null,
      "url_username": null,
      "client_cert_password": null,
      "client_cert": null,
      "checksum_url": null,
      "follow_redirects": "all",
      "use_proxy": true,
      "url_method": null,
      "timeout": "120",
      "force": false,
      "use_default_credential": false,
      "proxy_url": "",
      "http_agent": "ansible-httpget",
      "validate_certs": false,
      "url_timeout": 120
    }
  },
  "elapsed": 0,
  "url": "https://cdn.zabbix.com/zabbix/binaries/stable/6.0/6.0.40/zabbix_agent2-6.0.40-windows-amd64-openssl.msi",
  "dest": "C:/Users/<username redacted>@<domain redacted>/Downloads/zabbix_agent2-6.0.40-windows-amd64-openssl.msi",
  "msg": "The path 'C:\\Users\\<username redacted>@<domain redacted>\\Downloads' does not exist for destination 'C:/Users/<username redacted>@<domain redacted>/Downloads/zabbix_agent2-6.0.40-windows-amd64-openssl.msi', or is not visible to the current user. Ensure download destination folder exists (perhaps using win_file state=directory) before win_get_url runs.",
  "_ansible_no_log": false,
  "attempts": 3
}

CompPhy avatar Jun 12 '25 16:06 CompPhy

Thanks for the report. I'll keep this open but will point out a couple of things.

  1. As we state in the documentation, Windows development is best effort only and we do NO testing against it because we lack the infrastructure to do so.
  2. Even if we did, standing up Kerberos authentication to test against is definitely beyond the scope of this project. While I wouldn't call it an edge case, its not part of the "standard" deployment that we try to support.

Someone may come and put in a fix for this (if you have the talent to do so, I would encourage you to put in the fix and we'll be happy to look at bringing in the PR) but if this is a critical thing for you, I would recommend exploring other options.

pyrodie18 avatar Jun 13 '25 01:06 pyrodie18

I completely understand, for sure this is a use case that's hard to test. For now, we have version locked at the 3.3.0 release that has been working for us. Unfortunately, I'm not sure if/when I might be able to make a contribution here. I will certainly try if time becomes available.

CompPhy avatar Jun 13 '25 12:06 CompPhy

Hello! The main problem I see is that when using Kerberos, It tries to go to localfiles C:/Users/<username redacted>@<domain redacted>/Downloads/ and that seems to be a problem, because the path should be C:/Users/<username redacted>/Downloads/?

I have added .split('@')[0] in roles/zabbix_agent/tasks/install-Windows.yml:

- name: Download and install Zabbix Agent
  when: not _zabbix_agent_exe.stat.exists or
    _install_latest and zabbix_agent_version_long is version('>', _zabbix_agent_exe_version.win_file_version.product_version)
  vars:
    _install_latest: "{{ zabbix_agent_package_state == 'latest' }}"
  block:
    - name: Download Zabbix Agent
      ansible.windows.win_get_url:
        url: "{{ zabbix_agent_win_download_url }}"
        dest: "C:/Users/{{ ansible_user.split('@')[0] }}/Downloads/{{ zabbix_agent_win_package }}"
        url_username: "{{ zabbix_download_user | default(omit) }}"
        url_password: "{{ zabbix_download_pass | default(omit) }}"
        force: false
        follow_redirects: all
        proxy_url: "{{ zabbix_https_proxy | default(None) | default(omit) }}"
        validate_certs: "{{ zabbix_download_validate_certs | default(false) | bool }}"
        timeout: "{{ zabbix_download_timeout | default(120) | int }}"
      register: _zabbix_agent_win_download
      until: _zabbix_agent_win_download is succeeded
      throttle: "{{ zabbix_download_throttle | default(5) | int }}"

    # Would be sweet if this worked.
    #- name: Install Zabbix Agent
    #  ansible.windows.win_package:
    #    path: "C:/Users/{{ ansible_user }}/Downloads/{{ zabbix_agent_win_download_package }}"
    #    arguments: "/l*v zabbix.log /i /qn SERVER={{ zabbix_agent_server }}"
    #  register: _res

    # https://www.zabbix.com/documentation/current/en/manual/installation/install_from_packages/win_msi
    - name: Install Zabbix Agent
      ansible.windows.win_command:
        chdir: "C:/Users/{{ ansible_user.split('@')[0] }}/Downloads"
        argv:
          - msiexec
          - /i
          #- "/l*v zabbix-install.log"
          - "{{ zabbix_agent_win_package }}"
          - /qn
          - "SERVER={{ zabbix_agent_server }}"

And it seems to be working now !

I will try to contribute, never tried to do it in public repositories tho. I will read it through.

patrik-plastik avatar Jun 27 '25 10:06 patrik-plastik

@patrik-plastik I don't think its that simple. In truth it could actually be either, depending on settings for the underlying domain/user setup. I think the real solution here is to actually check the path.

At a minimum there should be a "path exists" check, because win_get_url doesn't check that for you. win_get_url will just fail if the destination folder doesn't already exist, regardless of other circumstances.

CompPhy avatar Jun 27 '25 17:06 CompPhy

I know that it won't be THIS simple. Should be rewritten with:

  1. Path as variable
  2. rescues and try guess its variats

one of these options or both of them. My point was to point on that this change allowed me to install the agent.

patrik-plastik avatar Jun 30 '25 16:06 patrik-plastik