Ansible become only works if already logged in via RDP

I have the following Ansible task:

- name: Run NLB script
  win_shell: "Get-NlbClusterNode -NodeName {{ inventory_hostname }}"
  vars:
    ansible_become: yes
    ansible_become_method: runas
    ansible_become_user: "{{ ansible_user }}"
    ansible_become_flags: logon_type=interactive logon_flags=with_profile

The command to be executed requires elevated rights and fails with Get-NlbClusterNode : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), but only if I am not logged in via RDP. If I am logged in, the task succeeds.

I tested that with the win_whoami task with the following result (I omitted some parts that are identical for both servers):

Working server (previously logged in):

{
    "who": {
        "account": {
            "account_name": "myuser", 
            "domain_name": "MYORG", 
            "sid": "S-1-5-21-2787190722-3303379186-206289660-474227", 
            "type": "User"
        }, 
        "authentication_package": "Kerberos", 
        "changed": false, 
        "dns_domain_name": "MYORG.CORP", 
        "failed": false, 
        "groups": [
            {
                "account_name": "REMOTE INTERACTIVE LOGON", 
                "attributes": [
                    "Mandatory", 
                    "Enabled by default", 
                    "Enabled"
                ], 
                "domain_name": "NT AUTHORITY", 
                "sid": "S-1-5-14", 
                "type": "WellKnownGroup"
            }, 
            {
                "account_name": "INTERACTIVE", 
                "attributes": [
                    "Mandatory", 
                    "Enabled by default", 
                    "Enabled"
                ], 
                "domain_name": "NT AUTHORITY", 
                "sid": "S-1-5-4", 
                "type": "WellKnownGroup"
            }, 
            {
                "account_name": "Authentication authority asserted identity", 
                "attributes": [
                    "Mandatory", 
                    "Enabled by default", 
                    "Enabled"
                ], 
                "domain_name": "", 
                "sid": "S-1-18-1", 
                "type": "WellKnownGroup"
            }
        ], 
        "login_time": "2020-07-01T15:35:31.6960496+02:00", 
        "logon_id": 474458244, 
        "logon_server": "SERVAD34", 
        "logon_type": "RemoteInteractive", 
        "token_type": "TokenPrimary", 
        "upn": "MYUSER@myorg.corp", 
        "user_flags": [
            "Winlogon"
        ]
    }
}

Not working server (not previously logged in):

{
    "who": {
        "account": {
            "account_name": "MYUSER", 
            "domain_name": "MYORG", 
            "sid": "S-1-5-21-2787190722-3303379186-206289660-474227", 
            "type": "User"
        }, 
        "authentication_package": "Kerberos", 
        "changed": false, 
        "dns_domain_name": "MYORG.CORP", 
        "failed": false, 
        "groups": [
            {
                "account_name": "BATCH", 
                "attributes": [
                    "Mandatory", 
                    "Enabled by default", 
                    "Enabled"
                ], 
                "domain_name": "NT AUTHORITY", 
                "sid": "S-1-5-3", 
                "type": "WellKnownGroup"
            }, 
            {
                "account_name": "CONSOLE LOGON", 
                "attributes": [
                    "Mandatory", 
                    "Enabled by default", 
                    "Enabled"
                ], 
                "domain_name": "", 
                "sid": "S-1-2-1", 
                "type": "WellKnownGroup"
            }, 
            {
                "account_name": "Service asserted identity", 
                "attributes": [
                    "Mandatory", 
                    "Enabled by default", 
                    "Enabled"
                ], 
                "domain_name": "", 
                "sid": "S-1-18-2", 
                "type": "WellKnownGroup"
            }
        ],  
        "login_time": "2020-07-01T16:21:56.7529726+02:00", 
        "logon_id": 397914032, 
        "logon_server": "SERVAD31", 
        "logon_type": "Batch", 
        "token_type": "TokenPrimary", 
        "upn": "MYUSER@myorg.corp", 
        "user_flags": []
    }
}

The logon flags (interactive and with_profile) are actually default values and do not have to be set (see here). But even if I do set the values, the logon type on the not working server is batch instead of interactive.

Note: I cannot use ansible_winrm_kerberos_delegation unfortunately, so I have to use runas as become method.

What is the reason for that and how can I run this task without logging in via RDP first or force the interactive logon type?

windows
ansible
asked on Stack Overflow Jul 1, 2020 by deve • edited Jul 2, 2020 by deve
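As an added diagnostic (example code, not from the question or from Ansible), the script below parses the two win_whoami results quoted above, trimmed to the fields that matter, and reports how each token was created. The well-known SIDs it keys on are documented Windows values: S-1-5-4 and S-1-5-14 mark an interactive or RDP logon, S-1-5-3 a batch logon, and S-1-18-1 versus S-1-18-2 record whether the identity was proven by the caller's own credentials or asserted by a service on its behalf (the S4U path, which is how Ansible's documented passwordless become creates a token when it cannot duplicate an existing logon session). The same checks could be expressed as an Ansible assert task run after win_whoami, so the NLB step stops with a clear message instead of the access-denied error.

```python
"""Classify a win_whoami token by the logon-type and asserted-identity SIDs it carries."""
import json

# Well-known SIDs Windows adds to a token depending on how the logon was performed.
LOGON_SIDS = {
    "S-1-5-2": "NETWORK",
    "S-1-5-3": "BATCH",
    "S-1-5-4": "INTERACTIVE",
    "S-1-5-6": "SERVICE",
    "S-1-5-14": "REMOTE INTERACTIVE LOGON",
}

# Asserted-identity SIDs: who vouched for the identity when the token was built.
ASSERTED_SIDS = {
    "S-1-18-1": "authentication authority",  # caller proved its identity (e.g. Kerberos with credentials)
    "S-1-18-2": "service",                   # a service asserted the identity for the caller (S4U)
}

# Trimmed copies of the two win_whoami results from the question (only the fields used here).
WORKING = json.loads("""
{"account": {"account_name": "myuser", "domain_name": "MYORG"},
 "groups": [{"sid": "S-1-5-14"}, {"sid": "S-1-5-4"}, {"sid": "S-1-18-1"}],
 "logon_type": "RemoteInteractive", "user_flags": ["Winlogon"]}
""")

NOT_WORKING = json.loads("""
{"account": {"account_name": "MYUSER", "domain_name": "MYORG"},
 "groups": [{"sid": "S-1-5-3"}, {"sid": "S-1-2-1"}, {"sid": "S-1-18-2"}],
 "logon_type": "Batch", "user_flags": []}
""")


def classify_token(who):
    """Summarise a win_whoami 'who' dict: logon type, logon SIDs, and who asserted the identity."""
    sids = {g["sid"] for g in who.get("groups", [])}
    logon_sids = sorted(LOGON_SIDS[s] for s in sids if s in LOGON_SIDS)
    asserted = [ASSERTED_SIDS[s] for s in sids if s in ASSERTED_SIDS]
    return {
        "account": f'{who["account"]["domain_name"]}\\{who["account"]["account_name"]}',
        "logon_type": who.get("logon_type"),
        "logon_sids": logon_sids,
        "asserted_by": asserted[0] if asserted else None,
        "interactive": "INTERACTIVE" in logon_sids,
        # The Winlogon user flag only appears on tokens from a real (console/RDP) session,
        # which is what become reuses when the account is already logged on.
        "from_existing_session": "Winlogon" in who.get("user_flags", []),
    }


def findings(who):
    """Return human-readable reasons the token is not an interactive logon; empty list if it is."""
    c = classify_token(who)
    out = []
    if not c["interactive"]:
        out.append(
            f'{c["account"]}: logon type is {c["logon_type"]} and the token carries '
            f'{c["logon_sids"] or "no logon-type SID"} rather than INTERACTIVE'
        )
    if c["asserted_by"] == "service":
        out.append(
            f'{c["account"]}: identity was asserted by a service (S4U) instead of the '
            f"caller's own credentials, so no existing logon session was reused"
        )
    return out


if __name__ == "__main__":
    for label, who in (("working", WORKING), ("not working", NOT_WORKING)):
        print(label, classify_token(who))
        for line in findings(who):
            print("  -", line)
```

Run against the two captures, the working server reports an INTERACTIVE token asserted by the authentication authority and reused from an existing Winlogon session, while the failing server reports a BATCH token asserted by a service with no session to reuse. That is the difference the question observes, stated in terms a playbook can test for before the privileged step runs.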

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0