Windows Become Confusion


Joefrey Kimmel

Oct 12, 2022, 8:19:03 PM
to ansible...@googlegroups.com

Good day,


I'm attempting to execute a PowerShell script on a Windows host to create a Windows Server Failover Cluster. Running the script on node1 works without issue when logged in as a service account with appropriate AD permissions and using a PowerShell terminal run as Administrator.


Executing the same script via Ansible (using the service account mentioned above) results in an error stating I do not have permissions to edit node1's registry. Adding the "become" statements below gets past this error, but then I receive an error that node2 cannot be added to the cluster as I don't have permissions to its registry.


- name: Execute configure_wsfc.ps1
  win_shell: .\configure_wsfc.ps1
  args:
    chdir: '{{ temp_dir }}'
  become: true
  become_method: runas
  become_user: '{{ service_account }}'

configure_wsfc.ps1:


New-Cluster -Name $WSFCClusterName -Node ("node1", "node2") -AdministrativeAccessPoint ActiveDirectoryAndDNS -StaticAddress ("192.168.0.1", "192.168.0.2") -NoStorage

What am I missing?


Thank you.

jbor...@gmail.com

Oct 12, 2022, 11:28:06 PM
to Ansible Project
To truly replicate the behaviour of running it interactively (or at least as close as you can get) you need to specify a password for become.

- win_shell: ...
  become: true
  become_method: runas
  vars:
    ansible_become_user: '{{ ansible_user }}'
    ansible_become_pass: '{{ ansible_password }}'

This will create an "interactive" token that can delegate its credentials to downstream servers as needed. If you don't specify a password then it will essentially do a "batch" logon without a password, similar to running in a scheduled task but without saving the user's credentials.

Thanks

Jordan

Michael Nelson

Oct 13, 2022, 4:54:15 AM
to ansible...@googlegroups.com

Hi,

I think your playbook will work if you use CredSSP as the connection method:

https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html

CredSSP permits Ansible to target other hosts from the one it initially connected to.

Regards,

antuelle78


Husker79

Oct 13, 2022, 9:22:39 AM
to Ansible Project
Jordan,

Truly appreciate the reply. I guess I overlooked the below note in the documentation:

"...Use become with a password if the task needs to access network resources."

I'm definitely not as experienced in Windows as Linux. WinRM and privilege escalation are as clear as mud.

Two quick Ansible on Windows questions, if I may.
  • To run a PS script is it a better practice to use win_command with powershell.exe -ExecutionPolicy Bypass -File script.ps1 or win_shell as above?
  • Why did failure of the PS script not fail the win_shell task?
Thank you and have a great day.

jbor...@gmail.com

Oct 16, 2022, 8:16:28 PM
to Ansible Project
If you are running a script then I would say win_shell is easier, but neither is truly wrong. Unfortunately error handling in PowerShell is a bit of a mixed bag: by default it sets $ErrorActionPreference = 'Continue', which can cause some errors to be "ignored" or at least not part of the final error condition check. I would make sure that you have $ErrorActionPreference = 'Stop' in your script to ensure that an error actually stops your script and exits with a non-0 return code, or at least throw an exception in the cases where you want a failure to occur.
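As an added illustration that is not part of the thread, here is how configure_wsfc.ps1 could apply Jordan's advice so that a failure inside the script surfaces as a failed win_shell task; the cluster name is a placeholder, and the node names and addresses are the ones from the first post.

```powershell
# Added example (not from the thread). win_shell judges success by the
# script's exit code, so every failure path here must end in a non-zero exit.
# $WSFCClusterName is a placeholder; node names/addresses come from the post.
$ErrorActionPreference = 'Stop'
$WSFCClusterName = 'WSFC-PLACEHOLDER'

try {
    # With 'Stop' in effect, a non-terminating error from New-Cluster (for
    # example an access-denied error on node2's registry) becomes a
    # terminating error and lands in the catch block instead of being
    # printed and then ignored, as it would be under the default 'Continue'.
    New-Cluster -Name $WSFCClusterName `
        -Node ('node1', 'node2') `
        -AdministrativeAccessPoint ActiveDirectoryAndDNS `
        -StaticAddress ('192.168.0.1', '192.168.0.2') `
        -NoStorage

    # Confirm the cluster object exists; -ErrorAction Stop is redundant
    # here but makes the intent explicit when the preference is changed.
    $cluster = Get-Cluster -Name $WSFCClusterName -ErrorAction Stop
    if ($cluster.Name -ne $WSFCClusterName) {
        # Explicit throw for conditions PowerShell would not flag on its own.
        throw "Unexpected cluster name '$($cluster.Name)'"
    }

    # Caveat: $ErrorActionPreference does not apply to native executables.
    # If you call one (e.g. some tool.exe), check $LASTEXITCODE yourself:
    #   if ($LASTEXITCODE -ne 0) { throw "tool.exe exited with $LASTEXITCODE" }
}
catch {
    # -ErrorAction Continue so Write-Error itself does not re-throw inside
    # the catch block; the message reaches win_shell's stderr.
    Write-Error -Message $_.Exception.Message -ErrorAction Continue
    exit 1
}

exit 0
```

With this in place the task fails on the first error rather than on whatever happened to be the last statement's outcome.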