win_command not exec admin mode


lalo andres

Apr 26, 2018, 8:12:26 AM
to Ansible Development
Hello community, my English is very bad, but my problem is the following:

A partner installed Ansible in his ecosystem and installed SQL Server 2014 in silent mode with no problem. I installed my ecosystem with Ansible, but at the moment of executing the silent installation, win_command is executed by default on the Windows server and bash throws an access error. Any idea why it works for my partner and not for me?

my playbook:

- name: Crea directorios para SQL server
  win_file:
    path: "{{ item }}"
    state: directory
  with_items:
    - "{{ mssql_sqldata_dir }}"
    - "{{ mssql_data_dir }}"
    - "{{ mssql_logs_dir }}"
    - "{{ mssql_bkps_dir }}"
    - "{{ mssql_temp_dir }}"

- name: Copia Archivo configuracion SQL
  win_template:
    src: ConfigurationFile-2014.ini
    dest: C:\_archivos\ConfigurationFile.ini

- name: mount SQL Server ISO
  win_disk_image:
    image_path:  C:\_archivos\en_sql_server_2014_developer_edition_with_service_pack_1_x64_dvd_6668542.iso
    state: present
  #when: not sqlservr_info.stat.exists
  register: iso_mount

- name: grant the ansible user the SeTcbPrivilege right
  win_user_right:
    name: SeTcbPrivilege
    users: '{{ansible_user}}'
    action: add

- name: run SQL server setup.exe
  win_command: 'setup.exe /Q /ConfigurationFile={{ servers_setup_dir }}\\ConfigurationFile.ini'
  args:
    chdir: "{{ iso_mount.mount_path }}"

Jordan Borean

Apr 26, 2018, 4:15:09 PM
to Ansible Development
Hi

When trying to install SQL Server it needs to interact with the DPAPI, which is an API in Windows that interacts with various crypto elements. By default a command run over WinRM is unable to access the DPAPI for various security reasons in Windows, and any application that tries to use it (like the SQL installer) will fail with an access is denied error.

There are 2 main ways you can resolve this issue;

I would highly recommend you use become in this case if you are on 2.5+. CredSSP is ok if you are on an older version of Ansible, but it does send the username and password to the remote host, which has other security implications. For an example of how to use become for that task, you would need to do:


- name: run SQL server setup.exe
  win_command: setup.exe /Q /ConfigurationFile={{ servers_setup_dir }}\ConfigurationFile.ini
  args:
    chdir: "{{ iso_mount.mount_path }}"
  become: yes
  become_method: runas
  become_user: SYSTEM


You can set the become_user to a different user if you wish, but this way no password is sent over the wire. One last thing: your task to add the user to the SeTcbPrivilege right, I would highly recommend you not do this if it isn't needed.


Also on a side note, the Ansible Development channel is more geared towards dev work with Ansible, like modules and engine work. Questions/issues with using Ansible itself are probably better directed towards https://groups.google.com/forum/#!forum/ansible-project.

Thanks

Jordan
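
An added example, not part of the post above or of the original playbook: the last two tasks of the playbook rewritten along the lines of the reply, with the SeTcbPrivilege grant reversed and the installer run through become. It assumes Ansible 2.5+ and that nothing else on the host relies on that grant; the variable names are the ones the original playbook already uses, and vault_install_password is a hypothetical vaulted variable.

```yaml
# Added example (not from the thread). Assumes Ansible 2.5+.

# Reverse the earlier grant made by the original playbook.
# SeTcbPrivilege ("act as part of the operating system") lets the account
# impersonate any user, so it should not stay on the connection account
# when the task no longer depends on it.
- name: revoke SeTcbPrivilege from the ansible user
  win_user_right:
    name: SeTcbPrivilege
    users: '{{ ansible_user }}'
    action: remove

# Run the installer through become/runas instead of directly over WinRM,
# so the setup process can reach the DPAPI. With SYSTEM as the become user
# no password has to be supplied or sent to the host.
- name: run SQL server setup.exe
  win_command: setup.exe /Q /ConfigurationFile={{ servers_setup_dir }}\ConfigurationFile.ini
  args:
    chdir: "{{ iso_mount.mount_path }}"
  become: yes
  become_method: runas
  become_user: SYSTEM
  # To become a named account instead of SYSTEM, a password is required.
  # Keep it in a vaulted variable rather than in the playbook, e.g.:
  #   become_user: '{{ ansible_user }}'
  #   vars:
  #     ansible_become_pass: '{{ vault_install_password }}'  # hypothetical name
```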

lalo andres

Apr 27, 2018, 9:09:34 AM
to Ansible Development
Thanks, it works!!!