win_mapped_drive fails with become(runas) and ansible_become_pass var defined


Дмитрий Витенберг

Jun 17, 2020, 11:22:03 AM
to Ansible Project
Hi everyone,

I'm trying to mount smb share on windows host (win10 pro) that requires authentication using win_mapped_drive/win_credential

Here is the playbook sample (based on docs example)

- name: Create mapped drive with credentials and save the username and password
  block:
  - name: Save the network credentials required for the mapped drive
    win_credential:
      name: 10.0.20.1
      type: domain_password
      username: DOMAIN\admin
      secret: password
      state: present

  - name: Create a mapped drive that requires authentication
    win_mapped_drive:
      letter: M
      path: \\10.0.20.1\myshare1
      state: present
  vars:
    # become is required to save and retrieve the credentials in the tasks
    ansible_become: yes
    ansible_become_method: runas
    ansible_become_user: '{{ ansible_user }}'
    ansible_become_pass: '{{ ansible_password }}'



But the issue is:

- if ansible_become_pass variable is set win_mapped_drive task fails:
The full traceback is:
Exception calling "Invoke" with "2" argument(s): "Failed to map M: to '\\10.0.20.1\myshare1' with WNetAddConnection2W() (The specified network password is not correct, Win32ErrorCode 86)"
At line:420 char:17
+ ... $add_method.Invoke($null, [Object[]]@($letter_root, $path ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : Win32Exception

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 420
fatal: [win1]: FAILED! => {
    "changed": false,
    "msg": "Unhandled exception while executing module: Exception calling \"Invoke\" with \"2\" argument(s): \"Failed to map M: to '\\\\10.0.20.1\\myshare1' with WNetAddConnection2W() (The specified network password is not correct, Win32ErrorCode 86)\""
}




- if ansible_become_pass variable is unset (or empty string) - everything works perfectly


So, AFAIK in 2.8+ become can work without password, as the docs say:
https://docs.ansible.com/ansible/latest/user_guide/become.html#become-without-setting-a-password

But my assumptions were that with the password defined it should work just fine.

My ansible version is - ansible 2.9.9
The Windows host's account I'm using is a local admin.


Can someone help me to debug the issue? It's probably me misusing the module or some sort of admin account misconfiguration (e.g. disabled privileges mb), but no ideas left for me to prove it, thanks in advance.

Jordan Borean

Jun 18, 2020, 7:59:27 PM
to Ansible Project
There's been a recent issue on this problem https://github.com/ansible-collections/community.windows/issues/96. I can't say I've experienced this problem personally as if you have a credential Windows should be using that to connect to the network path. Are you potentially on a newer build of Windows 10?

Дмитрий Витенберг

Jun 19, 2020, 10:58:01 AM
to Ansible Project
It's Win10 Pro N

PS C:\Users\Admin> [System.Environment]::OSVersion.Version
Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      19041  0


The issue you've linked seems relevant, but in my case even `net use` doesn't work when `ansible_become_pass` is set. I've found out that when I use become w/o password all steps are executed in the same logon session (I've checked it with subsequent win_whoami); when become is used with password defined, logon session ids are different, but it should work, cause `cmdkey` sees the target's creds.
So workarounds for me:
1. delete ansible_become_pass var
2. define username/password (for initial connection) for ansible_become_pass.

And the one more strange thing is that the error code may vary, sometimes it's 86, sometimes it's - "The user name or password is incorrect, Win32ErrorCode 1326" - this one is far beyond my understanding.

My initial task was to mount a share for a java app which works via nssm under Local System Account privileges (I guess it's the same as runas + SYSTEM user), so for that purpose (thx to your blog's article) I've used "global" scope mapping.



viten...@gmail.com

Jun 26, 2020, 2:49:44 AM
to Ansible Project
Sorry, the 2nd one was incorrect:

So workarounds for me:
1. delete `ansible_become_pass` var
2. define username/password (for initial connection) for `win_mapped_drive`
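
A sketch of the second workaround as corrected in the last message, preceded by the win_whoami logon-session comparison described in the thread. This playbook is an added example, not code posted by either participant; the `windows` host group and the `vault_share_pass` variable are assumptions.

```yaml
- hosts: windows                      # assumed inventory group
  gather_facts: no
  vars:
    share_path: \\10.0.20.1\myshare1
    share_user: DOMAIN\admin
    # Assumed vaulted variable; keeps the share secret out of the playbook.
    share_pass: '{{ vault_share_pass }}'
  tasks:
    - name: Record the logon session of the plain connection
      win_whoami:
      register: plain_session

    - name: Record the logon session when become is given a password
      win_whoami:
      become: yes
      become_method: runas
      become_user: '{{ ansible_user }}'
      vars:
        ansible_become_pass: '{{ ansible_password }}'
      register: become_session

    # Differing ids here match the condition under which the thread
    # reports Win32ErrorCode 86 / 1326 from win_mapped_drive.
    - name: Show whether both tasks ran in the same logon session
      debug:
        msg: >-
          plain={{ plain_session.logon_id }}
          become={{ become_session.logon_id }}
          same={{ plain_session.logon_id == become_session.logon_id }}

    # Credentials are passed to the module directly instead of being
    # looked up from a win_credential entry saved in another session.
    - name: Map the drive with explicit credentials
      win_mapped_drive:
        letter: M
        path: '{{ share_path }}'
        state: present
        username: '{{ share_user }}'
        password: '{{ share_pass }}'
      no_log: true                    # keep the password out of task output
```

Credentials given to `win_mapped_drive` this way are not saved with the mapping, so `win_credential` is still needed if they must persist across logons.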