Windows - become_method runas - password definition

[Jeremie Levy]

Hello

I am using successfully ansible in my windows environment with Kerberos.

I am still having trouble if i want to execute a task as another user than my ansible user.

For example, i want to execute specific task as build user to make sure it's home dir is present - if not i guess my command will create it by login this specific user.

build_usr_password is in the var files (i used the debug module to check i can access it)

- name: Touching a file in order to make sure the account home dir is created.

win_stat:

path: C:\Users\build_usr

state: present

become: yes

become_method: runas

become_user: build_usr@DOMAIN

password: "{{ build_usr_password }}"

I tried ansible_become_password become_password and ansible_password. Still same issue:

The full traceback is:

LogonUser failed (The user name or password is incorrect, Win32ErrorCode 1326)

At line:623 char:13

+             throw [Ansible.Shell.Win32Exception] "LogonUser failed"

+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : OperationStopped: (:) [], Win32Exception

    + FullyQualifiedErrorId : LogonUser failed (The user name or password is incorrect, Win32ErrorCode 1326)

failed: [hasgqba110.ger.corp.intel.com] (item=bEeq07WG8-RQ.Myr9Ymd) => {

    "changed": false,

    "item": "bEeq07WG8-RQ.Myr9Ymd",

    "msg": "LogonUser failed (The user name or password is incorrect, Win32ErrorCode 1326)"

}

How do i define the password for this task ? (the password is in the vault encrypted file, i don't want to/can't pass it via the CLI)

ansible-playbook 2.4.3.0                                                                                                       

python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 20160609]                                                  

Jordan ? :)

[J Hawkesworth]

Hello,

I haven't tried this myself but I am wondering if you maybe have a password containing a special character, such as $ - I have had trouble with passwords which contain characters which have reserved meaning in powershell in the past?

Also do you perhaps mean to use win_file module instead of win_stat? If I recall, win_stat only returns information on a file, such as whether it exists and is in the expected state, but win_file will ensure a file or directory exists

win_file:
   state: directory
   path: c:\Users\bld_usr

Hope this helps,

Jon

[Jeremie Levy]

Hi

No $ but @ is there.

I created a service with the credentials so they are working. (win_service)

It's just for this. And win_file or win_stat, it doesn't matter, I can't find out how to pass the password.

[Jordan Borean]

While become, become_method, become_flags, and become_user can be play or task directive, the password side is not and either needs to be specified with;

* Passed in when calling ansible-playbook with -K
* Set as a connection variable for the host

What you are looking for is to set the ansible_become_pass connection variable for the host, this can be done on either a host/group var set outside the playbook and makes it host specified. If you wanted to set it on the playbook/task side you can do it like this

- win_stat:
    path: C:\Users\build_user
  become: yes
  become_method: runas
  become_user: build_usr@DOMAIN
  vars:
    ansible_become_pass: '{{ build_usr_password }}'

It is still better to define it on the host/group side instead of the play/task side as you could define different password for each host that runs in a play and so on. Once other thing, the connection variables take precedence over the task directive, so setting ansible_become_user: someuser will override the task directory become_user: anotheruser.

Source for this info
http://docs.ansible.com/ansible/latest/become.html#connection-variables

Thanks

Jordan

[Jeremie Levy]

Worked!

Thank you so much!

Sorry i miss this information.