ansible 2.9 and NT AUTHORITY\SYSTEM - bad?


sergey....@gmail.com

May 24, 2023, 8:22:14 AM5/24/23
to Ansible Project
Pardon my English.
I have a fully configured CentOS 7. I want to overwrite a file from a remote Samba server (it joins AD via winbind) to a remote Windows computer in the same domain.

In the beginning, nothing worked. I added the line:
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only

Ansible 2.7 worked without any problems, but 2.9 doesn't work.

Is this really broken in 2.9?
(ansible 2.9 from EPEL el7)

sergey....@gmail.com

May 24, 2023, 11:37:31 PM5/24/23
to Ansible Project
I use 2.9 and this playbook:

---
    - name: become as SYSTEM
      win_whoami:
      become: yes
      become_method: runas
      become_user: System
      register: sys_whoami

    - debug: var=sys_whoami
---

All works, no problem.
Then I add the line: ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only

ERROR:
---
An exception occurred during task execution. To see the full traceback, use -vvv. The error was:    at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
fatal: [VM-WIN81-1.AD]: FAILED! => {"changed": false, "msg": "internal error: failed to become user 'System': Exception calling \"CreateProcessAsUser\" with \"9\" argument(s): \"Failed to get token for NT AUTHORITY\\SYSTEM required for become as a service account or an account without a password\""}
============================================
I changed Ansible to version 2.7.
Both options work without any problems.
=====
wbinfo -n "NT AUTHORITY\\SYSTEM"
S-1-5-18 SID_WKN_GROUP (5)
wbinfo -s S-1-5-18
NT AUTHORITY\system 5

Wednesday, May 24, 2023 at 16:22:14 UTC+4, sergey....@gmail.com:

sergey....@gmail.com

May 25, 2023, 3:39:47 PM5/25/23
to Ansible Project
I took CentOS 8 Stream and installed ansible-core 2.14.2-3.el8 and ansible 7.2.0-1.el8.next.
All of this was based on Python 3.11.2, and it didn't work at all because it returned a None variable, which could not be processed. As I found out from the Internet, it is a bug in Python 3.11.2.

I have now installed ansible 4.10.0 with ansible-core 2.11.12.
Exactly the same error as in version 2.9.

I wonder if this works for anyone else, or whether after version 2.7 this is broken?

P.S. I use Kerberos authorization.

Thursday, May 25, 2023 at 07:37:31 UTC+4, sergey....@gmail.com:

jbor...@gmail.com

May 25, 2023, 11:17:36 PM5/25/23
to Ansible Project
2.3 - 2.9 was a fairly rapid time when it came to become on Windows. IIRC 2.8 introduced passwordless become functionality, which added more stringent checks onto the SYSTEM token that was used in the process. One of these checks was to see if the token had the SeTcbPrivilege associated with it.

In saying all that, the become flags you are wanting to use don't make too much sense with the SYSTEM account. I'm not even sure if they would have even applied in 2.7, hence why no error was shown then. Why are you trying to use those flags with SYSTEM?

Thanks

Jordan
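A diagnostic play that surfaces the token state Jordan describes, added here as an illustration and not taken from the thread or from Ansible's own test suite. It assumes an inventory group named windows and the standard return values of win_whoami (the privileges dictionary and account.sid); it deliberately leaves out the logon_type/logon_flags become flags so that the plain SYSTEM become path is what gets exercised.

```yaml
---
# Added example (not from the original thread): show which privileges the
# connection user's token carries before attempting become as SYSTEM, then
# confirm the become actually produced the S-1-5-18 token.
- hosts: windows          # assumed inventory group name
  gather_facts: false
  tasks:
    - name: Capture the token of the user Ansible connects as
      win_whoami:
      register: conn_whoami

    - name: Report the state of the privileges the passwordless SYSTEM become checks for
      debug:
        msg: "{{ item }} = {{ conn_whoami.privileges[item] | default('not present') }}"
      loop:
        - SeTcbPrivilege
        - SeDebugPrivilege

    - name: Become SYSTEM with the default runas settings (no extra become flags)
      win_whoami:
      become: yes
      become_method: runas
      become_user: SYSTEM
      register: sys_whoami

    - name: Fail clearly if the task did not run under the well-known SYSTEM SID
      assert:
        that:
          - sys_whoami.account.sid == 'S-1-5-18'
        fail_msg: "become_user SYSTEM did not yield the NT AUTHORITY\\SYSTEM token"
```

If the first debug task shows SeTcbPrivilege as "not present" on the connection user's token, the later become will fail for the reason quoted in the error message above, independently of any become flags; if it is present and the become still fails only when the flags are added, the flags themselves are the variable to remove.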

sergey....@gmail.com

May 26, 2023, 2:31:58 AM5/26/23
to Ansible Project

Thank you very much for your reply. I understand what you mean.

When I run whoami through Ansible, the launching user and the become user show that it is on, and SeTcbPrivilege = enabled and SeDebugPrivilege = enabled.

There is some software that I can only install this way:
1. I log on to the Windows computer myself; I am in the domain administrators group. (I am the one who starts Ansible.)
2. I open the Samba share, right-click on the launcher and select "Run as administrator".
This is the only way it works correctly.

But for some reason, as soon as I set up the SYSTEM user in Ansible, I can't copy anything from the Samba share.

In the Samba logs it says all the time that:
[2023/05/25 23:22:28.105807,  0] ../../source3/auth/auth_util.c:1889(check_account)
  check_account: Failed to convert SID S-1-5-21-1374489729-2609897191-470403182-4723 to a UID (dom_user[AD\vm-win81-1$])

If I look on my computer with Samba, I see:
 wbinfo -s S-1-5-21-1374489729-2609897191-470403182-4723
AD\VM-WIN81-1$ 1

But when I change Ansible to 2.7, there is no such error.

That's right, users have a UID but computers don't.
Friday, May 26, 2023 at 07:17:36 UTC+4, jbor...@gmail.com: