win_acl and Windows domain accounts

[James Duff]

I am trying to create a playbook that will setup specific directories and ACLs on a Windows host.

I can setup the ACL with a local user on the windows host but when I try setup the ACL for a domain account, I get back the following error:

TASK [Grant domain account full access to this directory] **

fatal: [computer FQDN]: FAILED! => {"changed": false, "failed": true, "msg": "an error occurred when attempting to present FullControl permission(s) on E:\\Test for ans...@DEV.LOCAL - Exception calling \".ctor\" with \"1\" argument(s): \"Value was invalid.\r\nParameter name: sddlForm\""}

Can win_acl be used to control ACLs for Domain accounts?

The play book is run with: 

ansible-playbook -i development demo.yaml

Ansible is configured to use winrm over SSL. I have tried with both Kerberos authentication and NTLM.

I can manually set the ACL if I connect through remote desktop with the account used to connect via winrm.

I have been able to make other win_ modules work. I can use the win_service module to set Windows services to run as domain users.

The playbook contains:

---

- name: Test win_acl

  hosts: all

  gather_facts: false

  tasks:

  - name: Create root directory

    win_file:

      path: E:\Test

      state: directory

  - name: Grant domain account full access to this directory

    win_acl:

      user: ans...@DEV.LOCAL

      path: E:\Test

      rights: FullControl

      type: allow

      state: present

Version of Ansible:

ansible 2.3.0.0

  config file = 

  configured module search path = Default w/o overrides

  python version = 2.7.12 (default, Sep  1 2016, 22:14:00) [GCC 4.8.3 20140911 (Red Hat 4.8.3-9)]

Target Windows host is running Windows Server 2016.

Any assistance, would be appreciated.

Thank you

James

[J Hawkesworth]

Try
user: DEV.LOCAL\ansible

Instead of the ans...@DEV.LOCAL syntax.

If that doesn't work, ugly workaround is to use win_shell to run icacls.exe

If i recall there are some fixes for this module (although not necessarily for the issue you describe) on github, so if you have the capacity to test out changes that would be very helpful.

Hope this helps,

Jon

[James Duff]

Hi Jon,

Thank you for the reply and sorry for the delay in responding.

I updated the runbook to use 'DEV.LOCAL\ansible' and I still see the same error.

I have done some testing with the previous version of ansible, 2.2.0, and the command works as expected. There just seems to be a change in 2.3 and above that has broken the module.

If I restore the 2.2 version of lib/ansible/modules/windows/win_acl.ps1 into my 2.3 or 2.4 environment the win_acl module works.

Here are the results of my testing:

1. Ansible 2.2, setting user: DEV.LOCAL\ansible   - ACLs are set correctly
   
2. Ansible 2.2, setting user: ans...@DEV.LOCAL  - Failed: FAILED! => {"changed": false, "failed": true, "msg": "ans...@DEV.LOCAL is not a valid user or group on the host machine or domain"}
3. Ansible 2.3+, setting user: DEV.LOCAL\ansible   - FAILED! => {"changed": false, "failed": true, "msg": "an error occurred when attempting to present FullControl permission(s) on E:\\Test for DEV.LOCAL\\ansible - Exception calling \".ctor\" with \"1\" argument(s): \"Value was invalid.\r\nParameter name: sddlForm\""}
4. Ansible 2.3, with win_acl.ps1 from Ansible 2.2, setting user: DEV.LOCAL\ansible   - ACLs are set correctly
   

I was able to win_command with icacls.exe to apply the permissions I needed. Agree it feels like an ugly work around but for now seems easier than reverting ansible modules from 2.2 into 2.3

There are some things in Ansible 2.3 that we are using which is the reason to stay on 2.3.

You mentioned some changes in github that are could be tested. I am happy to have a look if you have the URLs to hand.

-James