Access denied renaming windows domain joined server

[java_cat33]

I'm trying to rename a domain joined server via the following play....

- hosts: server

  tasks:

  

  - name: Rename server from server1 to server2

    win_shell: |

      $name = $env:COMPUTERNAME

      if ($name -ne "server1")

      {

      Rename-Computer -NewName "server2"

      write-host "Server will need a restart...."

      } 

Ansible connects to the server via kerberos via a user account that has domain admin rights.

However I receive an access denied message when running the play in verbose.

Do I need to use become/run_as even though I'm connecting via a domain admin account?

[Jordan Borean]

When connecting over WinRM, your credentials are by default not available to the remote process to use. Things that need to authenticate with a further server, like fileshares or domain actions, will fail as they have no credentials to use. While there are other options available you are best to use one of the following with Ansible

• Use become on the task, this works by creating a new logon with explicit credentials, similar to what happens when you log on locally
• Use CredSSP or Kerberos (with credential delegation enabled) and the remote process will have access to the credentials

Also if you are on Ansible 2.6, there is now a win_hostname module to do this instead of using win_shell https://docs.ansible.com/ansible/devel/modules/win_hostname_module.html.

Thanks

Jordan

[java_cat33]

Awesome - thanks once again Jordan!

I added the kerberos delegation. I'm running Ansible 2.5 so will look into upgrading 2.6

I know that the server will need a restart after running that remote PS command - what is the standard practice to then use win_reboot based upon the result of a remote PS command? Do I just need to specify it in the play since I know that it is expected or is there a more programmatic way based upon a returned value for example?

ansible_reboot_pending is currently set to false.

Let me know if I should start a new thread for this....

[java_cat33]

E.G reboot based upon a value in stdout?

[Jordan Borean]

Best way if you are using win_shell is to just base it on the stdout, the ansible_reboot_pending is a pretty useless fact that is gathered as part of setup and isn't kept up to date during the task execution.

In your case it would look something like this

- win_shell: |

    $name = $env:COMPUTERNAME
    if ($name -ne "server1") {
      Rename-Computer -NewName "server2"

      Write-Host "reboot_required"

    }
  register: hostname_result

- name: reboot if required
  win_reboot:
  when: hostname_result.stdout_lines[0] == "reboot_required"

I haven't tested this but basically it will output the reboot_required text, the win_reboot task will only run if the first line of the output contains that line.

Thanks

Jordan

[Lee Drew]

Thanks Jordan - I had an element not found error when trying stdout_lines[0].

I managed to get it working by using the following....

when: '"reboot_required" in hostname_result.stdout'

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/VGQMFnAcUI0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/b8f984c0-8223-4c66-9af0-288711151303%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.