Ansible Windows become_user per task?

b...@tanners.org

Mar 2, 2017, 1:32:21 AM3/2/17
to Ansible Project
Is there a way to "become_user" per task on a Windows?

- name: Install programs (win_shell)
  win_shell: "{{ item.dest }}/{{ item.program }} {{ item.arguments }}"
  register: cmd
  when:
    - window_packages is defined
  with_items:
    - "{{ window_packages }}"
  become_user: bob
  tags: win_workstation2

Running the command with -vvvv shows I'm still connecting over WinRM as the Administrator:

<PC130.corp.local> ESTABLISH WINRM CONNECTION FOR USER: Admini...@CORP.LOCAL on PORT 5986 TO PC130.corp.local EXEC (via pipeline wrapper)

Not sure how to check what user the task is running as, but I don't find the stuff I'd expect in AppData\Local.

Matt Davis

Mar 2, 2017, 6:36:22 PM3/2/17
to Ansible Project
Yeah, docs forthcoming for this stuff, but you need to specify a couple more things to make it work (since the global *nix defaults don't make sense under Windows):

First and foremost, you never actually said you want to "become", just "who" you want to become: you need to add "become: yes" (this is not Windows-specific). Then you need to tell us which become method to use (become_method: runas), as the default "sudo" isn't implemented on Windows. You can set these at either the play or task level, as necessary, but "become: yes" is the key to actually making a task run as someone else; the rest is just "how". See below for a sample.

Also, there's a bug right now that's preventing become from working under NTLM and Kerberos auth (fails with "Access is denied"), so you can only use it with Basic, CredSSP, and Certificate auth (hoping to nail this one down in the next few days).

Hope that helps...

-Matt

(ansible-dev) [mdavis@mdavis-t460p win2012r2-domain]$ cat become.yml
- hosts: member1
  gather_facts: no
  become_method: runas
  tasks:
  - name: as default user
    win_shell: whoami

  - name: as administrator
    become: yes
    become_user: administrator
    win_shell: whoami

(ansible-dev) [mdavis@mdavis-t460p win2012r2-domain]$ ansible-playbook -i hosts become.yml -vv -K
No config file found; using defaults
SUDO password: 

PLAYBOOK: become.yml *******************************************************************************
1 plays in become.yml

PLAY [member1] *************************************************************************************
META: ran handlers

TASK [as default user] *****************************************************************************
task path: /home/mdavis/vm/win2012r2-domain/become.yml:5
changed: [member1] => {"changed": true, "cmd": "whoami", "delta": "0:00:00.156427", "end": "2017-03-02 11:29:12.986398", "rc": 0, "start": "2017-03-02 11:29:12.829970", "stderr": "", "stderr_lines": [], "stdout": "ansible\\testguy\r\n", "stdout_lines": ["ansible\\testguy"]}

TASK [as administrator] ****************************************************************************
task path: /home/mdavis/vm/win2012r2-domain/become.yml:8
changed: [member1] => {"changed": true, "cmd": "whoami", "delta": "0:00:00.187422", "end": "2017-03-02 11:29:13.876657", "rc": 0, "start": "2017-03-02 11:29:13.689234", "stderr": "", "stderr_lines": [], "stdout": "ansible\\testguy\r\n", "stdout_lines": ["ansible\\testguy"]}
META: ran handlers
META: ran handlers

PLAY RECAP *****************************************************************************************
member1                    : ok=2    changed=2    unreachable=0    failed=0   
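
The pieces Matt describes (become: yes to actually switch user, become_method: runas for "how", become_user for "who") applied to the original task, as an added example that is not from the thread or from Ansible's own docs. The host group "windows", the user "bob", the vars section and the contents of window_packages are assumptions; the runas password for bob is supplied with -K as in Matt's run (or with ansible_become_pass). The two check tasks answer the question of how to see which account a task really runs under: each prints the Windows identity, whether the token is elevated, and %LOCALAPPDATA%, so the connection user and the become user can be compared directly instead of guessing from AppData\Local.

```yaml
# Added example (not from the thread). Group "windows", user "bob" and the
# window_packages list are assumptions; give bob's password with -K or
# ansible_become_pass.
- hosts: windows
  gather_facts: no
  # "how" to become: the *nix default (sudo) is not implemented on Windows
  become_method: runas
  vars:
    window_packages:
      - { dest: 'C:/Temp', program: 'setup.exe', arguments: '/S' }
    # PowerShell that reports the account a task runs as
    identity_check: |
      $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
      $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
      $admin = [System.Security.Principal.WindowsBuiltInRole]::Administrator
      "{0} elevated={1} LOCALAPPDATA={2}" -f $id.Name, $principal.IsInRole($admin), $env:LOCALAPPDATA
  tasks:
    - name: Identity of the WinRM connection user (no become)
      win_shell: "{{ identity_check }}"
      register: who_default
      changed_when: false

    - name: Same check as bob ("become: yes" is what actually switches user)
      become: yes
      become_user: bob
      win_shell: "{{ identity_check }}"
      register: who_bob
      changed_when: false

    - name: Show both identities side by side
      debug:
        msg:
          - "connection user: {{ who_default.stdout | trim }}"
          - "become user:     {{ who_bob.stdout | trim }}"

    # The original task with the missing "become: yes" added
    - name: Install programs as bob (win_shell)
      become: yes
      become_user: bob
      win_shell: "{{ item.dest }}/{{ item.program }} {{ item.arguments }}"
      register: cmd
      when: window_packages is defined
      with_items: "{{ window_packages }}"
      tags: win_workstation2
```

Run it the way Matt did, ansible-playbook -i hosts become.yml -K, so the become password for bob is prompted for. The debug task should show two different accounts; if both lines name the connection user, the task is not being switched, which is what happens with become_user but no become: yes. Per Matt's note above, at the time of the thread the WinRM connection itself had to use Basic, CredSSP or certificate auth for runas to work.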

Bob Tanner

Mar 10, 2017, 2:35:24 PM3/10/17
to ansible...@googlegroups.com
Is there a PR or repository I can follow so I know when the Kerberos auth stuff is available in devel branch?


On Mar 2, 2017, at 5:36 PM, Matt Davis <mda...@ansible.com> wrote:

Also, there's a bug right now that's preventing become from working under NTLM and Kerberos auth (fails with "Access is denied"), so you can only use it with Basic, CredSSP, and Certificate auth (hoping to nail this one down in the next few days).

--
Bob Tanner <b...@tanners.org>          Clash of Clan Tag: #LUJ2CPU
Follow me on Facebook and Twitter!  Clash Royale Tag: #2Q98YPC


J Hawkesworth

Mar 15, 2017, 10:22:10 AM3/15/17
to Ansible Project
This is the bug report, so that's probably the best place to look for now:


Jon