This is working as designed; the runas become method is used to run a process under a different logon type rather than escalating privileges. There is no need to escalate privileges within WinRM as each process is run like it would when right clicking on an exe and saying run as administrator.
The reason why you might still be getting an access is denied error is that a WinRM process is run within a network logon session compared to an interactive session when it is run locally. Windows restricts what a network logon session can do within Windows and one of the most common restrictions people come across is not being able to access WUA (Windows Update API). So what Ansible does with the runas implementation is to create a new logon session with the credentials provided as an interactive session and then run the process on that new session. This means that any restrictions that are in place under the WinRM session are removed and the process will run exactly like it would when doing it locally.
Unfortunately the runas implementation is set as experimental before 2.5 (current devel branch) where you can run under an interactive session but it won’t have administrative privileges. This can be bypassed but it requires some security settings to be bypassed which is not fully recommended. If you are running devel or plan to use 2.5 when it is released you should have any issues.
To answer your question around whether the password is required: the runas become method is Ansible’s implementation of the runas executable (https://technet.microsoft.com/en-us/library/bb490994.aspx) where a username and password is required. The internal Win32 APIs that are called require both the username and password to be set and we can’t bypass that. In the end you do need to specify a password to use become for a normal account but there is another option if you are on the devel branch. You can become the SYSTEM account by setting SYSTEM as the become_user and this does not require a password. The SYSTEM account is like root on Windows and can do pretty much anything.
In the end, become runas is experimental in 2.3 and 2.4 and if you are on these versions I would recommend you use a scheduled task or psexec to bypass these issues for now. If you are using the devel branch then I would highly recommend you use become as either the SYSTEM account which doesn’t require a password or the same account and set the password.
Thanks
Jordan
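
The two become options described in the reply above, written out as a playbook. This is an added example, not part of the original post or of the Ansible project's own documentation; the `windows` host group and the `vault_win_password` variable are hypothetical names, and it assumes Ansible 2.5 or the devel branch.

```yaml
# Added illustration: host group and vault variable names are hypothetical.
- hosts: windows
  gather_facts: no
  tasks:
    # Baseline: runs in the plain WinRM session (a network logon), which is
    # where calls to the Windows Update API are typically denied.
    - name: Record details of the WinRM logon session
      win_whoami:
      register: winrm_session

    # Option 1: become SYSTEM. No password is needed, but SYSTEM is the
    # equivalent of root, so limit this to the tasks that need it.
    - name: Install security updates as SYSTEM
      win_updates:
        category_names:
          - SecurityUpdates
      become: yes
      become_method: runas
      become_user: SYSTEM

    # Option 2: become the same account as the connection user. runas needs
    # both username and password, so the password is read from a vaulted
    # variable rather than written into the playbook.
    - name: Install security updates as the connection account
      win_updates:
        category_names:
          - SecurityUpdates
      become: yes
      become_method: runas
      become_user: "{{ ansible_user }}"
      vars:
        ansible_become_pass: "{{ vault_win_password }}"

    # Confirm which session the become task actually ran in by comparing
    # this result with the baseline registered above.
    - name: Record details of the become logon session
      win_whoami:
      become: yes
      become_method: runas
      become_user: SYSTEM
      register: become_session
```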