Custom Windows Module Failing with Ansible 2.6.4 when using become

Hi all,
First timer here.
So the details of the issue are:
Using Ansible 2.6.4
Playbook that runs my custom windows module (wrapping Service Fabric functionality to create and expand Service Fabric standalone clusters)
It runs on a host server running Windows Server 2016 and has local admin permissions.
Have to use become because of limitations of access without it.

With Ansible 2.4 it works as expected, action is performed and we are happy.

With 2.6.2 or 2.6.4 or 2.6.6 I get an error saying:

```
The full traceback is:
Exception calling "RunAsUser" with "7" argument(s): "LogonUser failed (The user name or password is incorrect, Win32ErrorCode 1326)"
At line:1131 char:9
+         $result = [Ansible.BecomeUtil]::RunAsUser($username, $password, $lp_comm ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : Win32Exception

fatal: [myserver.my.domain]: FAILED! => {
    "changed": false,
    "msg": "Failed to become user mylogin@my.domain: Exception calling \"RunAsUser\" with \"7\" argument(s): \"LogonUser failed (The user name or password is incorrect, Win32ErrorCode 1326)\""
}
```

I’ve seen some similar errors with Chocolatey, so I’m after a little guidance on where to look.
Other simple Windows commands like whoami or win_command work fine with 2.6.4.
I suspect it might be my module or the PowerShell cmdlets that it calls downstream.
One question I have is: whilst I specify the become user in the playbook, the module itself does no auth of its own. It simply runs as whoever become is set to. Would this cause a problem?
Everything was working fine with 2.4, so I rule out permissions issues (unless Ansible become has changed to require something extra; but it works with other modules).

Any suggestions what I should take a look at?

Thanks
Chris

Become and Windows was still experimental in Ansible 2.4, but not much changed between 2.4 and 2.5+ apart from new features being added. Are you able to try and run your task with the following vars set, to rule out an incorrect password being set:

```yaml
- module:
  vars:
    ansible_become: yes
    ansible_become_method: runas
    ansible_become_user: mylogin@my.domain
    ansible_become_pass: password
```

Can you also share the following:

  • How are you calling your module with become? Are you enabling it from your playbook or the command line, or have you added ‘#AnsibleRequires -Become’ to your module?

  • When you say whoami or win_command work fine, do you mean that become works with them?

This is a weird one, because what you are saying is true: the module should not affect the become side, as it cannot control the become process, except to tell Ansible that become is required with the ‘#AnsibleRequires -Become’ flag.

Thanks

Jordan

Hi Jordan,
This is how I’m calling my module:

```yaml
- hosts: management
  gather_facts: false
  run_once: true
  vars:
    ansible_become_user: "{{ servicefabric_details['sf_serv_account'] }}@{{ datacenter_domain }}"
    ansible_become_password: "{{ service_fabric_password['password'] }}"
    sf_base_dir: "{{ servicefabric_details['sf_local_installer_path'] }}"
    sf_config_dir: "{{ servicefabric_details['sf_local_installer_path'] }}\config"
  tasks:
    - block:
        - name: Create Service Fabric Cluster
          # servicefabric_cluster:
          #   action: "present"
          #   sf_tools_path: "{{ working_dir }}"
          #   clusterconfigfilepath: "{{ sf_config_dir }}\{{ cluster_name }}.json"
          #   NoCleanupOnFailure: true
          #   timeoutinseconds: 300
          win_whoami:
          become: yes
          become_method: runas
          register: clustercreate
```

As you can see, the servicefabric_cluster module is commented out just for testing while using win_whoami, but that is how it was called.

Become does indeed work fine with the win_whoami and win_command modules.

Also, I do not have the #AnsibleRequires -Become flag in my module.

This has me very confused: win_whoami and other modules work fine with become, but your custom one fails with an invalid logon. Is servicefabric_cluster an action plugin or just a PowerShell module? There should be no way that a standalone module could affect become, apart from forcing become to run with ‘#AnsibleRequires -Become’.

Thanks

Jordan

Hi Jordan,
The servicefabric_cluster is a PowerShell module.

Can you share the output of win_whoami with both become on and off?

This is with become:

```json
"account": {
  "account_name": "svcservicefabric",
  "domain_name": "MY",
  "sid": "S-1-5-21-4077456329-152936645-47294291-6160",
  "type": "User"
},
"authentication_package": "Kerberos",
"changed": false,
"dns_domain_name": "my.domain",
"groups": [
  {
    "account_name": "Domain Users",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "MY",
    "sid": "S-1-5-21-4077456329-152936645-47294291-513",
    "type": "Group"
  },
  {
    "account_name": "Everyone",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "",
    "sid": "S-1-1-0",
    "type": "WellKnownGroup"
  },
  {
    "account_name": "Administrators",
    "attributes": ["Mandatory", "Enabled by default", "Enabled", "Owner"],
    "domain_name": "BUILTIN",
    "sid": "S-1-5-32-544",
    "type": "Alias"
  },
  {
    "account_name": "Remote Desktop Users",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "BUILTIN",
    "sid": "S-1-5-32-555",
    "type": "Alias"
  },
  {
    "account_name": "Users",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "BUILTIN",
    "sid": "S-1-5-32-545",
    "type": "Alias"
  },
  {
    "account_name": "INTERACTIVE",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "NT AUTHORITY",
    "sid": "S-1-5-4",
    "type": "WellKnownGroup"
  },
  {
    "account_name": "CONSOLE LOGON",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "",
    "sid": "S-1-2-1",
    "type": "WellKnownGroup"
  },
  {
    "account_name": "Authenticated Users",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "NT AUTHORITY",
    "sid": "S-1-5-11",
    "type": "WellKnownGroup"
  },
  {
    "account_name": "This Organization",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "NT AUTHORITY",
    "sid": "S-1-5-15",
    "type": "WellKnownGroup"
  },
  {
    "account_name": "Authentication authority asserted identity",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "",
    "sid": "S-1-18-1",
    "type": "WellKnownGroup"
  },
  {
    "account_name": "Server.Owner.User.Group",
    "attributes": ["Mandatory", "Enabled by default", "Enabled", "Resource"],
    "domain_name": "MY",
    "sid": "S-1-5-21-4077456329-152936645-47294291-2109",
    "type": "Alias"
  },
  {
    "account_name": "High Mandatory Level",
    "attributes": ["Integrity", "Integrity enabled"],
    "domain_name": "Mandatory Label",
    "sid": "S-1-16-12288",
    "type": "Label"
  }
],
"impersonation_level": "SecurityAnonymous",
"label": {
  "account_name": "High Mandatory Level",
  "domain_name": "Mandatory Label",
  "sid": "S-1-16-12288",
  "type": "Label"
},
"login_domain": "MY",
"login_time": "2018-10-29T09:09:39.3564295-04:00",
"logon_id": 56130748,
"logon_server": "MyDomainController",
"logon_type": "Interactive",
"privileges": {
  "SeBackupPrivilege": "disabled",
  "SeChangeNotifyPrivilege": "enabled-by-default",
  "SeCreateGlobalPrivilege": "enabled-by-default",
  "SeCreatePagefilePrivilege": "disabled",
  "SeCreateSymbolicLinkPrivilege": "disabled",
  "SeDebugPrivilege": "enabled",
  "SeImpersonatePrivilege": "enabled-by-default",
  "SeIncreaseBasePriorityPrivilege": "disabled",
  "SeIncreaseQuotaPrivilege": "disabled",
  "SeIncreaseWorkingSetPrivilege": "disabled",
  "SeLoadDriverPrivilege": "disabled",
  "SeManageVolumePrivilege": "disabled",
  "SeProfileSingleProcessPrivilege": "disabled",
  "SeRemoteShutdownPrivilege": "disabled",
  "SeRestorePrivilege": "disabled",
  "SeSecurityPrivilege": "disabled",
  "SeShutdownPrivilege": "disabled",
  "SeSystemEnvironmentPrivilege": "disabled",
  "SeSystemProfilePrivilege": "disabled",
  "SeSystemtimePrivilege": "disabled",
  "SeTakeOwnershipPrivilege": "disabled",
  "SeTimeZonePrivilege": "disabled",
  "SeUndockPrivilege": "disabled"
},
"rights": [
  "SeNetworkLogonRight",
  "SeInteractiveLogonRight",
  "SeBatchLogonRight",
  "SeRemoteInteractiveLogonRight"
],
"token_type": "TokenPrimary",
"upn": "svcservicefabric@my.domain",
"user_flags":
}
```

This is without:

```json
"account": {
  "account_name": "svcservicefabric",
  "domain_name": "MY",
  "sid": "S-1-5-21-4077456329-152936645-47294291-6160",
  "type": "User"
},
"authentication_package": "Kerberos",
"changed": false,
"dns_domain_name": "MY.Domain",
"groups": [
  {
    "account_name": "Domain Users",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "MY",
    "sid": "S-1-5-21-4077456329-152936645-47294291-513",
    "type": "Group"
  },
  {
    "account_name": "Everyone",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "",
    "sid": "S-1-1-0",
    "type": "WellKnownGroup"
  },
  {
    "account_name": "Administrators",
    "attributes": ["Mandatory", "Enabled by default", "Enabled", "Owner"],
    "domain_name": "BUILTIN",
    "sid": "S-1-5-32-544",
    "type": "Alias"
  },
  {
    "account_name": "Remote Desktop Users",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "BUILTIN",
    "sid": "S-1-5-32-555",
    "type": "Alias"
  },
  {
    "account_name": "Users",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "BUILTIN",
    "sid": "S-1-5-32-545",
    "type": "Alias"
  },
  {
    "account_name": "NETWORK",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "NT AUTHORITY",
    "sid": "S-1-5-2",
    "type": "WellKnownGroup"
  },
  {
    "account_name": "Authenticated Users",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "NT AUTHORITY",
    "sid": "S-1-5-11",
    "type": "WellKnownGroup"
  },
  {
    "account_name": "This Organization",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "NT AUTHORITY",
    "sid": "S-1-5-15",
    "type": "WellKnownGroup"
  },
  {
    "account_name": "Authentication authority asserted identity",
    "attributes": ["Mandatory", "Enabled by default", "Enabled"],
    "domain_name": "",
    "sid": "S-1-18-1",
    "type": "WellKnownGroup"
  },
  {
    "account_name": "Server.Owners.User.Group",
    "attributes": ["Mandatory", "Enabled by default", "Enabled", "Resource"],
    "domain_name": "MY",
    "sid": "S-1-5-21-4077456329-152936645-47294291-2109",
    "type": "Alias"
  },
  {
    "account_name": "High Mandatory Level",
    "attributes": ["Integrity", "Integrity enabled"],
    "domain_name": "Mandatory Label",
    "sid": "S-1-16-12288",
    "type": "Label"
  }
],
"impersonation_level": "SecurityAnonymous",
"label": {
  "account_name": "High Mandatory Level",
  "domain_name": "Mandatory Label",
  "sid": "S-1-16-12288",
  "type": "Label"
},
"login_domain": "MY",
"login_time": "2018-10-29T09:13:12.9615843-04:00",
"logon_id": 56160748,
"logon_server": "",
"logon_type": "Network",
"privileges": {
  "SeBackupPrivilege": "enabled-by-default",
  "SeChangeNotifyPrivilege": "enabled-by-default",
  "SeCreateGlobalPrivilege": "enabled-by-default",
  "SeCreatePagefilePrivilege": "enabled-by-default",
  "SeCreateSymbolicLinkPrivilege": "enabled-by-default",
  "SeDebugPrivilege": "enabled-by-default",
  "SeImpersonatePrivilege": "enabled-by-default",
  "SeIncreaseBasePriorityPrivilege": "enabled-by-default",
  "SeIncreaseQuotaPrivilege": "enabled-by-default",
  "SeIncreaseWorkingSetPrivilege": "enabled-by-default",
  "SeLoadDriverPrivilege": "enabled-by-default",
  "SeManageVolumePrivilege": "enabled-by-default",
  "SeProfileSingleProcessPrivilege": "enabled-by-default",
  "SeRemoteShutdownPrivilege": "enabled-by-default",
  "SeRestorePrivilege": "enabled-by-default",
  "SeSecurityPrivilege": "enabled-by-default",
  "SeShutdownPrivilege": "enabled-by-default",
  "SeSystemEnvironmentPrivilege": "enabled-by-default",
  "SeSystemProfilePrivilege": "enabled-by-default",
  "SeSystemtimePrivilege": "enabled-by-default",
  "SeTakeOwnershipPrivilege": "enabled-by-default",
  "SeTimeZonePrivilege": "enabled-by-default",
  "SeUndockPrivilege": "enabled-by-default"
},
"rights": [
  "SeNetworkLogonRight",
  "SeInteractiveLogonRight",
  "SeBatchLogonRight",
  "SeRemoteInteractiveLogonRight"
],
"token_type": "TokenPrimary",
"upn": "",
"user_flags":
}
```

I’ve tried the same module with a different action and get the same thing:

```
"Failed to become user svcservicefabric@my.domain: Exception calling \"FromBase64String\" with \"1\" argument(s): \"The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters. \""
```

I’ve tried using the domain\user format and user@domain.
I’m not doing anything with base64 strings, but the become module is.
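The two win_whoami dumps above differ in a handful of fields that tell you whether become really produced a new logon. The following Python is an added example for this thread, not Ansible's code or anything the posters wrote; the two result dicts are constructed, abbreviated versions of the outputs posted above (only the fields that matter for the comparison are kept), and the helper names are my own.

```python
"""Compare two win_whoami results to see what 'become' actually changed."""
import json

# Constructed sample: win_whoami run *with* become (runas) -> interactive logon
WITH_BECOME = {
    "account": {"account_name": "svcservicefabric", "domain_name": "MY"},
    "logon_type": "Interactive",
    "logon_server": "MyDomainController",
    "upn": "svcservicefabric@my.domain",
    "groups": [
        {"account_name": "Administrators", "domain_name": "BUILTIN"},
        {"account_name": "INTERACTIVE", "domain_name": "NT AUTHORITY"},
        {"account_name": "CONSOLE LOGON", "domain_name": ""},
    ],
    "privileges": {
        "SeBackupPrivilege": "disabled",
        "SeDebugPrivilege": "enabled",
        "SeImpersonatePrivilege": "enabled-by-default",
    },
}

# Constructed sample: the same module *without* become -> WinRM network logon
WITHOUT_BECOME = {
    "account": {"account_name": "svcservicefabric", "domain_name": "MY"},
    "logon_type": "Network",
    "logon_server": "",
    "upn": "",
    "groups": [
        {"account_name": "Administrators", "domain_name": "BUILTIN"},
        {"account_name": "NETWORK", "domain_name": "NT AUTHORITY"},
    ],
    "privileges": {
        "SeBackupPrivilege": "enabled-by-default",
        "SeDebugPrivilege": "enabled-by-default",
        "SeImpersonatePrivilege": "enabled-by-default",
    },
}


def _group_names(result):
    """DOMAIN\\name strings for every group in a win_whoami result."""
    return {f"{g['domain_name']}\\{g['account_name']}" for g in result["groups"]}


def diff_whoami(with_become, without_become):
    """Return the token differences that matter for become troubleshooting."""
    scalar_fields = ("logon_type", "logon_server", "upn", "token_type",
                     "impersonation_level", "authentication_package")
    changed = {}
    for field in scalar_fields:
        a, b = without_become.get(field), with_become.get(field)
        if a != b:
            changed[field] = {"without": a, "with": b}

    # Privileges are keyed by name; report any whose state differs.
    priv_changes = {}
    names = set(with_become["privileges"]) | set(without_become["privileges"])
    for name in sorted(names):
        a = without_become["privileges"].get(name)
        b = with_become["privileges"].get(name)
        if a != b:
            priv_changes[name] = {"without": a, "with": b}

    return {
        "same_account": with_become["account"] == without_become["account"],
        "fields": changed,
        "privileges": priv_changes,
        "groups_added": sorted(_group_names(with_become) - _group_names(without_become)),
        "groups_removed": sorted(_group_names(without_become) - _group_names(with_become)),
    }


def became_user(diff):
    """True when the become run really produced a fresh interactive logon
    for the same account (a Network logon means become did not happen)."""
    lt = diff["fields"].get("logon_type")
    return diff["same_account"] and lt is not None and lt["with"] == "Interactive"


if __name__ == "__main__":
    print(json.dumps(diff_whoami(WITH_BECOME, WITHOUT_BECOME), indent=2))
```

On the outputs posted above this flags the Network to Interactive logon type change, the populated logon_server and upn, the INTERACTIVE and CONSOLE LOGON groups replacing NETWORK, and the privileges that the interactive token has disabled, which is the evidence Jordan uses below to conclude that become did run for win_whoami.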

Thanks for that. The user seems to have the correct rights, and it does confirm that win_whoami was run with become. The error you are getting is probably due to the become process outputting plaintext values where in a normal case it would base64 encode the output to deal with unicode issues.

I’m pretty sure I’ve fixed that in 2.8/devel, so it would be great if you could try it out there. If you can follow https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#running-from-source and run Ansible straight from source on the devel branch, that would be great. You can also set an environment variable on the Windows host, ‘ANSIBLE_EXEC_DEBUG’, to the path of a local file; if that is set, then the exec wrapper will output debug logs to that file and give you a better picture as to what’s going on.

If you still get an error, it would be great if you could share the debug logs from the wrapper. It shouldn’t contain any sensitive information, but make sure you double check before posting it just in case.

Thanks

Jordan
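Jordan's diagnosis is that the become process wrote a plaintext error where the caller expected a base64-encoded payload, so Convert.FromBase64String threw on the first character outside the base64 alphabet. The Python below is an added example for this thread, not Ansible's exec wrapper or anything the posters wrote; it assumes the wrapper base64-encodes UTF-8 output (the encoding is an assumption) and uses b64decode(validate=True), which rejects non-alphabet characters the way the .NET call does, to reproduce the failure and show a decoder that distinguishes a real payload from a leaked error message. The sample strings are constructed.

```python
"""Why a become wrapper that emits plaintext breaks a base64-decoding caller."""
import base64
import binascii
import string

# Characters Convert.FromBase64String accepts (whitespace aside).
_B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def first_invalid_char(raw: str):
    """Offset and character of the first byte a strict decoder rejects, or None."""
    for i, ch in enumerate(raw):
        if ch not in _B64_ALPHABET:
            return i, ch
    return None


def decode_become_output(raw: str):
    """Decode what a become wrapper returned.

    Returns (kind, text): kind is 'base64' when the payload was a valid
    base64 string (decoded as UTF-8, an assumed encoding) and 'plaintext'
    when it was not, in which case text is the raw string and the caller
    should surface it as an error message rather than parse it as a result.
    """
    try:
        # validate=True mirrors .NET: any non-alphabet character is an error
        # instead of being silently skipped.
        data = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return "plaintext", raw
    return "base64", data.decode("utf-8")


def encode_become_output(text: str) -> str:
    """What a correctly behaving wrapper would emit for `text`."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed samples: a well-formed module result and the leaked error text
# from the thread above, which the wrapper should have encoded but did not.
GOOD_RESULT = encode_become_output('{"changed": false, "stdout": "MY\\\\svcservicefabric"}')
BAD_RESULT = "LogonUser failed (The user name or password is incorrect, Win32ErrorCode 1326)"

if __name__ == "__main__":
    print(decode_become_output(GOOD_RESULT))
    print(decode_become_output(BAD_RESULT))
    print(first_invalid_char(BAD_RESULT))
```

The first space in "LogonUser failed" is already outside the alphabet, so a strict decoder fails before reaching anything meaningful; the tolerant path keeps the text so the underlying LogonUser error is what ends up in the failure message instead of a FromBase64String exception that hides it.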

Thanks for the information Jordan.

I’ll give that a try soon. I’ve worked around the issue by running the playbook as the user in question, but that’s not the best solution in my mind.