Failed to create new process - win_command

Hello Team,

I am trying to install an AV agent on a Windows machine and I get this error:

fatal: [10.217.25.55]: FAILED! => {
“changed”: false,
“cmd”: “\[machine][path]\Setup.exe -updp “\[machine name][path]” -user “domain\user” -pwd “password” -mng yes -ni”,
“msg”: “Exception calling "RunCommand" with "5" argument(s): "Failed to create new process (Access is denied, Win32ErrorCode 5)"”,
“rc”: 2
}

This is the task:

  - name: Install Sophos Agent
    win_command: \[machine][path]\Setup.exe -updp "\[machine name][path]" -user "domain\user" -pwd "password" -mng yes -ni
    args:
      chdir: c:\Users\Administrator\Installables

I have also used psexec to overcome the “access denied” error but psexec doesn't seem to work. The message I get is “psexec exited with error code -1073741502”

Any suggestions on how to deal with this?

Best,
Yash.

Hi

You are coming across an issue due to double hop/credential delegation over WinRM. In most cases you are using an authentication type where the remote process does not have access to the credentials of the user and is unable to authenticate to further resources like a UNC path. This results in it using the anonymous user and in your case the anonymous user is unable to access the executable at ‘\[machine][path]\Setup.exe’ causing an access is denied error message.

We’ve covered this a bit at https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#limitations but in the end you have the following options available to you:

  • Run the task with become, this results in the running process having access to the user’s credentials and can use double hop auth
      • More details on become can be found at https://docs.ansible.com/ansible/latest/user_guide/become.html#become-and-windows
      • Knowing AV installers this will probably be required anyway but this may not be the case

  • Use ‘ansible_winrm_transport=credssp’ to use CredSSP authentication, this results in unconstrained credential delegation just like become

  • Use ‘ansible_winrm_transport=kerberos’ with ‘ansible_winrm_kerberos_delegation=true’ to use Kerberos with credential delegation
      • Unlike Become or CredSSP, Kerberos delegation can be constrained at the AD level to ensure it only auths with the servers you wish

  • Download the installer using win_get_url from a web service and store it locally

Thanks

Jordan


Hello Jordan,

I tried all the methods listed above but none of them seemed to do the trick. I copied the executable to S3 and am downloading it onto the remote system and then running the command but I still get the same error.

I also tried to grant admin access to the user but that didn't work (please see the images below for the error and the task)

So the error you are getting now is not an issue trying to access the file but a problem with the installer itself. This means you have solved the original issue but are now coming across another issue that is related to the program you are trying to install. I very much doubt that you need to explicitly grant the SeTcbPrivilege privilege, this is a very sensitive privilege that is usually only assigned to the SYSTEM account and you shouldn’t have to add it to the current user unless you really have to.

What you need to find out is what a return code of 9 means in the context of the Sophos installer. You will need to look at the documentation and/or any installer logs on the system that could indicate what is going wrong there. I can’t tell you what the issue is as each installer can have their own meaning for a return code value, typically 0 is a success and 3010 means successful but a restart is required but other values could be anything else.

Thanks

Jordan

Hey Jordan, but when I try the original command from within the remote machine, it works. It only fails when I run the command through Ansible. Do you still think the error might be with the installer?

It’s not the installer itself but really what the installer is doing. Ansible typically runs a process under what is called a Network logon type and Microsoft restricts what processes can do under this type of logon. When you log on through RDP or just locally you are using an “Interactive” logon type.

To overcome this issue and run a process under an “Interactive” logon type in Ansible you should be using become. This will create a new process under the interactive logon and run it there and this 95% of the time replicates how the command would run when doing it manually. Have a read through https://docs.ansible.com/ansible/latest/user_guide/become.html#become-and-windows to see how to set up your task.

If become still doesn’t work then you need to get some logs to find out what exactly is failing, without that info I can’t really help you.

Thanks

Jordan
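
The two suggestions that recur in this thread (store the installer locally with win_get_url, then run it with become) combined in one play, as an added example that is not from any poster in the thread. The host group, URL and variable names (update_share, update_user, update_password, admin_password) are placeholders and are assumed to be supplied from Ansible Vault.

```yaml
# Added example, not code from the thread. All names, paths and the URL
# below are placeholders; secrets are assumed to come from Ansible Vault.
- name: Install the AV agent from a local copy under an interactive logon
  hosts: windows
  vars:
    installer_url: https://files.example.invalid/Setup.exe
    installer_dir: C:\Users\Administrator\Installables
  tasks:
    - name: Download the installer so the executable is not read from a UNC path
      win_get_url:
        url: "{{ installer_url }}"
        dest: '{{ installer_dir }}\Setup.exe'

    - name: Run the installer with become (runas)
      # become starts the process under an interactive logon that holds the
      # become user's credentials, so the -updp share can still be reached.
      win_command: >-
        {{ installer_dir }}\Setup.exe -updp "{{ update_share }}"
        -user "{{ update_user }}" -pwd "{{ update_password }}" -mng yes -ni
      args:
        chdir: "{{ installer_dir }}"
      become: yes
      become_method: runas
      become_user: Administrator
      vars:
        ansible_become_password: "{{ admin_password }}"
      register: av_install
      # 0 and 3010 are the typical success codes mentioned in the thread;
      # check the installer's documentation for its other return codes.
      failed_when: av_install.rc not in [0, 3010]
      # Keeps the -pwd value out of task output and logs. Disable it
      # temporarily when you need to see the return code while debugging.
      no_log: true

    - name: Reboot when the installer reports that a restart is required
      win_reboot:
      when: av_install.rc == 3010
```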