win_acl and Windows domain accounts

I am trying to create a playbook that will setup specific directories and ACLs on a Windows host.

I can setup the ACL with a local user on the windows host but when I try setup the ACL for a domain account, I get back the following error:

TASK [Grant domain account full access to this directory] **
fatal: [computer FQDN]: FAILED! => {"changed": false, "failed": true, "msg": "an error occurred when attempting to present FullControl permission(s) on E:\Test for ansible@DEV.LOCAL - Exception calling ".ctor" with "1" argument(s): "Value was invalid.\r\nParameter name: sddlForm""}

Can win_acl be used to control ACLs for Domain accounts?

The playbook is run with:
ansible-playbook -i development demo.yaml

Ansible is configured to use winrm over SSL. I have tried with both Kerberos authentication and NTLM.

I can manually set the ACL if I connect through remote desktop with the account used to connect via winrm.
I have been able to make other win_ modules work. I can use the win_service module to set Windows services to run as domain users.

The playbook contains:

Try
user: DEV.LOCAL\ansible

Instead of the ansible@DEV.LOCAL syntax.

If that doesn't work, an ugly workaround is to use win_shell to run icacls.exe.

If I recall, there are some fixes for this module (although not necessarily for the issue you describe) on GitHub, so if you have the capacity to test out changes that would be very helpful.

Hope this helps,

Jon

Hi Jon,

Thank you for the reply and sorry for the delay in responding.

I updated the runbook to use ‘DEV.LOCAL\ansible’ and I still see the same error.

I have done some testing with the previous version of ansible, 2.2.0, and the command works as expected. There just seems to be a change in 2.3 and above that has broken the module.
If I restore the 2.2 version of lib/ansible/modules/windows/win_acl.ps1 into my 2.3 or 2.4 environment the win_acl module works.

Here are the results of my testing:

  1. Ansible 2.2, setting user: DEV.LOCAL\ansible - ACLs are set correctly

  2. Ansible 2.2, setting user: ansible@DEV.LOCAL - FAILED! => {"changed": false, "failed": true, "msg": "ansible@DEV.LOCAL is not a valid user or group on the host machine or domain"}

  3. Ansible 2.3+, setting user: DEV.LOCAL\ansible - FAILED! => {"changed": false, "failed": true, "msg": "an error occurred when attempting to present FullControl permission(s) on E:\Test for DEV.LOCAL\ansible - Exception calling ".ctor" with "1" argument(s): "Value was invalid.\r\nParameter name: sddlForm""}

  4. Ansible 2.3, with win_acl.ps1 from Ansible 2.2, setting user: DEV.LOCAL\ansible - ACLs are set correctly

I was able to use win_command with icacls.exe to apply the permissions I needed. Agree it feels like an ugly workaround, but for now it seems easier than reverting Ansible modules from 2.2 into 2.3.

There are some things in Ansible 2.3 that we are using which is the reason to stay on 2.3.

You mentioned some changes on GitHub that could be tested. I am happy to have a look if you have the URLs to hand.

-James
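The two approaches discussed in the thread, Jon's DOMAIN\user form for win_acl and the icacls.exe fallback James ended up using, written out as an added example rather than either poster's own playbook. It uses the E:\Test path and DEV.LOCAL\ansible account from the thread; the task names, the directory-creation step and the idempotency check around icacls are assumptions.

```yaml
# Added example, not from the original thread. Grants the DEV.LOCAL\ansible
# domain account FullControl on E:\Test, first via win_acl (DOMAIN\user form,
# which the thread reports working on Ansible 2.2), then via icacls.exe as the
# fallback used when win_acl fails with the "sddlForm" error on 2.3+.
- name: Ensure the directory exists
  win_file:
    path: E:\Test
    state: directory

# DOMAIN\user, not user@DOMAIN: the UPN form was rejected even on 2.2.
- name: Grant domain account full access to this directory (win_acl)
  win_acl:
    path: E:\Test
    user: DEV.LOCAL\ansible
    rights: FullControl
    type: allow
    state: present
    inherit: ContainerInherit, ObjectInherit
    propagation: None

# Workaround: drive icacls.exe directly. Read the current ACL first so the
# grant only runs (and only reports "changed") when the entry is missing.
- name: Read the current ACL with icacls
  win_command: icacls.exe E:\Test
  register: current_acl
  changed_when: false

# (OI)(CI)F = object inherit, container inherit, full control.
# icacls prints the NetBIOS domain (e.g. DEV\ansible), not DEV.LOCAL, so the
# check matches on the account name and rights only (assumption about output).
- name: Grant domain account full access to this directory (icacls workaround)
  win_command: icacls.exe E:\Test /grant "DEV.LOCAL\ansible:(OI)(CI)F"
  when: "'ansible:(OI)(CI)(F)' not in current_acl.stdout"
```

Only one of the two grant tasks is needed in practice; keep the win_acl task on hosts where it works and the icacls pair on the 2.3+ hosts that hit the error.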