Hello community, my English is very bad, but my problem is the following:
A partner installed Ansible in their ecosystem and installed SQL Server 2014 in silent mode with no problem. I installed my ecosystem with Ansible, but at the moment of executing the silent installation, win_command is executed by default on the Windows server and bash throws an access error. Any idea why it works for my partner and not for me?
My playbook:
```
- name: Crea directorios para SQL server
  win_file:
    path: "{{ item }}"
    state: directory
  with_items:

- name: mount SQL Server ISO
  win_disk_image:
    image_path: C:_archivos\en_sql_server_2014_developer_edition_with_service_pack_1_x64_dvd_6668542.iso
    state: present
  #when: not sqlservr_info.stat.exists
  register: iso_mount

- name: grant the ansible user the SeTcbPrivilege right
  win_user_right:
    name: SeTcbPrivilege
    users: '{{ansible_user}}'
    action: add

- name: run SQL server setup.exe
  win_command: 'setup.exe /Q /ConfigurationFile={{ servers_setup_dir }}\ConfigurationFile.ini'
  args:
    chdir: "{{ iso_mount.mount_path }}"
```
When trying to install SQL Server, it needs to interact with the DPAPI, which is an API in Windows that interacts with various crypto elements. By default, a command run over WinRM is unable to access the DPAPI for various security reasons in Windows, and any application that tries to use it (like the SQL installer) will fail with an "access is denied" error.
Use CredSSP authentication (ansible_winrm_transport: credssp) which allows any process to access DPAPI
I would highly recommend you use become in this case if you are on 2.5+. CredSSP is OK if you are on an older version of Ansible, but it does send the username and password to the remote host, which has other security implications. As an example of how to use become for that task, you would need to do:
```
- name: run SQL server setup.exe
  win_command: setup.exe /Q /ConfigurationFile={{ servers_setup_dir }}\ConfigurationFile.ini
  args:
    chdir: "{{ iso_mount.mount_path }}"
  become: yes
  become_method: runas
  become_user: SYSTEM
```
You can set the become_user to a different user if you wish, but this way no password is sent over the wire. One last thing: regarding your task to add the user to the SeTcbPrivilege right, I would highly recommend you not do this if it isn’t needed.
Also, on a side note, the Ansible Development channel is more geared towards dev work with Ansible, like modules and engine work. Questions/issues with using Ansible itself are probably better directed towards https://groups.google.com/forum/#!forum/ansible-project.
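Added example, not part of the original thread: a small diagnostic play that probes DPAPI once in the plain WinRM session and once through `become`, so the difference the reply describes can be confirmed on a host before running the SQL Server installer. The host group `windows` and the variable name `dpapi_probe` are assumptions, and the exact error text of a failing probe depends on the host.

```yaml
# Added diagnostic example; the host group "windows" is an assumption.
- hosts: windows
  gather_facts: no
  vars:
    # Constructed probe: encrypt three bytes with DPAPI in the CurrentUser scope.
    # $ErrorActionPreference = 'Stop' makes a DPAPI exception fail the task.
    dpapi_probe: |
      $ErrorActionPreference = 'Stop'
      Add-Type -AssemblyName System.Security
      $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
      [void][System.Security.Cryptography.ProtectedData]::Protect([byte[]](1, 2, 3), $null, $scope)
      'DPAPI OK'
  tasks:
    - name: probe DPAPI in the plain WinRM logon session
      win_shell: "{{ dpapi_probe }}"
      register: dpapi_winrm
      ignore_errors: yes   # keep going so both results can be compared

    - name: probe DPAPI through become (runas SYSTEM), as in the reply
      win_shell: "{{ dpapi_probe }}"
      become: yes
      become_method: runas
      become_user: SYSTEM
      register: dpapi_become
      ignore_errors: yes

    - name: report which session can reach DPAPI
      debug:
        msg:
          - "WinRM session: {{ 'failed' if dpapi_winrm is failed else 'ok' }}"
          - "become runas SYSTEM: {{ 'failed' if dpapi_become is failed else 'ok' }}"
```

A failed first probe together with a successful second one points to the DPAPI restriction rather than to the installer or its configuration file.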