win_command not exec admin mode

Hello community, my English is very bad, but my problem is the following:

One partner installed Ansible in their ecosystem and installed SQL Server 2014 in silent mode with no problem. I set up my ecosystem with Ansible, but at the moment of executing the silent installation, win_command is executed by default on the Windows server and bash throws an access error. Any idea why my partner's works and mine does not?

my playbook:

```yaml
- name: Crea directorios para SQL server
  win_file:
    path: "{{ item }}"
    state: directory
  with_items:
    - "{{ mssql_sqldata_dir }}"
    - "{{ mssql_data_dir }}"
    - "{{ mssql_logs_dir }}"
    - "{{ mssql_bkps_dir }}"
    - "{{ mssql_temp_dir }}"

- name: Copia Archivo configuracion SQL
  win_template:
    src: ConfigurationFile-2014.ini
    dest: C:_archivos\ConfigurationFile.ini

- name: mount SQL Server ISO
  win_disk_image:
    image_path: C:_archivos\en_sql_server_2014_developer_edition_with_service_pack_1_x64_dvd_6668542.iso
    state: present
  #when: not sqlservr_info.stat.exists
  register: iso_mount

- name: grant the ansible user the SeTcbPrivilege right
  win_user_right:
    name: SeTcbPrivilege
    users: '{{ansible_user}}'
    action: add

- name: run SQL server setup.exe
  win_command: 'setup.exe /Q /ConfigurationFile={{ servers_setup_dir }}\ConfigurationFile.ini'
  args:
    chdir: "{{ iso_mount.mount_path }}"
```

Hi

When trying to install SQL Server it needs to interact with the DPAPI, which is an API in Windows that interacts with various crypto elements. By default a command run over WinRM is unable to access the DPAPI for various security reasons in Windows, and any application that tries to use it (like the SQL installer) will fail with an access is denied error.

There are 2 main ways you can resolve this issue;

I would highly recommend you use become in this case if you are on 2.5+, CredSSP is ok if you are on an older version of Ansible but it does send the username and password to the remote host which has other security implications. An example on how to use become for that task you would need to do;

```yaml
- name: run SQL server setup.exe
  win_command: setup.exe /Q /ConfigurationFile={{ servers_setup_dir}}\ConfigurationFile.ini
  args:
    chdir: "{{ iso_mount.mount_path }}"
  become: yes
  become_method: runas
  become_user: SYSTEM
```

You can set the become_user to a different user if you wish, but this way no password is sent over the wire. One last thing: your task to add the user to the SeTcbPrivilege right, I would highly recommend you not do this if it isn’t needed.

Also on a side note, the Ansible Development channel is more geared towards dev work with Ansible, like modules and engine work. Questions/issues with using Ansible itself are probably better directed towards https://groups.google.com/forum/#!forum/ansible-project.

Thanks

Jordan
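
Following the advice in the reply above, an added example that is not part of the thread or of anyone's playbook: tasks that undo the SeTcbPrivilege grant the original playbook made and confirm that become really runs as SYSTEM before setup.exe is launched. It assumes Ansible 2.5+ and the `ansible_user` variable from the thread; the register name `become_ctx` is made up for the example.

```yaml
# Added example, not from the thread.
# Place these tasks before the "run SQL server setup.exe" task.

# The original playbook granted SeTcbPrivilege ("Act as part of the
# operating system") to the connection user. Take it away again so the
# WinRM account is not left with a right it does not need.
- name: revoke SeTcbPrivilege from the ansible user
  win_user_right:
    name: SeTcbPrivilege
    users: '{{ ansible_user }}'
    action: remove

# Run win_whoami under the same become settings the installer will use,
# so the security context can be inspected before anything is installed.
- name: collect the security context that become provides
  win_whoami:
  become: yes
  become_method: runas
  become_user: SYSTEM
  register: become_ctx   # hypothetical variable name

# S-1-5-18 is the well-known SID of the Local System account.
# Failing here means become did not take effect and setup.exe would
# run in the plain WinRM context, where DPAPI access is denied.
- name: stop if the task is not running as SYSTEM
  assert:
    that:
      - become_ctx.account.sid == 'S-1-5-18'
    msg: "become did not switch to SYSTEM; not starting the SQL Server installer"
```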

Thanks, it works!!!