Windows Become Confusion

Good day,

I’m attempting to execute a PowerShell script on a Windows host to create a Windows Server Failover Cluster. Running the script on node1 works without issue when logged in as a service account with appropriate AD permissions and using a PowerShell terminal ran as Administrator.

Executing the same script via Ansible (using the service account mentioned above) results in an error stating I do not have permissions to edit node1’s registry. Adding the “become” statements below gets past this error, but then I receive an error that node2 cannot be added to the cluster as I don’t have permissions to its registry.

- name: Execute configure_wsfc.ps1
  win_shell: .\configure_wsfc.ps1
  args:
    chdir: '{{ temp_dir }}'
  become: true
  become_method: runas
  become_user: '{{ service_account }}'


configure_wsfc.ps1:

New-Cluster -Name $WSFCClusterName -Node ("node1", "node2") -AdministrativeAccessPoint ActiveDirectoryAndDNS -StaticAddress ("192.168.0.1", "192.168.0.2") -NoStorage


What am I missing?

Thank you.

To truly replicate the behaviour of running it interactively (or at least as close as you can get) you need to specify a password for become.

  • win_shell: …
    become: true
    become_method: runas
    vars:
      ansible_become_user: '{{ ansible_user }}'
      ansible_become_pass: '{{ ansible_password }}'

This will create an “interactive” token that can delegate its credentials to downstream servers as needed. If you don’t specify a password then it will essentially do a “batch” logon without a password, similar to running in a scheduled task but without saving the user’s credentials.

Thanks

Jordan

Hi,

I think your playbook will work if you use CredSSP as the connection method:

https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html

CredSSP permits Ansible to target other hosts than the one it initially connected to.

Regards,

antuelle78

Jordan,

Truly appreciate the reply. I guess I overlooked the below note in the documentation:

“…Use become with a password if the task needs to access network resources.”

I’m definitely not as experienced in Windows as Linux. WinRM and privilege escalation are as clear as mud.

Two quick Ansible on Windows questions, if I may.

  • To run a PS script is it a better practice to use win_command with powershell.exe -ExecutionPolicy Bypass -File script.ps1 or win_shell as above?
  • Why did failure of the PS script not fail the win_shell task?

Thank you and have a great day.

If you are running a script then I would say win_shell is easier, but neither is truly wrong… Unfortunately error handling in PowerShell is a bit of a mixed bag: by default it sets $ErrorActionPreference = 'Continue', which can cause some errors to be “ignored” or at least not part of the final error condition check. I would make sure that you have $ErrorActionPreference = 'Stop' in your script to ensure that an error actually stops your script and exits with a non-zero return code, or at least throw an exception in the cases where you want a failure to occur.
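As an added illustration of the error-handling point above (example code, not from any poster in this thread and not the original configure_wsfc.ps1), here is a script shape in which a failed New-Cluster call is guaranteed to surface to win_shell as a non-zero return code. The parameter names, node names and addresses are placeholders assumed to be supplied by the caller.

```powershell
# Added example: a configure_wsfc.ps1 skeleton whose failures reach Ansible.
# $WSFCClusterName, the node names and the addresses are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$WSFCClusterName,
    [string[]]$Nodes = @("node1", "node2"),
    [string[]]$StaticAddresses = @("192.168.0.1", "192.168.0.2")
)

# Turn every cmdlet error into a terminating error, so nothing is silently
# "continued" past and the try/catch below actually sees the failure.
$ErrorActionPreference = 'Stop'

try {
    # Fails immediately (and is caught) if the cluster cmdlets are not installed.
    Import-Module FailoverClusters

    New-Cluster -Name $WSFCClusterName `
                -Node $Nodes `
                -AdministrativeAccessPoint ActiveDirectoryAndDNS `
                -StaticAddress $StaticAddresses `
                -NoStorage | Out-Null

    Write-Output "Cluster '$WSFCClusterName' created."
    exit 0
}
catch {
    # Report on stderr and exit non-zero so win_shell marks the task failed.
    # -ErrorAction Continue keeps Write-Error from itself terminating under 'Stop'.
    Write-Error -Message "configure_wsfc.ps1 failed: $($_.Exception.Message)" -ErrorAction Continue
    exit 1
}
```

With this structure the Ansible task fails on the exit code alone, so no extra `failed_when` is needed; the permission errors from the original post (registry access on node1 or node2) would then stop the play instead of leaving a half-configured cluster behind.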