Setting registry ACLs using win_acl is broken by ALL APPLICATION PACKAGES #22968

Closed
Novex opened this issue Mar 25, 2017 · 1 comment
Labels
affects_2.4 This issue/PR affects Ansible v2.4 bug This issue/PR relates to a bug. module This issue/PR relates to a module. support:core This issue/PR relates to code supported by the Ansible Engineering Team. windows Windows community

Novex commented Mar 25, 2017

ISSUE TYPE
  • Bug Report
COMPONENT NAME

win_acl

ANSIBLE VERSION
ansible 2.4.0
  config file =
  configured module search path = Default w/o overrides
  python version = 2.7.5 (default, Nov  6 2016, 00:28:07) [GCC 4.8.5 20150623 (Red Hat 4.8.5-11)]
CONFIGURATION

n/a

OS / ENVIRONMENT

CentOS 7 Docker Image as controller configuring a Windows Server 2016 host

SUMMARY

The ability to set ACLs in the Windows Registry (introduced in #19443) doesn't appear to work on Windows Server 2016 (and I assume Server 2012 too).

The underlying issue is the same as the filesystem problem in #20553. This was fixed by #20555 but unfortunately the code to fix it was not applied to the path which deals with setting registry ACLs.

STEPS TO REPRODUCE

After configuring a valid connection to a Windows server under the group windows, run the following command:

# ansible windows -m win_acl -a 'path="HKLM:\SOFTWARE" user="Administrator" type="allow" rights="ReadKey"'
EXPECTED RESULTS

An entry on the HKEY_LOCAL_MACHINE\SOFTWARE ACL assigning the Read permission to Administrator

ACTUAL RESULTS
[root@70daada2e2f6 /]# ansible windows -m win_acl -a 'path="HKLM:\SOFTWARE" user="Administrator" type="allow" rights="ReadKey"' -vvvv
No config file found; using defaults
Loading callback plugin minimal of type stdout, v2.0 from /opt/ansible/lib/ansible/plugins/callback/__init__.pyc
META: ran handlers
Using module file /opt/ansible/lib/ansible/modules/windows/win_acl.ps1
<iis-services> ESTABLISH WINRM CONNECTION FOR USER: Administrator on PORT 5986 TO iis-services
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
EXEC (via pipeline wrapper)
iis-services | FAILED! => {
    "changed": false,
    "failed": true,
    "msg": "an error occurred when attempting to present ReadKey permission(s) on HKLM:\\SOFTWARE for Administrator - Exception calling \"Translate\" with \"1\" argument(s): \"Some or all identity references could not be translated.\""

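A diagnostic for the failure reported above, added here as an example; it is not code from the issue, from win_acl.ps1 or from the Ansible project. It lists every entry on a key's ACL and reports which identity references fail the same `Translate` call named in the error message. The function name `Test-AclIdentityTranslation` is hypothetical, and the retry with the account name alone is an assumption, not the project's fix.

```powershell
# Added diagnostic example; not taken from win_acl.ps1 or the issue.
function Test-AclIdentityTranslation {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # registry or filesystem path, e.g. 'HKLM:\SOFTWARE'
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($rule in (Get-Acl -Path $Path).Access) {
        $identity = $rule.IdentityReference
        $sid = $null
        $note = 'translated'

        try {
            # The call that raises the exception quoted in the report.
            $sid = $identity.Translate($sidType).Value
        }
        catch {
            # Assumption: retry with the account name alone, without the
            # authority prefix. Recorded as unresolved if this fails too.
            $bareName = ($identity.Value -split '\\')[-1]
            try {
                $account = New-Object System.Security.Principal.NTAccount($bareName)
                $sid = $account.Translate($sidType).Value
                $note = "full name failed; resolved as '$bareName'"
            }
            catch {
                $note = 'unresolved: ' + $_.Exception.Message
            }
        }

        # One row per access rule, so failing identities stand out.
        [PSCustomObject]@{
            Identity    = $identity.Value
            Type        = $rule.AccessControlType
            IsInherited = $rule.IsInherited
            Sid         = $sid
            Note        = $note
        }
    }
}

# Run on the managed Windows host, against the key from the report.
Test-AclIdentityTranslation -Path 'HKLM:\SOFTWARE' | Format-Table -AutoSize
```

Rows whose Note is anything other than `translated` are the ACL entries that trigger the error.
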
ansibot commented Mar 25, 2017

@ansibot ansibot added affects_2.4 This issue/PR affects Ansible v2.4 bug_report module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. windows Windows community labels Mar 25, 2017
@alikins alikins removed the needs_triage Needs a first human triage before being processed. label Mar 27, 2017
@ansibot ansibot added the support:core This issue/PR relates to code supported by the Ansible Engineering Team. label Jun 29, 2017
jborean93 pushed a commit to jborean93/ansible that referenced this issue Jul 10, 2017
* `APPLICATION PACKAGE AUTHORITY` ACLs also apply to the registry
jborean93 added a commit that referenced this issue Jul 11, 2017
* Fixes #22968
* `APPLICATION PACKAGE AUTHORITY` ACLs also apply to the registry

* fixed nested for loop

(cherry picked from commit 81c2252)
abadger pushed a commit that referenced this issue Aug 8, 2017
* Fixes #22968
* `APPLICATION PACKAGE AUTHORITY` ACLs also apply to the registry

* fixed nested for loop

(cherry picked from commit 81c2252)
@ansibot ansibot added bug This issue/PR relates to a bug. and removed bug_report labels Mar 7, 2018
@ansible ansible locked and limited conversation to collaborators Apr 26, 2019