New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error using become in a Windows environment #69086
Comments
Files identified in the description: If these files are incorrect, please update the |
Sorry for the delay here but this is the error returned by the call to LogonUser. Windows is saying the username or password is invalid so I'm not sure what we can do fix that. What I recommend you try is to explicitly set the username/password using the vars directive to rule out something else setting the wrong password. - win_whoami:
become: yes
become_method: runas
vars:
ansible_become_user: ourdomain\adminuser
ansible_become_pass: my password If that also fails I'm not sure what else it could be, we are really at the mercy of what Windows validates the password as. |
Hi, |
I can confirm this behavior. Seems like the bug was introduced with |
I did not take a closer look, but maybe something slipped through here: |
If you have an issue please share more information about
The original issue is literally Windows reporting the username/password is incorrect and there's not much we can do about it. Maybe there's a bug with passing in the password correctly but without knowing how that was done in the first place (or even a reply with my suggestion) there's not much we can do to help. From my perspective everything works fine and I need more info to try and track down why it might be happening it you. |
Hi @jborean93, Here the relevant variables: ansible_connection: winrm
ansible_port: 5986
ansible_winrm_transport: kerberos
ansible_winrm_server_cert_validation: ignore
ansible_user: "{{ admin_user }}"
ansible_password: "{{ admin_password }}"
ansible_become_method: runas
ansible_become_password: "{{ admin_password }}"
ansible_become_user: "{{ nt_domain }}\\{{ admin_user }}" This is the error I get if I use a version higher than 2.9.1:
Again, with 2.9.1, everything works fine without a change to the playbook. Same account, same everything.
You are correct, Windows just tells us our credentials are wrong which is probably correct from the OSs point of view. I think the become module does not pass them correctly. There was a larger change merged into 2.9.2 (cd37b2d) that I suspect to have introduced this bug. Again, I did not take closer look, just compared releases and searched for commits related to the become module and this one looks suspicious. |
Can you set - win_whoami:
become: yes
become_method: runas
vars:
ansible_become_user: ourdomain\adminuser
ansible_become_pass: my password
- win_whoami:
become: yes
become_method: runas
vars:
ansible_become_user: ourdomain\adminuser
ansible_become_password: my password |
Both tasks work with 2.9.1. On 2.9.2 the second task using |
Thanks for narrowing down the problem a bit more, on your normal playbook can you run the following
The precedence for each var goes from lowest to highest. If One last thing to try is to run a single task with become with {
"module_entry": "module base64",
"powershell_modules": {
"Ansible.ModuleUtils.Legacy": "module util base64",
"Ansible.ModuleUtils.CamelConversion": "module util base64",
"Ansible.ModuleUtils.AddType": "module util base64"
},
"csharp_utils": {
"Ansible.AccessToken": "module util base64",
"Ansible.Become": "module util base64",
"Ansible.Process": "module util base64"
},
"csharp_utils_module": [],
"module_args": {
"_ansible_check_mode": false,
"_ansible_no_log": false,
"_ansible_debug": false,
"_ansible_diff": false,
"_ansible_verbosity": 3,
"_ansible_version": "2.11.0.dev0",
"_ansible_module_name": "win_whoami",
"_ansible_syslog_facility": "LOG_USER",
"_ansible_selinux_special_fs": [
"fuse",
"nfs",
"vboxsf",
"ramfs",
"9p",
"vfat"
],
"_ansible_string_conversion_action": "warn",
"_ansible_socket": null,
"_ansible_shell_executable": "/bin/sh",
"_ansible_keep_remote_files": true,
"_ansible_tmpdir": "C:\\Users\\vagrant-domain\\AppData\\Local\\Temp\\ansible-tmp-1599766908.8073065-12246-163912062193480\\.",
"_ansible_remote_tmp": "%TEMP%"
},
"actions": [
"become_wrapper",
"module_powershell_wrapper"
],
"environment": {},
"encoded_output": false,
"become_user": "vagrant-domain@DOMAIN.TEST",
"become_password": "MyPass",
"become_flags": "",
"min_ps_version": null,
"min_os_version": null,
"module_powershell_wrapper": "module exec base64",
"module_wrapper": "module exec base64",
"exec_wrapper": "module exec base64",
"become_wrapper": "module exec base64"
} You can see the become information is under |
You are correct. The Playbook I use has Running the debug tasks produces the output below. The variables have the same value no matter which Ansible version is used.
Changing I didn't bother to run a play with ANSIBLE_KEEP_REMOTE_FILES=1 set as the result will probably the same. |
The precedence may have changed but that's largely as a result of how vars are now trying to conform to the same standard, e.g.
Using
Other become plugins will have different vars but the standard when we split the become setup to a plugin was to have those 3 (the latter being
The order of this matters as it defines the priority of each pass, in your case the Ultimately you should either
Adding a dep warning will be hard because this precedence is controlled in a global fashion and is just how the plugin config system is designed to work. Also because OP hasn't replied with any further information I am going to assume that they came across this same problem and will close the issue. Windows is reporting the correct error in that the password was correct. We cannot log those details because a password is a sensitive bit of information but the comments here can help others debug their setup if need be. TLDR: Don't mix and match |
Hi, guys,
We're deploying different playbooks in windows environment and facing some strange behavior of become function. When we're first trying to use newly added to local admins user account, it fails with "incorrect username password error".
The second turn of playbook always works like a charm with no errors or problems at all.
ISSUE TYPE
COMPONENT NAME
lib/ansible/playbook/become.py
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
VMware virtual machines with clean Windows Server 2019 Standard OS
STEPS TO REPRODUCE
Add chocolatey with win_chocolatey module with become.
EXPECTED RESULTS
Successful choco installed
ACTUAL RESULTS
The text was updated successfully, but these errors were encountered: