Thank you Jordan, that's a good explanation of the current state, and it's great to hear that it's improving in 2.5.
Cheers
Benjamin

On Tuesday, 2 January 2018 at 12:16:53 UTC+1, Jordan Borean wrote:
> This is working as designed, the runas become method is used to run a
> process under a different logon type rather than escalating privileges.
> There is no need to escalate privileges within WinRM as each process is run
> like it would when right clicking on an exe and saying run as
> administrator.
>
> The reason why you might still be getting an access is denied error is
> that a WinRM process is run within a network logon session compared to an
> interactive session when it is run locally. Windows restricts what a
> network logon session can do within Windows and one of the most common
> restrictions people come across is not being able to access WUA (Windows
> Update API). So what Ansible does with the runas implementation is to
> create a new logon session with the credentials provided as an interactive
> session and then run the process on that new session. This means that any
> restrictions that are in place under the WinRM session are removed and the
> process will run exactly like it would when doing it locally.
>
> Unfortunately the runas implementation is set as experimental before 2.5
> (current devel branch) where you can run under an interactive session but
> it won’t have administrative privileges. This can be bypassed but it
> requires some security settings to be bypassed which is not fully
> recommended. If you are running devel or plan to use 2.5 when it is
> released you should have any issues.
>
> To answer your question around whether the password is required. The runas
> become method is Ansible’s implementation of the runas executable
> https://technet.microsoft.com/en-us/library/bb490994.aspx where a
> username and password is required. The internal Win32 APIs that are called
> require both the username and password to be set and we can’t bypass that.
> In the end you do need to specify a password to use become for a normal
> account but there is another option if you are on the devel branch. You can
> become the SYSTEM account by setting SYSTEM as the become_user and this
> does not require a password. The SYSTEM account is like root on Windows and
> can do pretty much anything.
>
> In the end, become runas is experimental in 2.3 and 2.4 and if you are on
> these versions I would recommend you use a scheduled task or psexec to
> bypass these issues for now. If you are using the devel branch then
> I would highly recommend you use become as either the SYSTEM account which
> doesn’t require a password or the same account and set the password.
>
> Thanks
>
> Jordan
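The two become options recommended in the quoted reply, shown as a playbook. This is an added example, not part of the original thread; it assumes Ansible 2.5 or the devel branch, a hypothetical inventory group `windows`, and WinRM credentials already set in `ansible_user` and `ansible_password`.

```yaml
# Added example: become with runas over WinRM (assumes Ansible 2.5 / devel).
# The host group "windows" is hypothetical; ansible_user and ansible_password
# are assumed to be the WinRM connection credentials from inventory or vault.
- name: Run tasks outside the WinRM network logon session
  hosts: windows
  gather_facts: no

  tasks:
    # Option 1: become SYSTEM. No password is needed, and the task runs in a
    # new logon session, so the Windows Update API restriction that applies
    # to network logons does not apply.
    - name: Install security updates as SYSTEM
      win_updates:
        category_names:
          - SecurityUpdates
        state: installed
      become: yes
      become_method: runas
      become_user: SYSTEM

    # Option 2: become the same account used for the connection. The Win32
    # logon APIs need both username and password, so the password must be set.
    # Keep it in vault-encrypted vars rather than in plain text.
    - name: Show the logon session the task runs in, as the connection account
      win_command: whoami.exe /all
      become: yes
      become_method: runas
      become_user: "{{ ansible_user }}"
      vars:
        ansible_become_pass: "{{ ansible_password }}"
      register: whoami_out

    - name: Print the group list to confirm the session type
      debug:
        var: whoami_out.stdout_lines
```

SYSTEM has unrestricted rights on the host, so scope `become_user: SYSTEM` to the individual tasks that need it rather than setting it at play level.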
