I don't think it is an elevation issue but rather a WinRM issue. All 
commands run in WinRM run under an elevated token; you can test this out by 
running

ansible -i inventory.ini hosts -m win_command -a "whoami /all"

You would get output similar to the below

(ansible-py36) jborean:~/dev/module-tester$ ansible -i inventory.ini '2016' -m win_command -a "whoami /all"
SERVER2016.domain.local | SUCCESS | rc=0 >>

USER INFORMATION
----------------

User Name             SID
===================== ==============================================
domain\vagrant-domain S-1-5-21-3242954042-3778974373-1659123385-1104


GROUP INFORMATION
-----------------

Group Name                                    Type             SID                                           Attributes
============================================= ================ ============================================= ===============================================================
Everyone                                      Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                 Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                        Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                          Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
DOMAIN\Domain Admins                          Group            S-1-5-21-3242954042-3778974373-1659123385-512 Mandatory group, Enabled by default, Enabled group
DOMAIN\Denied RODC Password Replication Group Alias            S-1-5-21-3242954042-3778974373-1659123385-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication              Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level          Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

The key info here is the mandatory label that is assigned to the user, where 
*Mandatory Label\High Mandatory Level* means an administrator token while 
medium means a normal token.

I would say this issue is because a WinRM process runs under a network 
logon, compared to running it locally, which is an interactive logon. There 
are some differences between the two and some programs fail to run on the 
former. Unfortunately I don't have cygwin installed locally so I can't test 
it out right now.

What you will need to do is either:

* Use become on the win_command task (will only work if you are on 2.5/devel or newer)
* Use win_psexec to run the command as the SYSTEM account

With Ansible 2.5 (devel branch), become will be able to run a process under 
an "interactive" logon and so you can do the following:

- win_command: C:\cygwin\bin\mintty.exe C:\temp\chmod.sh
  become: yes
  become_method: runas
  become_user: SYSTEM

# or this if it needs to run under the same user
- win_command: C:\cygwin\bin\mintty.exe C:\temp\chmod.sh
  become: yes
  become_method: runas
  vars:
    ansible_become_user: '{{ansible_user}}'
    ansible_become_pass: '{{ansible_password}}'

The first one is preferable as you don't need to supply a password to 
become the SYSTEM account, while the second option can be used if you need to 
run it as the same user.

If you are not on Ansible 2.5 (devel), then win_psexec is probably your 
next best bet. The executable psexec.exe is not included with Windows and 
so needs to be installed for it to work; you would need to have:

- win_chocolatey:
    name: psexec
    state: present

- win_psexec:
    command: C:\cygwin\bin\mintty.exe C:\temp\chmod.sh
    interactive: yes
    system: yes

Other options would be to use scheduled tasks, but honestly you are best off 
using become if you are on 2.5; otherwise win_psexec is the next best 
option.

I've tried to explain the concept of elevation and logon sessions a bit 
further in a blog post, 
https://www.bloggingforlogging.com/2018/01/24/demystifying-winrm/; feel 
free to read it if you like.

Thanks

Jordan
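As an added example (not from Jordan's reply or the Ansible project), a small Python parser for `whoami /all` output that pulls out the things the reply points at: the mandatory label (High = administrator token, Medium = normal token), BUILTIN\Administrators membership, the well-known logon group on the token (NT AUTHORITY\NETWORK under WinRM, INTERACTIVE for a local logon) and the enabled privileges. The sample dump is constructed and abbreviated; the well-known SIDs are Microsoft's documented values.

```python
import re

# Well-known SIDs (Microsoft-documented) used to characterise the token.
INTEGRITY = {"S-1-16-4096": "Low", "S-1-16-8192": "Medium", "S-1-16-8448": "Medium Plus",
             "S-1-16-12288": "High", "S-1-16-16384": "System"}
LOGON_HINTS = {"S-1-5-2": "NETWORK", "S-1-5-3": "BATCH", "S-1-5-4": "INTERACTIVE",
               "S-1-5-6": "SERVICE", "S-1-5-14": "REMOTE INTERACTIVE"}
ADMINS_SID = "S-1-5-32-544"
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")
PRIV_RE = re.compile(r"^(Se\w+Privilege)[ \t]+.*?[ \t]+(Enabled|Disabled)[ \t]*$", re.M)

# Constructed sample, abbreviated to the shape of a real `whoami /all` dump taken over WinRM.
SAMPLE_WINRM = r"""GROUP INFORMATION
-----------------
Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators               Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                 Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------
Privilege Name          Description              State
======================= ======================== ========
SeDebugPrivilege        Debug programs           Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeShutdownPrivilege     Shut down the system     Disabled
"""

def sections(text):
    """Map each `whoami /all` section name ('GROUP', 'PRIVILEGES', ...) to its body text."""
    parts = re.split(r"^([A-Z ]+) INFORMATION\r?\n-+\r?\n", text, flags=re.M)
    return dict(zip(parts[1::2], parts[2::2]))

def summarize_token(text):
    """Classify a dump: integrity label, admin membership, logon-type hint, enabled privileges."""
    sec = sections(text)
    group_sids = SID_RE.findall(sec.get("GROUP", ""))
    integrity = next((INTEGRITY[s] for s in group_sids if s in INTEGRITY), "Unknown")
    hints = [LOGON_HINTS[s] for s in group_sids if s in LOGON_HINTS]
    privs = [m.group(1) for m in PRIV_RE.finditer(sec.get("PRIVILEGES", ""))
             if m.group(2) == "Enabled"]
    return {"integrity": integrity,
            "elevated": integrity in ("High", "System"),  # High label = administrator token
            "admin_group": ADMINS_SID in group_sids,
            "logon_hint": hints[0] if hints else "unknown",
            "enabled_privileges": privs}
```

Feed it the stdout of the win_command task above to confirm a High label and NETWORK logon before deciding whether become or win_psexec is the right fix.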
