Looks like the become works! However, the syntax needs to be in this case:

win_command: 'cmd.exe /c "start C:\cygwin\bin\bash -li /cygdrive/c/TEMP/chmod.sh"'
become: yes
become_method: runas
become_user: SYSTEM

I appreciate your help! I have like 4 or 5 scripts that I need elevation to run.

On Wed, Jan 24, 2018 at 1:21 PM, Jordan Borean <[email protected]> wrote:
> I don't think it is an elevation issue but rather a WinRM issue. All
> commands run in WinRM run under an elevated token, you can test this out by
> running
>
> ansible -i inventory.ini hosts -m win_command -a "whoami /all"
>
> You would get a similar output to the below
>
> (ansible-py36) jborean:~/dev/module-tester$ ansible -i inventory.ini '2016' -m win_command -a "whoami /all"
> SERVER2016.domain.local | SUCCESS | rc=0 >>
>
> USER INFORMATION
> ----------------
>
> User Name             SID
> ===================== ==============================================
> domain\vagrant-domain S-1-5-21-3242954042-3778974373-1659123385-1104
>
>
> GROUP INFORMATION
> -----------------
>
> Group Name                                    Type             SID                                           Attributes
> ============================================= ================ ============================================= ===============================================================
> Everyone                                      Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
> BUILTIN\Users                                 Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
> BUILTIN\Administrators                        Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
> NT AUTHORITY\NETWORK                          Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
> NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
> NT AUTHORITY\This Organization                Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
> DOMAIN\Domain Admins                          Group            S-1-5-21-3242954042-3778974373-1659123385-512 Mandatory group, Enabled by default, Enabled group
> DOMAIN\Denied RODC Password Replication Group Alias            S-1-5-21-3242954042-3778974373-1659123385-572 Mandatory group, Enabled by default, Enabled group, Local Group
> NT AUTHORITY\NTLM Authentication              Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
> Mandatory Label\High Mandatory Level          Label            S-1-16-12288
>
>
> PRIVILEGES INFORMATION
> ----------------------
>
> Privilege Name                            Description                                                        State
> ========================================= ================================================================== =======
> SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
> SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
> SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
> SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
> SeSystemProfilePrivilege                  Profile system performance                                         Enabled
> SeSystemtimePrivilege                     Change the system time                                             Enabled
> SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
> SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
> SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
> SeBackupPrivilege                         Back up files and directories                                      Enabled
> SeRestorePrivilege                        Restore files and directories                                      Enabled
> SeShutdownPrivilege                       Shut down the system                                               Enabled
> SeDebugPrivilege                          Debug programs                                                     Enabled
> SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
> SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
> SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
> SeUndockPrivilege                         Remove computer from docking station                               Enabled
> SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
> SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
> SeCreateGlobalPrivilege                   Create global objects                                              Enabled
> SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
> SeTimeZonePrivilege                       Change the time zone                                               Enabled
> SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
> SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
>
>
> USER CLAIMS INFORMATION
> -----------------------
>
> User claims unknown.
>
> Kerberos support for Dynamic Access Control on this device has been
> disabled.
>
> The key info here is the mandatory label that is assigned to the user
> where *Mandatory Label\High Mandatory Level* means an administrator token
> while medium means a normal token.
>
> I would say this issue is because a WinRM process runs under a network
> logon compared to running it locally which is with interactive logon, there
> are some differences between the 2 and some programs fail to run on the
> former. Unfortunately I don't have cygwin installed locally so I can't test
> it out right now.
>
> What you will need to do is either
>
> * Use become on the win_command task (will only work if you are on
>   2.5/devel or newer)
> * Use win_psexec to run the command as the SYSTEM account
>
> With Ansible 2.5 (devel branch), become will be able to run a process
> under an "interactive" logon and so you can do the following
>
> - win_command: C:\cygwin\bin\mintty.exe C:\temp\chmod.sh
>   become: yes
>   become_method: runas
>   become_user: SYSTEM
>
> # or this if it needs to run under the same user
> - win_command: C:\cygwin\bin\mintty.exe C:\temp\chmod.sh
>   become: yes
>   become_method: runas
>   vars:
>     ansible_become_user: '{{ansible_user}}'
>     ansible_become_pass: '{{ansible_password}}'
>
> The first one is preferable as you don't need to supply a password to
> become the SYSTEM account while the 2nd option can be used if you need to
> run it as the same user.
>
> If you are not on Ansible 2.5 (devel), then win_psexec is probably your
> next best bet. The executable psexec.exe is not included with Windows and
> so needs to be installed for it to work, you would need to have
>
> - win_chocolatey:
>     name: psexec
>     state: present
>
> - win_psexec:
>     command: C:\cygwin\bin\mintty.exe C:\temp\chmod.sh
>     interactive: yes
>     system: yes
>
> Other options would be to use scheduled tasks but honestly you are best off
> using become if you are on 2.5, otherwise win_psexec is the next best
> option.
>
> I've tried to explain the concept of elevation and logon session a bit
> further on a blog post https://www.bloggingforlogging.com/2018/01/24/demystifying-winrm/,
> feel free to read it if you like.
>
> Thanks
>
> Jordan
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Ansible Project" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/7inLJoctNLk/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/d7b0e42a-01b1-45a0-be62-b8116bfa2d96%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Thank you,
Larry Pescatore
Lab Engineer, ERG Inc. @ Google
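As an added example (not from the thread, and not Ansible's own code), a small Python parser for the `whoami /all` output quoted above: it pulls out the mandatory label that marks an elevated token, the logon-type SID that distinguishes a network (WinRM) logon from an interactive one, and which privileges are actually Enabled, so the output of the `win_command` check can be evaluated mechanically. The sample output embedded below is constructed, trimmed to the shape of the dump in the thread.

```python
import re

# Well-known constants: integrity-level RIDs (last component of S-1-16-<RID>)
# and the logon-type SIDs Windows adds to a token's group list.
INTEGRITY = {0: "Untrusted", 4096: "Low", 8192: "Medium", 8448: "Medium Plus",
             12288: "High", 16384: "System"}
LOGON_TYPE = {"S-1-5-2": "Network", "S-1-5-3": "Batch",
              "S-1-5-4": "Interactive", "S-1-5-6": "Service"}
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)$")


def parse_whoami_all(text):
    """Summarise a `whoami /all` dump: user, integrity level, logon type, privileges."""
    rep = {"user": None, "integrity": None, "logon": None, "privileges": {}}
    section = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.endswith("INFORMATION"):        # USER / GROUP / PRIVILEGES header
            section = line.split()[0]
        elif section == "USER" and re.search(r"\bS-1-5-21-", line):
            rep["user"] = line.split()[0]
        elif section == "GROUP":
            if m := re.search(r"\bS-1-16-(\d+)\b", line):    # mandatory label row
                rep["integrity"] = INTEGRITY.get(int(m.group(1)), "RID " + m.group(1))
            if m := re.search(r"\b(S-1-5-[2346])\b", line):  # logon-type SID
                rep["logon"] = LOGON_TYPE[m.group(1)]
        elif section == "PRIVILEGES" and (m := PRIV_RE.match(line)):
            rep["privileges"][m.group(1)] = m.group(2) == "Enabled"
    return rep


def is_elevated(report):
    """A High (or System) mandatory label marks an administrator token."""
    return report["integrity"] in ("High", "System")


def enabled_privileges(report):
    return sorted(n for n, on in report["privileges"].items() if on)


# Constructed sample, trimmed to the shape of the output quoted in the thread.
SAMPLE = r"""
USER INFORMATION
domain\vagrant-domain S-1-5-21-3242954042-3778974373-1659123385-1104
GROUP INFORMATION
BUILTIN\Administrators               Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                 Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288
PRIVILEGES INFORMATION
SeDebugPrivilege        Debug programs           Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeShutdownPrivilege     Shut down the system     Disabled
"""
```

Run against the real module output, a `logon` of `Network` together with an `integrity` of `High` is exactly the combination Jordan describes: an elevated token, but not an interactive logon session.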
