It really depends on how the 'DB.Migrator.exe' binary is set to use
credentials over a network path. If it's trying to find a credential in the
user's DPAPI cred store then Kerberos with credential delegation is not
enough to unlock it. Your options for this case are either:
- Use become on the task with the connection user credentials
- Use credssp as the transport
I would also suggest you use win_command and not win_shell for this task.
The latter is only really useful if you want shell-isms, to run a binary
win_command is usually enough for you. My personal preference here is to
use become as that will do more than just fix credential delegation, it
runs the task in a similar security context as to how it is run
interactively.
Here is the task as I would write it with become
- name: Execute migrator
win_command: >
"{{ backup_path}}\Migrator\DB.Migrator.exe"
-s
-connstring "Server=application-listener.dev\applications,64000;
Database=USERAPPDB; User ID=USERAPP; Integrated Security=True;"
args:
chdir: '{{ backup_path }}\Migrator'
become: yes
become_method: runas
vars:
ansible_become_user: '{{ ansible_user }}'
ansible_become_pass: '{{ ansible_password }}'
register: migrator
failed_when: migrator.rc != 6
run_once: true
A few things I've changed
- I've done away with the set_fact task as it shouldn't be needed
- Used win_command instead of win_shell, the latter shouldn't be needed
for your task
- Using a yaml multiline syntax '>' that turns newlines into spaces so
the task line isn't too long
- Use a double quote for the executable argument. Because it's in a yaml
multilines string you don't need to escape that or backslashes making the
command line more representative of what will run
- Use single quotes for quoting YAML values like you need for chdir, no
need to escape double quotes
- Added the become vars to run with become
Thanks
Jordan
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/0e36c3a2-579d-4cb8-9cfe-647f57a5b400%40googlegroups.com.
