[ansible-project] Re: Windows mapped drives – what the hell is going on?
This is unfortunately outside of what I know and I can't really offer and more help. From what I can see the registry settings are the same when Ansible creates the drive vs when it's created with net use, even net use sees the drive, it's just not available. What you need to do now is enable file share auditing [1] on the target to try and track down why the drive is unavailable and what error is being reported by SMB that explains the failure a bit more. [1] - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/1ca9fbf1-9902-4d06-9234-a0d31798da3e%40googlegroups.com.
[ansible-project] Re: Windows mapped drives – what the hell is going on?
Hi Jordan, 1) When you map it manually with net use, can you log off and back on and the drive still remains connected and visible in Windows Explorer? - Yes 2) The output for 'net use' on a limited process is showing that the Z map is configured but is unavailable, does the drive show up in Windows Explorer, maybe with a red X? - No, there is no Z: drive 3) If yes to the above, what happens when you try and open it up or just navigate to Z? - N/A 4) Can you use Ansible to map a shared path on any other server? - The same situation on other VMs in the same domain :( 5) In your limited/admin processes you ran the tests on, are they the same account or is your admin account a completely separate account? - I'm not sure if I understood your question correctly, wro4gtp is not an admin account, i ran only powershell app in 'as administrator' mode (all the time I use elvis account) On Thursday, January 16, 2020 at 12:51:50 AM UTC+1, Jordan Borean wrote: > > Unfortunately I cannot explain this at all, a couple of final > question/clarifications > >- When you map it manually with net use, can you log off and back on >and the drive still remains connected and visible in Windows Explorer? >- The output for 'net use' on a limited process is showing that the Z >map is configured but is unavailable, does the drive show up in Windows >Explorer, maybe with a red X >- If yes to the above, what happens when you try and open it up or >just navigate to Z >- Can you use Ansible to map a shared path on any other server >- In your limited/admin processes you ran the tests on, are they the >same account or is your admin account a completely separate account > > The only extra thing you can do is enable file share audit logs on the UNC > target and attempt to audit why the connections are failing. I don't know > of any way to audit the LANMan Redirector locally to see why it failed to > map the drive when you log in after Ansible is run. > > Thanks > > Jordan > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/88e7a8bf-d8cc-44dc-ae63-0d55ce5c5039%40googlegroups.com.
[ansible-project] Re: Windows mapped drives – what the hell is going on?
Unfortunately I cannot explain this at all, a couple of final question/clarifications - When you map it manually with net use, can you log off and back on and the drive still remains connected and visible in Windows Explorer? - The output for 'net use' on a limited process is showing that the Z map is configured but is unavailable, does the drive show up in Windows Explorer, maybe with a red X - If yes to the above, what happens when you try and open it up or just navigate to Z - Can you use Ansible to map a shared path on any other server - In your limited/admin processes you ran the tests on, are they the same account or is your admin account a completely separate account The only extra thing you can do is enable file share audit logs on the UNC target and attempt to audit why the connections are failing. I don't know of any way to audit the LANMan Redirector locally to see why it failed to map the drive when you log in after Ansible is run. Thanks Jordan -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/20f83465-7990-4437-8c4e-61065451c490%40googlegroups.com.
[ansible-project] Re: Windows mapped drives – what the hell is going on?
1) What is the full command you run to map the drive normally (outside of Ansible)? - net use z: \\bellagio.intra.vegas.net\how\the\hell\to\solve\this\issue /persistent:yes' 2) If you manually map it through the GUI are you connecting with explicit credentials? - I'm connecting using mRemote, RDP protocol with the same credentials as configured in Ansible: username:elvis ; domain:bellagio ; password:elvis123 3) a) after mapping via Ansible, nonAdministrator: PS C:\Users\elvis> cmdkey.exe /list Currently stored credentials: Target: MicrosoftAccount:target=SSO_POP_Device Type: Generic User: 02yahgcuuqfcntfq Saved for this logon only Target: WindowsLive:target=virtualapp/didlogical Type: Generic User: 02yahgcuuqfcntfq Local machine persistence b) after mapping via Ansible, Administrator: PS C:\Windows\system32> cmdkey.exe /list Currently stored credentials: Target: MicrosoftAccount:target=SSO_POP_Device Type: Generic User: 02yahgcuuqfcntfq Saved for this logon only Target: WindowsLive:target=virtualapp/didlogical Type: Generic User: 02yahgcuuqfcntfq Local machine persistence c) after manual map, nonAdministrator: PS C:\Users\elvis> cmdkey.exe /list Currently stored credentials: Target: MicrosoftAccount:target=SSO_POP_Device Type: Generic User: 02yahgcuuqfcntfq Saved for this logon only Target: WindowsLive:target=virtualapp/didlogical Type: Generic User: 02yahgcuuqfcntfq Local machine persistence On Wednesday, January 15, 2020 at 12:25:46 PM UTC+1, Jordan Borean wrote: > That is very curious, typically the opposite is the case where the > standard (limited) process is able to see the mapped drive but the admin > process is not. We can see that in both scenarios net use can see that > there is a valid configuration for the mapped drive but it is only > successfully connecting under the administrative process. We can also see > that the registry settings are exactly the same compared to when you map it > manually and when Ansible does it for you. > > This pretty much means there's some sort of credential/authentication > issue that occurs with your limited process compared to the admin process. > >- What is the full command you run to map the drive normally (outside >of Ansible). >- If you manually map it through the GUI are you connecting with >explicit credentials? >- When you map it manually and there is a mapped drive in the GUI, >what is the output for 'cmdkey.exe /list', is there an entry for ' >bellagio.intra.vegas.net'? > > If the answer to the last 2 (or even 1) is with an explicit credential you > will have to do the same thing with Ansible with the win_credential module. > Having a credential present for the server specified will mean that > credential is used for outbound authentication. > > Thanks > > Jordan > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/b171ef85-9aa6-4c98-b4df-71f8bd71b610%40googlegroups.com.
[ansible-project] Re: Windows mapped drives – what the hell is going on?
1) What is the full command you run to map the drive normally (outside of Ansible)? - net use z: \\burak2.intra.noklab.net\Global_veryfication\[4]_TP\Ansible /persistent:yes' 2) If you manually map it through the GUI are you connecting with explicit credentials? - I'm connection using mRemote, RDP protocol with the same credentials as configured in Ansible: username:elvis ; domain:bellagio ; password:elvis123 3) a) after mapping via Ansible, nonAdministrator: PS C:\Users\elvis> cmdkey.exe /list Currently stored credentials: Target: MicrosoftAccount:target=SSO_POP_Device Type: Generic User: 02yahgcuuqfcntfq Saved for this logon only Target: WindowsLive:target=virtualapp/didlogical Type: Generic User: 02yahgcuuqfcntfq Local machine persistence b) after mapping via Ansible, Administrator: PS C:\Windows\system32> cmdkey.exe /list Currently stored credentials: Target: MicrosoftAccount:target=SSO_POP_Device Type: Generic User: 02yahgcuuqfcntfq Saved for this logon only Target: WindowsLive:target=virtualapp/didlogical Type: Generic User: 02yahgcuuqfcntfq Local machine persistence c) after manual map, nonAdministrator: PS C:\Users\elvis> cmdkey.exe /list Currently stored credentials: Target: MicrosoftAccount:target=SSO_POP_Device Type: Generic User: 02yahgcuuqfcntfq Saved for this logon only Target: WindowsLive:target=virtualapp/didlogical Type: Generic User: 02yahgcuuqfcntfq Local machine persistence On Wednesday, January 15, 2020 at 12:25:46 PM UTC+1, Jordan Borean wrote: > > That is very curious, typically the opposite is the case where the > standard (limited) process is able to see the mapped drive but the admin > process is not. We can see that in both scenarios net use can see that > there is a valid configuration for the mapped drive but it is only > successfully connecting under the administrative process. We can also see > that the registry settings are exactly the same compared to when you map it > manually and when Ansible does it for you. > > This pretty much means there's some sort of credential/authentication > issue that occurs with your limited process compared to the admin process. > >- What is the full command you run to map the drive normally (outside >of Ansible). >- If you manually map it through the GUI are you connecting with >explicit credentials? >- When you map it manually and there is a mapped drive in the GUI, >what is the output for 'cmdkey.exe /list', is there an entry for ' >bellagio.intra.vegas.net'? > > If the answer to the last 2 (or even 1) is with an explicit credential you > will have to do the same thing with Ansible with the win_credential module. > Having a credential present for the server specified will mean that > credential is used for outbound authentication. > > Thanks > > Jordan > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/f6964258-2d11-45c5-a7a6-0135071d0058%40googlegroups.com.
[ansible-project] Re: Windows mapped drives – what the hell is going on?
That is very curious, typically the opposite is the case where the standard (limited) process is able to see the mapped drive but the admin process is not. We can see that in both scenarios net use can see that there is a valid configuration for the mapped drive but it is only successfully connecting under the administrative process. We can also see that the registry settings are exactly the same compared to when you map it manually and when Ansible does it for you. This pretty much means there's some sort of credential/authentication issue that occurs with your limited process compared to the admin process. - What is the full command you run to map the drive normally (outside of Ansible). - If you manually map it through the GUI are you connecting with explicit credentials? - When you map it manually and there is a mapped drive in the GUI, what is the output for 'cmdkey.exe /list', is there an entry for 'bellagio.intra.vegas.net'? If the answer to the last 2 (or even 1) is with an explicit credential you will have to do the same thing with Ansible with the win_credential module. Having a credential present for the server specified will mean that credential is used for outbound authentication. Thanks Jordan -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/2b8190d5-bf2f-43dd-806a-010cb89c2574%40googlegroups.com.
[ansible-project] Re: Windows mapped drives – what the hell is going on?
EDIT: 2) PowerShell as Administrator: PS C:\Windows\system32> gdr -PSProvider 'FileSystem' > > > Name Used (GB) Free (GB) Provider Root > CurrentLocation > - - > --- > A FileSystemA:\ > C 17.67 81.79 FileSystemC:\ > Windows\system32 > D FileSystemD:\ > E 0.14 99.86 FileSystemE:\ > Z 465267.94 178455.74 FileSystem\bellagio.intra.vegas > .net\how... > > PS C:\Windows\system32> net use > New connections will be remembered. > > Status Local RemoteNetwork > > --- > OK Z:\\bellagio.intra.vegas.net\how\the\hell\to\solve\ > this\issue > Microsoft Windows Network >\\TSCLIENT\C Microsoft Terminal > Services >\\TSCLIENT\S Microsoft Terminal > Services >\\TSCLIENT\V Microsoft Terminal > Services >\\TSCLIENT\W Microsoft Terminal > Services >\\TSCLIENT\X Microsoft Terminal > Services >\\TSCLIENT\Y Microsoft Terminal > Services >\\TSCLIENT\Z Microsoft Terminal > Services > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/5d74539d-3f16-4124-ac47-989bda2e0ebd%40googlegroups.com.
[ansible-project] Re: Windows mapped drives – what the hell is going on?
It turned out that this issue is somehow related to permissions/security settings - any suggestions? I asked our internal IT team to check security event log: Please, look what I've found: * RDP login, user: elvis * I've mounted drive under Z: letter, Z: drive is visible. Computer\HKEY_CURRENT_USER\Network\Z (Default): REG_SZ (value not set) ConnectFlags: REG_DWORD 0x ConnectionType: REG_DWORD 0x0001 DeferFlags: REG_DWORD 0x0004 ProviderName: REG_SZ Microsoft Windows Network ProviderType: REG_DWORD 0x0002 RemotePath: REG_SZ \\bellagio.intra.vegas.net\how\the\hell\to\solve\this\ issue UserName REG_SZ I've disconnected Z: drive, Z: drive disappeared. Computer\HKEY_CURRENT_USER\Network - there is no Z: * Ansible, ansible_user=el...@intra.vegas.net * I've executed playbook, Z: drive isn't visible in GUI. Computer\HKEY_CURRENT_USER\Network\Z (Default): REG_SZ (value not set) ConnectFlags: REG_DWORD 0x ConnectionType: REG_DWORD 0x0001 DeferFlags: REG_DWORD 0x0004 ProviderName: REG_SZ Microsoft Windows Network ProviderType: REG_DWORD 0x0002 RemotePath: REG_SZ \\bellagio.intra.vegas.net\how\the\hell\to\solve\this\ issue UserName REG_SZ 1) PowerShell normal: PS C:\Users\elvis> gdr -PSProvider 'FileSystem' Name Used (GB) Free (GB) Provider Root CurrentLocation - - --- A FileSystemA:\ C 17.67 81.79 FileSystemC:\ Users\elvis D FileSystemD:\ E 0.14 99.86 FileSystemE:\ PS C:\Users\elvis> net use New connections will be remembered. Status Local RemoteNetwork --- Unavailable Z:\\bellagio.intra.vegas.net\how\the\hell\to\solve\this \issue Microsoft Windows Network \\TSCLIENT\C Microsoft Terminal Services \\TSCLIENT\S Microsoft Terminal Services \\TSCLIENT\V Microsoft Terminal Services \\TSCLIENT\W Microsoft Terminal Services \\TSCLIENT\X Microsoft Terminal Services \\TSCLIENT\Y Microsoft Terminal Services \\TSCLIENT\Z Microsoft Terminal Services The command completed successfully. 2) PowerShell as Administrator: PS C:\Windows\system32> gdr -PSProvider 'FileSystem' Name Used (GB) Free (GB) Provider Root CurrentLocation - - --- A FileSystemA:\ C 17.67 81.79 FileSystemC:\ Windows\system32 D FileSystemD:\ E 0.14 99.86 FileSystemE:\ Z 465267.94 178455.74 FileSystem\bellagio.intra.vegas. net\how... PS C:\Windows\system32> net use New connections will be remembered. Status Local RemoteNetwork --- OK Z:\\bellagio.intra.vegas.net\how\the\hell\to\solve\this \issue Microsoft Windows Network \\TSCLIENT\C Microsoft Terminal Services \\TSCLIENT\S Microsoft Terminal Services \\TSCLIENT\V Microsoft Terminal Services \\TSCLIENT\W Microsoft Terminal Services \\TSCLIENT\X Microsoft Terminal Services \\TSCLIENT\Y Microsoft Terminal Services \\TSCLIENT\Z Microsoft Terminal Services The command completed successfully. On Wednesday, January 15, 2020 at 10:25:54 AM UTC+1, Jordan Borean wrote: > > Sorry about the option name mismatch but glad you found the correct one. > > Your task seems to be correct so it's curious as to why it isn't showing > up. What I recommend you look at; > >- See if the key 'HKCU:\Network\Z' is present and if the entries match >what you set >- Run the command 'net use' on both a normal and elevated (Run as >administrator) and see if any of them show the Z drive > - If they do, see what the status is for it >- Look at the security event logs for
[ansible-project] Re: Windows mapped drives – what the hell is going on?
Sorry about the option name mismatch but glad you found the correct one. Your task seems to be correct so it's curious as to why it isn't showing up. What I recommend you look at; - See if the key 'HKCU:\Network\Z' is present and if the entries match what you set - Run the command 'net use' on both a normal and elevated (Run as administrator) and see if any of them show the Z drive - If they do, see what the status is for it - Look at the security event logs for both the server you are RDP'ing to as well as the target UNC server (bellagio). Thanks Jordan -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/d18ff19d-4d6e-44cc-8462-e1e2a1694d93%40googlegroups.com.
[ansible-project] Re: Windows mapped drives – what the hell is going on?
Hi Jordan,
First of all big thanks for your reply, I'm really surprised how
efficiently this community works.
So, let's cut to the chase. I focused on your first hint and according to
it, I've corrected my playbook: (for others info: there was a 'typo' - name
instead of letter)
- name: Mount Z drive
win_mapped_drive:
letter: Z
path: \\bellagio.infra.vegas.net\how\the\hell\to\solve\this\issue
state: present
become: yes
become_method: runas
vars:
ansible_become_user: '{{ ansible_user }}'
ansible_become_pass: '{{ ansible_password }}'
Playbook has been executed successfully:
TASK [Mount Z drive]
task path: /etc/ansible/playbooks/test.yml:13
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/
win_mapped_drive.ps1
Pipelining is enabled.
<99.88.77.60> ESTABLISH WINRM CONNECTION FOR USER: el...@intra.vegas.net on
PORT 5986 TO 99.88.77.66
EXEC (via pipeline wrapper)
changed: [99.88.77.66] => {
"changed": true,
"invocation": {
"module_args": {
"letter": "Z",
"password": null,
"path":
"bellagio.infra.vegas.net\how\the\hell\to\solve\this\issue",
"state": "present",
"username": null
}
}
}
META: ran handlers
META: ran handlers
PLAY RECAP
**
10.42.197.227 : ok=2changed=1unreachable=0failed=0
skipped=0rescued=0ignored=0
but after I logon using RDP:
domain: INTRA.VEGAS.NET
login: elvis
pass: elvis123
there is still no Z: hard drive mounted.
PS C:\Users\elvis> gdr -PSProvider 'FileSystem'
Name Used (GB) Free (GB) Provider Root
CurrentLocation
- -
---
A FileSystemA:\
C 17.67 81.80 FileSystemC:\
Users\elvis
D FileSystemD:\
E 0.14 99.86 FileSystemE:\
Is it still my wrong understanding of some issue with env? Could you be so
kind to share with me how to investigate this issue?
On Tuesday, January 14, 2020 at 8:39:08 PM UTC+1, Jordan Borean wrote:
>
> Hi, the blog is still accepting comments, I just need to approve them so
> it doesn't get spammed.
>
> As for your issue at hand.
>
> 1) to use Ansible to map this network drive automatically in all VMs for
>> the domain user (mapped drive should be visible after VM reboots, during
>> every RDP sessions using this credentials?
>>
>
> You should be using the win_mapped_drive to create the mapping for the
> user you want. This should be as simple as
>
> - win_mapped_drive:
> name: Z
> path: \\bellagio.infra.vegas.net\how\the\hell\to\solve\this\issue
> state: present
> become: yes
> become_method: runas
> vars:
> ansible_become_user: '{{ ansible_user }}'
> ansible_become_pass: '{{ ansible_password }}'
>
> Because you are using NTLM authentication, the task will not be able to
> access the network path so become is being used to bypass that limitation.
> If you are connecting with Ansible to one account but want the mapped drive
> for another, change the become user/pass vars to the account in question.
> What this task will do is create the mapped drive Z for the become user and
> that drive will appear when they log on locally. When they try and access
> it locally it will use their logon credentials to access the UNC path.
>
> If you need to connect to the UNC path with custom credentials you can add
> the following task *before* the win_mapped_drive one.
>
> - win_credential:
> name: bellagio.infra.vegas.net
> type: domain_password
> username: custom user
> secret: password
> state: present
> become: yes
> become_method: runas
> vars:
> ansible_become_user: '{{ ansible_user }}'
> ansible_become_pass: '{{ ansible_password }}'
>
> This task creates a credential for that host in the become user's
> credential manager and it is used for any outbound authentication attempts
> on that particular host. This enables you to save a credential for a
> network host and then use that credential for the mapped drive. Once again
> become is important for this task to work as the credential manager can
> only be accessed through become when using WinRM. The win_credential module
> is pretty much a wrapper for the same
[ansible-project] Re: Windows mapped drives – what the hell is going on?
Hi Jordan,
First of all big thanks for your reply, I'm really surprised
how efficiently this community works.
So, let's cut to the chase. I focused on your first hint and according to
it, I've corrected my playbook: (for others info: there was a 'typo' -
*name* instead of *letter*)
- name: Mount Z drive
win_mapped_drive:
letter: Z
path: \\bellagio.infra.vegas.net\how\the\hell\to\solve\this\issue
state: present
become: yes
become_method: runas
vars:
ansible_become_user: '{{ ansible_user }}'
ansible_become_pass: '{{ ansible_password }}'
Playbook has been executed successfully:
TASK [Mount Z drive]
task path: /etc/ansible/playbooks/test.yml:13
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/windows/
win_mapped_drive.ps1
Pipelining is enabled.
<10.42.197.227> ESTABLISH WINRM CONNECTION FOR USER: wro4...@intra.noklab.net
on PORT 5986 TO 10.42.197.227
EXEC (via pipeline wrapper)
changed: [99.88.77.66] => {
"changed": true,
"invocation": {
"module_args": {
"letter": "Z",
"password": null,
"path": "bellagio.infra.vegas.net\how\the\hell\to\solve\this
\issue",
"state": "present",
"username": null
}
}
}
META: ran handlers
META: ran handlers
PLAY RECAP
**
10.42.197.227 : ok=2changed=1unreachable=0failed=0
skipped=0rescued=0ignored=0
but after I logon using RDP:
domain: INTRA.VEGAS.NET
login: elvis
pass: elvis123
there is still no Z: hard drive mounted.
PS C:\Users\elvis> gdr -PSProvider 'FileSystem'
Name Used (GB) Free (GB) Provider Root
CurrentLocation
- -
---
A FileSystemA:\
C 17.67 81.80 FileSystemC:\
Users\elvis
D FileSystemD:\
E 0.14 99.86 FileSystemE:\
Is it still my wrong understanding of some issue with env? Could you be so
kind to share with me how to
On Tuesday, January 14, 2020 at 8:39:08 PM UTC+1, Jordan Borean wrote:
>
> Hi, the blog is still accepting comments, I just need to approve them so
> it doesn't get spammed.
>
> As for your issue at hand.
>
> 1) to use Ansible to map this network drive automatically in all VMs for
>> the domain user (mapped drive should be visible after VM reboots, during
>> every RDP sessions using this credentials?
>>
>
> You should be using the win_mapped_drive to create the mapping for the
> user you want. This should be as simple as
>
> - win_mapped_drive:
> name: Z
> path: \\bellagio.infra.vegas.net\how\the\hell\to\solve\this\issue
> state: present
> become: yes
> become_method: runas
> vars:
> ansible_become_user: '{{ ansible_user }}'
> ansible_become_pass: '{{ ansible_password }}'
>
> Because you are using NTLM authentication, the task will not be able to
> access the network path so become is being used to bypass that limitation.
> If you are connecting with Ansible to one account but want the mapped drive
> for another, change the become user/pass vars to the account in question.
> What this task will do is create the mapped drive Z for the become user and
> that drive will appear when they log on locally. When they try and access
> it locally it will use their logon credentials to access the UNC path.
>
> If you need to connect to the UNC path with custom credentials you can add
> the following task *before* the win_mapped_drive one.
>
> - win_credential:
> name: bellagio.infra.vegas.net
> type: domain_password
> username: custom user
> secret: password
> state: present
> become: yes
> become_method: runas
> vars:
> ansible_become_user: '{{ ansible_user }}'
> ansible_become_pass: '{{ ansible_password }}'
>
> This task creates a credential for that host in the become user's
> credential manager and it is used for any outbound authentication attempts
> on that particular host. This enables you to save a credential for a
> network host and then use that credential for the mapped drive. Once again
> become is important for this task to work as the credential manager can
> only be accessed through become when using WinRM. The win_credential module
> is pretty much a wrapper for the same functionality that
[ansible-project] Re: Windows mapped drives – what the hell is going on?
Having a file server mounted on lots of windows client pcs is a common pattern in windows shops but I decided to use a web server and make the windows client machines collect the apps they need using win_get_url module. Hope this helps, Jon On Tuesday, January 14, 2020 at 1:57:40 PM UTC, Pjotr Banas wrote: > > Hello experts, > > I was trying to reach Jordan on his blog: > http://www.bloggingforlogging.com/2018/11/22/windows-mapped-drives-what-the-hell-is-going-on/#comment-178 > ,but > I see that comments are closed, so maybe here someone can help me with my > issue: > > > I've read article from the blog and I've tried to understand it, but I'm > still confued. Probably due to low level of win knowledge... > Could you try to help me and try to answer to my questions in simple > words(?) > > My scenario: I've several dozen win VMs deployed for my team, we thought > that the good idea is to use Ansible to confiure and customize them for our > purposes inlcuding network drive mapping (later using it as a repo with > apps/scripts which we want to install/use on VMs using Ansible). VMs are > deployed by internal network team and what we get is a clean windows VM > with domain username and pass. Mapped drive should be visible for mentioned > domain user after logon to VM using RDP. Ansible has been instaled and > configure succesfully - connection with VMs working well. Due to some > 'probably' security policy and network configuration only one way of auth > option was to use NTLM. > > Of course, it's possible to map network drive on every VM using RDP with > mentioned domain user. > > --- Network drive --- > > \\bellagio.intra.vegas.net\how\the\hell\to\solve\this\issue > > --- Ansible hosts --- > > [winhost] > 99.88.77.66 > 99.88.77.65 > > [winhost:vars] > ansible_user=el...@intra.vegas.net > ansible_password=elvis123 > ansible_connection=winrm > ansible_winrm_transport=ntlm > ansible_winrm_message_encryption=always > ansible_winrm_server_cert_validation=ignore > > Is it possible: > 1) to use Ansible to map this network drive automatically in all VMs for > the domain user (mapped drive should be visible after VM reboots, during > every RDP sessions using this credentials? > > 2) to use this mapped drive as a 'repo place' for future purposes - to > copy scrips, apps from this drive to VMs using Ansible? > > Best regards, Peter > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/69e98077-66e3-4cdd-9a52-9f464cdfeb59%40googlegroups.com.
[ansible-project] Re: Windows mapped drives – what the hell is going on?
Hi, the blog is still accepting comments, I just need to approve them so it
doesn't get spammed.
As for your issue at hand.
1) to use Ansible to map this network drive automatically in all VMs for
> the domain user (mapped drive should be visible after VM reboots, during
> every RDP sessions using this credentials?
>
You should be using the win_mapped_drive to create the mapping for the
user you want. This should be as simple as
- win_mapped_drive:
name: Z
path: \\bellagio.infra.vegas.net\how\the\hell\to\solve\this\issue
state: present
become: yes
become_method: runas
vars:
ansible_become_user: '{{ ansible_user }}'
ansible_become_pass: '{{ ansible_password }}'
Because you are using NTLM authentication, the task will not be able to
access the network path so become is being used to bypass that limitation.
If you are connecting with Ansible to one account but want the mapped drive
for another, change the become user/pass vars to the account in question.
What this task will do is create the mapped drive Z for the become user and
that drive will appear when they log on locally. When they try and access
it locally it will use their logon credentials to access the UNC path.
If you need to connect to the UNC path with custom credentials you can add
the following task *before* the win_mapped_drive one.
- win_credential:
name: bellagio.infra.vegas.net
type: domain_password
username: custom user
secret: password
state: present
become: yes
become_method: runas
vars:
ansible_become_user: '{{ ansible_user }}'
ansible_become_pass: '{{ ansible_password }}'
This task creates a credential for that host in the become user's
credential manager and it is used for any outbound authentication attempts
on that particular host. This enables you to save a credential for a
network host and then use that credential for the mapped drive. Once again
become is important for this task to work as the credential manager can
only be accessed through become when using WinRM. The win_credential module
is pretty much a wrapper for the same functionality that cmdkey.exe offers
[1].
2) to use this mapped drive as a 'repo place' for future purposes - to copy
> scrips, apps from this drive to VMs using Ansible?
>
This is not possible, ultimately it is next to impossible to do. A network
logon like WinRM will not mount the network mounts for you so even with
become it won't appear in Ansible. Technically it is possible to create a
"global" mapped drive which always appears but credential management in
this scenario is not ideal. I would highly recommend you don't create a
global mount at all, the blog post does mention how it can be possible
though.
For your problem, you should always use the full UNC path in your Ansible
scripts. This is beneficial for a few reasons
1. You are not relying on the host to be setup in a particular method
for your Ansible scripts to work
2. The Ansible playbook is self documenting as to where it is
referencing a file rather than something trying to figure out 'M:\path'
refers to this network host
3. Mapped drives are a pain and are really only designed for interactive
setups, which Ansible is not
If you just don't want to type out the full path for each task, use an
Ansible fact/variable that references the UNC path for you. If you are
having trouble trying to connect to a UNC path that's probably due to the
double hop problem with WinRM. See our documentation for more info on how
to overcome the double hop problem [2].
[1] -
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
[2] -
https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#limitations
Thanks
Jordan
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/bffc2e28-919f-45c2-95b3-2df192450579%40googlegroups.com.
