Thank you very much for your reply. I understand what you mean. When I run whoami through Ansible, the launching user and the user show that it is on, and SeTcbPrivilege = enable and SeDebugPrivilege = enable.
There is some software and I can only install it this way:

1. I log on to the Windows computer myself - I am in the domain administrator group. (I am the one who starts the Ansible)
2. I open the samba share, right-click on the launcher and select "Run as administrator".

This is the only way it works correctly. But for some reason, as soon as I set up a system user in Ansible, I can't copy anything from the samba share. The samba logs say this all the time:

[2023/05/25 23:22:28.105807, 0] ../../source3/auth/auth_util.c:1889(check_account)
  check_account: Failed to convert SID S-1-5-21-1374489729-2609897191-470403182-4723 to a UID (dom_user[AD\vm-win81-1$])

If I look on my computer with samba, I see:

wbinfo -s S-1-5-21-1374489729-2609897191-470403182-4723
AD\VM-WIN81-1$ 1

But when I change the ansible to 2.7, there is no such error. That's right, users have UID but computers don't.

On Friday, May 26, 2023 at 07:17:36 UTC+4, [email protected] wrote:

> 2.3 - 2.9 was a fairly rapid time when it came to become on windows. IIRC
> 2.8 introduced password less become functionality which added more
> stringent checks onto the SYSTEM token that was used in the process. One of
> these checks was to see if the token had the SeTcbPrivilege associated with
> it.
>
> In saying all that, the become flags you are wanting to use don't make too
> much sense with the SYSTEM account. I'm not even sure if they would have
> even applied in 2.7 hence why no error was shown then. Why are you trying
> to use those flags with SYSTEM?
>
> Thanks
>
> Jordan
>
> On Friday, May 26, 2023 at 5:39:47 AM UTC+10 [email protected] wrote:
>
>> I took CentOS8 Stream and installed ansible-core 2.14.2-3.el8 and ansible
>> 7.2.0-1.el8.next
>> All of this was based on python 3.11.2, and it didn't work at all because
>> it returned a None variable, which could not be processed. As I found out
>> from the Internet it is a bug in python 3.11.2
>>
>> I have now installed a version of ansible (4.10.0)
>> ansible-core (2.11.12)
>> Exactly the same error as in version 2.9
>>
>> I wonder if this works for anyone else, or after version 2.7 this is
>> broken?
>>
>> P.S. I have a kerberos authorization
>>
>> On Thursday, May 25, 2023 at 07:37:31 UTC+4, [email protected] wrote:
>>
>>> I use 2.9 and playbook
>>>
>>> ---
>>> - name: become as SYSTEM
>>>   win_whoami:
>>>   become: yes
>>>   become_method: runas
>>>   become_user: System
>>>   register: sys_whoami
>>>
>>> - debug: var=sys_whoami
>>> ---
>>>
>>> All works, no problem.
>>> Add line : ansible_become_flags: logon_type=new_credentials
>>> logon_flags=netcredentials_only
>>>
>>> ERROR:
>>> ---
>>> An exception occurred during task execution. To see the full traceback,
>>> use -vvv. The error was: at
>>> System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame
>>> frame)
>>> fatal: [VM-WIN81-1.AD]: FAILED! => {"changed": false, "msg": "internal
>>> error: failed to become user 'System': Exception calling
>>> \"CreateProcessAsUser\" with \"9\" argument(s): \"Failed to get token for
>>> NT AUTHORITY\\SYSTEM required for become as a service account or an account
>>> without a password\""}
>>> ============================================
>>> I change ansible to version 2.7
>>> Both options work without any problems.
>>> =====
>>> wbinfo -n "NT AUTHORITY\\SYSTEM"
>>> S-1-5-18 SID_WKN_GROUP (5)
>>> wbinfo -s S-1-5-18
>>> NT AUTHORITY\system 5
>>>
>>> On Wednesday, May 24, 2023 at 16:22:14 UTC+4, [email protected] wrote:
>>>
>>>> Pardon my English.
>>>> I have a fully configured CentOS 7. I want to overwrite a file from a
>>>> remote samba server (it enters AD via winbind) to a remote windows
>>>> computer
>>>> in the same domain.
>>>>
>>>> In the beginning, nothing worked. I added a line:
>>>> ansible_become_flags: logon_type=new_credentials
>>>> logon_flags=netcredentials_only
>>>>
>>>> Ansible 2.7 worked without any problems but 2.9 doesn't work.
>>>>
>>>> Is this really broken in 2.9 ?
>>>> (ansible 2.9 from epel el7)
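An added example, not part of the thread and not Ansible or Samba code: a small triage script that pulls the `check_account` SID-to-UID failures quoted above out of a Samba log and marks which ones come from machine accounts (name ending in `$`) rather than users. It assumes Samba writes the record header and the message on consecutive lines; the second and third sample records are constructed.

```python
import re
from collections import Counter

# Samba record header: "[date time.usec, level] source_file:line(function)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\]\s+\S+\((?P<func>\w+)\)")
# Body of the failure message quoted in the thread.
FAILURE = re.compile(
    r"Failed to convert SID (?P<sid>S-[\d-]+) to a UID \(dom_user\[(?P<account>[^\]]+)\]\)")

# Record 1 is the line from the thread; records 2 and 3 are constructed.
SAMPLE_LOG = r"""
[2023/05/25 23:22:28.105807,  0] ../../source3/auth/auth_util.c:1889(check_account)
  check_account: Failed to convert SID S-1-5-21-1374489729-2609897191-470403182-4723 to a UID (dom_user[AD\vm-win81-1$])
[2023/05/25 23:22:29.000000,  3] ../../source3/example.c:1(constructed_function)
  constructed unrelated message
[2023/05/25 23:22:30.000000,  0] ../../source3/auth/auth_util.c:1889(check_account)
  check_account: Failed to convert SID S-1-5-21-1111111111-2222222222-3333333333-1105 to a UID (dom_user[AD\constructed-user])
"""

def unmapped_accounts(log_text):
    """Return one dict per check_account SID-to-UID failure in log_text."""
    events, ts = [], None
    for line in log_text.splitlines():
        header = HEADER.search(line)
        if header:
            # Remember the timestamp only while inside a check_account record.
            ts = header.group("ts") if header.group("func") == "check_account" else None
        failure = FAILURE.search(line)
        if failure and ts:
            account = failure.group("account")
            events.append({
                "time": ts,
                "sid": failure.group("sid"),
                "account": account,
                # AD machine accounts have a name ending in "$".
                "machine_account": account.endswith("$"),
            })
    return events

def summarize(events):
    """Count failures per (account, is_machine_account) pair."""
    return Counter((e["account"], e["machine_account"]) for e in events)

if __name__ == "__main__":
    for (account, is_machine), count in summarize(unmapped_accounts(SAMPLE_LOG)).items():
        kind = "machine account" if is_machine else "user account"
        print(f"{account}: {count} unmapped logon(s), {kind}")
```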
