Re: [ansible-project] win_shell, kerberos and credential delegation

Thu, 14 May 2020 14:01:28 -0700 

It really depends on how the 'DB.Migrator.exe' binary is set to use 
credentials over a network path. If it's trying to find a credential in the 
user's DPAPI cred store then Kerberos with credential delegation is not 
enough to unlock it. Your options for this case are either:


   - Use become on the task with the connection user credentials
   - Use credssp as the transport

I would also suggest you use win_command and not win_shell for this task. 
The latter is only really useful if you want shell-isms, to run a binary 
win_command is usually enough for you. My personal preference here is to 
use become as that will do more than just fix credential delegation, it 
runs the task in a similar security context as to how it is run 
interactively.

Here is the task as I would write it with become

- name: Execute migrator
  win_command: >
    "{{ backup_path}}\Migrator\DB.Migrator.exe"
    -s
    -connstring "Server=application-listener.dev\applications,64000; 
Database=USERAPPDB; User ID=USERAPP; Integrated Security=True;"
  args:
    chdir: '{{ backup_path }}\Migrator'
  become: yes
  become_method: runas
  vars:
    ansible_become_user: '{{ ansible_user }}'
    ansible_become_pass: '{{ ansible_password }}'
  register: migrator
  failed_when: migrator.rc != 6
  run_once: true

A few things I've changed

   - I've done away with the set_fact task as it shouldn't be needed
   - Used win_command instead of win_shell, the latter shouldn't be needed 
   for your task
   - Using a yaml multiline syntax '>' that turns newlines into spaces so 
   the task line isn't too long
   - Use a double quote for the executable argument. Because it's in a yaml 
   multilines string you don't need to escape that or backslashes making the 
   command line more representative of what will run
   - Use single quotes for quoting YAML values like you need for chdir, no 
   need to escape double quotes
   - Added the become vars to run with become
   
Thanks

Jordan

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/0e36c3a2-579d-4cb8-9cfe-647f57a5b400%40googlegroups.com.

Reply via email to