2.3 - 2.9 was a fairly rapid time when it came to become on Windows. IIRC 2.8 introduced passwordless become functionality which added more stringent checks onto the SYSTEM token that was used in the process. One of these checks was to see if the token had the SeTcbPrivilege associated with it.
In saying all that, the become flags you are wanting to use don't make too much sense with the SYSTEM account. I'm not even sure if they would have even applied in 2.7, hence why no error was shown then. Why are you trying to use those flags with SYSTEM?

Thanks

Jordan

On Friday, May 26, 2023 at 5:39:47 AM UTC+10 sergey....@gmail.com wrote:

> I took CentOS8 Stream and installed ansible-core 2.14.2-3.el8 and ansible 7.2.0-1.el8.next
> All of this was based on Python 3.11.2, and it didn't work at all because it returned a None variable, which could not be processed. As I found out from the Internet, it is a bug in Python 3.11.2
>
> I have now installed a version of ansible (4.10.0)
> ansible-core (2.11.12)
> Exactly the same error as in version 2.9
>
> I wonder if this works for anyone else, or after version 2.7 this is broken?
>
> P.S. I have a Kerberos authorization
>
> Thursday, May 25, 2023 at 07:37:31 UTC+4, sergey....@gmail.com:
>
>> I use 2.9 and playbook
>>
>> ---
>> - name: become as SYSTEM
>>   win_whoami:
>>   become: yes
>>   become_method: runas
>>   become_user: System
>>   register: sys_whoami
>>
>> - debug: var=sys_whoami
>> ---
>>
>> All works, no problem.
>> Add line: ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
>>
>> ERROR:
>> ---
>> An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
>> fatal: [VM-WIN81-1.AD]: FAILED! => {"changed": false, "msg": "internal error: failed to become user 'System': Exception calling \"CreateProcessAsUser\" with \"9\" argument(s): \"Failed to get token for NT AUTHORITY\\SYSTEM required for become as a service account or an account without a password\""}
>> ============================================
>> I changed ansible to version 2.7
>> Both options work without any problems.
>> =====
>> wbinfo -n "NT AUTHORITY\\SYSTEM"
>> S-1-5-18 SID_WKN_GROUP (5)
>> wbinfo -s S-1-5-18
>> NT AUTHORITY\system 5
>>
>> Wednesday, May 24, 2023 at 16:22:14 UTC+4, sergey....@gmail.com:
>>
>>> Pardon my English.
>>> I have a fully configured CentOS 7. I want to overwrite a file from a remote samba server (it enters AD via winbind) to a remote windows computer in the same domain.
>>>
>>> In the beginning, nothing worked. I added a line:
>>> ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
>>>
>>> Ansible 2.7 worked without any problems but 2.9 doesn't work.
>>>
>>> Is this really broken in 2.9?
>>> (ansible 2.9 from epel el7)