community.windows
win_domain_user module fails due to Get-ADPrincipalGroupMembership cmdlet 'internal error'
SUMMARY
Duplicate of bug 44573
When attempting to create a new user with the win_domain_user module, the PowerShell cmdlet Get-ADPrincipalGroupMembership fails with an internal error. This is a known issue with the cmdlet; however, I have not been able to reproduce it outside of a production environment where I encountered it with a Windows 2012 R2 domain.
Public conversations on the issue indicate it is related to the use of special characters in the DN of a group, OU or user associated with the usage of the cmdlet; however, I tested the use of _ and \ using Windows 2012 R2, 2016 and 2019 member servers and a Windows 2012 R2 domain and could not reproduce it outside of the production environment I was working with.
Request to replace the usage of this cmdlet with an alternative method to obtain group memberships, will raise pull request for same.
ISSUE TYPE
- Bug Report
COMPONENT NAME
win_domain_user
ANSIBLE VERSION
ansible 2.9.6
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /bin/ansible
python version = 3.6.8 (default, Oct 11 2019, 15:04:54) [GCC 8.3.1 20190507 (Red Hat 8.3.1-4)]
CONFIGURATION
OS / ENVIRONMENT
Target OS Windows 2012 R2 Domain Controller Tested on Windows 2012 R2 and 2019 Member servers
STEPS TO REPRODUCE
Attempt to create a
EXPECTED RESULTS
User is created successfully and module completes successfully.
ACTUAL RESULTS
User is created; however, the module fails with an error associated with the Get-ADPrincipalGroupMembership cmdlet.
"exception": "The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.\r\nAt line:355 char:25\r\n+ Foreach ($group in (Get-ADPrincipalGroupMembership $username @extra_args)) {\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : NotSpecified: (ismzxf01:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException\r\n + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership\r\n\r\nScriptStackTrace:\r\nat <ScriptBlock>, <No file>: line 355\r\n\r\nMicrosoft.ActiveDirectory.Management.ADException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs. ---> System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. 
For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.\r\n\r\nServer stack trace: \r\n at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)\r\n at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)\r\n at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)\r\n at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)\r\n at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)\r\n\r\nException rethrown at [0]: \r\n at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)\r\n at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)\r\n at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADPrincipalGroupMembership(GetADPrincipalGroupMembershipRequest request)\r\n at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADPrincipalGroupMembership(GetADPrincipalGroupMembershipRequest request)\r\n --- End of inner exception stack trace ---\r\n at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(FaultException faultException)\r\n at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADPrincipalGroupMembership(GetADPrincipalGroupMembershipRequest request)\r\n at 
Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManagement.GetADPrincipalGroupMembership(ADSessionHandle handle, GetADPrincipalGroupMembershipRequest request)\r\n at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetPrincipalGroupMembership(String partitionDN, String principalDN, String resourceContextServer, String resourceContextPartition)\r\n at Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership.GetGroupMembershipProcessCSRoutine()\r\n at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()\r\n at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()",
"msg": "Unhandled exception while executing module: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.",
"_ansible_no_log": false,
"changed": false
I realise I was not working with the latest version of the module, which now includes a catch and warning to handle this error, however it doesn't prevent the issue from occurring with the problematic cmdlet so wanted to see if we could remove it. #44573
@jborean93 Would you be open to replacing the use of the cmdlet with something like the below to obtain group-membership?
(Get-ADUser -Identity $username @extra_args -Properties memberOf | Select-Object -ExpandProperty memberOf | Get-ADGroup @extra_args)
I would like to help if you're open to this idea?
@itblaked can you provide a patch for it ?
I was able to make it work by using this:
Function Get-PrincipalGroups {
    Param ($identity, $args_extra)
    try {
        # Original call, which raised the ADWS internal error reported above:
        # $groups = Get-ADPrincipalGroupMembership -Identity $identity @args_extra -ErrorAction Stop
        # Read the user's memberOf back-link instead and resolve each group DN to a group object.
        $groups = Get-ADUser -Identity $identity @args_extra -Properties memberOf -ErrorAction Stop |
            Select-Object -ExpandProperty memberOf |
            Get-ADGroup @args_extra -ErrorAction Stop
    } catch {
        Add-Warning -obj $result -message "Failed to enumerate user groups but continuing on.: $($_.Exception.Message)"
        return @()
    }
    $result_groups = foreach ($group in $groups) {
        $group.DistinguishedName
    }
    return $result_groups
}
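The memberOf-based replacement proposed above (both the one-liner suggested to @jborean93 and the Get-PrincipalGroups function), written out as an added example that is not the module's or any commenter's code. It assumes the ActiveDirectory module is loaded and that $ExtraArgs carries the same -Server/-Credential splat the module builds; it also resolves the user's primary group, which the memberOf attribute never contains but Get-ADPrincipalGroupMembership does return, so a drop-in replacement that only reads memberOf silently loses one group (normally Domain Users).

```powershell
# Added example, not the win_domain_user module's own code.
# Enumerates a user's group DNs without Get-ADPrincipalGroupMembership.
Function Get-UserGroupDNs {
    Param (
        [Parameter(Mandatory)][string]$Identity,
        [hashtable]$ExtraArgs = @{}   # e.g. @{ Server = 'dc01'; Credential = $cred } (assumed)
    )
    try {
        $user = Get-ADUser -Identity $Identity @ExtraArgs `
            -Properties memberOf, primaryGroupID, SID -ErrorAction Stop
    } catch {
        Write-Warning "Failed to read user '$Identity': $($_.Exception.Message)"
        return @()
    }

    $dns = [System.Collections.Generic.List[string]]::new()

    # memberOf is the back-link of each group's member attribute. The primary
    # group is tracked only by the primaryGroupID RID, so rebuild its SID from
    # the user's domain SID and look it up separately.
    try {
        $domainSid = $user.SID.AccountDomainSid.Value
        $primary = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)" @ExtraArgs -ErrorAction Stop
        $dns.Add($primary.DistinguishedName)
    } catch {
        Write-Warning "Could not resolve primary group: $($_.Exception.Message)"
    }

    # memberOf already holds distinguished names, so no further lookup is
    # needed unless other group properties are wanted.
    foreach ($dn in $user.memberOf) {
        if (-not $dns.Contains($dn)) { $dns.Add($dn) }
    }
    return $dns.ToArray()
}

# Usage (identity and server are placeholders):
# Get-UserGroupDNs -Identity 'jdoe' -ExtraArgs @{ Server = 'dc01.example.test' }
```

Comparing the output of this function against Get-ADPrincipalGroupMembership on a healthy domain is a quick way to confirm the two agree before swapping the cmdlet in the module.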
@jsalatiel I can confirm that this works for me as well using this:
ansible 2.10.7
config file = None
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.6/dist-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.6.9 (default, Jan 26 2021, 15:33:00) [GCC 8.4.0]
My PowerShell skills are very rusty, so no actual clue what the change does... but it works... should someone maybe open up a pull request to fix this? Or better question: do you know why that change fixes the issue?
I was able to make it work by using this:
Function Get-PrincipalGroups {
    Param ($identity, $args_extra)
    try {
        # Original call, which raised the ADWS internal error reported above:
        # $groups = Get-ADPrincipalGroupMembership -Identity $identity @args_extra -ErrorAction Stop
        $groups = Get-ADUser -Identity $identity @args_extra -Properties memberOf -ErrorAction Stop |
            Select-Object -ExpandProperty memberOf |
            Get-ADGroup @args_extra -ErrorAction Stop
    } catch {
        Add-Warning -obj $result -message "Failed to enumerate user groups but continuing on.: $($_.Exception.Message)"
        return @()
    }
    $result_groups = foreach ($group in $groups) {
        $group.DistinguishedName
    }
    return $result_groups
}
I have no idea why it works. Just tried from another comment.
Maybe include a brief pause between the time the object is created and the time it is queried from the global catalog?
I believe there may be a slight delay before the object is available in the GC; it is only a partial replica of the naming context, but it is still a replica, so it cannot be instantaneous. I mention this because this cmdlet specifically queries the Global Catalog (as opposed to Get-ADUser or Get-ADGroupMember).
I have run into issues with use of Get-ADPrincipalGroupMembership for groups with forward slashes "/". This technet forum link shows the module has had the issue for years MS technet link. Suggest Get-ADPrincipalGroupMembership is not used.
Duplicate of https://github.com/ansible-collections/community.windows/issues/142