
win_domain_user module fails due to Get-ADPrincipalGroupMembership (The operation being requested was not performed because the user has not been authenticated)

Open jsalatiel opened this issue 3 years ago • 10 comments

SUMMARY

When attempting to create a new user with the win_domain_user module, the PowerShell cmdlet Get-ADPrincipalGroupMembership fails with "The operation being requested was not performed because the user has not been authenticated".

ISSUE TYPE
  • Bug Report
COMPONENT NAME

win_domain_user

ANSIBLE VERSION
  ansible 2.9.11
  config file = None
  configured module search path = [u'/home/user/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python2.7/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.17 (default, Apr 15 2020, 17:20:14) [GCC 7.5.0]

CONFIGURATION

OS / ENVIRONMENT

Target OS Windows Server 2016 DataCenter

STEPS TO REPRODUCE
        win_domain_user:
          name: bob
          domain_server: dc01
          password: B0bP4ssw0rd
          state: present
          path: ou=USERS,ou=TESTDOMAIN,dc=SANDBOX,dc=LAB
          groups:
            - Domain Admins



EXPECTED RESULTS

User is created successfully and module completes successfully.

ACTUAL RESULTS

User is created, but is not added to the group, and task returns FAILED status.

The operation being requested was not performed because the user has not been authenticated
At line:280 char:29
+ ... ($group in (Get-ADPrincipalGroupMembership -Identity $username @extra ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (bob:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1244,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 280

Microsoft.ActiveDirectory.Management.ADException: The operation being requested was not performed because the user has not been authenticated ---> System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADPrincipalGroupMembershipFault]: Active Directory returned an error processing the operation.

Server stack trace: 
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADPrincipalGroupMembership(GetADPrincipalGroupMembershipRequest request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADPrincipalGroupMembership(GetADPrincipalGroupMembershipRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForExtendedError(String extendedErrorMessage, Exception innerException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADPrincipalGroupMembership(GetADPrincipalGroupMembershipRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManagement.GetADPrincipalGroupMembership(ADSessionHandle handle, GetADPrincipalGroupMembershipRequest request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetPrincipalGroupMembership(String partitionDN, String principalDN, String resourceContextServer, String resourceContextPartition)
   at Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership.GetGroupMembershipProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
fatal: [obfuscated]: FAILED! => {
    "changed": false, 
    "msg": "Unhandled exception while executing module: The operation being requested was not performed because the user has not been authenticated"
}


jsalatiel avatar Sep 15 '20 13:09 jsalatiel

The code in this collection is set to warn on a failure instead of actually fail https://github.com/ansible-collections/community.windows/blob/6c811198795e7ef4a83061af1857a62cc9da4c59/plugins/modules/win_domain_user.ps1#L128-L133. It doesn't fix the underlying problem but at least allows the module to continue running.

jborean93 avatar Sep 15 '20 19:09 jborean93

Hi, which Ansible version provides that module version?

jsalatiel avatar Sep 16 '20 11:09 jsalatiel

Ansible 2.10 will be the first one to include this collection.

jborean93 avatar Sep 16 '20 18:09 jborean93

I was able to make the module work as expected by replacing that cmdlet as mentioned on https://github.com/ansible-collections/community.windows/issues/116

Function Get-PrincipalGroups {
    Param ($identity, $args_extra)
    try {
        # Original cmdlet, which fails with the ADWS "user has not been authenticated" error:
        # $groups = Get-ADPrincipalGroupMembership -Identity $identity @args_extra -ErrorAction Stop
        # Read the memberOf backlinks from the user object instead and resolve each DN to a group.
        $groups = Get-ADUser -Identity $identity @args_extra -Properties memberOf -ErrorAction Stop |
            Select-Object -ExpandProperty memberOf |
            Get-ADGroup @args_extra -ErrorAction Stop
    } catch {
        Add-Warning -obj $result -message "Failed to enumerate user groups but continuing on.: $($_.Exception.Message)"
        return @()
    }

    $result_groups = foreach ($group in $groups) {
        $group.DistinguishedName
    }
    return $result_groups
}

Maybe not the best approach, but it works.

jsalatiel avatar Sep 18 '20 12:09 jsalatiel
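The workaround above swaps the ADWS GetADPrincipalGroupMembership custom action for a plain read of the user's memberOf attribute. The example below is added here and is not code from the community.windows module or from any commenter; it assumes the ActiveDirectory module is installed, and the function names, the `$ExtraArgs` hashtable (carrying the Server/Credential keys the module splats) and the placeholder values dc01 and bob are assumptions. It goes one step further than the snippet: memberOf never lists the primary group (Domain Users by default) while Get-ADPrincipalGroupMembership does, so the primary group is resolved from primaryGroupID to keep the result equivalent, and a second function applies only the membership delta the way a state=present module would.

```powershell
# Added example, not code from the community.windows module.
# Assumes the ActiveDirectory module and that $ExtraArgs only carries
# Server/Credential (hypothetical hashtable name).

Function Get-PrimaryGroupDN {
    Param([Parameter(Mandatory)]$User, [hashtable]$ExtraArgs = @{})
    # The primary group SID is the domain SID followed by the primaryGroupID RID.
    $domainSid = (Get-ADDomain @ExtraArgs).DomainSID.Value
    (Get-ADGroup -Identity "$domainSid-$($User.primaryGroupID)" @ExtraArgs -ErrorAction Stop).DistinguishedName
}

Function Get-PrincipalGroupDNs {
    <#
      Distinguished names of every group the principal belongs to, read from the
      memberOf backlink instead of the ADWS GetADPrincipalGroupMembership action.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory)][string]$Identity,
        [hashtable]$ExtraArgs = @{}      # e.g. @{ Server = 'dc01'; Credential = $cred }
    )
    $user = Get-ADUser -Identity $Identity -Properties memberOf, primaryGroupID @ExtraArgs -ErrorAction Stop
    $dns = @($user.memberOf | ForEach-Object { [string]$_ })
    # memberOf omits the primary group; add it so the output matches the old cmdlet.
    $primary = Get-PrimaryGroupDN -User $user -ExtraArgs $ExtraArgs
    if ($dns -notcontains $primary) { $dns += $primary }
    return $dns
}

Function Sync-PrincipalGroups {
    <#
      Make the user's group membership match -DesiredGroups (names or DNs),
      applying only the delta and never touching the primary group.
      Returns the change set so a caller can report changed=true/false.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    Param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$DesiredGroups,
        [hashtable]$ExtraArgs = @{}
    )
    $user    = Get-ADUser -Identity $Identity -Properties memberOf, primaryGroupID @ExtraArgs -ErrorAction Stop
    $primary = Get-PrimaryGroupDN -User $user -ExtraArgs $ExtraArgs
    $current = @($user.memberOf | ForEach-Object { [string]$_ })
    # Resolve names to DNs on the same server so comparisons are exact.
    $desired = @($DesiredGroups |
        ForEach-Object { (Get-ADGroup -Identity $_ @ExtraArgs -ErrorAction Stop).DistinguishedName } |
        Where-Object { $_ -ne $primary })

    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })

    foreach ($g in $toAdd) {
        if ($PSCmdlet.ShouldProcess($Identity, "add to $g")) {
            Add-ADGroupMember -Identity $g -Members $user @ExtraArgs -ErrorAction Stop
        }
    }
    foreach ($g in $toRemove) {
        if ($PSCmdlet.ShouldProcess($Identity, "remove from $g")) {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false @ExtraArgs -ErrorAction Stop
        }
    }
    [pscustomobject]@{
        Added   = $toAdd
        Removed = $toRemove
        Changed = ($toAdd.Count + $toRemove.Count) -gt 0
    }
}

# Usage (placeholder values):
# $ctx = @{ Server = 'dc01'; Credential = (Get-Credential) }
# Get-PrincipalGroupDNs -Identity bob -ExtraArgs $ctx
# Sync-PrincipalGroups -Identity bob -DesiredGroups 'Domain Admins' -ExtraArgs $ctx -WhatIf
```

Run Sync-PrincipalGroups with -WhatIf first: it prints the exact add/remove operations without touching the directory, which is the check you want before a pipeline adds anything to Domain Admins.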

This seems to impact only some of my environments, does anyone know why?

git-cgallagher avatar Jan 14 '21 15:01 git-cgallagher

I have essentially the same problem, but it’s very random and only happens sometimes.

I try to create users in a loop, and whenever I run this, it happens sometimes. But actually quite rarely. But it’s really annoying, since it runs in a pipeline and the thing just randomly fails, and if you rerun it either succeeds or fails randomly at another user.

EDIT: I don’t even map the user to a group. I simply try to add/change them.

janaurka avatar Feb 11 '21 15:02 janaurka


@jsalatiel @janaurka I can confirm that the proposed change works. If someone could explain to me why that change works, that would be interesting to know, because I think we should raise a PR and ask someone to review and preferably merge this upstream ASAP, as I don't want to be manually fixing/working with forked collections on my CI/CD pipelines.

GoozeyX avatar Apr 04 '21 19:04 GoozeyX

I was at the customer site where this bug was discovered. It was partly resolved by updating to 1.2.0, which fixed Function Test-Credential {}.

This also has to do with an account that has the SAM Name field populated incorrectly. If you do not populate the Attributes: field with a SAM name, then the default is created with the same value as your object name in AD. To fix this, here's an example of what I have in my attributes dictionary: - { key: "sAMAccountName", value: "{{ username |default(none) or omit }}" } being passed by the attributes: flag. And I also have the identity: flag being populated with "{{ username }}" so it searches for the SAM based on this as well.

Setting sAMAccountName and identity to the username correctly and updating to 1.2.0 fixed this issue for me

tarmael avatar Apr 05 '21 23:04 tarmael

For the record, this problem occurred for me when I connect this module to a slave Domain Controller; when I connect to the master Domain Controller the problem did not occur.

Will probably try a more recent version (now in a collection) than the one included in Ansible 2.9.

JYL

lenhof avatar Jun 29 '21 13:06 lenhof

We had the same problem as @lenhof. We use the Directory Service from AWS. In our case the primary and secondary instance changed in the background. After switching the IP address it worked again.

I tried some versions from the windows collection but it did not work.

snakebyte91 avatar Jul 14 '21 05:07 snakebyte91
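The last three comments point at the same operational pattern: the failure shows up when a run talks to one DC for the write and a different DC (a secondary, or a directory-service endpoint whose backing instance changed) for the read, and it went away once sAMAccountName was set explicitly and the lookup used that value. The example below is added here and is not part of community.windows or any commenter's code; it assumes the ActiveDirectory module, a credential with rights on the target OU, and placeholder names (dc01, bob, the OU DN) borrowed from the repro at the top of the issue. It resolves one writable DC, checks that ADWS on TCP 9389 actually answers there, then creates the user with an explicit sAMAccountName and reads it back from the same server.

```powershell
# Added example, not code from community.windows or microsoft.ad.
# Assumes the ActiveDirectory module; dc01, bob and the OU DN are placeholders.

Function Resolve-PinnedDC {
    <#
      Return a single DC host name to use for every call in a run. A
      round-robin or directory-service address can send consecutive calls to
      different DCs; resolving once and pinning avoids that.
    #>
    Param([string]$Preferred)   # e.g. the domain_server value; empty = discover
    if ($Preferred) {
        $dc = Get-ADDomainController -Identity $Preferred -ErrorAction Stop
    } else {
        $dc = Get-ADDomainController -Discover -Writable -ForceDiscover -ErrorAction Stop
    }
    $hostName = [string]$dc.HostName
    # The AD cmdlets use ADWS on TCP 9389, not LDAP; an LDAP-only probe proves nothing here.
    $probe = Test-NetConnection -ComputerName $hostName -Port 9389 -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "ADWS (TCP 9389) is not reachable on $hostName"
    }
    return $hostName
}

Function New-PinnedDomainUser {
    Param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$Server,
        [pscredential]$Credential
    )
    $ctx = @{ Server = $Server }
    if ($Credential) { $ctx.Credential = $Credential }

    # Look up by identity rather than building an LDAP filter string from $Name,
    # so a crafted name cannot change the query.
    $existing = $null
    try {
        $existing = Get-ADUser -Identity $Name @ctx -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $existing = $null
    }

    if (-not $existing) {
        # Set sAMAccountName explicitly instead of relying on the default derived from Name.
        New-ADUser -Name $Name -SamAccountName $Name -Path $Path `
            -AccountPassword $Password -Enabled $true @ctx -ErrorAction Stop
    }

    # Read back from the same DC: a read against another DC may not see the
    # object until replication has caught up.
    return Get-ADUser -Identity $Name -Properties memberOf @ctx -ErrorAction Stop
}

# Usage (placeholder values):
# $dc   = Resolve-PinnedDC -Preferred 'dc01'
# $user = New-PinnedDomainUser -Name bob `
#             -Path 'ou=USERS,ou=TESTDOMAIN,dc=SANDBOX,dc=LAB' `
#             -Password (Read-Host -AsSecureString 'Password') `
#             -Server $dc -Credential (Get-Credential)
# $user.memberOf
```

In a playbook the equivalent is to resolve the DC once, store its host name in a fact, and pass that same value as domain_server to every win_domain_user task in the play rather than a load-balanced or directory-service address.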

The win_domain_user module has been deprecated by https://github.com/ansible-collections/community.windows/pull/516 in favour of microsoft.ad.user. See the migration guide for more info on how to change your code to use the newer module.

The microsoft.ad.user module contains the new warning rather than failure behaviour reported here. The same applies to win_domain_user in newer community.windows collection versions.

jborean93 avatar May 29 '23 04:05 jborean93