
Nesting groups from another domain with a 2-way trust in-place

Open peacockjwp opened this issue 3 years ago • 2 comments

SUMMARY

I have two domains that are joined by a 2-way trust. I am trying to nest groups from one domain into a group of another. It works when manually doing this nesting. However, when using this ansible module it will not process the group when trying to nest a group from the other domain of the 2-way trust.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

community.windows.win_domain_group_membership

ANSIBLE VERSION
ansible 2.9.18
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/extpeajos/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Aug 18 2020, 08:33:21) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
CONFIGURATION
Nothing returned
OS / ENVIRONMENT

Windows 2019 AD functional level 2016

STEPS TO REPRODUCE

```yaml
- hosts: Domain_Controllers
  gather_facts: no
  vars_files:
    - /etc/ansible/vars/global_windows_vars.yml
    - /etc/ansible/vars/global_vars.yml

  tasks:
    - name: Ensure Application top-level group Memberships are correct
      community.windows.win_domain_group_membership:
        domain_server: dc01.abc.org
        name: Fileshare - Administration
        members:
          - otherdomain\IT SECURITY
        state: present
      run_once: true
```

EXPECTED RESULTS

populate the group memberships with a domain group from the domain that is on the other end of the 2-way trust.

ACTUAL RESULTS

```
The full traceback is: An operations error occurred
At line:53 char:19
+ $members_before = Get-AdGroupMember -Identity $ADGroup @extra_args
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=Fil...abc,DC=org:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 53

Microsoft.ActiveDirectory.Management.ADException: An operations error occurred ---> System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault]: Active Directory returned an error processing the operation.

Server stack trace:
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   --- End of inner exception stack trace ---
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForErrorCode(String message, String errorCode, String extendedErrorMessage, Exception innerException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException)
   at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManagement.GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request)
   at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN, Boolean recursive)
   at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSRoutine()
   at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()

fatal: [lm-scpv2-dc01.sanfordconnectpartnerlab.org]: FAILED! => {
    "changed": false,
    "msg": "Unhandled exception while executing module: An operations error occurred"
}
```


peacockjwp, May 06 '21 17:05
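The traceback above fails inside `Get-ADGroupMember`, which tries to resolve every member object through ADWS. As an added diagnostic (not part of the community.windows module or the reporter's playbook), the following PowerShell reads the group's raw `member` attribute with `Get-ADGroup` instead, then looks up each entry on the same server and translates any foreign security principal's SID to a `DOMAIN\Name` so you can see which member from the trusted domain cannot be resolved. The server and group names are taken from the playbook above; everything else is assumed and should be adjusted for your environment.

```powershell
# Added diagnostic for the error reported above; not code from the
# community.windows module. Assumes the ActiveDirectory module is installed
# and that the caller can read the group on the given domain controller.
param(
    [string]$Server = 'dc01.abc.org',                 # taken from the playbook above
    [string]$Group  = 'Fileshare - Administration'    # taken from the playbook above
)

Import-Module ActiveDirectory

# Read the 'member' attribute directly. Unlike Get-ADGroupMember this does not
# ask ADWS to resolve each member object, so it succeeds even when a member
# from the trusted domain cannot be resolved.
$adGroup = Get-ADGroup -Identity $Group -Server $Server -Properties member

foreach ($dn in $adGroup.member) {
    # Members from the other side of the trust are stored in this domain as
    # foreignSecurityPrincipal objects under CN=ForeignSecurityPrincipals.
    $obj = Get-ADObject -Identity $dn -Server $Server -Properties objectSid

    $resolvedAs = $null
    if ($obj.ObjectClass -eq 'foreignSecurityPrincipal') {
        try {
            # SID-to-name translation goes over the trust; a failure here points
            # at name resolution, connectivity or the trust itself rather than
            # at the group's own permissions.
            $sid = [System.Security.Principal.SecurityIdentifier]$obj.objectSid
            $resolvedAs = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $resolvedAs = "UNRESOLVED ($($_.Exception.Message))"
        }
    }

    [pscustomobject]@{
        DistinguishedName = $dn
        ObjectClass       = $obj.ObjectClass
        ResolvedAs        = $resolvedAs
    }
}
```

Run it on a domain controller (or any host with RSAT) as the same account the playbook uses; an `UNRESOLVED` row identifies the member that makes the resolving `Get-ADGroupMember` call in the module fail, while a clean listing of `DOMAIN\Name` values indicates the trust is healthy and the problem lies elsewhere.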

@peacockjwp just to make sure does your ansible_user have the rights to read/add/modify groups?

gamethis, Sep 17 '21 13:09

Yes I tried with a DA account to make sure.


peacockjwp, Sep 17 '21 13:09

The win_domain_computer module has been deprecated by https://github.com/ansible-collections/community.windows/pull/516 in favour of microsoft.ad.computer. See the migration guide for more info on how to change your code to use the newer module.

While I am unsure if this specific issue has been fixed, the new microsoft.ad.computer module has been rewritten from scratch and may have solved this issue for you. If not, I recommend opening a new issue on microsoft.ad.

jborean93, May 29 '23 04:05