
win_domain_computer: OU move is breaking the authentication

Open Udayendu opened this issue 3 years ago • 5 comments

SUMMARY

win_domain_computer is not able to handle the OU move and is breaking the authentication.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
  • win_domain_computer
ANSIBLE VERSION
$ pip3 show ansible
Name: ansible
Version: 4.5.0
Summary: Radically simple IT automation
Home-page: https://ansible.com/
Author: Ansible, Inc.
Author-email: [email protected]
License: GPLv3+
Location: /usr/local/lib/python3.8/dist-packages
Requires: ansible-core
Required-by:

$ pip3 show ansible-core
Name: ansible-core
Version: 2.11.4
Summary: Radically simple IT automation
Home-page: https://ansible.com/
Author: Ansible, Inc.
Author-email: [email protected]
License: GPLv3+
Location: /usr/local/lib/python3.8/dist-packages
Requires: packaging, resolvelib, PyYAML, jinja2, cryptography
Required-by: ansible
COLLECTION VERSION
$ ansible-galaxy collection list community.windows

# /usr/local/lib/python3.8/dist-packages/ansible_collections
Collection        Version
----------------- -------
community.windows 1.6.0
CONFIGURATION
  • Two Windows AD servers are configured
  • AD-level replication has been enabled
  • The auth type is set to CredSSP in the inventory
OS / ENVIRONMENT
  • Ubuntu 20.04 LTS
  • OEL 7.9
STEPS TO REPRODUCE
  • AD: There should be two AD servers, and replication has to be configured
  • Deploy a Windows system in the 'LocalAdmin' OU under the 'example.com' domain
  • Test the login using an AD user and make sure everything is working well
  • Then make a nested OU 'WebApp' under 'LocalAdmin'
  • Now move the VM from 'LocalAdmin' -> 'WebApp' in AD using the below Ansible play:
- name: Moving the WebApp vms from 'LocalAdmin' to 'WebApp' OU
  win_domain_computer:
    dns_hostname: "{{ item.name|upper }}"
    name: "{{ item.name|upper }}"
    ou: "ou=WebApp,ou=LocalAdmin,dc=example,dc=com"
    state: present
  loop: "{{ WebApp }}"
  when: WebApp is defined
  register: result
  • The moment the migration completes, Ansible gives you the below error and fails to log in to the system. Even win_ping won't work.
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: requests_credssp.exceptions.AuthenticationException: Server did not response with a CredSSP token after step Step 5. Delegate Credentials - actual 'Negotiate, Kerberos, CredSSP'
fatal: [xxxxxxxx]: FAILED! => {"msg": "Unexpected failure during module execution.", "stdout": ""}
EXPECTED RESULTS
  • It should work without breaking the AD authentication
ACTUAL RESULTS
  • It's breaking the AD authentication and generating the following error:
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: requests_credssp.exceptions.AuthenticationException: Server did not response with a CredSSP token after step Step 5. Delegate Credentials - actual 'Negotiate, Kerberos, CredSSP'
fatal: [xxxxxxxx]: FAILED! => {"msg": "Unexpected failure during module execution.", "stdout": ""}
  • And if you try to log in using the VM console, you can see the following error: (screenshot attached: 2021-10-26 11_27_56-Window)

Udayendu avatar Oct 26 '21 11:10 Udayendu

@jborean93 could you please take a look at this ?

Udayendu avatar Nov 10 '21 02:11 Udayendu

See https://github.com/ansible-collections/community.windows/issues/317#issuecomment-964743634. I guess this is a question as to whether it's possible to move an object without it breaking the trust between the computer account and AD. If it isn't then there's not much the module can do.

jborean93 avatar Nov 10 '21 03:11 jborean93

> See #317 (comment). I guess this is a question as to whether it's possible to move an object without it breaking the trust between the computer account and AD. If it isn't then there's not much the module can do.

Do you think if that feature is not available, we should file one RFE for the same ?

Udayendu avatar Nov 10 '21 03:11 Udayendu

I don't know, it requires the module author or someone knowledgeable about this setup to comment further. The fastest way to determine if this is possible is to do some research and try things out yourself, otherwise you will have to wait until someone who knows the answer to comment.

jborean93 avatar Nov 10 '21 03:11 jborean93

@Udayendu And similarly to my comment https://github.com/ansible-collections/community.windows/issues/317#issuecomment-1173910833 this is a situation where knowing the real OU names could be very helpful in figuring this out. From my own experience, moving computers between OUs with this module works fine and does not cause any authentication issues. If we could know a little more about how this is being triggered in your environment it could help find a fix.

briantist avatar Jul 04 '22 14:07 briantist

The win_domain_computer module has been deprecated by https://github.com/ansible-collections/community.windows/pull/516 in favour of microsoft.ad.computer. See the migration guide for more info on how to change your code to use the newer module.

The module can certainly move a computer object through different OUs and in testing I was not able to replicate this problem. It could potentially be a problem with GPOs controlling the WinRM configuration and moving the computer object is changing that WinRM configuration breaking Ansible. If this is still a problem with microsoft.ad.computer then I recommend opening an issue with your reproducer at microsoft.ad.

jborean93 avatar May 29 '23 04:05 jborean93
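An added diagnostic for the two hypotheses raised in this thread (a GPO on the destination OU rewriting the WinRM configuration, or a broken computer-account trust); it is not part of the issue, the collection, or the module. It compares the GPOs applied at the source and destination OUs named in the reproducer and flags newly applied GPOs that reference WinRM or credential delegation. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin host and a sample computer name WEBAPP01.

```powershell
# Added diagnostic, not from the issue or from community.windows.
# Requires the ActiveDirectory and GroupPolicy RSAT modules.
param(
    [string]$ComputerName = 'WEBAPP01',                             # assumed sample name
    [string]$OldOu = 'ou=LocalAdmin,dc=example,dc=com',             # OU from the issue
    [string]$NewOu = 'ou=WebApp,ou=LocalAdmin,dc=example,dc=com'    # OU from the issue
)
Import-Module ActiveDirectory, GroupPolicy

# 1. Confirm where the computer object lives after the move.
$comp = Get-ADComputer -Identity $ComputerName
"Computer object DN: $($comp.DistinguishedName)"

# 2. Enabled GPO links that apply at an OU, including links inherited from parents.
function Get-AppliedGpoNames([string]$Ou) {
    (Get-GPInheritance -Target $Ou).InheritedGpoLinks |
        Where-Object { $_.Enabled } |
        Select-Object -ExpandProperty DisplayName
}
$oldGpos = @(Get-AppliedGpoNames $OldOu)
$newGpos = @(Get-AppliedGpoNames $NewOu)

# GPOs that only start applying once the object sits in the new OU.
$added = Compare-Object $oldGpos $newGpos |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject
"GPOs applied only after the move: $($added -join ', ')"

# 3. Inspect each newly applied GPO for settings that can change the WinRM
#    service or credential delegation (what Ansible's CredSSP connection relies on).
foreach ($name in $added) {
    $report = Get-GPOReport -Name $name -ReportType Xml
    if ($report -match 'WinRM|CredSSP|Windows Remote Management|Credentials Delegation') {
        "  REVIEW: '$name' contains WinRM / credential-delegation settings"
    }
}

# 4. On the affected host itself (console, since WinRM is down), two local checks:
#      Test-ComputerSecureChannel -Verbose      # is the machine-account trust intact?
#      Get-ChildItem WSMan:\localhost\Service\Auth  # which auth methods WinRM still accepts
```

Run it from a domain-joined admin workstation after the move; the local checks in step 4 are meant for the VM console the issue mentions.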