提前感谢您的阅读和支持。
当我从我的 Ansible 控制器向 Win10 Pro 22H2 主机使用 as become 方法时,我总是遇到标题中提到的错误runas
。我在各种论坛资源上进行了研究,但没有一个能解决我的问题。
有人能告诉我我做错了什么吗?我在下面提供了有关我的实验室设置的信息。
提前致谢;
命令输出ansible -i win_inventory.yaml W10-testhost -m win_whoami -k -bK -vvv
:
The full traceback is:
Exception calling "CreateProcessAsUser" with "9" argument(s): "CreateProcessWithTokenW() failed (A required privilege is not held by the client, Win32ErrorCode 1314)"
At line:103 char:5
+ $result = [Ansible.Become.BecomeUtil]::CreateProcessAsUser($usern ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : Win32Exception
ScriptStackTrace:
at <ScriptBlock>, <No file>: line 103
at <ScriptBlock><End>, <No file>: line 137
at <ScriptBlock>, <No file>: line 11
System.Management.Automation.MethodInvocationException: Exception calling "CreateProcessAsUser" with "9" argument(s): "CreateProcessWithTokenW() failed (A required privilege is not held by the client, Win32ErrorCode 1314)" ---> Ansible.Process.Win32Exception: CreateProcessWithTokenW() failed (A required privilege is not held by the client, Win32ErrorCode 1314)
at Ansible.Become.BecomeUtil.CreateProcessAsUser(String username, String password, LogonFlags logonFlags, LogonType logonType, String lpApplicationName, String lpCommandLine, String lpCurrentDirectory, IDictionary environment, Byte[] stdin) in c:\Users\LocalAdmin\AppData\Local\Temp\orxfw24j.1.cs:line 309
at CallSite.Target(Closure , CallSite , Type , Object , Object , Object , Object , Object , Object , Object , Object , Object )
--- End of inner exception stack trace ---
at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
W10-testhost | FAILED! => {
"changed": false,
"msg": "internal error: failed to become user 'LocalAdmin': Exception calling \"CreateProcessAsUser\" with \"9\" argument(s): \"CreateProcessWithTokenW() failed (A required privilege is not held by the client, Win32ErrorCode 1314)\""
}
入境事实:
- 控制器:Debian 11 amd64,Ansible 2.12.0,库:
- python3-winrm 0.3.0-2;
- python3-ntlm-auth 1.4.0-1;
- python3-请求-ntlm 1.1.0-1.1;
- Win10 Pro 22H2 x64 节点;
- WinRM 设置了 HTTPS 和 NTLM 身份验证,标准本地管理员帐户通过
winrm configSDDL default
对话框被授予完全访问权限。
关于我的 WinRM 侦听器设置的 PowerShell 输出:
Type Name SourceOfValue Value
---- ---- ------------- -----
System.String Address *
System.String Transport HTTPS
System.String Port 5986
System.String Hostname W10-testhost
System.String Enabled true
System.String URLPrefix wsman
System.String CertificateThumbprint <Omitted hash>
System.String ListeningOn_1770022257 127.0.0.1
System.String ListeningOn_35909171 <Omited IPv4>
System.String ListeningOn_1414502903 ::1
有关我的 WinRM 服务的 PowerShell 输出:
Type Name SourceOfValue Value
---- ---- ------------- -----
System.String RootSDDL O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GA;;;S-1-5-21-2796465674-2055441695-237597433-1001)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
System.String MaxConcurrentOperations 4294967295
System.String MaxConcurrentOperationsPerUser 1500
System.String EnumerationTimeoutms 240000
System.String MaxConnections 300
System.String MaxPacketRetrievalTimeSeconds 120
System.String AllowUnencrypted false
Container Auth
Container DefaultPorts
System.String IPv4Filter *
System.String IPv6Filter *
System.String EnableCompatibilityHttpList... false
System.String EnableCompatibilityHttpsLis... false
System.String CertificateThumbprint
System.String AllowRemoteAccess true
我的库存设置(来自-i win_inventory.yaml
文件):
---
win10_hosts:
vars:
ansible_connection: winrm
ansible_become_method: runas
ansible_become_flags: 'logon_type=interactive'
hosts:
W10-testhost:
ansible_host: '<Omitted IP>'
ansible_winrm_transport: ntlm
ansible_winrm_server_cert_validation: ignore
ansible_user: 'LocalAdmin'
ansible_become_user: 'LocalAdmin'
...
最后,我目前尝试过的解决方案:
- 根据官方文档,我尝试使用
SYSTEM
变量ansible_become_user
。导致错误internal error: failed to become user 'SYSTEM': Exception calling \"CreateProcessAsUser\" with \"9\" argument(s): \"Failed to get token for NT AUTHORITY\\SYSTEM required for become as a service account or an account without a password\"
; - 禁用
Limit local account use of blank passwords to console logon only
策略,重新启动 Win10 节点并再次尝试上述第 1 点 - 结果相同; - 根据 MS 关于
CreateProcessAsUser
和CreateProcessWithTokenW
功能的文档,我尝试将以下权限分配给我的本地管理员帐户,然后重新启动 Win10:- SE_ASSIGNPRIMARYTOKEN_NAME(替换进程级令牌);
- SE_INCREASE_QUOTA_NAME(调整进程的内存配额);
- SE_IMPERSONATE_NAME(身份验证后模拟客户端)。
非常感谢您的想法和支持。
答案1
对我有用的最终解决方案,由@GregAskew 和Ansible PSexec 模块文档。
由于我的实验室主机未加入域,因此我必须禁用 UAC 远程限制,然后它才开始工作。为了在计划的生产环境中使用,我决定仅暂时禁用它们。然后我将生产站加入 AD 域并重新启用限制。
关于权限:
如果在禁用 UAC 远程限制并重新启动站点后仍收到有关权限不足的错误,您还必须通过 GPO 添加权限并重新启动计算机。例如,在我的情况下,该CreateProcessAsUser
功能需要SE_ASSIGNPRIMARYTOKEN
权限,而CreateProcessWithTokenW
该功能需要指令SE_IMPERSONATE_NAME
中指定的用户拥有权限become_user
。
最后,我推荐的解决顺序是:
- 如果可以,将站点或服务器加入到域中;
- 如果没有,则禁用 UAC 远程限制并重新启动站点;
- 如果仍然不够,请通过 GPO 分配所需的权限,然后重新启动站。