runas become returns Win32ErrorCode 1314: A required privilege is not held by the client

Thanks in advance for reading and for your support.
When I use the runas become method from my Ansible controller against a Win10 Pro 22H2 host, I always get the error mentioned in the title. I have researched it on various forum resources, but none of them solved my problem.

Can someone tell me what I am doing wrong? I have provided information about my lab setup below.
Thanks in advance;

Output of the command ansible -i win_inventory.yaml W10-testhost -m win_whoami -k -bK -vvv:

The full traceback is:
Exception calling "CreateProcessAsUser" with "9" argument(s): "CreateProcessWithTokenW() failed (A required privilege is not held by the client, Win32ErrorCode 1314)"
At line:103 char:5
+     $result = [Ansible.Become.BecomeUtil]::CreateProcessAsUser($usern ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : Win32Exception

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 103
at <ScriptBlock><End>, <No file>: line 137
at <ScriptBlock>, <No file>: line 11

System.Management.Automation.MethodInvocationException: Exception calling "CreateProcessAsUser" with "9" argument(s): "CreateProcessWithTokenW() failed (A required privilege is not held by the client, Win32ErrorCode 1314)" ---> Ansible.Process.Win32Exception: CreateProcessWithTokenW() failed (A required privilege is not held by the client, Win32ErrorCode 1314)
   at Ansible.Become.BecomeUtil.CreateProcessAsUser(String username, String password, LogonFlags logonFlags, LogonType logonType, String lpApplicationName, String lpCommandLine, String lpCurrentDirectory, IDictionary environment, Byte[] stdin) in c:\Users\LocalAdmin\AppData\Local\Temp\orxfw24j.1.cs:line 309
   at CallSite.Target(Closure , CallSite , Type , Object , Object , Object , Object , Object , Object , Object , Object , Object )
   --- End of inner exception stack trace ---
   at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
   at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
W10-testhost | FAILED! => {
    "changed": false,
    "msg": "internal error: failed to become user 'LocalAdmin': Exception calling \"CreateProcessAsUser\" with \"9\" argument(s): \"CreateProcessWithTokenW() failed (A required privilege is not held by the client, Win32ErrorCode 1314)\""
}

Lab facts:

  • Controller: Debian 11 amd64, Ansible 2.12.0, libraries:
    • python3-winrm 0.3.0-2;
    • python3-ntlm-auth 1.4.0-1;
    • python3-requests-ntlm 1.1.0-1.1;
  • Win10 Pro 22H2 x64 node;
  • WinRM set up with HTTPS and NTLM authentication; the standard local administrator account was granted full access via the winrm configSDDL default dialog.

PowerShell output for my WinRM listener settings:

Type            Name                           SourceOfValue   Value                                                                                                                          
----            ----                           -------------   -----                                                                                                                          
System.String   Address                                        *                                                                                                                              
System.String   Transport                                      HTTPS                                                                                                                          
System.String   Port                                           5986                                                                                                                           
System.String   Hostname                                       W10-testhost                                                                                                                   
System.String   Enabled                                        true                                                                                                                           
System.String   URLPrefix                                      wsman                                                                                                                          
System.String   CertificateThumbprint                          <Omitted hash>                                                                                       
System.String   ListeningOn_1770022257                         127.0.0.1                                                                                                                      
System.String   ListeningOn_35909171                           <Omited IPv4>                                                                                                                 
System.String   ListeningOn_1414502903                         ::1                                                                                                                            

PowerShell output for my WinRM service:

Type            Name                           SourceOfValue   Value                                                                                                                          
----            ----                           -------------   -----                                                                                                                          
System.String   RootSDDL                                       O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)(A;;GA;;;S-1-5-21-2796465674-2055441695-237597433-1001)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)  
System.String   MaxConcurrentOperations                        4294967295                                                                                                                     
System.String   MaxConcurrentOperationsPerUser                 1500                                                                                                                           
System.String   EnumerationTimeoutms                           240000                                                                                                                         
System.String   MaxConnections                                 300                                                                                                                            
System.String   MaxPacketRetrievalTimeSeconds                  120                                                                                                                            
System.String   AllowUnencrypted                               false                                                                                                                          
Container       Auth                                                                                                                                                                          
Container       DefaultPorts                                                                                                                                                                  
System.String   IPv4Filter                                     *                                                                                                                              
System.String   IPv6Filter                                     *                                                                                                                              
System.String   EnableCompatibilityHttpList...                 false                                                                                                                          
System.String   EnableCompatibilityHttpsLis...                 false                                                                                                                          
System.String   CertificateThumbprint                                                                                                                                                         
System.String   AllowRemoteAccess                              true

My inventory settings (from the -i win_inventory.yaml file):

---
win10_hosts:
  vars:
    ansible_connection: winrm
    ansible_become_method: runas
    ansible_become_flags: 'logon_type=interactive'
  hosts:
    W10-testhost:
      ansible_host: '<Omitted IP>'
      ansible_winrm_transport: ntlm
      ansible_winrm_server_cert_validation: ignore
      ansible_user: 'LocalAdmin'
      ansible_become_user: 'LocalAdmin'
...

Finally, the solutions I have tried so far:

  1. As per the official documentation, I tried using SYSTEM for the ansible_become_user variable. This resulted in the error internal error: failed to become user 'SYSTEM': Exception calling \"CreateProcessAsUser\" with \"9\" argument(s): \"Failed to get token for NT AUTHORITY\\SYSTEM required for become as a service account or an account without a password\"
  2. Disabled the Limit local account use of blank passwords to console logon only policy, rebooted the Win10 node and tried point 1 above again - same result;
  3. Following the MS documentation for the CreateProcessAsUser and CreateProcessWithTokenW functions, I tried assigning the following privileges to my local administrator account and then rebooted Win10:
    • SE_ASSIGNPRIMARYTOKEN_NAME (Replace a process level token);
    • SE_INCREASE_QUOTA_NAME (Adjust memory quotas for a process);
    • SE_IMPERSONATE_NAME (Impersonate a client after authentication).

Many thanks for your ideas and support.

Answer 1

The final solution that worked for me, thanks to @GregAskew and the Ansible psexec module documentation:
Since my lab host is not domain-joined, I had to disable UAC remote restrictions, and then it started working. For use in the planned production environment I decided to disable them only temporarily; I then joined the production workstations to the AD domain and re-enabled the restrictions.

Regarding privileges:
If, after disabling UAC remote restrictions and rebooting the workstation, you still get errors about insufficient privileges, you also have to add the privileges via GPO and reboot the machine. For example, in my case the CreateProcessAsUser function requires the SE_ASSIGNPRIMARYTOKEN privilege, while the CreateProcessWithTokenW function requires the user specified in the become_user directive to hold the SE_IMPERSONATE_NAME privilege.

Finally, my recommended order of resolution is:

  1. If you can, join the workstation or server to a domain;
  2. If not, disable UAC remote restrictions and reboot the workstation;
  3. If that is still not enough, assign the required privileges via GPO and reboot the workstation.
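
As an added example (not code from the original question or answer), the PowerShell script below applies the answer's diagnosis to a standalone host. It reports whether UAC remote restrictions are active (the LocalAccountTokenFilterPolicy registry value that the answer's "disable UAC remote restrictions" step sets to 1), whether the current token is a UAC-filtered administrator token, which of the two privileges Ansible's runas become path relies on (SeAssignPrimaryTokenPrivilege for CreateProcessAsUserW, SeImpersonatePrivilege for the CreateProcessWithTokenW fallback seen in the traceback) are absent from that token, and what the local User Rights Assignment currently grants for those two rights. With -Remediate it writes the registry value. The function names, the -Remediate switch and the temporary export file name are this example's own choices and are not from the original post or from Ansible.

```powershell
# Added example, not code from the original question or answer.
# Diagnoses the two causes of "Win32ErrorCode 1314" the answer describes on a
# standalone (workgroup) Windows host and, with -Remediate, disables UAC remote
# restrictions. Run it through the same WinRM channel Ansible uses, without
# become, so the token inspected is the one the runas fallback inherits.
[CmdletBinding()]
param(
    # Read-only by default; the registry write happens only with -Remediate.
    [switch]$Remediate
)

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyName = 'LocalAccountTokenFilterPolicy'
# Ansible's runas become tries CreateProcessAsUserW (needs the first privilege)
# and falls back to CreateProcessWithTokenW (needs the second).
$required = @('SeAssignPrimaryTokenPrivilege', 'SeImpersonatePrivilege')

function Test-FilteredAdminToken {
    # Under UAC remote restrictions a local Administrators member logging on over
    # the network gets a filtered token: the account is still in the group, but the
    # group is deny-only in the token, so IsInRole(Administrator) comes back false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $inRole    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $members   = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    $isMember  = @($members | ForEach-Object { $_.SID }) -contains $identity.User
    return ($isMember -and -not $inRole)
}

function Get-TokenPrivilegeName {
    # whoami lists privileges present in the token (enabled or disabled); a
    # privilege stripped by UAC filtering does not appear at all.
    whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object { $_.'Privilege Name' }
}

function Get-RemoteUacState {
    $value = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName
    [pscustomobject]@{
        DomainJoined             = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain
        # Absent or 0 means the restrictions are active (the workgroup default).
        RemoteRestrictionsActive = ($value -ne 1)
    }
}

function Get-UserRightAssignment {
    # Effective local User Rights Assignment, i.e. what the GPO step in the answer changes.
    # secedit needs an unfiltered administrator token; if the export fails, nothing is printed.
    $inf = Join-Path $env:TEMP 'ura-export.inf'   # temporary file name chosen for this example
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (Test-Path $inf) {
        Get-Content $inf | Where-Object { $_ -match '^Se(AssignPrimaryToken|Impersonate)Privilege' }
        Remove-Item $inf -Force
    }
}

function Disable-RemoteUacRestrictions {
    # The "disable UAC remote restrictions" step from the answer (Microsoft KB 951016):
    # LocalAccountTokenFilterPolicy = 1 hands local administrators their full token over
    # the network. It applies to new network logons; the answer rebooted afterwards anyway.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name $policyName -Value 1 -PropertyType DWord -Force | Out-Null
}

$state   = Get-RemoteUacState
$held    = @(Get-TokenPrivilegeName)
$missing = @($required | Where-Object { $held -notcontains $_ })

Write-Output ("Domain joined               : {0}" -f $state.DomainJoined)
Write-Output ("UAC remote restrictions     : {0}" -f $(if ($state.RemoteRestrictionsActive) { 'active' } else { 'disabled' }))
Write-Output ("Filtered admin token        : {0}" -f (Test-FilteredAdminToken))
Write-Output ("Privileges become relies on : {0}" -f ($required -join ', '))
Write-Output ("Missing from this token     : {0}" -f $(if ($missing) { $missing -join ', ' } else { 'none' }))
Write-Output "User Rights Assignment      :"
Get-UserRightAssignment | ForEach-Object { "  $_" }

if ($missing.Count -gt 0 -and $state.RemoteRestrictionsActive -and -not $state.DomainJoined) {
    if ($Remediate) {
        Disable-RemoteUacRestrictions
        Write-Output "Set $policyName=1. Reboot, then re-run: ansible ... -m win_whoami -k -bK"
    } else {
        Write-Output "Run again with -Remediate to set $policyName=1, or join the host to a domain."
    }
} elseif ($missing.Count -gt 0) {
    # Unfiltered token that still lacks a privilege: grant it via User Rights Assignment
    # ("Impersonate a client after authentication" / "Replace a process level token") and reboot.
    Write-Output ("Token is not filtered but lacks {0}; assign via GPO and reboot." -f ($missing -join ', '))
}
```

Run it from the controller with win_shell and without -b, so the token you inspect is the filtered one that produced the 1314 in the question rather than an interactive console token. On a default installation the Administrators group already holds SeImpersonatePrivilege, so once filtering is removed the CreateProcessWithTokenW fallback succeeds without any GPO change; SeAssignPrimaryTokenPrivilege is not granted to administrators by default, which is why step 3 of the answer is only needed if the full token still reports it missing and you want the CreateProcessAsUserW path.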
