
microsoft.ad's Introduction

Ansible Collection: microsoft.ad


The microsoft.ad collection includes the plugins supported by Ansible to help manage Microsoft Active Directory.

Ansible version compatibility

This collection has been tested against the following Ansible versions: >=2.14.

Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions. PEP440 is the schema used to describe the versions of Ansible.

Collection Documentation

Browsing the latest collection documentation will show docs for the latest version released in the Ansible package not the latest version of the collection released on Galaxy.

Browsing the devel collection documentation shows docs for the latest version released on Galaxy.

We also separately publish latest commit collection documentation which shows docs for the latest commit in the main branch.

If you use the Ansible package and don't update collections independently, use latest. If you install or update this collection directly from Galaxy, use devel. If you are looking to contribute, use latest commit.

Release Policy

This collection follows semantic versioning (major.minor.patch) which in short means:

  • A patch release can only contain bug fixes
  • A minor release can contain bug fixes, features, and new deprecations
  • A major release can contain bug fixes, features, new deprecations, removal of features, and other breaking changes

Deprecated features can be removed only 2 years after the deprecation warning was added. Once a deprecation warning has lasted for 2 years, the feature will be removed in the next major release.

Installation and Usage

Installing the Collection from Ansible Galaxy

Before using the Active Directory collection, you need to install it with the ansible-galaxy CLI:

ansible-galaxy collection install microsoft.ad

You can also include it in a requirements.yml file and install it via ansible-galaxy collection install -r requirements.yml using the format:

collections:
- name: microsoft.ad

Contributing to this collection

We welcome community contributions to this collection. If you find problems, please open an issue or create a PR against the Ansible Active Directory collection repository. See Contributing to Ansible-maintained collections for details.

See Developing modules for Windows for specifics on Windows modules.

You can also join us on the #ansible-windows libera.chat IRC channel.

See the Ansible Community Guide for details on contributing to Ansible.

Code of Conduct

This collection follows the Ansible project's Code of Conduct. Please read and familiarize yourself with this document.

Testing with ansible-test

The tests directory contains configuration for running sanity and integration tests using ansible-test.

You can run the collection's test suites with the commands:

ansible-test sanity --docker
ansible-test windows-integration --docker

Publishing New Version

The current process for publishing new versions of the Microsoft AD Collection is done through a tagged release which triggers a Zuul run. Before the tag is set, the following steps must be done.

  • Update galaxy.yml with the new version for the collection.
  • Update the CHANGELOG:
    • Make sure you have antsibull-changelog installed (pip install antsibull-changelog).
    • Make sure there are fragments for all known changes in changelogs/fragments.
    • Add a new release_summary fragment: echo "release_summary: Release summary for v..." > changelogs/fragments/release-summary.yml
    • Run antsibull-changelog release.
  • Commit the changes and wait for CI to be green
  • Create a release with the tag that matches the version number
    • The tag is the version number itself and must not carry any prefix
    • This will trigger a build and publish the collection to AH and Galaxy
    • The Zuul job progress will be listed here

After the version is published, verify it exists on the Active Directory Galaxy page.
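The steps above rely on a few invariants that are easy to get wrong by hand: galaxy.yml must carry a major.minor.patch version, the tag must be exactly that version with no prefix, and a release_summary fragment must exist before antsibull-changelog release is run. The script below is an added example, not the collection's own release tooling; it checks those invariants against a checkout before the tag is pushed. The function names are this example's own, and galaxy.yml is read with a regex rather than PyYAML so the script has no extra dependency.

```python
"""Pre-tag checks for the release steps above.

This is an added example, not the collection's own release tooling.  It
encodes the invariants the steps rely on: galaxy.yml carries a
major.minor.patch version, the git tag equals that version with no prefix,
and changelogs/fragments contains a release_summary fragment.  galaxy.yml is
read with a regex rather than PyYAML so the script has no extra dependency;
the function names are this example's own.
"""
import re
import sys
from pathlib import Path
from typing import Iterable, List

SEMVER = re.compile(r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$")


def read_galaxy_version(galaxy_yml_text: str) -> str:
    """Return the top-level `version:` value from galaxy.yml text."""
    for line in galaxy_yml_text.splitlines():
        match = re.match(r"^version:\s*[\"']?([^\"'\s#]+)", line)
        if match:
            return match.group(1)
    raise ValueError("galaxy.yml has no top-level version key")


def check_tag(tag: str, version: str) -> List[str]:
    """Return the problems with a proposed tag; an empty list means it is acceptable."""
    problems = []
    if not SEMVER.match(version):
        problems.append(f"version {version!r} is not major.minor.patch")
    if tag.startswith(("v", "V")):
        problems.append(f"tag {tag!r} must not carry a prefix")
    if tag != version:
        problems.append(f"tag {tag!r} must equal the galaxy.yml version {version!r}")
    return problems


def has_release_summary(fragment_texts: Iterable[str]) -> bool:
    """True if any changelog fragment defines a release_summary key."""
    return any(
        re.search(r"^release_summary:", text, re.MULTILINE) for text in fragment_texts
    )


def preflight(repo: Path, tag: str) -> List[str]:
    """Run every check against a checkout and return the list of problems."""
    version = read_galaxy_version((repo / "galaxy.yml").read_text())
    problems = check_tag(tag, version)
    fragments = sorted((repo / "changelogs" / "fragments").glob("*.y*ml"))
    if not has_release_summary(f.read_text() for f in fragments):
        problems.append("no release_summary fragment in changelogs/fragments")
    return problems


if __name__ == "__main__":
    # Usage: python release_preflight.py <path-to-checkout> <tag>
    found = preflight(Path(sys.argv[1]), sys.argv[2])
    for problem in found:
        print("FAIL:", problem)
    sys.exit(1 if found else 0)
```

Run it from the repository root with the tag you intend to create; a non-zero exit means at least one of the steps above has not been completed.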

More Information

For more information about Ansible's Windows integration, join the #ansible-windows channel on libera.chat IRC, and browse the resources in the Windows Working Group Community wiki page.

License

GNU General Public License v3.0 or later

See COPYING to see the full text.

microsoft.ad's People

Contributors

aristotelos, briantist, gianlu, gotit96, jborean93, timway


microsoft.ad's Issues

microsoft.ad.computer fails to move existing computer when it already exists using name, path parameters

SUMMARY

I'm encountering an issue when using the microsoft.ad.computer module in Ansible to move computer objects to a desired OU. The same task works without issue when using the community.windows.win_domain_computer module.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.computer

ANSIBLE VERSION
ansible [core 2.14.2]
  config file = /usr/local/Ansible/Windows/ansible.cfg
  configured module search path = ['/home/svc-account/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /home/svc-account/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.2 (main, Jun  6 2023, 07:39:01) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] (/usr/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection   Version
------------ -------
microsoft.ad 1.2.0
CONFIGURATION
CONFIG_FILE() = /usr/local/Ansible/Windows/ansible.cfg
DEFAULT_HOST_LIST(/usr/local/Ansible/Windows/ansible.cfg) = ['/usr/local/Ansible/Windows/hosts']
DEFAULT_TIMEOUT(/usr/local/Ansible/Windows/ansible.cfg) = 30
DEFAULT_VAULT_PASSWORD_FILE(/usr/local/Ansible/Windows/ansible.cfg) = /home/svc-account/.vpf
HOST_KEY_CHECKING(/usr/local/Ansible/Windows/ansible.cfg) = False
OS / ENVIRONMENT

Windows Server 2019+ environment

STEPS TO REPRODUCE
- name: Move computer objects to desired OU "{{ ou }}"
  microsoft.ad.computer:
    domain_server: "{{ domain_server }}"
    domain_username: "{{ domain_server }}\\{{ domain_admin_username }}"
    domain_password: "{{ domain_admin_password }}"
    name: "{{ item | strip_fqdn }}"
    path: "{{ ou }}"
    enabled: yes
    state: present
  loop: "{{ groups[domain + '_provision_servers'] }}"
  register: move_ou
EXPECTED RESULTS

Expecting pre-existing computer object(s) to move OUs to what is defined in path on name: short computer name

ACTUAL RESULTS
  • Computer MYSERVER pre-exists in CN=MYSERVER,OU=Test,OU=Managed Servers,DC=mydomain,DC=lab,DC=local

  • Tries to issue New-ADComputer when it should be Move-ADObject, why is the module not aware that the object exists?

  • I am passing in the Name of the object so MYSERVER

  • I briefly looked at the source and it seems like it performs a Get-* operation and determines whether it needs to use New-AdComputer vs Move-ADComputer

  • Does name need to be the Distinguished Name or does the module abstract that for me?

{
  "changed": false,
  "invocation": {
    "module_args": {
      "domain_server": "mydomain.lab.local",
      "protect_from_deletion": null,
      "sam_account_name": "MYSERVER$",
      "identity": null,
      "upn": null,
      "path": "OU=Web,OU=Managed Servers,DC=mydomain,DC=lab,DC=local",
      "dns_hostname": "MYSERVER.mydomain.lab.local",
      "trusted_for_delegation": null,
      "state": "present",
      "description": null,
      "kerberos_encryption_types": null,
      "domain_username": "mydomain.lab.local\\[email protected]",
      "enabled": true,
      "delegates": null,
      "spn": null,
      "managed_by": null,
      "location": null,
      "domain_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
      "attributes": {
        "add": {},
        "set": {},
        "remove": {}
      },
      "display_name": null,
      "name": "MYSERVER"
    }
  },
  "distinguished_name": null,
  "object_guid": null,
  "failed": true,
  "msg": "New-ADComputer failed: The specified account already exists",
  "exception": "The specified account already exists\r\nAt line:963 char:29\r\n+                 $adObject = \u0026 $newCommand @newParams @adParams\r\n+                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : ResourceExists: (CN=MYSERVER,...lab,DC=local:String) [New-ADComputer], ADIdentityAlreadyExistsException\r\n    + FullyQualifiedErrorId : ActiveDirectoryServer:1316,Microsoft.ActiveDirectory.Management.Commands.NewADComputer\r\n\r\nScriptStackTrace:\r\nat Invoke-AnsibleADObject, \u003cNo file\u003e: line 963\r\nat \u003cScriptBlock\u003e, \u003cNo file\u003e: line 204"
}

microsoft.ad.ldap inventory plugin filters on objectclass "computer" per default

SUMMARY

By default, the microsoft.ad.ldap inventory plugin uses the ldap filter (objectClass=computer). Using the plugin parameter filter, it is possible to specify custom ldap filter definitions and search for specific objects in the ldap tree. However, the custom filter definition is always used in combination with the default filter.

This behavior leads to errors on systems that have a custom ldap/ad schema and do not contain the objectClass computer.

It seems like the following code lines are responsible for the explained behavior:

computer_filter = sansldap.FilterEquality("objectClass", b"computer")
final_filter: sansldap.LDAPFilter
if ldap_filter:
    final_filter = sansldap.FilterAnd(
        filters=[
            computer_filter,
            sansldap.LDAPFilter.from_string(ldap_filter),
        ]
    )
else:
    final_filter = computer_filter

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.ldap inventory plugin

ANSIBLE VERSION
ansible [core 2.15.0]
  config file = /home/USER/ansible.cfg
  configured module search path = ['/home/USER/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /home/USER/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.9.16 (main, May 29 2023, 00:00:00) [GCC 11.3.1 20221121] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection   Version
------------ -------
microsoft.ad 1.2.0
CONFIGURATION
CACHE_PLUGIN(env: ANSIBLE_CACHE_PLUGIN) = jsonfile
DEFAULT_STDOUT_CALLBACK(env: ANSIBLE_STDOUT_CALLBACK) = awx_display
HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False
RETRY_FILES_ENABLED(env: ANSIBLE_RETRY_FILES_ENABLED) = False
OS / ENVIRONMENT
  • LDAP server with a custom schema, objectClass computer does not exist
STEPS TO REPRODUCE

To reproduce the issue, an LDAP server with a custom schema is required. An example of the inventory configuration is provided below.

---
plugin: microsoft.ad.ldap

### LDAP connection options

server: hostname.example.com
port: 389

encrypt: false
auth_protocol: simple
cert_validation: ignore

### Search Options

search_base: "ou=Test,DC=test,DC=com"
search_scope: subtree

filter: "(objectClass=test)"

When the configuration of the inventory is finished, the ansible-inventory command can be used to receive a list of all hosts.

ansible-inventory -i test.microsoft.ad.ldap.yml --list
EXPECTED RESULTS

The filters aren't combined. The expected result is that the filter is set correctly and the query returns a list of all hosts in the ldap tree.

ACTUAL RESULTS
[WARNING]:  * Failed to parse /home/USER/test.microsoft.ad.ldap.yml with ansible_collections.microsoft.ad.plugins.inventory.ldap plugin: 'attributeTypes'
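The code quoted in this issue always ANDs (objectClass=computer) with whatever the user supplies in filter, so a custom filter can only ever narrow the set of computer objects, never replace it. The block below is an added example, not the collection's code: it reproduces that composition as plain string handling (no sansldap dependency), adds a switch named include_computer_filter so the default can be dropped for a directory whose schema has no computer class, and runs the resulting filter over a constructed sample directory with a small evaluator to show which hosts each variant returns. The switch and every function name here are this example's own, not documented plugin options.

```python
"""How the inventory plugin's default filter combines with a custom one.

This is an added example, not the collection's code.  It reproduces, as
plain string handling without the sansldap library, the behaviour quoted in
the issue: (objectClass=computer) is AND-ed with any user supplied filter.
It adds a switch, include_computer_filter, so the default can be dropped
for a directory whose schema has no computer class; that switch and every
function name here are this example's own, not documented plugin options.
A small evaluator then runs the resulting filter over constructed entries
to show which hosts each variant would return.
"""
from typing import Dict, List

DEFAULT_FILTER = "(objectClass=computer)"


def _balanced(expr: str) -> bool:
    """Cheap syntax check: parentheses must balance and never go negative."""
    depth = 0
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_filter(user_filter: str = "", include_computer_filter: bool = True) -> str:
    """Return the final RFC 4515 filter string the search would use."""
    user_filter = user_filter.strip()
    if user_filter and not (user_filter.startswith("(") and user_filter.endswith(")") and _balanced(user_filter)):
        raise ValueError(f"malformed LDAP filter: {user_filter!r}")
    if not include_computer_filter:
        if not user_filter:
            raise ValueError("a filter is required when the default computer filter is disabled")
        return user_filter  # custom filter used on its own
    if not user_filter:
        return DEFAULT_FILTER
    return f"(&{DEFAULT_FILTER}{user_filter})"  # the composition the issue describes


def _parse(s: str, i: int, entry: Dict[str, List[str]]):
    """Recursive-descent evaluation of equality items joined by &, | and !.

    Supports only (attr=value) items, no wildcards or escapes; enough for
    the filters on this page.  Returns (result, next_position).
    """
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    op = s[i]
    if op in "&|!":
        i += 1
        results = []
        while i < len(s) and s[i] == "(":
            result, i = _parse(s, i, entry)
            results.append(result)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        if op == "&":
            return all(results), i + 1
        if op == "|":
            return any(results), i + 1
        if len(results) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (not results[0]), i + 1
    end = s.index(")", i)
    attr, sep, value = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"bad filter item {s[i:end]!r}")
    return value.lower() in entry.get(attr.lower(), []), end + 1


def evaluate(ldap_filter: str, entry: Dict[str, List[str]]) -> bool:
    """True if the entry satisfies the filter; attributes and values compare case-insensitively."""
    folded = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    result, pos = _parse(ldap_filter, 0, folded)
    if pos != len(ldap_filter):
        raise ValueError("trailing data after filter")
    return result


def select_hosts(entries, user_filter: str = "", include_computer_filter: bool = True) -> List[str]:
    """Names of the entries the composed filter would return."""
    final = build_filter(user_filter, include_computer_filter)
    return [e["name"][0] for e in entries if evaluate(final, e)]


# Constructed sample directory: two ordinary computer objects and one
# object from a custom schema that has no computer class at all.
SAMPLE_ENTRIES = [
    {"name": ["srv01"], "objectClass": ["top", "computer"], "dNSHostName": ["srv01.example.com"]},
    {"name": ["srv02"], "objectClass": ["top", "computer"]},
    {"name": ["custom01"], "objectClass": ["top", "test"]},
]

if __name__ == "__main__":
    print(build_filter("(objectClass=test)"), "->", select_hosts(SAMPLE_ENTRIES, "(objectClass=test)"))
    print("(objectClass=test)", "->", select_hosts(SAMPLE_ENTRIES, "(objectClass=test)", False))
```

With the default kept, the issue's filter (objectClass=test) composes to (&(objectClass=computer)(objectClass=test)) and matches nothing in the sample directory; with the default dropped the same filter returns custom01. Requiring a non-empty filter when the default is disabled keeps an unfiltered subtree search from silently turning every object under search_base into an inventory host.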

The system cannot find the file specified.

SUMMARY

Trying to join a number of Windows Server 2022 servers to a test domain and they all keep failing saying "the system cannot find the file specified."

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.membership

ANSIBLE VERSION
ansible 2.10.8
COLLECTION VERSION
Collection   Version
------------ -------
microsoft.ad 1.4.1
CONFIGURATION
DEFAULT_ROLES_PATH(env: ANSIBLE_ROLES_PATH) = ['/home/user/repos/lab/ansible/roles~']
HOST_KEY_CHECKING(/home/user/repos/lab/ansible/ansible.cfg) = False
OS / ENVIRONMENT

Server 2022

STEPS TO REPRODUCE

I am using the following play:

    - name: Join members to domain
      microsoft.ad.membership:
        dns_domain_name: "{{ dns_domain_name }}"
        domain_admin_user: "{{ domain_admin_user }}"
        domain_admin_password: "{{ domain_admin_password }}"
        domain_ou_path: "{{ domain_join_ou_path }}"
        state: domain
        reboot: true

with these groupvars:

dns_domain_name: "lab.com"
domain_netbios_name: "LAB"
domain_admin_user: "[email protected]"
domain_admin_password: "mypassword"
domain_join_ou_path: "OU=Windows,OU=Servers,DC=lab,DC=com"
EXPECTED RESULTS

Servers should be joined to the domain

ACTUAL RESULTS
The full traceback is:
Computer 'sql-1' failed to join domain 'lab.com' from its current workgroup 'WORKGROUP' with following error message: The system cannot find the file specified.
At line:210 char:13
+             Add-Computer @joinParams
+             ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (sql-1:String) [Add-Computer], InvalidOperationException
    + FullyQualifiedErrorId : FailToJoinDomainFromWorkgroup,Microsoft.PowerShell.Commands.AddComputerCommand

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 210
fatal: [sql-1]: FAILED! => {
    "changed": false,
    "msg": "Unhandled exception while executing module: Computer 'sql-1' failed to join domain 'raxlab.com' from its current workgroup 'WORKGROUP' with following error message: The system cannot find the file specified."
}

Add AD member to group in multidomain env fails

SUMMARY

Process fails when trying to add the user from Domain A to AD group in Domain B
The community.windows.win_domain_group_membership module has an option under the members attribute: if the member object is part of another domain in a multi-domain forest, you must add the domain and "\" in front of the name.
This concept doesn't work in the microsoft.ad.group module.
I have also tested using the DN but no luck.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.group

ANSIBLE VERSION
ansible [core 2.15.2]
  config file = /home/user/myprojects/priv/ad/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/.local/bin/ansible
  python version = 3.9.13 (main, Nov 16 2022, 15:31:39) [GCC 8.5.0 20210514 (Red Hat 8.5.0-15)] (/usr/bin/python)
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION
microsoft.ad 1.1.0
CONFIGURATION

OS / ENVIRONMENT
STEPS TO REPRODUCE
- name: Add user to AD group
  microsoft.ad.group:
    domain_server: "{{ domain_b }}"
    identity: "{{ vdi_ad_group }}"
    name: "{{ vdi_ad_group }}"
    members: "{{ vdi_owner_names }}"
  become: true
  vars:
    vdi_owner_names:
      - domain_a\user
    vdi_ad_group: test_group # group is in domain_b
EXPECTED RESULTS

Add the user from domain A to the group in domain B

ACTUAL RESULTS

Message saying that it can't find the object

Failed to find the following ad objects for group members: domain_a\user

Unable to parse microsoft.ad.ldap.yaml

Summary

ansible-inventory -i inventories/microsoft.ad.ldap.yml --list -vvv

Gets error about not able to parse yaml file.

Issue Type

Bug Report

Component Name

microsoft.ad.ldap dynamic inventory

Ansible Version

$ ansible --version
ansible-core.x86_64                                                           1:2.14.9-1.el9

Configuration

ansible [core 2.14.9]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.9.18 (main, Jan  4 2024, 00:00:00) [GCC 11.4.1 20230605 (Red Hat 11.4.1-2)] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

pip3.9 is installed and pip3.11

[ansible@ct01 inventories]$ pip3.11 list
Package      Version
------------ -------
cffi         1.16.0
cryptography 42.0.2
pip          22.3.1
pycparser    2.21
pyspnego     0.10.2
setuptools   65.5.1

OS / Environment

Red Hat Enterprise Linux release 9.3 (Plow)

Steps to Reproduce

ansible-inventory -i inventories/microsoft.ad.ldap.yml --list -vvv

ansible-inventory [core 2.14.9]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible-inventory
  python version = 3.9.18 (main, Jan  4 2024, 00:00:00) [GCC 11.4.1 20230605 (Red Hat 11.4.1-2)] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
script declined parsing /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
auto declined parsing /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
yaml declined parsing /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
ini declined parsing /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
toml declined parsing /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as it did not pass its verify_file() method
[WARNING]: Unable to parse /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
{
    "_meta": {
        "hostvars": {}
    },
    "all": {
        "children": [
            "ungrouped"
        ]
    }
}
[ansible@ct01 inventories]$ 


Expected Results

It should not do that; I expect it to list the target hosts.

Actual Results

[ansible@ct01 inventories]$ ansible-inventory -i inventories/microsoft.ad.ldap.yml --list -vvv
ansible-inventory [core 2.14.9]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible-inventory
  python version = 3.9.18 (main, Jan  4 2024, 00:00:00) [GCC 11.4.1 20230605 (Red Hat 11.4.1-2)] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
script declined parsing /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
auto declined parsing /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
yaml declined parsing /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
ini declined parsing /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
toml declined parsing /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as it did not pass its verify_file() method
[WARNING]: Unable to parse /home/ansible/inventories/inventories/microsoft.ad.ldap.yml as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
{
    "_meta": {
        "hostvars": {}
    },
    "all": {
        "children": [
            "ungrouped"
        ]
    }
}
[ansible@ct01 inventories]$

Code of Conduct

  • I agree to follow the Ansible Code of Conduct

microsoft.ad.user - Created user not found while deleting by ad-hoc command

Summary

Two users were created successfully. I was able to delete the first user by ad-hoc command.
But the 2nd user was not found while trying to delete it by ad-hoc command, although the 2nd user exists in Windows AD.
Playbook and logs are attached below:

SUMMARY
ISSUE TYPE

 Bug Report

COMPONENT NAME

 microsoft.ad.user

Ansible version:

ansible --version
ansible [core 2.15.10]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/ericsson_nbanik/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ericsson_nbanik/env/lib/python3.9/site-packages/ansible
  ansible collection location = /home/ericsson_nbanik/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ericsson_nbanik/env/bin/ansible
  python version = 3.9.6 (default, Mar 26 2024, 17:37:43) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] (/home/ericsson_nbanik/env/bin/python3.9)
  jinja version = 3.1.3
  libyaml = True

Galaxy version:

➜  ansible-galaxy collection list | grep microsoft.ad
microsoft.ad                  1.4.1  

Here is my var files:

users:
- name: bob
  firstname: Bob
  surname: Smith
  company: Ericsson
  password: tWelvepass!12tWelvepass!12
  email: [email protected]
- name: magnus
  firstname: Magnus
  surname: Smith
  company: Ericsson
  password: tWelvepass!12tWelvepass!12
  email: [email protected]

My playbook:

---
- name: Create windows User
  hosts: win
  vars_files: ad_user.yml
  tasks:
  - name: Create windows user
    microsoft.ad.user:
      name: "{{ item.name }}"
      firstname: "{{ item.firstname }}"
      surname: "{{ item.surname }}"
      company: "{{ item.company }}"
      password: "{{ item.password }}"
      email: "{{ item.email }}"
      state: present
      groups:
        set:
        - BL_DBSS_VPN
        - Domain Admins
    with_items: "{{ users }}"
...

Play book run logs:

➜  ansible-playbook playbook/windows_user.yml -i dc1prod-hosts 

PLAY [Create windows User] ******************************************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************
ok: [10.74.2.10]

TASK [Create windows user] ******************************************************************************************************************************************************************************************************
changed: [10.74.2.10] => (item={'name': 'bob', 'firstname': 'Bob', 'surname': 'Smith', 'company': 'Ericsson', 'password': 'tWelvepass!12tWelvepass!12', 'email': '[email protected]'})
changed: [10.74.2.10] => (item={'name': 'magnus', 'firstname': 'Magnus', 'surname': 'Smith', 'company': 'Ericsson', 'password': 'tWelvepass!12tWelvepass!12', 'email': '[email protected]'})
[WARNING]: Failed to enumerate user groups but continuing on: The operation being requested was not performed because the user has not been authenticated

PLAY RECAP **********************************************************************************************************************************************************************************************************************
10.74.2.10                 : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

bob user delete:

➜  ansible -m ansible.windows.win_user -a 'name=bob state=absent' -i dc1prod-hosts win                           
10.74.2.10 | CHANGED => {
    "changed": true,
    "msg": "User 'bob' deleted successfully",
    "name": "bob",
    "state": "absent"
}

magnus user delete:

➜  ansible -m ansible.windows.win_user -a 'name=magnus state=absent' -i dc1prod-hosts win        
10.74.2.10 | SUCCESS => {
    "changed": false,
    "msg": "User 'magnus' was not found",
    "name": "magnus",
    "state": "absent"
}

Why is the magnus user not found?

Though in windows AD user exists:


Please check why the magnus user is not found.
If we replace magnus with another name, it works.

Add action_groups

SUMMARY

Add action groups so one can specify username, password etc. only once

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

meta/runtime.yml

ADDITIONAL INFORMATION

domain_server would be specified once and then used by all following commands

- name: Check Active Directory
  delegate_to: <win-host>
  module_defaults:
    group/microsoft:
        domain_server: "{{ domain_server }}"
        domain_username: "{{ domain_username }}"
        domain_password: "{{ domain_password }}"
  vars:
    ansible_connection: ssh
    ansible_shell_type: cmd
  block:
    - name: Ensure OU is present & protected
      microsoft.ad.ou:
        name: Fancy_OU
        path: OU=Permissions,OU=Groups,DC=example,DC=com
        state: present
        protect_from_deletion: true

    - name: Ensure other OU is present & protected
      microsoft.ad.ou:
        name: Fancy_OU2
        path: OU=Permissions,OU=Groups,DC=example,DC=com
        state: present
        protect_from_deletion: true

Groups does not compare category/scope correctly

SUMMARY

Setting the category or scope of a group leads to a change, as the enum for GroupCategory or GroupScope is not resolved from the integer value back to the name. Therefore the group is never ok but always changed.

TASK [Group Bug test] ************************************************************************************************************************************************************************************
--- before
+++ after
@@ -1,7 +1,7 @@
 {
     "attributes": {},
-    "category": 1,
+    "category": "security",
     "name": "ansible.test.group",
     "path": "OU=XXX",
-    "scope": 2
+    "scope": "universal"
 }
ISSUE TYPE
  • Bug Report
COMPONENT NAME

group

ANSIBLE VERSION
ansible [core 2.14.5]
  config file = /home/user/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/ansible_7.5.0/lib/python3.10/site-packages/ansible
  ansible collection location = /home/user/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.6 (main, Mar 10 2023, 10:55:28) [GCC 11.3.0] (/opt/ansible_7.5.0/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
# /home/user/ansible/collections/ansible_collections
Collection   Version
------------ -------
microsoft.ad 1.1.0  

# /opt/ansible_7.5.0/lib/python3.10/site-packages/ansible_collections
Collection   Version
------------ -------
microsoft.ad 1.0.0  
CONFIGURATION
ANSIBLE_PIPELINING(/home/user/ansible/ansible.cfg) = True
CACHE_PLUGIN(env: ANSIBLE_CACHE_PLUGIN) = redis
CACHE_PLUGIN_CONNECTION(/home/user/ansible/ansible.cfg) = 127.0.0.1:6379:0
CACHE_PLUGIN_TIMEOUT(/home/user/ansible/ansible.cfg) = 3600
COLLECTIONS_PATHS(/home/user/ansible/ansible.cfg) = ['/home/user/ansible/collections']
CONFIG_FILE() = /home/user/ansible/ansible.cfg
DEFAULT_BECOME(/home/user/ansible/ansible.cfg) = True
DEFAULT_BECOME_ASK_PASS(/home/user/ansible/ansible.cfg) = False
DEFAULT_BECOME_METHOD(/home/user/ansible/ansible.cfg) = sudo
DEFAULT_BECOME_USER(/home/user/ansible/ansible.cfg) = root
DEFAULT_GATHERING(/home/user/ansible/ansible.cfg) = smart
DEFAULT_HOST_LIST(/home/user/ansible/ansible.cfg) = ['/home/mrieder/ansible/inventories/scs_linux/hosts']
DEFAULT_LOG_PATH(env: ANSIBLE_LOG_PATH) = /var/log/ansible/ansible.log
DEFAULT_MANAGED_STR(/home/user/ansible/ansible.cfg) = Ansible managed by SCS IT
DEFAULT_REMOTE_USER(/home/user/ansible/ansible.cfg) = scsitansible
DEFAULT_ROLES_PATH(/home/user/ansible/ansible.cfg) = ['/home/user/ansible/galaxy', '/home/user/ansible/roles']
DEPRECATION_WARNINGS(/home/user/ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/home/user/ansible/ansible.cfg) = False
OS / ENVIRONMENT

Ansible on Ubuntu 22 LTS
Windows on 2019 Server

STEPS TO REPRODUCE
---
- name: Test
  hosts: vm-arizona
  tasks:
    - name: 'Group Bug test'
      microsoft.ad.group:
        name: 'ansible.test.group'
        scope: universal
        category: security
        path: 'OU=XXX'
EXPECTED RESULTS

The task always return changed when scope and category is set. Even when set to the same value as they are in ad.

ACTUAL RESULTS

The task should return ok when scope and category is set to the same value as they are in ad.


TASK [Group Bug test] ************************************************************************************************************************************************************************************
task path: /home/user/ansible/windows-test.yml:5
Using module file /home/user/ansible/collections/ansible_collections/microsoft/ad/plugins/modules/group.ps1
Pipelining is enabled.
<win2019-server> ESTABLISH WINRM CONNECTION FOR USER: user@DOMAIN on PORT 5985 TO win2019-server
EXEC (via pipeline wrapper)
--- before
+++ after
@@ -1,7 +1,7 @@
 {
     "attributes": {},
-    "category": 1,
+    "category": "security",
     "name": "ansbile.test.group",
     "path": "OU=XXX",
-    "scope": 2
+    "scope": "universal"
 }

changed: [vm-arizona] => {
    "changed": true,
    "diff": {
        "after": {
            "attributes": {},
            "category": "security",
            "name": "ansbile.test.group",
            "path": "OU=XXX",
            "scope": "universal"
        },
        "before": {
            "attributes": {},
            "category": 1,
            "name": "ansbile.test.group",
            "path": "OU=XXX",
            "scope": 2
        }
    },
    "distinguished_name": "CN=ansbile.test.group,OU=XXX",
    "invocation": {
        "module_args": {
            "attributes": {
                "add": {},
                "remove": {},
                "set": {}
            },
            "category": "security",
            "description": null,
            "display_name": null,
            "domain_password": null,
            "domain_server": null,
            "domain_username": null,
            "homepage": null,
            "identity": null,
            "managed_by": null,
            "members": null,
            "name": "ansbile.test.group",
            "path": "OU=XXX",
            "protect_from_deletion": null,
            "sam_account_name": null,
            "scope": "universal",
            "state": "present"
        }
    },
    "object_guid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "sid": "S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx"
}
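
The diff in the output above compares the integer enum values AD returns for GroupCategory (Distribution = 0, Security = 1) and GroupScope (DomainLocal = 0, Global = 1, Universal = 2) with the names given in the task, so the two sides never compare equal. The following Python idempotence check is an added illustration and not the collection's code: it maps both sides to one canonical name before deciding whether anything changed, so a spurious "changed" no longer hides real drift. The group records are constructed sample data mirroring the report's diff.

```python
"""Idempotence check for AD group scope and category (added example, not the
collection's code).

AD returns GroupCategory and GroupScope as enum integers while the task
supplies names, so a raw comparison reports a change on every run. Mapping
both sides to one canonical name before comparing avoids the spurious
'changed' seen in the report.
"""
from typing import Any, Dict, Tuple

# Integer values of Microsoft.ActiveDirectory.Management.ADGroupCategory
# and ADGroupScope, matching the 1/"security" and 2/"universal" pairs in the diff.
GROUP_CATEGORY = {0: "distribution", 1: "security"}
GROUP_SCOPE = {0: "domainlocal", 1: "global", 2: "universal"}


def canonical(value: Any, names: Dict[int, str]) -> str:
    """Map an enum integer or a case-insensitive name to the canonical lower-case name."""
    if isinstance(value, int) and not isinstance(value, bool):
        if value not in names:
            raise ValueError(f"unknown enum value {value!r}")
        return names[value]
    name = str(value).strip().lower().replace(" ", "")
    if name not in names.values():
        raise ValueError(f"unknown name {value!r}")
    return name


def naive_changed(before: Dict[str, Any], desired: Dict[str, Any]) -> bool:
    """The comparison the report's diff implies: raw values, no canonicalisation."""
    return any(
        desired.get(k) is not None and desired[k] != before.get(k)
        for k in ("category", "scope", "name", "path")
    )


def group_diff(before: Dict[str, Any], desired: Dict[str, Any]) -> Dict[str, Tuple[Any, Any]]:
    """Return {field: (before, after)} for fields that really differ.

    ``before`` is what was read from AD (enum ints), ``desired`` what the task
    specified. Fields the task leaves unset (None) are not compared.
    """
    changes: Dict[str, Tuple[Any, Any]] = {}
    for field, names in (("category", GROUP_CATEGORY), ("scope", GROUP_SCOPE)):
        if desired.get(field) is None:
            continue
        old, new = canonical(before[field], names), canonical(desired[field], names)
        if old != new:
            changes[field] = (old, new)
    for field in ("name", "path"):
        if desired.get(field) is not None and desired[field] != before.get(field):
            changes[field] = (before.get(field), desired[field])
    return changes


# Constructed sample mirroring the before/after values in the report's diff.
AD_BEFORE = {"attributes": {}, "category": 1, "name": "ansible.test.group",
             "path": "OU=XXX", "scope": 2}
TASK_ARGS = {"category": "security", "name": "ansible.test.group",
             "path": "OU=XXX", "scope": "universal"}

if __name__ == "__main__":
    print("raw comparison says changed:", naive_changed(AD_BEFORE, TASK_ARGS))
    print("real changes:", group_diff(AD_BEFORE, TASK_ARGS))
    print("scope drift:", group_diff(AD_BEFORE, {**TASK_ARGS, "scope": "Global"}))
```

With the sample data the raw comparison reports a change while `group_diff` reports none; changing the desired scope to `Global` is the only case that produces a real difference.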

microsoft.ad.group fails if group already exists

SUMMARY

In the microsoft.ad.group module if I execute a playbook to add a computer to an existing security group it fails with the following error - New-ADGroup failed: The specified group already exists. I'm not sure if I'm just missing something in this new module compared to the old community.windows.win_domain_group_membership one but I am unable to solve this and can't find where I'm going wrong. My role is structured the exact same as one of the examples within the docs so I feel like this should "just work".

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.group

ANSIBLE VERSION
ansible-playbook [core 2.14.2]
  config file = /runner/project/ansible.cfg
  configured module search path = ['/home/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /runner/requirements_collections:/home/runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible-playbook
  python version = 3.9.13 (main, Nov  9 2022, 13:16:24) [GCC 8.5.0 20210514 (Red Hat 8.5.0-15)] (/usr/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection   Version
------------ -------
microsoft.ad 1.2.0
CONFIGURATION
CONFIG_FILE() = /etc/ansible/ansible.cfg
OS / ENVIRONMENT
  • Ansible Automation Platform Controller 4.2.0 running on Red Hat Enterprise Linux release 8.8
  • delegate_to host is Windows Server 2019, Version 1809
STEPS TO REPRODUCE

Here is the role managed_servers_group

- name: Add server to group
  microsoft.ad.group:
    name: 'managed_windows_servers'
    scope: global
    members:
     add:
       - 'servername01$'
    state: present
  delegate_to: jumpbox

The playbook

- name: Provisioning Windows
  hosts: all
  gather_facts: no

  roles:
     - { role: managed_servers_group}

Executing

ansible-playbook -i myinventory main.yml -l servername01
EXPECTED RESULTS

The AD group doesn't currently have servername01 in it. I would expect it to be added in addition to the current members being maintained.

ACTUAL RESULTS
The full traceback is:
The specified group already exists
At line:963 char:29
+                 $adObject = & $newCommand @newParams @adParams
+                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=managed_wind...DC=domain,DC=com:String) [New-ADGroup], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1318,Microsoft.ActiveDirectory.Management.Commands.NewADGroup

ScriptStackTrace:
at Invoke-AnsibleADObject, <No file>: line 963
at <ScriptBlock>, <No file>: line 211
fatal: [servername01 -> jumpbox]: FAILED! => {
    "changed": false,
    "distinguished_name": null,
    "invocation": {
        "module_args": {
            "attributes": {
                "add": {},
                "remove": {},

microsoft.ad.user groups documentation should detail which formats it accepts

SUMMARY

The documentation for Groups in User Module does not detail the supported group formats.
Looking in the code, I found this module uses the Get-ADGroup and Add-ADGroupMember cmdlets, and going by the -Identity flag for those cmdlets, I've determined this module supports groups add/set/remove in the format of DN, sAMAccountName, GUID and SID.

Please can this be brought in line with the other modules in this collection, similar to how the Group module outlines the supported formats in the Member parameter here

ISSUE TYPE
  • Documentation Report
COMPONENT NAME

microsoft.ad.user

ANSIBLE VERSION

microsoft.ad.object can't assign attribute PrincipalsAllowedToRetrieveManagedPassword

SUMMARY

I have been trying to set the attribute PrincipalsAllowedToRetrieveManagedPassword for an MSA (msDS-GroupManagedServiceAccount) account. Not sure if this is a bug or a feature request.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.object

ANSIBLE VERSION
ansible [core 2.14.1]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.10/dist-packages/ansible
  ansible collection location = /ansible/collections:/etc/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/usr/bin/python3.10)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
/ansible/collections/ansible_collections
Collection   Version
------------ -------
microsoft.ad 1.4.1  
CONFIGURATION
ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR) = True
CALLBACKS_ENABLED(/etc/ansible/ansible.cfg) = ['profile_tasks']
COLLECTIONS_PATHS(/etc/ansible/ansible.cfg) = ['/ansible/collections', '/etc/ansible']
CONFIG_FILE() = /etc/ansible/ansible.cfg
OS / ENVIRONMENT

Windows Server 2022

STEPS TO REPRODUCE
    - name: Get all properties for the specified account using its DistinguishedName
      microsoft.ad.object_info:
        identity: "CN=<**>L,CN=Managed Service Accounts,{{ domain_dn }}"
        properties: "*"

    - name: Create Service Accounts - ansible module
      microsoft.ad.object:
        attributes:
          set:
            PrincipalsAllowedToRetrieveManagedPassword: "<**>"
        name: <**>
        path: "CN=Managed Service Accounts,{{ domain_dn }}"
        protect_from_deletion: true
        state: present
        type: "msDS-GroupManagedServiceAccount"
EXPECTED RESULTS

I expect to set PrincipalsAllowedToRetrieveManagedPassword attribute

ACTUAL RESULTS
TASK [Create Service Accounts - ansible module] ********************************
task path: /ansible/collections/ansible_collections/**/**/playbooks/prep_ad_post.yml:76
Tuesday 20 February 2024  18:48:45 +0000 (0:00:03.119)       0:00:49.050 ****** 
Using module file /ansible/collections/ansible_collections/microsoft/ad/plugins/modules/object.ps1
Pipelining is enabled.
<**IP**> ESTABLISH WINRM CONNECTION FOR USER: <**User**> on PORT <**Port**> TO <**IP**>
EXEC (via pipeline wrapper)
The full traceback is:
   at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
fatal: [<**Host**>]: FAILED! => {
    "changed": false,
    "msg": "Unhandled exception while executing module: The specified directory service attribute or value does not exist\r\nParameter name: PrincipalsAllowedToRetrieveManagedPassword"
}

microsoft.ad.group: Member names (sAMAccountName) with more than 20 characters not supported

SUMMARY

I use microsoft.ad.group to add members to an already existing group. This module complains it cannot find some groups that should be added as members. The groups it cannot find are groups that have a sAMAccountName with more than 20 characters.

I know there was an antique limit of 20 characters for sAMAccountNames. But since Windows Server 2000, we can have sAMAccountNames with a max. length of 256.

The deprecated community.windows.win_domain_group_membership module actually can handle members whose names are longer than 20 characters.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

group

ANSIBLE VERSION
ansible [core 2.15.2]
  config file = /home/user/.ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/.local/bin/ansible
  python version = 3.9.16 (main, Jan 17 2023, 18:53:15) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
# /home/user/.local/lib/python3.9/site-packages/ansible_collections
Collection   Version
------------ -------
microsoft.ad 1.2.0
CONFIGURATION
CONFIG_FILE() = /home/user/.ansible.cfg
DEFAULT_STDOUT_CALLBACK(/home/user/.ansible.cfg) = yaml
OS / ENVIRONMENT

Target OS: Windows Server 2019

STEPS TO REPRODUCE
- name: Add group members
  microsoft.ad.group:
    name: Protected Users
    identity: S-1-5-21-XXX-525
    members:
      add:
        - GroupNameOK
        - GroupNameWayTooLongAndNotOK
EXPECTED RESULTS

OK

ACTUAL RESULTS
fatal: [hostname]: FAILED! => changed=false 
  distinguished_name: CN=Protected Users,CN=Users,DC=my,DC=domain,DC=com
  msg: 'Failed to find the following ad objects for group members: ''GroupNameWayTooLongAndNotOK'''
  object_guid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

String was not recognized as a valid DateTime

SUMMARY

The date example format does not work with the value "2019-09-07T15:50:00+00"

ISSUE TYPE
PS C:\Windows\System32\WindowsPowerShell\v1.0> $dt = '2019-09-07T15:50:00+00'
$dtVal = [DateTimeOffset]::ParseExact(
    $dt,
    [string[]]@("yyyy-MM-dd'T'HH:mm:ss.FFFFFFFK"),
    [System.Globalization.CultureInfo]::InvariantCulture,
    [System.Globalization.DateTimeStyles]::AssumeUniversal)
$dtVal.UtcDateTime.ToFileTimeUtc()
Exception calling "ParseExact" with "4" argument(s): "String was not recognized as a valid DateTime."
At line:2 char:1
+ $dtVal = [DateTimeOffset]::ParseExact(
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : FormatException
 
132123450000000000

PS C:\Windows\System32\WindowsPowerShell\v1.0> 

COMPONENT NAME

microsoft.ad.user

ANSIBLE VERSION
ansible [core 2.13.9]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/demo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/demo/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/demo/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Nov 14 2022, 12:59:47) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection        Version
----------------- -------
community.general 6.6.0

OS / ENVIRONMENT

Linux 5.10.102.1-microsoft-standard-WSL2 #1 SMP Wed Mar 2 00:30:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

STEPS TO REPRODUCE
- microsoft.ad.user:
    name: MyUser
    state: present
    attributes:
      set:
        accountExpires:
          type: date_time
          value: '2019-09-07T15:50:00+00'

ansible-playbook -i hosts microsoft.ad.user.yaml

EXPECTED RESULTS

It should not generate "String was not recognized as a valid DateTime." and should set the expiry time

ACTUAL RESULTS

"msg": "Unhandled exception while executing module: Exception calling \"ParseExact\" with \"4\" argument(s): \"String was not recognized as a valid DateTime.\""
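
The PowerShell transcript above shows why the value fails: ParseExact is called with the "K" specifier, which accepts 'Z' or an offset written as '+HH:mm', while the task passes a bare '+00'. The following Python helper is an added example and not the collection's code: it accepts the common offset spellings (Z, +HH, +HHMM, +HH:MM), rewrites the value into the '+HH:MM' form that format expects, and converts it to the Windows FILETIME (100 ns ticks since 1601-01-01 UTC) that attributes such as accountExpires store. The 132123450000000000 printed in the transcript is exactly that value for 2019-09-07T15:50:00 UTC. All sample values are constructed.

```python
"""Normalise an ISO-8601 timestamp and convert it to a Windows FILETIME
(added example, not the collection's code).

'2019-09-07T15:50:00+00' carries a bare two-digit offset that .NET's "K"
specifier rejects. This accepts Z, +HH, +HHMM and +HH:MM, emits the
'+HH:MM' form ParseExact wants, and computes the FILETIME for the value.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

_ISO = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}:\d{2}:\d{2})(?P<frac>\.\d{1,7})?"
    r"(?P<tz>Z|[+-]\d{2}(?::?\d{2})?)?$"
)

# FILETIME epoch: 1601-01-01T00:00:00Z.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_offset(tz: Optional[str]) -> timezone:
    """'Z', '+HH', '+HHMM' or '+HH:MM' -> tzinfo; no offset means UTC (AssumeUniversal)."""
    if tz is None or tz == "Z":
        return timezone.utc
    sign = -1 if tz[0] == "-" else 1
    digits = tz[1:].replace(":", "")
    hours, minutes = int(digits[:2]), int(digits[2:] or 0)
    if hours > 14 or minutes > 59:
        raise ValueError(f"offset out of range: {tz}")
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def parse_iso(value: str) -> datetime:
    """Parse the timestamp into an aware datetime (fraction truncated to microseconds)."""
    m = _ISO.match(value.strip())
    if not m:
        raise ValueError(f"not an ISO-8601 timestamp: {value!r}")
    frac = m.group("frac") or ""
    micro = int((frac[1:] + "000000")[:6]) if frac else 0
    naive = datetime.strptime(f"{m.group('date')}T{m.group('time')}", "%Y-%m-%dT%H:%M:%S")
    return naive.replace(microsecond=micro, tzinfo=parse_offset(m.group("tz")))


def normalise(value: str) -> str:
    """Rewrite into 'yyyy-MM-ddTHH:mm:ss[.f]+HH:MM', the shape the 'K' specifier accepts."""
    dt = parse_iso(value)
    total = int(dt.utcoffset().total_seconds())
    sign = "+" if total >= 0 else "-"
    total = abs(total)
    base = dt.strftime("%Y-%m-%dT%H:%M:%S")
    if dt.microsecond:
        base += f".{dt.microsecond:06d}".rstrip("0")
    return f"{base}{sign}{total // 3600:02d}:{total % 3600 // 60:02d}"


def to_filetime(value: str) -> int:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) for the timestamp."""
    dt = parse_iso(value).astimezone(timezone.utc)
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


if __name__ == "__main__":
    sample = "2019-09-07T15:50:00+00"  # the value from the report
    print(normalise(sample))           # 2019-09-07T15:50:00+00:00
    print(to_filetime(sample))         # 132123450000000000
```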

microsoft.ad.group module : Set members to an empty list

SUMMARY
Process fails when trying to set an empty list to remove all members from a group.
The microsoft.ad.group module (Manage Active Directory group objects) has an option under the members attribute to set an empty list.

ISSUE TYPE

  • Bug Report

COMPONENT NAME
microsoft.ad.group module

ANSIBLE VERSION
ansible [core 2.16.4]
config file = None
python version = 3.11.2 (main, Mar 13 2023, 12:18:29)
jinja version = 3.1.3
libyaml = True

COLLECTION VERSION
microsoft.ad collection (version 1.4.1)

CONFIGURATION
- name: Creat ADDC groups whith members
  microsoft.ad.group:
    name: "{{ item.name }}"
    description : "{{ item.description }}"
    scope: "{{ item.scope }}"
    path: "{{ group_fqdn_path }}"
    state: present
    members:
      set: ""    
    protect_from_deletion: true
  loop: "{{ site_ADDC_groups }}"


site_ADDC_groups:
  - { UID: 'GRP_001', name: "GG_F_{{site_name}}_ADMIN-EAR-RW", scope: "global", path: "", description: "Administrateurs Reseau (Switch/Firewall/NTP)", member_of: ""}

Different configurations have been tested:

  1. members:
       set: ''

  2. members:
       set:
         - ""

...

OS / ENVIRONMENT
Debian 12

STEPS TO REPRODUCE
Execute command with an empty list

EXPECTED RESULTS
remove groups if already existing

ACTUAL RESULTS
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: à System.Management.Automation.CommandProcessorBase.Complete()
failed: [DR3SP-MULIWX01V] (item={'UID': 'GRP_002', 'name': 'GG_F_ULI_ADMIN-VIR-RW', 'scope': 'global', 'path': '', 'description': 'Administrateurs Virtualisation (Vmware, ProxMox, Hyper-V)', 'member_of': ''}) => {"ansible_loop_var": "item", "changed": false, "item": {"UID": "GRP_002", "description": "Administrateurs Virtualisation (Vmware, ProxMox, Hyper-V)", "member_of": "", "name": "GG_F_ULI_ADMIN-VIR-RW", "path": "", "scope": "global"}, "msg": "Unhandled exception while executing module: Impossible de lier l'argument au paramètre « Identity », car il s'agit d'une chaîne vide."}
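
In YAML, `set: ""` is a string and `set: [""]` (or a `- ""` item) is a one-element list whose only element is an empty string, which is then handed to AD as an identity; that is what the binding error quoted above reports (the Identity argument was an empty string). An empty list is written `set: []`. The following Python pre-flight check is an added example and not the module's code: it rejects both mistaken forms before anything reaches AD and shows the add/remove plan a `set` list implies against a constructed list of current members, including `set: []` removing everyone.

```python
"""Pre-flight check for a microsoft.ad.group ``members`` spec and the
add/remove plan it implies (added example, not the module's code).

YAML typing is the trap in the report: ``set: ""`` is a string and
``set: [""]`` (or a ``- ""`` item) is a one-element list holding an empty
identity; only ``set: []`` is an empty list. Anything other than a list of
non-blank identities is rejected here before it could reach an AD lookup.
Current-member lists are constructed sample data.
"""
from typing import Any, Dict, List


def identities(value: Any, label: str) -> List[str]:
    """Require a list of non-blank strings (None means 'not given')."""
    if value is None:
        return []
    if isinstance(value, str) or not isinstance(value, list):
        raise ValueError(f"members.{label} must be a list, got {type(value).__name__}: {value!r}")
    out = []
    for item in value:
        if not isinstance(item, str) or not item.strip():
            raise ValueError(f"members.{label} contains an empty identity: {item!r}")
        out.append(item.strip())
    return out


def plan_membership(spec: Dict[str, Any], current: List[str]) -> Dict[str, List[str]]:
    """Return {'add': [...], 'remove': [...]} for ``spec`` against ``current``.

    In this example ``set`` is exclusive with ``add``/``remove``; ``set: []``
    therefore means 'remove every current member'. Names are compared
    case-insensitively, as sAMAccountNames are in AD.
    """
    cur = {m.lower(): m for m in current}
    if spec.get("set") is not None:
        if spec.get("add") or spec.get("remove"):
            raise ValueError("members.set cannot be combined with add/remove")
        wanted = identities(spec["set"], "set")
        wanted_keys = {w.lower() for w in wanted}
        return {
            "add": [w for w in wanted if w.lower() not in cur],
            "remove": [m for k, m in cur.items() if k not in wanted_keys],
        }
    to_add = identities(spec.get("add"), "add")
    to_remove = identities(spec.get("remove"), "remove")
    return {
        "add": [w for w in to_add if w.lower() not in cur],
        "remove": [cur[w.lower()] for w in to_remove if w.lower() in cur],
    }


if __name__ == "__main__":
    members = ["alice", "Bob", "svc-old$"]          # constructed current membership
    print(plan_membership({"set": []}, members))     # everyone removed
    print(plan_membership({"set": ["bob", "carol"]}, members))
    for bad in ("", [""]):                           # the two forms from the report
        try:
            plan_membership({"set": bad}, members)
        except ValueError as exc:
            print("rejected:", exc)
```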

microsoft.ad.domain fails with 'InstallDNS' not recognized error

SUMMARY

microsoft.ad.domain task always fails with the error The specified argument 'InstallDNS' was not recognized. It seems that this issue has been fixed years back but somehow came back? InstallDNS is supposed to be with lowercase InstallDns. I checked the source file and it seems to be correct but somehow it still fails.

COLLECTION VERSION

CONFIGURATION

OS / ENVIRONMENT

Controller: Ubuntu 22
Target: Windows Server 2019

STEPS TO REPRODUCE
- name: Ensure that domain exists
  microsoft.ad.domain:
    dns_domain_name: somedomain.local
    safe_mode_password: StrongPass123!
  register: check_domain
EXPECTED RESULTS

Expect the task to run and save the result

ACTUAL RESULTS
Using module file /home/egorp/.ansible/collections/ansible_collections/microsoft/ad/plugins/modules/domain.ps1
Pipelining is enabled.
<192.168.56.10> ESTABLISH WINRM CONNECTION FOR USER: vagrant on PORT 5986 TO 192.168.56.10
EXEC (via pipeline wrapper)
The full traceback is:
The specified argument 'InstallDNS' was not recognized.

At line:164 char:16
+         $res = Install-ADDSForest @installParams
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-ADDSForest], DCPromoExecutionException
    + FullyQualifiedErrorId : DCPromo.General.77,Microsoft.DirectoryServices.Deployment.PowerShell.Commands.InstallADDSForestCommand

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 164
fatal: [192.168.56.10]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "create_dns_delegation": null,
            "database_path": null,
            "dns_domain_name": "octopusadlab.local",
            "domain_mode": null,
            "domain_netbios_name": null,
            "forest_mode": null,
            "install_dns": false,
            "log_path": null,
            "reboot": false,
            "safe_mode_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "sysvol_path": null
        }
    },
    "msg": "Failed to install ADDSForest, DCPromo exited with 77: The specified argument 'InstallDNS' was not recognized.\r\n",
    "reboot_required": false
}
ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.domain

ANSIBLE VERSION
ansible [core 2.15.6]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/egorp/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/egorp/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.6 (main, Mar 10 2023, 10:55:28) [GCC 11.3.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True

New-ADUser failed: A parameter cannot be found that matches parameter name 'PasswordExpired'."

SUMMARY

Unable to set password expired at the time of user creation. password_expired can only be set once the user is created; otherwise it generates the error "New-ADUser failed: A parameter cannot be found that matches parameter name 'PasswordExpired'."

ISSUE TYPE

"msg": "New-ADUser failed: A parameter cannot be found that matches parameter name 'PasswordExpired'.", "object_guid": null}

COMPONENT NAME

microsoft.ad.user

ANSIBLE VERSION
ansible [core 2.13.9]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/demo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/demo/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/demo/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Nov 14 2022, 12:59:47) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION
Collection        Version
----------------- -------
community.general 6.6.0
OS / ENVIRONMENT

Linux 5.10.102.1-microsoft-standard-WSL2 #1 SMP Wed Mar 2 00:30:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

STEPS TO REPRODUCE
    - name: prepare user for login
      microsoft.ad.user:
        name: test
        upn : [email protected]
        firstname: login
        lastname: testuser
        password: password
        password_expired: true

ansible-playbook -i hosts microsoft.ad.user.yaml

If I create the following tasks playbook then it does not throw an error

    - name: prepare user for login
      microsoft.ad.user:
        name: test
        upn : [email protected]
        firstname: login
        lastname: testuser
        password: password

    - name: password expiry
      microsoft.ad.user:
        name: test
        password_expired: true

ansible-playbook -i hosts microsoft.ad.user.yaml

EXPECTED RESULTS

It should not generate "A parameter cannot be found " and should create the user with PasswordExpired attribute

ACTUAL RESULTS

"msg": "New-ADUser failed: A parameter cannot be found that matches parameter name 'PasswordExpired'.", "object_guid": null}

Not able to run module, giving an error AnsibleADObject not found

SUMMARY

"exception": "The term 'Invoke-AnsibleADObject' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:39 char:1\r\n+ Invoke-AnsibleADObject @setParams\r\n+ ~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (Invoke-AnsibleADObject:String) [], ParentContainsErrorRecordException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n\r\nScriptStackTrace:\r\nat , : line 39\r\n",
"msg": "Unhandled exception while executing module: The term 'Invoke-AnsibleADObject' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.",
"_ansible_no_log": false,

ISSUE TYPE

Unable to use microsoft.ad module
Tested with microsoft.ad.computer and microsoft.ad.object

COMPONENT NAME

Minimum requirements such as krb5 to connect to Windows and windows machine with AD module for powershell

ANSIBLE VERSION

ansible = 2.14


COLLECTION VERSION
collections:
microsoft.ad 1.41

CONFIGURATION

OS / ENVIRONMENT

Windows 2019

STEPS TO REPRODUCE

Playbook executed with microsoft.ad to delete an object from Active Directory. The module seems to run, but at the point where it needs to execute the line Invoke-AnsibleADObject @setParams it is not able to continue. It seems like the PowerShell module is not found.

EXPECTED RESULTS

Be able to execute ansible playbook with result "change = true"

ACTUAL RESULTS

"exception": "The term 'Invoke-AnsibleADObject' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\r\nAt line:39 char:1\r\n+ Invoke-AnsibleADObject @setParams\r\n+ ~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : ObjectNotFound: (Invoke-AnsibleADObject:String) [], ParentContainsErrorRecordException\r\n + FullyQualifiedErrorId : CommandNotFoundException\r\n\r\nScriptStackTrace:\r\nat , : line 39\r\n",
"msg": "Unhandled exception while executing module: The term 'Invoke-AnsibleADObject' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.",
"_ansible_no_log": false,

After migrating from win_domain_computer unable to remove computer from AD

SUMMARY

After migrating from win_domain_computer unable to remove computer from AD.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.computer

ANSIBLE VERSION
ansible [core 2.14.1]
  config file = None
  configured module search path = ['/home/XXX/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
  ansible collection location = /home/XXX/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.4 (main, Jun  7 2023, 00:00:00) [GCC 12.3.1 20230508 (Red Hat 12.3.1-1)] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
Collection   Version
------------ -------
microsoft.ad 1.3.0  
CONFIGURATION
CONFIG_FILE() = None
OS / ENVIRONMENT
STEPS TO REPRODUCE
    - name: Remove computer from Active Directory using a windows machine
      microsoft.ad.computer:
        name: "{{ selfdeploy_hostname | upper }}"
        state: absent
        domain_server: "adc.XXXX.LOCAL"
        domain_username: "{{adm_username}}@XXXX.LOCAL"
        domain_password: "{{adm_password}}"
      delegate_to: D1VMANSWIN01.XXXX.local



ok: [dcvmansexatst20.XXXX.local -> D1VMANSWIN01.XXXX.local] => {
    "changed": false,
    "distinguished_name": null,
    "invocation": {
        "module_args": {
            "attributes": {
                "add": {},
                "remove": {},
                "set": {}
            },
            "delegates": null,
            "description": null,
            "display_name": null,
            "dns_hostname": null,
            "domain_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "domain_server": "adc.XXXX.local",
            "domain_username": "[email protected]",
            "enabled": null,
            "identity": null,
            "kerberos_encryption_types": null,
            "location": null,
            "managed_by": null,
            "name": "DCVMANSEXATST20",
            "path": null,
            "protect_from_deletion": null,
            "sam_account_name": null,
            "spn": null,
            "state": "absent",
            "trusted_for_delegation": null,
            "upn": null
        }
    },
    "object_guid": null
}
EXPECTED RESULTS
ACTUAL RESULTS

No change. The computer stays in AD.


microsoft.ad.inventory connecting to port 22 and not ldap

SUMMARY

I have created an inventory file with the name microsoft.ad.ldap.yml. I added the server details of Microsoft Active Directory. Created a self-signed certificate. Created an Ansible playbook to create a group in Active Directory with the microsoft.ad.group module. When I run the Ansible playbook referring to microsoft.ad.ldap.yml as the inventory, it is connecting over port 22 and not LDAP.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.inventory

ANSIBLE VERSION
2.15.3
COLLECTION VERSION

CONFIGURATION

OS / ENVIRONMENT

Alpine Linux

STEPS TO REPRODUCE

created file microsoft.ad.ldap.yml

plugin: microsoft.ad.ldap

server: ad-ip
tls_mode: ldaps
username: [email protected]
password: password
auth_protocol: ntlm
certificate: cert.crt
certificate_key: cert.key
certificate_password: "password"
cert_validation: "ignore"
search_base: OU=Users,DC=name1,DC=name2,DC=com

attributes:
  sAMAccountName:
    sam_account_name:
  objectSid:
    computer_sid:
  pwdLastSet:
    password_last_set: this | microsoft.ad.as_datetime
  comment:
    host_comment:
  memberOf:
    computer_membership: this | map("regex_search", '^CN=(?P<name>.+?)((?<!\\),)', '\g<name>') | flatten 

created playbook yml file with microsoft.ad.group module
run ansible playbook ansible-playbook -i microsoft.ad.ldap.yml playbook name -e 'variable=value'

---
- name: Execute Command on Remote Windows Machine
  hosts: localhost  # Replace 'windows_hosts' with the group or host where your Windows machines are defined.
  gather_facts: no     # Disable gathering facts as it's not required for this playbook.
  ignore_unreachable: true
  tasks:
    - name: Add group and specify the AD domain services to use for the create
      microsoft.ad.group:
        name: "{{ permission_set_name | lower }}"
        scope: global
        category: security
        state: present
      delegate_to: <ad-ip> 
      register: result   # Store the output of the command in the 'result' variable.

    - name: Display Command Output
      debug:
        var: result.stdout_lines   # Print the standard output of the executed command.
EXPECTED RESULTS

Connect to active directory and create group

ACTUAL RESULTS

connecting over port 22 and timing out
msg": "Unable to execute ssh command line on a controller due to: [Errno 2] No such file or directory: b'ssh'"


Error: The term 'Get-ADRootDSE' is not recognized as the name of a cmdlet

Hi Team,

When I'm using any of the examples I get the following error.

I also installed the ActiveDirectory module on AD but still no luck.

The term 'Get-ADRootDSE' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

How to secure credentials with microsoft.ad.ldap inventory plugin

SUMMARY

I can't see a way to secure the credentials required for microsoft.ad.ldap inventory plugin. The documented examples show the different authentication options, but how do you use the plugin without entering the credentials in plaintext?

This will lead to issues using the plugin with AWX or automation controller where we would typically pull the inventory configuration from source control.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

microsoft.ad.ldap inventory plugin

ADDITIONAL INFORMATION

Typically inventory plugins have the option of using environment variables which allow us to source them from a project in AWX and then use custom credential types in AWX to inject the necessary environment variables. This means we don't need to store the credentials with the inventory configuration in source control.

Looking at nearly all inventory plugins you'll see examples of this. For example the AWX inventory plugin - https://docs.ansible.com/ansible/latest/collections/awx/awx/controller_inventory.html#ansible-collections-awx-awx-controller-inventory

microsoft.ad.user failed due to "protect_from_deletion" parameter as "ProtectedFromAccidentalDeletion" cannot be found

SUMMARY

Failed to update AD user accounts with microsoft.ad.user module by adding protect_from_deletion parameter. Got error message: A parameter cannot be found that matches parameter name 'ProtectedFromAccidentalDeletion'.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.user

ANSIBLE VERSION
ansible [core 2.15.2]
  config file = /Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg
  configured module search path = ['/Users/ericca/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/ericca/sources/OrionHealth/nzms-ansible/.venv/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/ericca/sources/OrionHealth/nzms-ansible/galaxy/collections
  executable location = /Users/ericca/sources/OrionHealth/nzms-ansible/.venv/bin/ansible
  python version = 3.11.4 (main, Jun 20 2023, 17:23:00) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/Users/ericca/sources/OrionHealth/nzms-ansible/.venv/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection   Version
------------ -------
microsoft.ad 1.2.0
CONFIGURATION
COLLECTIONS_PATHS(/Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg) = ['/Users/ericca/sources/OrionHealth/nzms-ansible/galaxy/collections']
CONFIG_FILE() = /Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg
DEFAULT_ROLES_PATH(/Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg) = ['/Users/ericca/sources/OrionHealth/nzms-ansible/galaxy/roles']
DEFAULT_TIMEOUT(/Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg) = 30
DEPRECATION_WARNINGS(/Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg) = False
PAGER(env: PAGER) = less
RETRY_FILES_ENABLED(/Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg) = False
OS / ENVIRONMENT

Target host:

  • OS: Microsoft Windows Server 2019 Datacenter
  • PowerShell:
PS C:\Windows\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.17763.4644
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.4644
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

AD: AWS managed Active Directory

  • OS: Windows Server 2019

Ansible master host:

  • OS: Mac OS Ventura 13.5 arm64 Darwin Kernel Version 22.6.0
STEPS TO REPRODUCE
- name: Ensure service AD accounts exist
  microsoft.ad.user:
    name: "{{ item.name }}"
    upn: "{{ item.name }}@{{ ad_domain }}"
    firstname: "{{ item.name }}"
    password: "{{ item.password }}"
    description: "{{ item.description }}"
    path: "OU=Users,{{ ad_root_ou }}"
    state: present
    groups:
      add: "{{ item.groups | default([]) }}"
    update_password: when_changed
    password_never_expires: "{{ item.password_never_expires | default(omit) }}"
    user_cannot_change_password: "{{ item.user_cannot_change_password | default(omit) }}"
    spn:
      set: "{{ item.spn | default([]) }}"
    email: "{{ NZMS_email }}"
    domain_server: "{{ ad_domain }}"
    protect_from_deletion: true
  loop: "{{ service_ad_accounts }}"

Added protect_from_deletion: true into above existing task and run Ansible playbook to update the existing AD user accounts.

EXPECTED RESULTS

The AD user accounts could be updated successfully by adding protect_from_deletion: true.

ACTUAL RESULTS

Update failed with error message:

A parameter cannot be found that matches parameter name 'ProtectedFromAccidentalDeletion'.
At line:1091 char:66
+ ...       $finalADObject = & $setCommand @commonParams @setParams @adPara ...
+                                                        ~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-ADUser], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.SetADUser

ScriptStackTrace:
at Invoke-AnsibleADObject, <No file>: line 1091
at <ScriptBlock>, <No file>: line 458

microsoft.ad.identity working example

Please add an example of the microsoft.ad.identity parameter. It's not clear from the description how this should work and how it could change the sAMAccountName.

microsoft.ad.user - having trouble updating user password

SUMMARY

I'm attempting to update a service account (standard ad user, not a gmsa, etc.), but I'm having trouble getting this module to work as a replacement for win_domain_user. Ideally, I would like to pass in the sam account name of the service account, and update the password.

  • I have tried using the identity property exclusively (to initially find the object), but I receive an error that "name" is required.
  • I have tried using the name property exclusively (to initially find the object), but I receive an error that the account already exists. I'm assuming the module needs "path" in this case?
  • I have tried using the identity and name properties together, but this creates an issue where the module tries to rename/move the AD user object.

The accounts will be in separate OUs, so I cannot hard-code the path. I do see an object_info module that I could use to query for the user object first, but it seems the ad.user module should be able to accomplish the task at hand (as it's a replacement for win_domain_user).

Do you have any suggestions on the use case above?

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.user

ANSIBLE VERSION
ansible [core 2.12.10]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/opt/ansible-venv/5.10.0-core-2.12.10/share/ansible/plugins/modules']
  ansible python module location = /opt/ansible-venv/5.10.0-core-2.12.10/lib/python3.8/site-packages/ansible
  ansible collection location = /opt/ansible-venv/5.10.0-core-2.12.10/share/ansible/collections
  executable location = /opt/ansible-venv/5.10.0-core-2.12.10/bin/ansible
  python version = 3.8.0 (default, Dec  9 2021, 17:53:27) [GCC 8.4.0]
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION
Collection   Version
------------ -------
microsoft.ad 1.2.0

CONFIGURATION
COLLECTIONS_PATHS(/etc/ansible/ansible.cfg) = ['/opt/ansible-venv/5.10.0-core-2.12.10/share/ansible/collections']
DEFAULT_CALLBACK_PLUGIN_PATH(/etc/ansible/ansible.cfg) = ['/opt/ansible-venv/5.10.0-core-2.12.10/share/ansible/plugins/callback']
DEFAULT_FILTER_PLUGIN_PATH(/etc/ansible/ansible.cfg) = ['/opt/ansible-venv/5.10.0-core-2.12.10/share/ansible/plugins/filter']
DEFAULT_FORKS(/etc/ansible/ansible.cfg) = 20
DEFAULT_HOST_LIST(/etc/ansible/ansible.cfg) = ['/etc/ansible/inventory/running']
DEFAULT_LOG_PATH(/etc/ansible/ansible.cfg) = /var/log/ansible/ansible.log
DEFAULT_MODULE_PATH(/etc/ansible/ansible.cfg) = ['/opt/ansible-venv/5.10.0-core-2.12.10/share/ansible/plugins/modules']

OS / ENVIRONMENT
STEPS TO REPRODUCE

See summary above.

EXPECTED RESULTS

microsoft.ad.user can update user account passwords by passing in samaccountname similar to win_domain_user.

ACTUAL RESULTS
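
A two-step pattern that works around the ambiguity described in this report, as an added example that is not part of the original report and not the collection's own documentation: look the account up by sAMAccountName with microsoft.ad.object_info, then pass the returned DistinguishedName to microsoft.ad.user as identity and reuse the returned Name so that, with path omitted, nothing is renamed or moved. The account name svc_app01, the jumpserver variable, the vaulted password variable and the assumption that the module performs no rename or move when name equals the current CN and path is omitted are all assumptions of this example.

```yaml
# Added example: reset a service account password knowing only its sAMAccountName.
# svc_app01, jumpserver and vault_svc_app01 are assumed names, not from the report.
- name: Reset a service account password by sAMAccountName
  hosts: localhost
  gather_facts: false
  vars:
    svc_sam: svc_app01                          # assumed account; its OU is unknown
    svc_new_password: "{{ vault_svc_app01 }}"   # assumed vaulted variable
  tasks:
    - name: Locate the account anywhere in the domain (no path needed)
      microsoft.ad.object_info:
        filter: "sAMAccountName -eq '{{ svc_sam }}'"
        properties:
          - sAMAccountName
      delegate_to: "{{ jumpserver }}"           # Windows host with the AD PowerShell module
      register: svc_lookup

    - name: Refuse to continue unless the lookup is unambiguous
      ansible.builtin.assert:
        that: svc_lookup.objects | length == 1
        fail_msg: "expected exactly one object for {{ svc_sam }}, got {{ svc_lookup.objects | length }}"

    - name: Update the password without renaming or moving the object
      microsoft.ad.user:
        identity: "{{ svc_lookup.objects[0].DistinguishedName }}"
        name: "{{ svc_lookup.objects[0].Name }}"   # unchanged CN, so no rename; path omitted, so no move
        password: "{{ svc_new_password }}"
        update_password: always                    # on_create/when_changed would skip an existing account
        state: present
      delegate_to: "{{ jumpserver }}"
      no_log: true                                 # keep the password out of logs and callback output
```

The assert step matters for a password reset: a filter that unexpectedly matches zero or several objects should stop the play rather than silently reset the wrong account, and no_log keeps the new secret out of the controller log (DEFAULT_LOG_PATH is set in this report's configuration).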

Manage AD Object Permissions

SUMMARY

We need to set/modify permissions on OUs and sometimes groups. It would be nice to do this with Ansible too. This includes enabling and disabling permission inheritance as well as add/set/remove of permissions. I am not sure if this should be a new module microsoft.ad.acl or should be integrated into ADObject.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

microsoft.ad.ou, microsoft.ad.group, microsoft.ad.user, microsoft.ad.object, microsoft.ad.computer

ADDITIONAL INFORMATION
- name: Ensure OU is protected
  microsoft.ad.acl:
    path: OU=AnsibleFest,DC=ansible,DC=local
    permissions:
      set:
        - group: Everyone
          rights: DeleteChild, DeleteTree, Delete
          type: deny
        - group: NT AUTHORITY\SYSTEM
          rights: GenericAll
        - group: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
          rights: GenericRead
        - group: ANSIBLE\Domänen-Admins
          rights: GenericAll
        - group: ANSIBLE\AnsibleFestAdmins
          rights: CreateChild, DeleteChild
          object_type: bf967aba-0de6-11d0-a285-00aa003049e2
        - group: ANSIBLE\AnsibleFestAdmins
          rights: GenericAll
          inherited_object_type: bf967aba-0de6-11d0-a285-00aa003049e2
          inheritance: Descendents
- name: Ensure OU is present & protected
  microsoft.ad.ou:
    name: AnsibleFest
    permissions:
      set:
        - group: Everyone
          rights: DeleteChild, DeleteTree, Delete
          type: deny
        - group: NT AUTHORITY\SYSTEM
          rights: GenericAll
        - group: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
          rights: GenericRead
        - group: ANSIBLE\Domänen-Admins
          rights: GenericAll
        - group: ANSIBLE\AnsibleFestAdmins
          rights: CreateChild, DeleteChild
          object_type: bf967aba-0de6-11d0-a285-00aa003049e2
        - group: ANSIBLE\AnsibleFestAdmins
          rights: GenericAll
          inherited_object_type: bf967aba-0de6-11d0-a285-00aa003049e2
          inheritance: Descendents

Allow passing username/password from env variables

SUMMARY

In the microsoft.ad.ldap module, if I specify the credentials as:

...
username: "{{ lookup('env', 'ansible_user_windows_sig') }}"
password: "{{ lookup('env', 'ansible_password_windows_sig') }}"
...

I get an error:

❯ ansible-inventory  --inventory /home/fabrice/projects/SS.INFRA.Ansible/inventories/microsoft.ad.ldap.yml --list
[WARNING]:  * Failed to parse /home/fabrice/projects/SS.INFRA.Ansible/inventories/microsoft.ad.ldap.yml with
ansible_collections.microsoft.ad.plugins.inventory.ldap plugin: Received LDAPResult error bind failed -
INVALID_CREDENTIALS - 8009030C: LdapErr: DSID-0C0905E2, comment: AcceptSecurityContext error, data 52e, v3839
[WARNING]:  * Failed to parse /home/fabrice/projects/SS.INFRA.Ansible/inventories/microsoft.ad.ldap.yml with
ansible_collections.ansible.builtin.plugins.inventory.yaml plugin: Plugin configuration YAML file, not YAML inventory
[WARNING]:  * Failed to parse /home/fabrice/projects/SS.INFRA.Ansible/inventories/microsoft.ad.ldap.yml with
ansible_collections.ansible.builtin.plugins.inventory.ini plugin: Invalid host pattern 'plugin:' supplied, ending in ':'
is not allowed, this character is reserved to provide a port.
[WARNING]: Unable to parse /home/fabrice/projects/SS.INFRA.Ansible/inventories/microsoft.ad.ldap.yml as an inventory
source
[WARNING]: No inventory was parsed, only implicit localhost is available
{
    "_meta": {
        "hostvars": {}
    },
    "all": {
        "children": [
            "ungrouped"
        ]
    }
}

(this works ok in https://docs.ansible.com/ansible/devel/collections/microsoft/ad/object_info_module.html#ansible-collections-microsoft-ad-object-info-module-requirements, ie. )

...
        domain_username: "{{ lookup('env', 'ansible_user_windows_sig') }}"
        domain_password: "{{ lookup('env', 'ansible_password_windows_sig') }}"
...
ISSUE TYPE
  • Feature Idea

While putting in the username: [email protected] and password: <password for the user> works, and I can obtain a kerberos ticket with kinit, ideally I would like to retrieve my credential from env vars....

COMPONENT NAME

microsoft.ad.ldap

ADDITIONAL INFORMATION

Module to create a new domain in an existing forest

SUMMARY

win_domain should support creating a new domain within an existing forest. It currently only seems to support creating a new Forest.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

win_domain

ADDITIONAL INFORMATION

Solves the problem of creating a child domain within an existing forest.

Example playbook, creating a parent domain in a new forest and creating a child domain within the existing forest using a proposed within_forest parameter:

- hosts: dc01
  tasks:
  - name: Make parent domain
    win_domain:
      dns_domain_name: parentdomain.local
      safe_mode_password: Password123
    register: create_forest
  - name: Reboot upon promotion
    win_reboot:
      reboot_timeout: 1800
      post_reboot_delay: 15
    when: create_forest.reboot_required
- hosts: dc02
  tasks:
  - name: Make child domain
    win_domain:
      dns_domain_name: childdomain.parentdomain.local
      within_forest: parentdomain.local
      safe_mode_password: Password123
    register: create_domain
  - name: Reboot upon promotion
    win_reboot:
      reboot_timeout: 1800
      post_reboot_delay: 15
    when: create_domain.reboot_required

microsoft.ad.user doesn't work idempotently when setting "accountExpires" attribute

SUMMARY

The microsoft.ad.user module doesn't work idempotently when setting the "accountExpires" attribute. The Ansible task always reports a "changed" status even when the actual value has not changed.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.user

ANSIBLE VERSION
ansible [core 2.15.2]
  config file = /Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg
  configured module search path = ['/Users/ericca/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/ericca/sources/OrionHealth/nzms-ansible/.venv/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/ericca/sources/OrionHealth/nzms-ansible/galaxy/collections
  executable location = /Users/ericca/sources/OrionHealth/nzms-ansible/.venv/bin/ansible
  python version = 3.11.4 (main, Jun 20 2023, 17:23:00) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/Users/ericca/sources/OrionHealth/nzms-ansible/.venv/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection   Version
------------ -------
microsoft.ad 1.2.0
CONFIGURATION
COLLECTIONS_PATHS(/Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg) = ['/Users/ericca/sources/OrionHealth/nzms-ansible/galaxy/collections']
CONFIG_FILE() = /Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg
DEFAULT_ROLES_PATH(/Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg) = ['/Users/ericca/sources/OrionHealth/nzms-ansible/galaxy/roles']
DEFAULT_TIMEOUT(/Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg) = 30
DEPRECATION_WARNINGS(/Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg) = False
PAGER(env: PAGER) = less
RETRY_FILES_ENABLED(/Users/ericca/sources/OrionHealth/nzms-ansible/ansible.cfg) = False
OS / ENVIRONMENT
Target host: Microsoft Windows Server 2019 Datacenter
AD: AWS managed Active Directory, OS Windows Server 2019
Ansible master host: Mac OS Ventura 13.5 arm64 Darwin Kernel Version 22.6.0
STEPS TO REPRODUCE
- name: Manage AD user accounts for individual end users
  microsoft.ad.user:
    name: "{{ item.name }}"
    upn: "{{ item.name }}@{{ ad_domain }}"
    firstname: "{{ item.firstname }}"
    surname: "{{ item.surname }}"
    email: "{{ item.email }}"
    company: "{{ item.company }}"
    # Generate a random password
    password: "{{ lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1, length=15) }}"
    path: "OU=Users,{{ ad_root_ou }}"
    # When 'present': creates or updates the user account; When 'absent': removes the user account if it exists.
    state: "{{ item.state | default('present') }}"
    # Always append 'Domain Users' as the default AD user group
    groups: 
      set: "{{ item.groups | default([]) + ['Domain Users'] }}"
    enabled: "{{ item.enabled | default(false) }}"
    update_password: on_create
    user_cannot_change_password: false
    domain_server: "{{ ad_domain }}"
    attributes:
      set:
        accountExpires:
          # Set the value to '0' to make the account never expires. Otherwise the value should be a 'date_time' type.
          # Refer to https://learn.microsoft.com/en-us/windows/win32/adschema/a-accountexpires
          type: "{{ item.expiry is defined | ternary('date_time', 'int') }}"
          value: "{{ item.expiry is defined | ternary(item.expiry, '0') }}"
  loop: "{{ ad_user_accounts }}"
  when: ad_user_accounts is defined
  tags: ad_user

I use a list group variable ad_user_accounts to manage multiple AD user accounts.

EXPECTED RESULTS

The task should not change anything and should output in green if no value in the ad_user_accounts group var has changed.

ACTUAL RESULTS

The task always outputs in yellow (changed) even when no value in the ad_user_accounts group var has changed.

Tried changing to use add instead of set under attributes and got the same result.

If I comment out the entire attributes section, then it works as expected and idempotently.

    attributes:
      set:
        accountExpires:
          # Set the value to '0' to make the account never expires. Otherwise the value should be a 'date_time' type.
          # Refer to https://learn.microsoft.com/en-us/windows/win32/adschema/a-accountexpires
          type: "{{ item.expiry is defined | ternary('date_time', 'int') }}"
          value: "{{ item.expiry is defined | ternary(item.expiry, '0') }}"

Feature Request: Collection-level Metadata for better execution-environment handling

SUMMARY

Dear maintainers,

Please add and maintain the python requirements of the collection in its "Collection-level Metadata" so that people can more easily use the collection in execution-environments when using it with awx or ansible automation controller.

The Collection-level Metadata makes it easier to include the collection in execution environments, since the Python dependencies are installed automatically when building the execution environment with ansible-builder.

As you are already maintaining the requirements.txt file, this would simply require a few more lines of yaml in form of an execution-environment.yml file. I would be glad to contribute a pull request with the necessary lines of code later today. I'm also willing to contribute to testing and building example execution environments in the future, even if it involves an increase in dependencies.

Thanks in advance

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

Metadata

ADDITIONAL INFORMATION

If you need further information about the Collection-level Metadata here is some documentation from the ansible-builder project Documentation.

error in object_info Unable to find type [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException].

SUMMARY

When I execute this task:

    - name: Find user samaccountname
      microsoft.ad.object_info:
        domain_server: denverco.gov
        domain_password: "{{ Upass }}"
        domain_username: "{{ Uname }}"
        filter: UserPrincipalName -eq "[email protected]"
        properties:
          - samaccountname
      delegate_to:  "{{ jumpserver }}"
      register: user_ad_info
      become: true

I get this error:
The full traceback is:
Unable to find type [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException].
At line:239 char:22
+ ... f ($exp -is [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundE ...
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Activ...tFoundException:TypeName) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : TypeNotFound

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 239
fatal: [localhost -> ansapp004p.denverco.gov]: FAILED! => {
    "changed": false,
    "msg": "Unhandled exception while executing module: Unable to find type [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException]."
}

This is on a Windows 2019 server with the ActiveDirectory module installed.
If I run this on a Windows 2022 server everything works as expected.
Both have .NET 4.8 and PowerShell 5 installed.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft/ad/plugins/modules/object_info.ps1

ANSIBLE VERSION
 ansible --version
ansible [core 2.15.3]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.16 (main, May 31 2023, 12:21:58) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] (/usr/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
1.3.0
CONFIGURATION

OS / ENVIRONMENT
STEPS TO REPRODUCE

see summary

    - name: Find user samaccountname
      microsoft.ad.object_info:
        domain_server: denverco.gov
        domain_password: "{{ Upass }}"
        domain_username: "{{ Uname }}"
        filter: UserPrincipalName -eq "[email protected]"
        properties:
          - samaccountname
      delegate_to:  "{{ jumpserver }}"
      register: user_ad_info
      become: true
EXPECTED RESULTS

TASK [show results] ******************************************************************************************************************************************
ok: [localhost] => {
    "msg": [
        {
            "changed": false,
            "failed": false,
            "objects": [
                {
                    "DistinguishedName": "CN=Troy........",
                    "Name": "Troy, Holly -......",
                    "ObjectClass": "user",
                    "ObjectGUID": "44118295-......7e3a24c53d9",
                    "samaccountname": "20....."
                }
            ]
        }
    ]
}

ACTUAL RESULTS

TASK [Find user samaccountname] ******************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at <ScriptBlock>, <No file>: line 239
fatal: [localhost -> ansapp004p.denverco.gov]: FAILED! => {"changed": false, "msg": "Unhandled exception while executing module: Unable to find type [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException]."}


New Release of microsoft.ad

SUMMARY

I'm currently in the process of switching from the deprecated community.windows modules to the new microsoft.ad modules in Ansible.
Therefore, the issue with long group names is blocking me.
So my question is: is it possible to release a new version of microsoft.ad that includes this fix:
#95

I would support with preparing the new Release if it is necessary.

ISSUE TYPE

New Release

COMPONENT NAME

win_domain_group_membership_module.html
microsoft.ad.group

ADDITIONAL INFORMATION

microsoft.ad.user - New-ADUser failed: A parameter cannot be found that matches parameter name 'LockedOut'

SUMMARY
ISSUE TYPE
* Bug Report
COMPONENT NAME
* microsoft.ad.user
ANSIBLE VERSION
  ansible [core 2.16.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.5 (main, Oct 25 2023, 14:45:39) [GCC 8.5.0 20210514 (Red Hat 8.5.0-21)] (/usr/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
ansible-galaxy 2.10.17
$ ansible-galaxy collection list | grep microsoft.ad
microsoft.ad                  1.3.0
OS / ENVIRONMENT
* Testing on a Windows Server 2016
STEPS TO REPRODUCE
* Try to add a user object with the following flag using "microsoft.ad.user" module:
  account_locked: true/false
- name: Configure ActiveDirectory users
  microsoft.ad.user:
    state: "{{ item.ensure | default(active_directory_ensure) }}"
    name: "{{ item.name }}"
    display_name: "{{ item.displayname }}"
    firstname: "{{ item.first_name }}"
    surname: "{{ item.last_name }}"
    password_expired: "{{ item.password_change | default(active_directory_expired_password) }}"
    user_cannot_change_password: "{{ item.user_cant_change_password | default(active_directory_user_cannot_change_password_enabled) }}"
    account_locked: "{{ item.locked_enabled | default(active_directory_account_locked_enabled) }}"
EXPECTED RESULTS
* AD User gets created successfully with the "account_locked" attribute as true or false
ACTUAL RESULTS
* Task fails as below:
"msg": "New-ADUser failed: A parameter cannot be found that matches parameter name 'LockedOut'."

microsoft.ad.computer fails if computer already exists

SUMMARY

The microsoft.ad.computer module fails if the computer already exists.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.computer

ANSIBLE VERSION
ansible [core 2.13.3]
  config file = /path/ansible.cfg
  configured module search path = ['/home/ubuntu/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /path/lib/python3.8/site-packages/ansible
  ansible collection location = /home/ubuntu/.ansible/collections:/usr/share/ansible/collections
  executable location = /path/bin/ansible
  python version = 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = False
COLLECTION VERSION
# /home/ubuntu/.ansible/collections/ansible_collections
Collection   Version
------------ -------
microsoft.ad 1.2.0
CONFIGURATION
ANSIBLE_PIPELINING(/path/playbooks/ansible.cfg) = True
CALLBACKS_ENABLED(/path/playbooks/ansible.cfg) = ['log_plays', 'profile_roles', 'profile_tasks', 'timer']
DEFAULT_FILTER_PLUGIN_PATH(/path/playbooks/ansible.cfg) = ['/path/playbooks/filter_plugins']
DEFAULT_FORKS(/path/playbooks/ansible.cfg) = 100
DEFAULT_LOAD_CALLBACK_PLUGINS(/path/playbooks/ansible.cfg) = True
DEFAULT_STDOUT_CALLBACK(/path/playbooks/ansible.cfg) = yaml
DEFAULT_TIMEOUT(/path/playbooks/ansible.cfg) = 600
HOST_KEY_CHECKING(/pathplaybooks/ansible.cfg) = False
OS / ENVIRONMENT

Ansible host: Ubuntu 20.04
Ansible target: Microsoft Windows Server 2016

STEPS TO REPRODUCE
- name: Add domain computer twice
  microsoft.ad.computer:
    name: "{{ item.name }}"
  loop:
   - name: Host1
   - name: Host1
EXPECTED RESULTS

Expect to get a CHANGED status and then an OK status

ACTUAL RESULTS

Second attempt to create computer results in failure with error: New-ADComputer failed: The specified account already exists

Using module file /home/ubuntu/.ansible/collections/ansible_collections/microsoft/ad/plugins/modules/computer.ps1
Pipelining is enabled.
PSRP: EXEC (via pipeline wrapper)
Using module file /home/ubuntu/.ansible/collections/ansible_collections/microsoft/ad/plugins/modules/computer.ps1
Pipelining is enabled.
PSRP: EXEC (via pipeline wrapper)
<10.1.1.10> PSRP RC: 1
<10.1.1.10> PSRP STDOUT: {"changed":false,"invocation":{"module_args":{"domain_server":null,"protect_from_deletion":null,"sam_account_name":null,"identity":null,"upn":null,"path":null,"dns_hostname":null,"trusted_for_delegation":null,"state":"present","description":null,"kerberos_encryption_types":null,"domain_username":null,"enabled":null,"delegates":null,"spn":null,"managed_by":null,"location":null,"domain_password":null,"attributes":{"add":{},"set":{},"remove":{}},"display_name":null,"name":"Host1"}},"distinguished_name":null,"object_guid":null,"failed":true,"msg":"New-ADComputer failed: The specified account already exists","exception":"The specified account already exists\r\nAt line:963 char:29\r\n+                 $adObject = \u0026 $newCommand @newParams @adParams\r\n+                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : ResourceExists: (CN=Host1,DC=example,DC=local:String) [New-ADComputer], ADIdentityAlreadyExistsException\r\n    + FullyQualifiedErrorId : ActiveDirectoryServer:1316,Microsoft.ActiveDirectory.Management.Commands.NewADComputer\r\n\r\nScriptStackTrace:\r\nat Invoke-AnsibleADObject, \u003cNo file\u003e: line 963\r\nat \u003cScriptBlock\u003e, \u003cNo file\u003e: line 204"}
<10.1.1.10> PSRP STDERR:
The full traceback is:
The specified account already exists
At line:963 char:29
+                 $adObject = & $newCommand @newParams @adParams
+                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceExists: (CN=Host1,DC=example,DC=local:String) [New-ADComputer], ADIdentityAlreadyExistsException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1316,Microsoft.ActiveDirectory.Management.Commands.NewADComputer

ScriptStackTrace:
at Invoke-AnsibleADObject, <No file>: line 963
at <ScriptBlock>, <No file>: line 204
failed: [dc] (item={'name': 'Host1'}) => changed=false
  ansible_loop_var: item
  distinguished_name: null
  invocation:
    module_args:
      attributes:
        add: {}
        remove: {}
        set: {}
      delegates: null
      description: null
      display_name: null
      dns_hostname: null
      domain_password: null
      domain_server: null
      domain_username: null
      enabled: null
      identity: null
      kerberos_encryption_types: null
      location: null
      managed_by: null
      name: Host1
      path: null
      protect_from_deletion: null
      sam_account_name: null
      spn: null
      state: present
      trusted_for_delegation: null
      upn: null
  item:
    name: Host1
  msg: 'New-ADComputer failed: The specified account already exists'
  object_guid: null

How do you actually execute modules in this collection (requires powershell)?

SUMMARY

I'm trying to leverage microsoft.ad.group to manage groups in AD. The module documentation and examples are relatively straightforward. However, what's NOT straightforward is the connectivity/interpreter requirements to execute the module(s).

I keep encountering this error:

module_stderr: |-
    /bin/sh: 1: powershell: not found
  module_stdout: ''
  msg: |-
    The module failed to execute correctly, you probably need to set the interpreter.
    See stdout/stderr for the exact error

So far, I've tried the following, all with the same error:

  1. targeting localhost (no fact gathering) with ansible_connection: local and just using the module as shown in examples
  2. tried using args.executable like you would in the shell module, pointing it to powershell core installed on controller (/usr/bin/pwsh)
  3. tried setting the variable ansible_python_interpreter at the task level and setting it to the path of powershell core installed on the controller (/usr/bin/pwsh)
  4. tried executing the playbook against a native Windows host that has powershell and AD modules installed
  5. tried delegating the task to a Windows host

I feel like I've scoured all of the usual sources (chats, forums, GH issues), but I see no clear-cut examples of execution or host setup/dependencies beyond the "PowerShell ActiveDirectory module".

ISSUE TYPE
  • Documentation Report
COMPONENT NAME

microsoft.ad.group

ANSIBLE VERSION
ansible [core 2.14.4]
  config file = /home/ben/workspace/kiewit/ansible/playbooks/ap_azure/ansible.cfg
  configured module search path = ['/home/ben/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ben/venvs/venv3_ansible-7.4.0/lib/python3.10/site-packages/ansible
  ansible collection location = /home/ben/workspace/kiewit/ansible/playbooks/ap_azure/collections:/home/ben/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ben/venvs/venv3_ansible-7.4.0/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/home/ben/venvs/venv3_ansible-7.4.0/bin/python3)
  jinja version = 3.1.2
  libyaml = True
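
The modules in this collection are PowerShell scripts (the tracebacks elsewhere on this page reference computer.ps1 and object_info.ps1), so they run on a Windows target that has the ActiveDirectory PowerShell module; a controller-side interpreter setting or pwsh on Linux does not help. The following inventory and play, an added example that is not part of the original report or the collection's own documentation, show one working layout: a Windows management host reached over PSRP with Kerberos, the RSAT feature ensured with ansible.windows.win_feature, and the collection module then run on that host. The hostnames, group name, domain, account names and the use of ansible.windows.win_feature are assumptions of this example.

```yaml
# Added example: inventory.yml. Hostnames, domain and account are assumptions.
all:
  children:
    ad_admin_hosts:
      hosts:
        mgmt01.example.com:                     # assumed Windows host, domain-joined
      vars:
        ansible_connection: psrp                # PowerShell Remoting over HTTPS
        ansible_psrp_auth: kerberos             # ticket obtained with kinit on the controller
        ansible_psrp_cert_validation: validate  # do not disable certificate checks in production
        ansible_user: ansible-svc@EXAMPLE.COM   # assumed delegated admin account
---
# Added example: playbook.yml. Group and member names are assumptions.
- name: Manage AD groups from a Windows management host
  hosts: ad_admin_hosts
  gather_facts: false
  tasks:
    - name: Ensure the ActiveDirectory PowerShell module (RSAT) is present on the target
      ansible.windows.win_feature:
        name: RSAT-AD-PowerShell
        state: present

    - name: Ensure the group exists and has the expected member
      microsoft.ad.group:
        name: app-admins
        scope: global
        category: security
        domain_server: dc01.example.com         # pin a DC so reads and writes hit the same server
        members:
          add:
            - svc_app01

# Equivalent layout when the play targets localhost: keep the same inventory group
# and add "delegate_to: mgmt01.example.com" to each microsoft.ad.* task instead.
```

Either run the play directly against the Windows host, as above, or keep hosts: localhost and delegate each microsoft.ad task to a host from that inventory group; in both cases the Windows-side connection variables are what make the PowerShell module runnable, not ansible_python_interpreter or args.executable.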

Missing @adParams for Rename-ADObject and Move-ADObject

SUMMARY

Moving or renaming objects doesn't work as expected: the specified DC is not used, and auth should not be working (I guess).

ISSUE TYPE
  • Bug Report
COMPONENT NAME

_ADObject.psm1 used by all modules
Move-ADObject and Rename-ADObject are missing @adParams

ANSIBLE VERSION
ansible [core 2.13.11]
  config file = 
  configured module search path = 
  ansible python module location = 
  ansible collection location = 
  executable location = 
  python version = 3.8.0 (default, Feb 28 2023, 16:22:29) [GCC 8.4.0]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection   Version
------------ -------
microsoft.ad 1.2.0
CONFIGURATION
not relevant
OS / ENVIRONMENT

not relevant

STEPS TO REPRODUCE
- microsoft.ad.group:
    domain_server: xyz
EXPECTED RESULTS

The Group is renamed/moved using the DC specified by domain_server

ACTUAL RESULTS

The group is renamed/moved using the default DC of the server connected to.
Leads to replication delays etc.

microsoft.ad.ldap inventory plugin attribute values ("__ansible_unsafe")

SUMMARY

Hello!
I'm trying to use microsoft.ad collection with AWX 22.5.0
I've prepared a custom AWX-EE with all dependencies and everything looks ok, except custom attributes of the inventory plugin.
The inventory plugin documentation says:

Attributes that are denoted as single value in the LDAP schema are returned as that single value, multi valued attributes are returned as a list of values.

But when i am trying to get attribute from AD:

attributes:
  operatingSystem:
    operating_system:

It returns dictionary like that:

{
  "ansible_host": "hostname",
  "microsoft_ad_distinguished_name": "CN=hostname,OU=Servers,DC=EXAMPLE,DC=local",
  "operating_system": {
    "__ansible_unsafe": "Windows Server 2016 Standard"
  }
}

This behaviour was tested on Ansible core versions 2.12 and 2.15.3rc1 and is the same for all custom attributes, but standard fields like microsoft_ad_distinguished_name and ansible_host look fine.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.ldap inventory plugin

ANSIBLE VERSION
ansible-inventory [core 2.15.3rc1]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /runner/requirements_collections:/root/.ansible/collections:/usr/share/ansible/collections:/usr/share/automation-controller/collections
  executable location = /usr/local/bin/ansible-inventory
  python version = 3.9.17 (main, Jun 26 2023, 00:00:00) [GCC 11.4.1 20230605 (Red Hat 11.4.1-2)] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection              Version
----------------------- -------
microsoft.ad            1.2.0
CONFIGURATION
CONFIG_FILE() = None
OS / ENVIRONMENT

Microsoft AD Server

STEPS TO REPRODUCE
plugin: microsoft.ad.ldap
tls_mode: ldaps
cert_validation: ignore
search_base: DC=EXAMPLE,DC=local
filter: (&(objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=EXAMPLE,DC=local))
# Only allow Kerberos authentication.
auth_protocol: kerberos

attributes:
  operatingSystem:
    operating_system:
EXPECTED RESULTS

{
    "ansible_host": "hostname",
    "microsoft_ad_distinguished_name": "CN=hostname,OU=Servers,DC=EXAMPLE,DC=local",
    "operating_system": "Windows Server 2016 Standard"
}

ACTUAL RESULTS

{
    "ansible_host": "hostname",
    "microsoft_ad_distinguished_name": "CN=hostname,OU=Servers,DC=EXAMPLE,DC=local",
    "operating_system": {
        "__ansible_unsafe": "Windows Server 2016 Standard"
    }
}


Adding members to a group requires an explicit path to be set

SUMMARY

When using version 1.1 of the module, the microsoft.ad.group module returns an access denied error unless a "Path" variable is defined. I suspect that the module tries to move the specific AD group. When the "Path" variable is added, the code works as expected and adds the user to the AD group.

The task is delegated to a server with the correct AD tools, and has been verified to work correctly with the usage of the previous module (community.windows.win_domain_group). The username and password are also correct and verified using the community.windows.win_domain_group module.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.group

ANSIBLE VERSION
ansible [core 2.15.6]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /home/runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.9.18 (main, Sep 22 2023, 17:58:34) [GCC 8.5.0 20210514 (Red Hat 8.5.0-20)] (/usr/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection   Version
------------ -------
microsoft.ad 1.1.0

CONFIGURATION
CONFIG_FILE() = /etc/ansible/ansible.cfg
OS / ENVIRONMENT

Target OS is a mix of 2019 and 2022 servers, behavior does not change between them.

STEPS TO REPRODUCE

The following code fails and returns an error (see the error output below the Ansible code). When the Path variable is added, the playbook seems to work as expected.

- name: Add user's AD- account to group membership
  microsoft.ad.group:
    name: "AD-Group-Name"
    members:
      add:
      - "{{ form_username }}"
    scope: global
    category: security
    domain_username: "{{ domain_username }}"
    domain_password: "{{ domain_password }}"
  delegate_to: "{{ delegation_server_win }}"
  vars:
    ansible_user: "{{ ansible_user }}"
    ansible_password: "{{ ansible_password }}"
    ansible_winrm_server_cert_validation: ignore
    ansible_winrm_transport: kerberos
EXPECTED RESULTS

User added to group

ACTUAL RESULTS

Received the following fatal error:


FAILED! => {"changed": false, "distinguished_name": null, "msg": "New-ADGroup failed: Access is denied", "object_guid": null}

Does Not Move Object

Per https://docs.ansible.com/ansible/devel/collections/microsoft/ad/object_module.html

you are able to move an object.

- name: Move a contact object
  microsoft.ad.object:
    identity: '{{ contact_object.object_guid }}'
    name: MyContact
    path: OU=Contacts,DC=domain,DC=test
    type: contact
    state: present

All this actually does is create a NEW object in the path stated. Either this is a documentation issue or a bug. If a bug, please support moving AD objects from wherever they currently are in AD to where the Path above is specified.

In my case I'm trying to move a computer object that exists in AD. Its sAMAccountName is D0000002$. I need to ensure that this computer object is always in a defined OU. Thus I'm using the path to define where the object should be moved to. Below is the play I'm using. I've tried various things like removing the name and only specifying the identity. Each time it just creates a new computer object in the path defined below.

- name: Move Computer
  microsoft.ad.object:
    domain_username: "{{  WIN_USERNAME  }}"
    domain_password: "{{  WIN_PASSWORD  }}"
    name: D0000002
    identity: D0000002$
    path: "OU=Workstations,DC=Domain,DC=com"
    type: computer
    state: present
  delegate_to: "{{  automation_server  }}"

Using microsoft.ad.group to set members of a group does not work when both groups are in different OUs

SUMMARY

Using microsoft.ad.group to set members of a group does not work when both groups are in different OUs

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.group

ANSIBLE VERSION
ansible [core 2.16.3]
python version = 3.12.1
COLLECTION VERSION
Collection                    Version
----------------------------- -------
microsoft.ad                  1.4.1
CONFIGURATION

OS / ENVIRONMENT
STEPS TO REPRODUCE
- name: Add TEST-MS-SQL-Server-abc-Administratoren to TEST-MS-SQL-DBE-abc-sysadmin
  microsoft.ad.group:
    identity: TEST-MS-SQL-DBE-abc-sysadmin
    members:
      set:
        - TEST-MS-SQL-Server-abc-Administratoren
  delegate_to: "powershell_host"
EXPECTED RESULTS

Add Group "TEST-MS-SQL-Server-abc-Administratoren" as a member of "TEST-MS-SQL-DBE-abc-sysadmin"
OU from "TEST-MS-SQL-Server-abc-Administratoren": "CN=TEST-MS-SQL-DBE-abc-sysadmin,OU=Test-MS-SQL,OU=Test-Anwendungen,OU=Test-AD-Rollengruppe,OU=Test-Group,DC=test,DC=test,DC=de"
OU from "TEST-MS-SQL-DBE-abc-sysadmin": "CN=TEST-MS-SQL-DBE-abc-sysadmin,OU=Test-MS-SQL,OU=Test-Anwendungen,OU=Test-AD-Berechtigungsgruppen,OU=Test-Group,DC=test,DC=test,DC=de"

ACTUAL RESULTS
fatal: [ANSIBLE-TESTVM-WINDOWS-W2K22 -> powershell_host]: FAILED! => {"changed": false, "distinguished_name": "CN=TEST-MS-SQL-DBE-abc-sysadmin,OU=Test-MS-SQL,OU=Test-Anwendungen,OU=Test-AD-Berechtigungsgruppen,OU=Test-Group,DC=test,DC=test,DC=de", "msg": "Failed to find the following ad objects for group members: 'TEST-MS-SQL-Server-abc-Administratoren'", "object_guid": "f9981696-73a7-4d48-9b71-a99602f6a48e"}

microsoft.ad.group module : Set members list

SUMMARY
The process fails when you try to set multiple group members. Some groups are not found by the module although they were previously created by it.
The microsoft.ad.group module (Manage Active Directory group objects) has an option under the members attribute to set a list of groups.

ISSUE TYPE

  • Bug Report

COMPONENT NAME
microsoft.ad.group module

ANSIBLE VERSION
ansible [core 2.16.4]
config file = None
python version = 3.11.2 (main, Mar 13 2023, 12:18:29)
jinja version = 3.1.3
libyaml = True

COLLECTION VERSION
microsoft.ad collection (version 1.4.1)

CONFIGURATION

- name: Creat ADDC groups whith members
  microsoft.ad.group:
    name: "{{ item.name }}"
    description : "{{ item.description }}"
    scope: "{{ item.scope }}"
    path: "{% if item.path != '' %}OU={{ item.path }},{{ fqdn_path }}{% else %}{{ group_fqdn_path }}{% endif %}"
    state: present
    members:
      set: "{{ item.member_of.split(',') }}"    
    protect_from_deletion: true
  loop: "{{ site_ADDC_groups }}"
site_ADDC_groups:
  - { UID: 'GRP_001', name: "GG_F_{{site_name}}_ADMIN-EAR-RW", scope: "global", path: "", description: "Administrateurs Reseau (Switch/Firewall/NTP)", member_of: ""}
  - { UID: 'GRP_038', name: "GG_F_{{site_name}}_PDT-RO", scope: "global", path: "", description: "Groupe d'authentification radius des postes de travail", member_of: "GG-NoLogon"}
  - { UID: 'GRP_039', name: "GG_F_{{site_name}}_SERVICE-RW", scope: "global", path: "", description: "Groupe des comptes de service", member_of: "GG-NoLogon,Utilisateurs du domaine"}
  - { UID: 'GRP_040', name: "GG_F_{{site_name}}_ADMIN-ITNI-RW", scope: "global", path: "", description: "Administrateurs System ITNI", member_of: "GG_F_{{site_name}}_ADMIN-EAR-RW,Admins du domaine"}

It was also tested with

    members:
      set: 
        - "GG-NoLogon"
        - "GG_F_{{site_name}}_ADMIN-EAR-RW"

OS / ENVIRONMENT
Debian 12

STEPS TO REPRODUCE
Some groups are working and others are not found.
Use the configuration above to reproduce the problem; for example, add GG_F_{{site_name}}_ADMIN-EAR-RW to the group list.

ACTUAL RESULTS

Some groups are working, like:

ok: [DR3SP-MULIWX01V] => (item={'UID': 'GRP_005', 'name': 'GG_F_ULI_ADMIN-AD-RW', 'scope': 'global', 'path': '', 'description': 'Administrateurs du domaine', 'member_of': 'Admins du domaine'})
ok: [DR3SP-MULIWX01V] => (item={'UID': 'GRP_038', 'name': 'GG_F_ULI_PDT-RO', 'scope': 'global', 'path': '', 'description': "Groupe d'authentification radius des postes de travail", 'member_of': 'GG-NoLogon'})

Some groups don't work:

failed: [DR3SP-MULIWX01V] (item={'UID': 'GRP_039', 'name': 'GG_F_ULI_SERVICE-RW', 'scope': 'global', 'path': '', 'description': 'Groupe des comptes de service', 'member_of': 'GG-NoLogon,Utilisateurs du domaine'}) => {"ansible_loop_var": "item", "changed": false, "distinguished_name": "CN=GG_F_ULI_SERVICE-RW,OU=Groupes,DC=ULI-3SP,DC=local", "item": {"UID": "GRP_039", "description": "Groupe des comptes de service", "member_of": "GG-NoLogon,Utilisateurs du domaine", "name": "GG_F_ULI_SERVICE-RW", "path": "", "scope": "global"}, "msg": "Failed to find the following ad objects for group members: 'Utilisateurs du domaine'", "object_guid": "b900f8a3-8dcc-4bb8-8fd0-b9750c641838"}
failed: [DR3SP-MULIWX01V] (item={'UID': 'GRP_040', 'name': 'GG_F_ULI_ADMIN-ITNI-RW', 'scope': 'global', 'path': '', 'description': 'Administrateurs System ITNI', 'member_of': 'GG_F_ULI_ADMIN-EAR-RW,Admins du domaine'}) => {"ansible_loop_var": "item", "changed": false, "distinguished_name": "CN=GG_F_ULI_ADMIN-ITNI-RW,OU=Groupes,DC=ULI-3SP,DC=local", "item": {"UID": "GRP_040", "description": "Administrateurs System ITNI", "member_of": "GG_F_ULI_ADMIN-EAR-RW,Admins du domaine", "name": "GG_F_ULI_ADMIN-ITNI-RW", "path": "", "scope": "global"}, "msg": "Failed to find the following ad objects for group members: 'GG_F_ULI_ADMIN-EAR-RW'", "object_guid": "cbc22327-476a-4665-96cc-59a880e8de2f"}
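The two reports above both end in "Failed to find the following ad objects for group members", once for a group in a different OU and once for names such as 'Utilisateurs du domaine'. What decides whether a member string resolves is which identity form it is taken for and which LDAP search that form needs. The following is an added example and not the microsoft.ad collection's own lookup code (the collection's actual resolution order is not shown on this page); it assumes a member may be given as a DN, an objectGUID, an objectSid, a UPN or a sAMAccountName, and builds the search base, scope and RFC 4515-escaped filter each form requires, so that a name taken from a playbook cannot alter the filter's meaning.

```python
"""Build the LDAP lookup for one group-member identity, with RFC 4515 escaping.

Added example; not the microsoft.ad collection's own code. Assumes members may
be given as DN, objectGUID, objectSid (SDDL string), UPN or sAMAccountName.
"""
import re
import struct
import uuid

_DN_RE = re.compile(r"^\s*(CN|OU|DC)=", re.IGNORECASE)
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for use inside an LDAP filter (RFC 4515).

    An unescaped '*', '(', ')' or '\\' in a member name would change what the
    filter matches (LDAP filter injection), so they are emitted as \\hh.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def _escape_bytes(raw: bytes) -> str:
    """Encode a binary attribute value (objectGUID, objectSid) for a filter."""
    return "".join("\\%02x" % b for b in raw)


def sid_to_bytes(sid: str) -> bytes:
    """Convert an SDDL SID string such as S-1-5-32-544 to its binary form."""
    parts = sid.split("-")
    revision = int(parts[1])
    authority = int(parts[2])
    sub_authorities = [int(p) for p in parts[3:]]
    return (
        bytes([revision, len(sub_authorities)])
        + authority.to_bytes(6, "big")          # identifier authority is big-endian
        + b"".join(struct.pack("<I", s) for s in sub_authorities)  # sub-authorities little-endian
    )


def classify_identity(identity: str) -> str:
    """Return which identity form a member string looks like."""
    if _DN_RE.match(identity):
        return "dn"
    if _SID_RE.match(identity):
        return "sid"
    try:
        uuid.UUID(identity)
        return "guid"
    except ValueError:
        pass
    if "@" in identity:
        return "upn"
    return "samaccountname"


def member_search(identity: str, default_base: str) -> tuple[str, str, str]:
    """Return (search base, scope, filter) that resolves one member identity.

    A DN is read directly with a base-scope search. Every other form needs a
    subtree search from default_base (normally the domain root), because the
    member may live in a different OU than the group being managed.
    """
    kind = classify_identity(identity)
    if kind == "dn":
        return identity.strip(), "base", "(objectClass=*)"
    if kind == "sid":
        return default_base, "subtree", "(objectSid=%s)" % _escape_bytes(sid_to_bytes(identity))
    if kind == "guid":
        # AD stores objectGUID with the first three fields little-endian.
        return default_base, "subtree", "(objectGUID=%s)" % _escape_bytes(uuid.UUID(identity).bytes_le)
    if kind == "upn":
        return default_base, "subtree", "(userPrincipalName=%s)" % escape_ldap_filter_value(identity)
    return default_base, "subtree", "(sAMAccountName=%s)" % escape_ldap_filter_value(identity)


if __name__ == "__main__":
    # Constructed inputs modelled on the identities in the reports above.
    base = "DC=test,DC=test,DC=de"
    for ident in (
        "TEST-MS-SQL-Server-abc-Administratoren",
        "Utilisateurs du domaine",
        "CN=TEST-MS-SQL-Server-abc-Administratoren,OU=Test-MS-SQL," + base,
        "f9981696-73a7-4d48-9b71-a99602f6a48e",
        "S-1-5-32-544",
        "svc(1)*@test.test.de",
    ):
        print(ident, "->", member_search(ident, base))
```

When a member is reported as not found, comparing the form you passed against the search this produces is a quick way to see whether the name is being looked up by the attribute you expect; a DN is the only form that does not depend on the search base.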

Docstring Does Match Code

SUMMARY

The docstring does not match the code. In this case it could significantly hamper a user that just reads the docs in getting the inventory plugin to pass the verify_file method.

ISSUE TYPE
  • Documentation Report
COMPONENT NAME

microsoft.ad.ldap

ANSIBLE VERSION
ansible [core 2.15.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/abcd/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /tmp/tmp.U0EmnSLyUv/ansible-core/lib64/python3.11/site-packages/ansible
  ansible collection location = /home/abcd/.ansible/collections:/usr/share/ansible/collections
  executable location = /tmp/tmp.U0EmnSLyUv/ansible-core/bin/ansible
  python version = 3.11.4 (main, Jun  7 2023, 00:00:00) [GCC 13.1.1 20230511 (Red Hat 13.1.1-2)] (/tmp/tmp.U0EmnSLyUv/ansible-core/bin/python)
  jinja version = 3.1.2
  libyaml = True

microsoft.ad.membership add reboot timeout option

SUMMARY

It would be great to add an option in this module to set the reboot timeout. Currently, when joining physical servers to the domain, I'm getting module errors due to the reboot timeout.
It's not a big deal as I can work around it by not using this option and instead using the standard reboot module - just an idea.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

microsoft.ad.membership

ADDITIONAL INFORMATION

"msg": "Timed out waiting for last boot time check (timeout=600)",

{
    "changed": true,
    "msg": "Failed to reboot after module returned reboot_required, see reboot_result and module_result for more details",
    "reboot_result": {
        "changed": true,
        "elapsed": 605,
        "failed": true,
        "unreachable": false,
        "rebooted": true,
        "msg": "Timed out waiting for last boot time check (timeout=600)",
        
    },
    "module_result": {
        "changed": true,
        "reboot_required": true
    },
    "invocation": {
        "module_args": {
            "reboot": true,
            "dns_domain_name": "domain",
            "domain_admin_user": "domain_admin",
            "offline_join_blob": null,
            "domain_admin_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "workgroup_name": null,
            "state": "domain",
            "hostname": "server1",
            "domain_ou_path": null
        }
    },
    "_ansible_no_log": null,
    "_ansible_delegated_vars": {
        "ansible_host": "10.10.10.10",
        "ansible_port": 5986,
        "ansible_user": "{{ username }}",
        "ansible_connection": "winrm"
    }
}

Getting an error while running the microsoft.ad module

SUMMARY

Getting an error while running the microsoft.ad modules.
Modules where the error occurs:
microsoft.ad.user
microsoft.ad.group

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.group
microsoft.ad.user

ANSIBLE VERSION
ansible 2.9.27
  config file = /ansible/microsoft/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.9.18 (main, Feb 17 2024, 05:09:41) [GCC 10.3.1 20210703 (ALT Sisyphus 10.3.1-alt2)]
COLLECTION VERSION
 "collection_info": {
  "namespace": "microsoft",
  "name": "ad",
  "version": "1.5.0",
  "authors": [
   "Jordan Borean @jborean93",
   "Matt Davis @nitzmahone"
  ],
.....
}
CONFIGURATION
COLLECTIONS_PATHS(/ansible/microsoft/ansible.cfg) = ['/ansible/microsoft/collections']
DEFAULT_BECOME_FLAGS(/ansible/microsoft/ansible.cfg) = -H -S
DEFAULT_CALLBACK_WHITELIST(/ansible/microsoft/ansible.cfg) = ['profile_tasks']
DEFAULT_FORKS(/ansible/microsoft/ansible.cfg) = 50
DEFAULT_GATHERING(/ansible/microsoft/ansible.cfg) = smart
DEFAULT_HOST_LIST(/ansible/microsoft/ansible.cfg) = ['/ansible/microsoft/inventory']
DEFAULT_LOG_PATH(/ansible/microsoft/ansible.cfg) = /ansible/microsoft/logs
DEFAULT_TIMEOUT(/ansible/microsoft/ansible.cfg) = 60
INVENTORY_CACHE_ENABLED(/ansible/microsoft/ansible.cfg) = True
INVENTORY_CACHE_PLUGIN(/ansible/microsoft/ansible.cfg) = jsonfile
OS / ENVIRONMENT

Target OS Windows Server 2019 Standard where user or group should be created.

STEPS TO REPRODUCE
- name: Create AD Client Tenant Group
  hosts: ad
  tasks:
    - name: Create Group
      microsoft.ad.group:
        name: Client001
        scope: global
        path: OU=Clients,DC=stg-ost,DC=daas,DC=cloud
        state: present
EXPECTED RESULTS

New group created

ACTUAL RESULTS
ansible-playbook 2.9.27
  config file = /ansible/microsoft/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.9.18 (main, Feb 17 2024, 05:09:41) [GCC 10.3.1 20210703 (ALT Sisyphus 10.3.1-alt2)]
Using /ansible/microsoft/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /ansible/microsoft/inventory/hosts as it did not pass its verify_file() method
script declined parsing /ansible/microsoft/inventory/hosts as it did not pass its verify_file() method
auto declined parsing /ansible/microsoft/inventory/hosts as it did not pass its verify_file() method
Parsed /ansible/microsoft/inventory/hosts inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python3/site-packages/ansible/plugins/callback/default.py
Skipping callback 'actionable', as we already have a stdout callback.
Skipping callback 'counter_enabled', as we already have a stdout callback.
Skipping callback 'debug', as we already have a stdout callback.
Skipping callback 'dense', as we already have a stdout callback.
Skipping callback 'dense', as we already have a stdout callback.
Skipping callback 'full_skip', as we already have a stdout callback.
Skipping callback 'json', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'null', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
Loading callback plugin profile_tasks of type aggregate, v2.0 from /usr/lib/python3/site-packages/ansible/plugins/callback/profile_tasks.py
Skipping callback 'selective', as we already have a stdout callback.
Skipping callback 'skippy', as we already have a stdout callback.
Skipping callback 'stderr', as we already have a stdout callback.
Skipping callback 'unixy', as we already have a stdout callback.
Skipping callback 'yaml', as we already have a stdout callback.

PLAYBOOK: create-group.yaml **********************************************************************************************************************************
Positional arguments: create-group.yaml
verbosity: 4
connection: smart
timeout: 60
become_method: sudo
tags: ('all',)
inventory: ('/ansible/microsoft/inventory',)
forks: 50
1 plays in create-group.yaml

PLAY [Create AD Client Tenant Group] *************************************************************************************************************************

TASK [Gathering Facts] ***************************************************************************************************************************************
task path: /ansible/microsoft/create-group.yaml:2
Tuesday 21 May 2024  17:18:50 +0300 (0:00:00.026)       0:00:00.026 ***********
Using module file /usr/lib/python3/site-packages/ansible/modules/windows/setup.ps1
Pipelining is enabled.
<10.234.10.10> ESTABLISH WINRM CONNECTION FOR USER: STG-OST.DAAS.CLOUD\ansible on PORT 5985 TO 10.234.10.10
EXEC (via pipeline wrapper)
ok: [10.234.10.10]
META: ran handlers

TASK [Create Group] ******************************************************************************************************************************************
task path: /ansible/microsoft/create-group.yaml:5
Tuesday 21 May 2024  17:18:56 +0300 (0:00:06.322)       0:00:06.349 ***********
Using module file /ansible/microsoft/collections/ansible_collections/microsoft/ad/plugins/modules/group.ps1
Pipelining is enabled.
<10.234.10.10> ESTABLISH WINRM CONNECTION FOR USER: STG-OST.DAAS.CLOUD\ansible on PORT 5985 TO 10.234.10.10
EXEC (via pipeline wrapper)
The full traceback is:
The term 'Invoke-AnsibleADObject' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:211 char:1
+ Invoke-AnsibleADObject @setParams
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Invoke-AnsibleADObject:String) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : CommandNotFoundException

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 211
fatal: [10.234.10.10]: FAILED! => {
    "changed": false,
    "msg": "Unhandled exception while executing module: The term 'Invoke-AnsibleADObject' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again."
}

PLAY RECAP ***************************************************************************************************************************************************
10.234.10.10               : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Tuesday 21 May 2024  17:18:59 +0300 (0:00:02.795)       0:00:09.144 ***********
===============================================================================
Gathering Facts --------------------------------------------------------------------------------------------------------------------------------------- 6.32s
/ansible/microsoft/create-group.yaml:2 ----------------------------------------------------------------------------------------------------------------------
Create Group ------------------------------------------------------------------------------------------------------------------------------------------ 2.80s
/ansible/microsoft/create-group.yaml:5 ----------------------------------------------------------------------------------------------------------------------


Encrypt LAPS credentials with ansible-vault

SUMMARY

It would be nice to have an option to encrypt the LAPS credentials fetched by the ldap inventory plugin with ansible-vault.
This would make storing the LAPS credentials in AWX a little bit more secure and won't allow users with read permissions on the inventory to view the credentials.
This would also be useful if you run this plugin without AWX to generate a "static" inventory file.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

microsoft.ad.ldap inventory

Logging verbosity

SUMMARY

I was doing some troubleshooting and another developer was inspecting your code. It doesn't appear that the output is improved when you increase Ansible logging by raising the verbosity.

ISSUE TYPE
  • Add improved logging verbosity levels for troubleshooting
COMPONENT NAME

Logging

ADDITIONAL INFORMATION

It would aid users who need to debug issues with the microsoft ad plugin

Error: Skip computer 'x' with new name 'x' because the new name is the same as the current name.

SUMMARY

The microsoft.ad.membership fails if the computer name is longer than 15 characters.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.membership

ANSIBLE VERSION
2.9.27
COLLECTION VERSION
microsoft.ad:1.5.0
CONFIGURATION

OS / ENVIRONMENT

Windows 10.

STEPS TO REPRODUCE

Join a computer to a domain using the following task. Use a computer name that is longer than 15 characters:

    - name: Join AD domain
      microsoft.ad.membership:
        dns_domain_name: "test.local"
        domain_admin_user: "{{ domain_admin_user}}"
        domain_admin_password: "{{ domain_admin_password }}"
        hostname: "my-long-computer-name"
        state: "domain"
        reboot: true
EXPECTED RESULTS

The step should succeed without changes because of idempotency.

ACTUAL RESULTS
Run: [2024-04-24 22:56:39,277][INFO][CMD]: TASK [ad-joined : Join AD domain]  **********************************************
Run: [2024-04-24 22:56:42,784][INFO][CMD]: fatal: [workstation] FAILED! => {"changed": false, "msg": "Skip computer 'my-long-computer-name' with new name 'my-long-computer-name' because the new name is the same as the current name.", "reboot_required": false}
Run: [2024-04-24 22:56:42,785][INFO][CMD]: 	to retry, use: --limit @/app/data/playbook.retry
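The report above uses a 21-character hostname, and Windows derives the computer's NetBIOS name by taking at most 15 characters of the first DNS label, so the name the machine actually carries after a join is not the string the playbook asked for. The following is an added example, not part of the microsoft.ad collection, and it does not reproduce the module's own comparison logic; it assumes only the 15-character NetBIOS limit and the DNS label character rules, and gives a pre-flight check that flags names which will be truncated, plus an idempotency comparison done on the truncated form.

```python
"""Pre-flight check for computer names before a domain join.

Added example, not part of the microsoft.ad collection. Assumes the Windows
rule that the NetBIOS computer name is at most 15 characters and that a
computer name should be a valid DNS label (letters, digits, '-').
"""
import re

NETBIOS_MAX_LEN = 15
_LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")


def netbios_name(hostname: str) -> str:
    """Return the NetBIOS name Windows derives from a hostname or FQDN."""
    label = hostname.split(".", 1)[0]
    return label[:NETBIOS_MAX_LEN].upper()


def check_computer_name(hostname: str) -> list[str]:
    """Return the problems a domain join would run into with this hostname."""
    problems = []
    label = hostname.split(".", 1)[0]
    if not label:
        return ["hostname is empty"]
    if not _LABEL_RE.match(label):
        problems.append("not a standard DNS label (letters, digits and '-'); Windows warns about other characters")
    if label.startswith("-") or label.endswith("-"):
        problems.append("a computer name may not begin or end with '-'")
    if len(label) > NETBIOS_MAX_LEN:
        problems.append(
            "%r is %d characters; the NetBIOS name is truncated to %r"
            % (label, len(label), netbios_name(hostname))
        )
    return problems


def same_computer(current: str, requested: str) -> bool:
    """True when renaming to `requested` would not change the NetBIOS name.

    Comparing the truncated, case-folded form is what keeps a join task
    idempotent: a machine already called MY-LONG-COMPUTE asking for
    my-long-computer-name is not a rename.
    """
    return netbios_name(current) == netbios_name(requested)


if __name__ == "__main__":
    # Constructed names; the second one is the hostname from the report above.
    for name in ("workstation", "my-long-computer-name", "srv_01.test.local", "-bad-"):
        print(name, "->", netbios_name(name), check_computer_name(name) or "ok")
```

Running the check in a pre-task before microsoft.ad.membership catches the truncation before a computer object is created under a name that differs from the DNS hostname; the Kerberos host SPNs registered at join time are built from that name, so a mismatch tends to surface later as authentication problems rather than at join time.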

Ansible Semaphore compatibility

SUMMARY

I am trying to use this plugin with Ansible Semaphore.

  • I am using a custom docker file:
# Dockerfile

FROM semaphoreui/semaphore:latest

USER root

# Install required packages and configure krb5.conf

#^ apk
RUN apk --no-cache add \
    su-exec \
    python3 \
    py3-pip \
    build-base \
    python3-dev \
    krb5-dev \
    krb5

#^ pip3 and packages 
RUN pip3 install --upgrade pip \
    && pip3 install \
    pywinrm \
    requests \
    pykerberos \
    krb5 \
    ldap3 \
    dnspython \
    pyspnego \
    pyspnego[kerberos] \
    sansldap

#FIXME: change your realms and domain controllers to your desired
#^ configure Kerberos
RUN  { \
        echo '[logging]'; \
        echo '# default = FILE:/var/log/krb5libs.log'; \
        echo '# kdc = FILE:/var/log/krb5kdc.log'; \
        echo '# admin_server = FILE:/var/log/kadmind.log'; \
        echo ''; \
        echo '[libdefaults]'; \
        echo 'dns_lookup_realm = false'; \
        echo 'ticket_lifetime = 24h'; \
        echo 'renew_lifetime = 7d'; \
        echo 'forwardable = true'; \
        echo 'rdns = false'; \
        echo ''; \
        echo '[realms]'; \
        echo 'DOMAIN1.COM = {'; \
        echo '  kdc = dc1.DOMAIN1.COM'; \
        echo '  kdc = dc2.DOMAIN1.COM'; \
        echo '}'; \
        echo 'DOMAIN2.COM = {'; \
        echo '  kdc = dc1.DOMAIN2.COM'; \
        echo '  kdc = dc2.DOMAIN2.COM'; \
        echo '}'; \
        echo ''; \
        echo '[domain_realm]'; \
        echo ''; \
    } > /etc/krb5.conf 

USER semaphore

(This, as basic as it is, is meant to address all the pre-requisites for winrm and kerberos, including the modules listed as pre-requisites for this plugin.)

deployed stack:

---
#FIXME: passwords should be coming from env vars - until this is fixed this file is Git-ignored
version: "2"

services:
  mysql:
    ports:
      - 3306:3306
    image: mysql:5.6
    container_name: mysql
    hostname: mysql
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
      MYSQL_DATABASE: semaphore_db
      MYSQL_USER: semaphore_user
      MYSQL_PASSWORD: < strong password >
    volumes:
      - semaphore-mysql:/var/lib/mysql

  semaphore:
    build: .
    ports:
      - 443:3000
    container_name: semaphore
    environment:
      SEMAPHORE_DB_USER: semaphore_user
      SEMAPHORE_DB_PASS: < strong password >
      SEMAPHORE_DB_HOST: mysql
      SEMAPHORE_DB_PORT: 3306
      SEMAPHORE_DB: semaphore_db
      SEMAPHORE_PLAYBOOK_PATH: /tmp/semaphore/
      SEMAPHORE_ADMIN_PASSWORD: < password >
      SEMAPHORE_ADMIN_NAME: admin
      SEMAPHORE_ADMIN_EMAIL: [email protected]
      SEMAPHORE_ADMIN: admin
      SEMAPHORE_ACCESS_KEY_ENCRYPTION: MflCLIUF5bn6Lgkuwy4BoAdIFhoZ4Ief2oocXmuZSjs=
    depends_on:
      - mysql
volumes:
  semaphore-mysql: # to use postgres, switch to: semaphore-postgres

But it looks like Ansible / Semaphore has a hard time using this....

ISSUE TYPE
  • Bug Report
COMPONENT NAME

Not sure.

ANSIBLE VERSION
~ $ ansible --version
ansible [core 2.14.5]
  config file = None
  configured module search path = ['/home/semaphore/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /home/semaphore/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.6 (main, Oct  4 2023, 06:22:18) [GCC 12.2.1 20220924] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION
~ $ ansible-galaxy collection list community.general

# /usr/lib/python3.11/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 6.6.0
~ $
CONFIGURATION

~ $ ansible-config dump --only-changed
CONFIG_FILE() = None
~ $


but actually in the repo I use I have this:

[defaults]
collections_paths = /etc/ansible/collections:/opt/ansible/collections:collections
roles_path = /etc/ansible/roles:/opt/ansible/roles:roles

# You’ll also need to make sure that requiretty is disabled
# in /etc/sudoers on the remote host, or become won’t work
# with pipelining enabled.
[ssh_connection]
pipelining = True
OS / ENVIRONMENT

it is docker, but in the container:

~ $ cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.18.3
PRETTY_NAME="Alpine Linux v3.18"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
~ $
STEPS TO REPRODUCE
# cat sig.microsoft.ad.ldap.yml
plugin: microsoft.ad.ldap
server: dc1.DOMAIN1.COM
port: 389
search_base: DC=domain1,DC=com
filter: (operatingSystem=*server*)
groups:
  windows: true
  all: true
  sig: true

# cat win_ping.yml
---
- name: Ping WIN hosts
  hosts: all
  gather_facts: false
  tasks:
    - name: Use Windows ping module
      win_ping:
EXPECTED RESULTS
ACTUAL RESULTS
5:22:01 PM
[WARNING]: * Failed to parse
5:22:01 PM
/tmp/semaphore/repository_1_8/inventories/sig.microsoft.ad.ldap.yml with auto
5:22:01 PM
plugin: inventory config
5:22:01 PM
'/tmp/semaphore/repository_1_8/inventories/sig.microsoft.ad.ldap.yml' specifies
5:22:01 PM
unknown plugin 'microsoft.ad.ldap'
5:22:01 PM
[WARNING]: * Failed to parse
5:22:01 PM
/tmp/semaphore/repository_1_8/inventories/sig.microsoft.ad.ldap.yml with yaml
5:22:01 PM
plugin: Plugin configuration YAML file, not YAML inventory
5:22:01 PM
[WARNING]: * Failed to parse
5:22:01 PM
/tmp/semaphore/repository_1_8/inventories/sig.microsoft.ad.ldap.yml with ini
5:22:01 PM
plugin: Invalid host pattern 'plugin:' supplied, ending in ':' is not allowed,
5:22:01 PM
this character is reserved to provide a port.
5:22:01 PM
[WARNING]: Unable to parse
5:22:01 PM
/tmp/semaphore/repository_1_8/inventories/sig.microsoft.ad.ldap.yml as an
5:22:01 PM
inventory source
5:22:01 PM
[WARNING]: No inventory was parsed, only implicit localhost is available
5:22:01 PM
[WARNING]: provided hosts list is empty, only localhost is available. Note that
5:22:01 PM
the implicit localhost does not match 'all'
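The warnings above say the inventory file "specifies unknown plugin 'microsoft.ad.ldap'", and the collection list in the same report shows only community.general, so the question to settle first is whether the collection providing the plugin is present on any of the collection paths Ansible will search. The following is an added example, not Semaphore's or the collection's code; it assumes the directory layout ansible-galaxy uses when it installs a collection (`<collections_path>/ansible_collections/<namespace>/<name>/plugins/inventory/<plugin>.py`), a top-level `plugin:` key in the inventory YAML, and a `collections_paths`/`collections_path` line in ansible.cfg, and the sample inventory and config text are constructed from the values in this report.

```python
"""Check that the inventory plugin an inventory config names is installed.

Added example, not part of Semaphore or the microsoft.ad collection. Assumes the
ansible-galaxy install layout and a top-level 'plugin:' key in the inventory.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Constructed sample input modelled on the report above.
INVENTORY_YAML = """\
plugin: microsoft.ad.ldap
server: dc1.DOMAIN1.COM
port: 389
search_base: DC=domain1,DC=com
"""
ANSIBLE_CFG = """\
[defaults]
collections_paths = /etc/ansible/collections:/opt/ansible/collections:collections
"""

_PLUGIN_LINE = re.compile(r"^plugin\s*:\s*['\"]?([A-Za-z0-9_.]+)['\"]?\s*$", re.MULTILINE)
_CFG_PATHS = re.compile(r"^\s*collections_paths?\s*=\s*(.+?)\s*$", re.MULTILINE)


def plugin_from_inventory_config(text: str) -> Optional[str]:
    """Return the value of the top-level 'plugin:' key, or None for a static inventory."""
    m = _PLUGIN_LINE.search(text)
    return m.group(1) if m else None


def collections_paths_from_cfg(cfg_text: str) -> List[str]:
    """Parse the colon-separated collections path list from ansible.cfg."""
    m = _CFG_PATHS.search(cfg_text)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(":") if p.strip()]


def plugin_candidates(fqcn: str, collections_paths: List[str]) -> List[str]:
    """Files that could provide a fully qualified inventory plugin name."""
    parts = fqcn.split(".")
    if len(parts) != 3:
        return []  # 'auto', 'yaml', 'ini' are built in, not collection plugins
    namespace, name, plugin = parts
    return [
        os.path.join(base, "ansible_collections", namespace, name, "plugins", "inventory", plugin + ".py")
        for base in collections_paths
    ]


def find_inventory_plugin(fqcn: str, collections_paths: List[str]) -> Optional[str]:
    """Return the first existing plugin file, or None if the collection is not installed."""
    for candidate in plugin_candidates(fqcn, collections_paths):
        if os.path.isfile(candidate):
            return candidate
    return None


def diagnose(inventory_text: str, cfg_text: str, default_paths: List[str]) -> str:
    """One-line verdict: which plugin the file needs and whether it can be found."""
    fqcn = plugin_from_inventory_config(inventory_text)
    if fqcn is None:
        return "static: no 'plugin:' key, the file is read by the yaml/ini plugins"
    paths = collections_paths_from_cfg(cfg_text) or default_paths
    found = find_inventory_plugin(fqcn, paths)
    if found:
        return "ok: %s provided by %s" % (fqcn, found)
    return "missing: %s is not installed in any of %s" % (fqcn, paths)


def run_demo() -> Tuple[str, str]:
    """Diagnose the same inventory before and after a simulated collection install."""
    with tempfile.TemporaryDirectory() as root:
        before = diagnose(INVENTORY_YAML, "", [root])
        # Simulate 'ansible-galaxy collection install -p <root> microsoft.ad'
        # by creating the plugin file at the path the install layout implies.
        plugin_file = plugin_candidates("microsoft.ad.ldap", [root])[0]
        os.makedirs(os.path.dirname(plugin_file))
        open(plugin_file, "w").close()
        after = diagnose(INVENTORY_YAML, "", [root])
    return before, after


if __name__ == "__main__":
    print("paths from ansible.cfg:", collections_paths_from_cfg(ANSIBLE_CFG))
    for verdict in run_demo():
        print(verdict)
```

In a container image built like the Dockerfile in this report, the Python packages alone do not make the plugin available; the collection itself has to be installed into one of the paths this check searches, and the ansible.cfg in the repository points at paths (`/etc/ansible/collections`, `/opt/ansible/collections`, a relative `collections`) that the image does not populate.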

microsoft.ad.computer - Parameter "ProtectedFromAccidentalDeletion" cannot be found

SUMMARY
ISSUE TYPE
  • Bug Report
COMPONENT NAME
  • microsoft.ad.computer
ANSIBLE VERSION
ansible 2.10.17
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/share/venv/lib/python3.7/site-packages/ansible
  executable location = /usr/share/venv/bin/ansible
  python version = 3.7.5 (default, Jun  8 2023, 02:25:10) [GCC 7.3.0]
COLLECTION VERSION
ansible-galaxy 2.10.17
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/share/venv/lib/python3.7/site-packages/ansible
  executable location = /usr/share/venv/bin/ansible-galaxy
  python version = 3.7.5 (default, Jun  8 2023, 02:25:10) [GCC 7.3.0]
Using /etc/ansible/ansible.cfg as config file

# /usr/share/ansible/collections/ansible_collections
Collection   Version
------------ -------
microsoft.ad 1.2.0  

# /usr/share/venv/lib/python3.7/site-packages/ansible_collections
Collection   Version
------------ -------
microsoft.ad 1.2.0  
CONFIGURATION
ansible-config 2.10.17
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/share/venv/lib/python3.7/site-packages/ansible
  executable location = /usr/share/venv/bin/ansible-config
  python version = 3.7.5 (default, Jun  8 2023, 02:25:10) [GCC 7.3.0]
Using /etc/ansible/ansible.cfg as config file
ANSIBLE_FORCE_COLOR(env: ANSIBLE_FORCE_COLOR) = True
ANSIBLE_SSH_ARGS(/etc/ansible/ansible.cfg) = -o ControlMaster=auto -o ControlPersist=120s
ANSIBLE_SSH_RETRIES(/etc/ansible/ansible.cfg) = 3
CACHE_PLUGIN(/etc/ansible/ansible.cfg) = ansible.builtin.jsonfile
CACHE_PLUGIN_CONNECTION(/etc/ansible/ansible.cfg) = ./tmp/ansible_facts
COLLECTIONS_PATHS(/etc/ansible/ansible.cfg) = ['/root/.ansible/collections', '/ws1dev/collections', '/usr/share/ansible/collections']
DEFAULT_ACTION_PLUGIN_PATH(env: ANSIBLE_ACTION_PLUGINS) = ['/usr/share/venv/lib/python3.7/site-packages/ara/plugins/action']
DEFAULT_CALLBACK_PLUGIN_PATH(env: ANSIBLE_CALLBACK_PLUGINS) = ['/usr/share/venv/lib/python3.7/site-packages/ara/plugins/callback']
DEFAULT_CALLBACK_WHITELIST(env: ANSIBLE_CALLBACK_WHITELIST) = ['profile_tasks', 'timer', 'junit']
DEFAULT_FORKS(/etc/ansible/ansible.cfg) = 25
DEFAULT_GATHERING(/etc/ansible/ansible.cfg) = smart
DEFAULT_LOAD_CALLBACK_PLUGINS(/etc/ansible/ansible.cfg) = True
DEFAULT_LOOKUP_PLUGIN_PATH(env: ANSIBLE_LOOKUP_PLUGINS) = ['/usr/share/venv/lib/python3.7/site-packages/ara/plugins/lookup']
DEFAULT_MANAGED_STR(/etc/ansible/ansible.cfg) = Ansible Managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
DEFAULT_ROLES_PATH(/etc/ansible/ansible.cfg) = ['/root/.ansible/roles', '/ws1dev/roles', '/usr/share/ansible/roles']
DEFAULT_STDOUT_CALLBACK(/etc/ansible/ansible.cfg) = yaml
DEFAULT_VERBOSITY(env: ANSIBLE_VERBOSITY) = 3
DEPRECATION_WARNINGS(/etc/ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
RETRY_FILES_ENABLED(/etc/ansible/ansible.cfg) = True
RETRY_FILES_SAVE_PATH(/etc/ansible/ansible.cfg) = /etc/ansible/tmp
OS / ENVIRONMENT
  • Testing on a Windows 2019
STEPS TO REPRODUCE
  • Try to add a computer object with the following flag using "microsoft.ad.computer" module:
    protect_from_deletion: true
- Pass the following dictionary for the module to consume:
# AD objects Dictionary
ado_computers:
  - name: "{{ inventory_hostname }}"
    sam_account_name: "{{ inventory_hostname }}"
    dns_hostname: "{{ inventory_hostname }}.test.lab"
    description: "{{ inventory_hostname }} is a test object"
    ou_dn: CN=Computers,DC=test,DC=lab
    enabled: true
    protect_from_deletion: true
    type: computer
    path: CN=Computers,DC=test,DC=lab
EXPECTED RESULTS
  • Computer object gets created successfully with the "protect_from_deletion" attribute as true
ACTUAL RESULTS
  • Task fails as below:
"msg": "New-ADComputer failed: A parameter cannot be found that matches parameter name 'ProtectedFromAccidentalDeletion'."

"changed": false, "distinguished_name": null, "msg": "New-ADUser failed: The specified account already exists", "object_guid": null

SUMMARY

Unable to set or change the password of a user that already exists in the domain. The password can only be set at the time of user creation, otherwise it generates an error. Unable to set password_expired at the time of user creation; password_expired can only be set once the user is created, otherwise it generates the error "FAILED! => {"changed": false, "distinguished_name": null, "msg": "New-ADUser failed: The specified account already exists", "object_guid": null}".

ISSUE TYPE

FAILED! => {"changed": false, "distinguished_name": null, "msg": "New-ADUser failed: The specified account already exists", "object_guid": null}

COMPONENT NAME

microsoft.ad.user

ANSIBLE VERSION
ansible [core 2.15.0]
  config file = None
  configured module search path = ['/home/demo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/demo/.pyenv/versions/3.11.3/lib/python3.11/site-packages/ansible
  ansible collection location = /home/demo/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/demo/.pyenv/versions/3.11.3/bin/ansible
  python version = 3.11.3 (main, Jun  2 2023, 11:09:30) [GCC 11.3.0] (/home/demo/.pyenv/versions/3.11.3/bin/python3)
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION
Collection        Version
----------------- -------
community.general 6.6.0
CONFIGURATION
    - name: prepare user for login
      microsoft.ad.user:
        name: test.pass
        password: password
        password_expired: true
        account_locked: false
OS / ENVIRONMENT
Linux  5.10.102.1-microsoft-standard-WSL2 #1 SMP Wed Mar 2 00:30:59 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
STEPS TO REPRODUCE
    - name: prepare user for login
      microsoft.ad.user:
        name: test.pass
        password: password
        password_expired: true
        account_locked: false
ansible-playbook -i hosts microsoft.ad.user.yaml
EXPECTED RESULTS

The account password should be reset

ACTUAL RESULTS
