From b5cc4f5fd7a2f59b29a3a4f59b6a774e227b0723 Mon Sep 17 00:00:00 2001 From: Jordan Borean Date: Fri, 6 May 2022 00:16:37 +1000 Subject: [PATCH] Mention admin requirement for runas become (#77722) (cherry picked from commit dd094a4413ff7f8af018f105c296005675215236) --- docs/docsite/rst/user_guide/become.rst | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/docs/docsite/rst/user_guide/become.rst b/docs/docsite/rst/user_guide/become.rst index cdf2c40b205..4c40d383600 100644 --- a/docs/docsite/rst/user_guide/become.rst +++ b/docs/docsite/rst/user_guide/become.rst @@ -284,6 +284,12 @@ To force ``become`` to open a new systemd session that goes through For more information, see `this systemd issue `_. +Resolving Temporary File Error Messsages +---------------------------------------- + +* Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user" +* This error can be resolved by installing the package that provides the ``setfacl`` command. (This is frequently the ``acl`` package but check your OS documentation.) + .. _become_network: Become and network automation 
@@ -389,12 +395,17 @@ delegation or accessing forbidden system calls like the WUA API. You can use ``become`` with the same user as ``ansible_user`` to bypass these limitations and run commands that are not normally accessible in a WinRM session. +.. Note:: + On Windows you cannot connect with an underprivileged account and use become + to elevate your rights. Become can only be used if your connection account + is already an Administrator of the target host. + Administrative rights --------------------- Many tasks in Windows require administrative privileges to complete. When using the ``runas`` become method, Ansible will attempt to run the module with the -full privileges that are available to the remote user. If it fails to elevate +full privileges that are available to the become user. If it fails to elevate the user token, it will continue to use the limited token during execution. A user must have the ``SeDebugPrivilege`` to run a become process with elevated @@ -749,11 +760,9 @@ Limitations of become on Windows * The Secondary Logon service ``seclogon`` must be running to use ``ansible_become_method: runas`` -Resolving Temporary File Error Messsages ----------------------------------------- - -"Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user" -* This error can be resolved by installing the package that provides the ``setfacl`` command. (This is frequently the ``acl`` package but check your OS documentation. +* The connection user must already be an Administrator on the Windows host to + use ``runas``. The target become user does not need to be an Administrator + though. .. seealso::
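Review bot: In the hunk at @@ -284,6 +284,12, the first added bullet ends with a closing double quote that has no opening quote ("...when becoming an unprivileged user"" in the new text), and the new heading keeps the "Messsages" misspelling from the section being moved. The error text and its fix are also written as two sibling bullets, so the message reads as a list item rather than as the error being resolved. Suggest restoring the opening quote, giving the quoted message its own sentence above a single bullet for the ``setfacl`` fix, and correcting the heading to "Messages" with the underline shortened to match. The relocation of this section is also not mentioned in the subject line, which only covers the admin requirement for runas.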
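Review bot: In the hunk at @@ -389,12 +395,17, the added note states the Administrator requirement for become on Windows in general ("Become can only be used if your connection account is already an Administrator of the target host"), while the bullet added to the limitations list scopes the same requirement to ``runas``; the two should state the same scope. The note also says a non-administrator connection account cannot elevate, but the paragraph directly below it still says that when elevation fails Ansible "will continue to use the limited token during execution", so a reader cannot tell whether the task fails or runs unelevated without an error. Suggest stating which outcome applies. Minor: "underprivileged" differs from "unprivileged" used elsewhere in this patch, and "Become" is not marked up as ``become``.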
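Review bot: In the hunk at @@ -749,11 +760,9, the new limitations bullet says "connection user" where the note added earlier in this patch says "connection account"; pick one term so the two statements are clearly the same rule. The second sentence, that the target become user does not need to be an Administrator, appears only in this bullet and not in the note, so consider adding it to the note or pointing the note at this list. The trailing "though" can be dropped.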