archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Mention admin requirement for runas become (#77722)

Browse Source 
(cherry picked from commit dd094a4413)
pull/77749/head
Jordan Borean 4 years ago committed by samccann
parent c48fd3b9a0
commit b5cc4f5fd7
1 changed files with 15 additions and 6 deletions
Show Stats Download Patch File Download Diff File

21
docs/docsite/rst/user_guide/become.rst
Unescape Escape View File

@ -284,6 +284,12 @@ To force ``become`` to open a new systemd session that goes through
For more information, see `this systemd issue For more information, see `this systemd issue
<https://github.com/systemd/systemd/issues/825#issuecomment-127917622>`_. <https://github.com/systemd/systemd/issues/825#issuecomment-127917622>`_.
Resolving Temporary File Error Messsages
----------------------------------------
* Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user"
* This error can be resolved by installing the package that provides the ``setfacl`` command. (This is frequently the ``acl`` package but check your OS documentation.)
.. _become_network: .. _become_network:
Become and network automation Become and network automation
@ -389,12 +395,17 @@ delegation or accessing forbidden system calls like the WUA API. You can use
``become`` with the same user as ``ansible_user`` to bypass these limitations ``become`` with the same user as ``ansible_user`` to bypass these limitations
and run commands that are not normally accessible in a WinRM session. and run commands that are not normally accessible in a WinRM session.
.. Note::
On Windows you cannot connect with an underprivileged account and use become
to elevate your rights. Become can only be used if your connection account
is already an Administrator of the target host.
Administrative rights Administrative rights
--------------------- ---------------------
Many tasks in Windows require administrative privileges to complete. When using Many tasks in Windows require administrative privileges to complete. When using
the ``runas`` become method, Ansible will attempt to run the module with the the ``runas`` become method, Ansible will attempt to run the module with the
full privileges that are available to the remote user. If it fails to elevate full privileges that are available to the become user. If it fails to elevate
the user token, it will continue to use the limited token during execution. the user token, it will continue to use the limited token during execution.
A user must have the ``SeDebugPrivilege`` to run a become process with elevated A user must have the ``SeDebugPrivilege`` to run a become process with elevated
@ -749,11 +760,9 @@ Limitations of become on Windows
* The Secondary Logon service ``seclogon`` must be running to use ``ansible_become_method: runas`` * The Secondary Logon service ``seclogon`` must be running to use ``ansible_become_method: runas``
Resolving Temporary File Error Messsages * The connection user must already be an Administrator on the Windows host to
---------------------------------------- use ``runas``. The target become user does not need to be an Administrator
though.
"Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user"
* This error can be resolved by installing the package that provides the ``setfacl`` command. (This is frequently the ``acl`` package but check your OS documentation.
.. seealso:: .. seealso::

Write Preview
Loading…
Cancel
Save