
microsoft.ad.computer fails if computer already exists #43

Closed
cobbr opened this issue Jun 17, 2023 · 6 comments · Fixed by #59

Comments

cobbr commented Jun 17, 2023

SUMMARY

The microsoft.ad.computer module fails if the computer already exists.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.computer

ANSIBLE VERSION
ansible [core 2.13.3]
  config file = /path/ansible.cfg
  configured module search path = ['/home/ubuntu/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /path/lib/python3.8/site-packages/ansible
  ansible collection location = /home/ubuntu/.ansible/collections:/usr/share/ansible/collections
  executable location = /path/bin/ansible
  python version = 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = False
COLLECTION VERSION
# /home/ubuntu/.ansible/collections/ansible_collections
Collection   Version
------------ -------
microsoft.ad 1.2.0
CONFIGURATION
ANSIBLE_PIPELINING(/path/playbooks/ansible.cfg) = True
CALLBACKS_ENABLED(/path/playbooks/ansible.cfg) = ['log_plays', 'profile_roles', 'profile_tasks', 'timer']
DEFAULT_FILTER_PLUGIN_PATH(/path/playbooks/ansible.cfg) = ['/path/playbooks/filter_plugins']
DEFAULT_FORKS(/path/playbooks/ansible.cfg) = 100
DEFAULT_LOAD_CALLBACK_PLUGINS(/path/playbooks/ansible.cfg) = True
DEFAULT_STDOUT_CALLBACK(/path/playbooks/ansible.cfg) = yaml
DEFAULT_TIMEOUT(/path/playbooks/ansible.cfg) = 600
HOST_KEY_CHECKING(/pathplaybooks/ansible.cfg) = False
OS / ENVIRONMENT

Ansible host: Ubuntu 20.04
Ansible target: Microsoft Windows Server 2016

STEPS TO REPRODUCE
- name: Add domain computer twice
  microsoft.ad.computer:
    name: "{{ item.name }}"
  loop:
    - name: Host1
    - name: Host1
EXPECTED RESULTS

Expect to get a CHANGED status and then an OK status

ACTUAL RESULTS

Second attempt to create computer results in failure with error: New-ADComputer failed: The specified account already exists

Using module file /home/ubuntu/.ansible/collections/ansible_collections/microsoft/ad/plugins/modules/computer.ps1
Pipelining is enabled.
PSRP: EXEC (via pipeline wrapper)
Using module file /home/ubuntu/.ansible/collections/ansible_collections/microsoft/ad/plugins/modules/computer.ps1
Pipelining is enabled.
PSRP: EXEC (via pipeline wrapper)
<10.1.1.10> PSRP RC: 1
<10.1.1.10> PSRP STDOUT: {"changed":false,"invocation":{"module_args":{"domain_server":null,"protect_from_deletion":null,"sam_account_name":null,"identity":null,"upn":null,"path":null,"dns_hostname":null,"trusted_for_delegation":null,"state":"present","description":null,"kerberos_encryption_types":null,"domain_username":null,"enabled":null,"delegates":null,"spn":null,"managed_by":null,"location":null,"domain_password":null,"attributes":{"add":{},"set":{},"remove":{}},"display_name":null,"name":"Host1"}},"distinguished_name":null,"object_guid":null,"failed":true,"msg":"New-ADComputer failed: The specified account already exists","exception":"The specified account already exists\r\nAt line:963 char:29\r\n+                 $adObject = \u0026 $newCommand @newParams @adParams\r\n+                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : ResourceExists: (CN=Host1,DC=example,DC=local:String) [New-ADComputer], ADIdentityAlreadyExistsException\r\n    + FullyQualifiedErrorId : ActiveDirectoryServer:1316,Microsoft.ActiveDirectory.Management.Commands.NewADComputer\r\n\r\nScriptStackTrace:\r\nat Invoke-AnsibleADObject, \u003cNo file\u003e: line 963\r\nat \u003cScriptBlock\u003e, \u003cNo file\u003e: line 204"}
<10.1.1.10> PSRP STDERR:
The full traceback is:
The specified account already exists
At line:963 char:29
+                 $adObject = & $newCommand @newParams @adParams
+                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceExists: (CN=Host1,DC=example,DC=local:String) [New-ADComputer], ADIdentityAlreadyExistsException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1316,Microsoft.ActiveDirectory.Management.Commands.NewADComputer

ScriptStackTrace:
at Invoke-AnsibleADObject, <No file>: line 963
at <ScriptBlock>, <No file>: line 204
failed: [dc] (item={'name': 'Host1'}) => changed=false
  ansible_loop_var: item
  distinguished_name: null
  invocation:
    module_args:
      attributes:
        add: {}
        remove: {}
        set: {}
      delegates: null
      description: null
      display_name: null
      dns_hostname: null
      domain_password: null
      domain_server: null
      domain_username: null
      enabled: null
      identity: null
      kerberos_encryption_types: null
      location: null
      managed_by: null
      name: Host1
      path: null
      protect_from_deletion: null
      sam_account_name: null
      spn: null
      state: present
      trusted_for_delegation: null
      upn: null
  item:
    name: Host1
  msg: 'New-ADComputer failed: The specified account already exists'
  object_guid: null
jborean93 (Collaborator) commented Jun 28, 2023

I cannot replicate this error, and we even have integration tests covering this scenario. Do you have a custom path for new computers? The way the module checks whether the computer already exists is by combining the name provided with the default computer path. The following code will produce the DN of the computer object that is checked before it is created.

$GUID_COMPUTERS_CONTAINER_W = 'AA312825768811D1ADED00C04FD8D5CD'
$defaultNamingContext = (Get-ADRootDSE -Properties defaultNamingContext).defaultNamingContext
$defaultPath = Get-ADObject -Identity $defaultNamingContext -Properties wellKnownObjects |
    Select-Object -ExpandProperty wellKnownObjects |
    Where-Object { $_.StartsWith("B:32:$($GUID_COMPUTERS_CONTAINER_W):") } |
    ForEach-Object Substring 38

"CN=Host1,$defaultPath"

If you run that, does the computer account exist? If you were to run New-ADComputer manually, does it create the computer object in the $defaultPath specified above for you?

Interestingly New-ADComputer seems to be trying to create the object CN=Host1,DC=example,DC=local unless that's just something you've set as an example.

BenLangers commented

If it can help, I have the exact same issue (including the mention of New-ADComputer trying to create a new account). Switched back to community.windows.win_domain_computer with the same config except for 'ou' instead of 'path'. Tried microsoft.ad.computer with or without identity specified but get the same error when the computer account already exists in AD (either in the actual OU or elsewhere in AD). If there is anything I can look up or supply, let me know?

jborean93 (Collaborator) commented

At a guess I think it's going to be related to #44 (comment). Essentially the purpose of name in the microsoft.ad.* modules is not an account's sAMAccountName but rather the cn of the AD object itself. The identity option can be used by the caller to help the module find the account and do operations like a rename or move, but due to the current behaviour of path as mentioned in that comment it's less than ideal.

> If there is anything I can look up or supply, let me know?

I would see what the value is for $defaultPath for you, whether it's the expected default or a custom path set. I would also use New-ADComputer with a dummy account to see where it created the AD computer object and if it's in the $defaultPath from the above path. Finally I would try Get-ADComputer -LDAPFilter '(sAMAccountName=...)' and see if you already have an existing computer account under that name and what path it is under.
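The three checks suggested in the comment above (resolve $defaultPath, see whether anything already sits at the DN the module will compute, and look for an existing account by sAMAccountName anywhere in the domain) can be run as one diagnostic. The script below is an added example for this thread, not code from the microsoft.ad collection; it reuses the wellKnownObjects lookup shown earlier, assumes the RSAT ActiveDirectory module is available on a domain-joined host, and takes a hypothetical file name and parameters ($Name, $Path) chosen for the example. Because a computer's sAMAccountName carries a trailing '$' while the module's name option is the object's cn, the script searches for both forms and reports when they point at different places.

```powershell
# Test-AdComputerPath.ps1 (hypothetical name). Added diagnostic for this
# issue; not part of the microsoft.ad collection. Assumes the RSAT
# ActiveDirectory module is installed where it runs and that the caller can
# read the domain. $Name and $Path are example inputs, not values from the issue.
param(
    [Parameter(Mandatory = $true)]
    [string]$Name,   # the 'name' you pass to microsoft.ad.computer (the object's cn)
    [string]$Path    # the 'path' option if you set one; empty means the module default
)

Import-Module ActiveDirectory -ErrorAction Stop

# Escape the characters RFC 4515 reserves inside an LDAP filter value so a
# hostname cannot alter the filter we build below.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# Same lookup the module performs: the Computers container advertised in
# wellKnownObjects on the domain naming context.
$GUID_COMPUTERS_CONTAINER_W = 'AA312825768811D1ADED00C04FD8D5CD'
$defaultNamingContext = (Get-ADRootDSE -Properties defaultNamingContext).defaultNamingContext
$defaultPath = Get-ADObject -Identity $defaultNamingContext -Properties wellKnownObjects |
    Select-Object -ExpandProperty wellKnownObjects |
    Where-Object { $_.StartsWith("B:32:$($GUID_COMPUTERS_CONTAINER_W):") } |
    ForEach-Object Substring 38

$searchBase = if ($Path) { $Path } else { $defaultPath }
$expectedDn = "CN=$Name,$searchBase"
$safeName = ConvertTo-LdapFilterValue $Name

# 1. Is there an object with that cn directly under the path the module will use?
$byCn = Get-ADObject -LDAPFilter "(cn=$safeName)" -SearchBase $searchBase -SearchScope OneLevel

# 2. Is there a computer account with that sAMAccountName anywhere in the domain?
#    Computer accounts carry a trailing '$' in sAMAccountName, so add it if missing.
$sam = if ($Name.EndsWith('$')) { $Name } else { "$Name`$" }
$bySam = Get-ADComputer -LDAPFilter "(sAMAccountName=$(ConvertTo-LdapFilterValue $sam))"

$verdict = if ($byCn) {
    'An object already exists at the DN the module checks; a second run should report ok rather than fail.'
} elseif ($bySam) {
    "sAMAccountName $sam exists at $($bySam.DistinguishedName) but nothing exists at $expectedDn, so the module will call New-ADComputer and hit 'The specified account already exists'."
} else {
    'No conflicting object found; New-ADComputer should be able to create it.'
}

[PSCustomObject]@{
    DefaultComputersPath   = $defaultPath
    SearchBase             = $searchBase
    ExpectedDN             = $expectedDn
    FoundAtExpectedDN      = [bool]$byCn
    ExistingBySamAccountDN = if ($bySam) { $bySam.DistinguishedName } else { $null }
    Verdict                = $verdict
}
```

Run it on the domain controller or any RSAT host as `.\Test-AdComputerPath.ps1 -Name Host1` (add `-Path 'OU=Servers,DC=example,DC=local'` if the play sets path). The interesting output is the second verdict: an account found by sAMAccountName whose DistinguishedName is not ExpectedDN is exactly the case where the module's existence check misses the object and New-ADComputer then fails.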

cobbr (Author) commented Jul 10, 2023

I think I oversimplified my example. In my case, I was doing something strange and incorrect with dns_hostname. Correcting that solved the issue for me. Feel free to close this issue unless @BenLangers wants to take it over.

BenLangers commented
I have tried with 'identity' instead of 'name' after I saw that remark elsewhere, but this fails exactly the same. Had to switch back to the old modules to be able to stay on schedule in my project but will try and test as requested and update.

BenLangers commented
Been able to revisit this. Swapped the deprecated modules out again. The microsoft.ad.computer module works without error if I only use path and name, and leave identity out of it completely. All green again, looking good.
