Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

microsoft.ad.computer fails to move existing computer when it already exists using name, path parameters #53

Closed
albvar opened this issue Jul 22, 2023 · 2 comments · Fixed by #59

Comments

@albvar
Copy link

albvar commented Jul 22, 2023

SUMMARY

I'm encountering an issue when using the microsoft.ad.computer module in Ansible to move computer objects to a desired OU. The same task works without issue when using the community.windows.win_domain_computer module.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

microsoft.ad.computer

ANSIBLE VERSION
ansible [core 2.14.2]
  config file = /usr/local/Ansible/Windows/ansible.cfg
  configured module search path = ['/home/svc-account/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /home/svc-account/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.2 (main, Jun  6 2023, 07:39:01) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] (/usr/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection   Version
------------ -------
microsoft.ad 1.2.0
CONFIGURATION
CONFIG_FILE() = /usr/local/Ansible/Windows/ansible.cfg
DEFAULT_HOST_LIST(/usr/local/Ansible/Windows/ansible.cfg) = ['/usr/local/Ansible/Windows/hosts']
DEFAULT_TIMEOUT(/usr/local/Ansible/Windows/ansible.cfg) = 30
DEFAULT_VAULT_PASSWORD_FILE(/usr/local/Ansible/Windows/ansible.cfg) = /home/svc-account/.vpf
HOST_KEY_CHECKING(/usr/local/Ansible/Windows/ansible.cfg) = False
OS / ENVIRONMENT

Windows Server 2019+ environment

STEPS TO REPRODUCE
- name: Move computer objects to desired OU "{{ ou }}"
  microsoft.ad.computer:
    domain_server: "{{ domain_server }}"
    domain_username: "{{ domain_server }}\\{{ domain_admin_username }}"
    domain_password: "{{ domain_admin_password }}"
    name: "{{ item | strip_fqdn }}"
    path: "{{ ou }}"
    enabled: yes
    state: present
  loop: "{{ groups[domain + '_provision_servers'] }}"
  register: move_ou
EXPECTED RESULTS

Expecting pre-existing computer object(s) to move OU's to what is defined in path on name: short computer name

ACTUAL RESULTS
  • Computer MYSERVER pre-exists in CN=MYSERVER,OU=Test,OU=Managed Servers,DC=mydomain,DC=lab,DC=local

  • Tries to issue New-ADComputer when it should be Move-ADObject, why is the module not aware that the object exists?

  • I am passing in the Name of the object so MYSERVER

  • I briefly looked at the source and it seems like it performs a Get-* operation and determines whether it needs to use New-AdComputer vs Move-ADComputer

  • Does name need to be the Distinguished Name or does the module abstract that for me?

{
  "changed": false,
  "invocation": {
    "module_args": {
      "domain_server": "mydomain.lab.local",
      "protect_from_deletion": null,
      "sam_account_name": "MYSERVER$",
      "identity": null,
      "upn": null,
      "path": "OU=Web,OU=Managed Servers,DC=mydomain,DC=lab,DC=local",
      "dns_hostname": "MYSERVER.mydomain.lab.local",
      "trusted_for_delegation": null,
      "state": "present",
      "description": null,
      "kerberos_encryption_types": null,
      "domain_username": "mydomain.lab.local\\[email protected]",
      "enabled": true,
      "delegates": null,
      "spn": null,
      "managed_by": null,
      "location": null,
      "domain_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
      "attributes": {
        "add": {},
        "set": {},
        "remove": {}
      },
      "display_name": null,
      "name": "MYSERVER"
    }
  },
  "distinguished_name": null,
  "object_guid": null,
  "failed": true,
  "msg": "New-ADComputer failed: The specified account already exists",
  "exception": "The specified account already exists\r\nAt line:963 char:29\r\n+                 $adObject = \u0026 $newCommand @newParams @adParams\r\n+                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : ResourceExists: (CN=MYSERVER,...lab,DC=local:String) [New-ADComputer], ADIdentityAlreadyExistsException\r\n    + FullyQualifiedErrorId : ActiveDirectoryServer:1316,Microsoft.ActiveDirectory.Management.Commands.NewADComputer\r\n\r\nScriptStackTrace:\r\nat Invoke-AnsibleADObject, \u003cNo file\u003e: line 963\r\nat \u003cScriptBlock\u003e, \u003cNo file\u003e: line 204"
}
@jborean93
Copy link
Collaborator

One of the changes from the win_domain_* modules in community.windows is the way that name, identity, and path all interact together. The win_domain_* modules had a mixture of different behaviours based on how it was implemented in the module where some supported renames while others did not.

The new behaviour for all the modules in this collection is that name exclusively refers to the name of the LDAP object in the path specified. It does not lookup the AD object by sAMAccountName (even though they typically are the same). So to move/rename an object you need to specify the identity option so the module knows what to computer account to perform the operation on.

- microsoft.ad.computer:
    name: ComputerName  # This corresponds to the cn LDAP attribute
    path: "{{ ou }}"
    identity: ... # This can be the sAMAccountName, upn, sid, guid

By providing the identity the module knows to perform the operation on that AD object rather than trying to create a new computer account under that path.

I'll keep this issue open as I don't see this in an example for that module which it should probably contain

@albvar
Copy link
Author

albvar commented Jul 24, 2023

@jborean93 - figured as much, the documentation on ansible docs. doesn't seem to reference every object type. Thanks for the explanation!
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants