
Ansible authentication on Windows


I'm using Jenkins to run an Ansible playbook on a Windows host. I'm trying to do a very simple command like robocopy between a NAS share and a local directory on the Windows host. The problem is that all the time I'm receiving ACCESS DENIED (5). This is not right, because the user (domain\sysansible) that I'm running Ansible as already has full rights. There is no problem when I start the same command on Windows or on any other machine. I have noticed that when Jenkins is running the Ansible playbook it is being recognized not as domain\sysansible but as a member of the local admin group windows_host\administrator, which doesn't have rights to the NAS share (and it cannot have them, because only domain accounts are approved).

My inventory file looks as follow:

[application_host]
lizard ansible_host=windows_host.domain.companynet.net ansible_connection=winrm ansible_winrm_transport=kerberos ansible_user=sysansible@company.com ansible_password=***** ansible_port=5986 ansible_winrm_server_cert_validation=ignore

My Ansible task is quite simple. It works when I exchange the source for a local directory instead of \\nas-share\applications\app-home. I have also used some variations of the robocopy parameters, but they failed as well.

- name: Sync the contents of home directory to backup site, including subdirectories
  win_command: robocopy \\nas-share\applications\app-home d:\application\backup\home-folder /E /w:5 /r:2 /log:D:\Applications\log.txt /XD \\nas-share\applications\app-home\artifacts
  register: info_robocopy
  tags:
    - robo

The problem for me is why I'm being recognized as a member of the local admin group. How can I be recognized on Windows as domain\sysansible?


Solution

  • You are using basic authentication; it does not allow you to delegate credentials to the next host you want to copy files to.

    (see https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html)

    Try to use CredSSP connections to your hosts or establish Kerberos connection with following (example) variable in inventory:

    ansible_user = user@yourdomain
    ansible_password = Passwordthere
    ansible_port = 5985
    ansible_connection = winrm
    ansible_winrm_transport = kerberos
    ansible_winrm_message_encryption = auto

    ansible_winrm_kerberos_delegation = yes
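A complete inventory-plus-playbook pair for the Kerberos-delegation approach described in the answer above, as an added example (it is not code from the original post or from the Ansible docs). Host names, the share path, the account and the environment variable holding the password are placeholders assumed for illustration. Two things the answer does not spell out: the second hop (WinRM host to NAS) only works if the Kerberos ticket is forwardable (if you obtain the ticket yourself, use kinit -f; Ansible requests a forwardable ticket when it runs kinit for you with delegation enabled) and if the WinRM host's computer account is trusted for delegation in Active Directory. The playbook therefore checks which identity the session actually runs as and that the share is reachable before it moves any data, and uses win_robocopy instead of win_command so that robocopy's non-zero "success" exit codes (1 to 7 mean files were copied or differ) are not reported as task failures.

```yaml
# --- inventory.yml (assumed names; replace with your own) ---
application_host:
  hosts:
    lizard:
      ansible_host: windows_host.domain.companynet.net
  vars:
    ansible_connection: winrm
    ansible_port: 5986
    ansible_winrm_transport: kerberos
    ansible_winrm_message_encryption: auto
    # Needed for the second hop (WinRM host -> NAS). Also requires a
    # forwardable ticket and a computer account trusted for delegation in AD.
    ansible_winrm_kerberos_delegation: true
    # UPN form; the realm part is conventionally upper case for Kerberos.
    ansible_user: sysansible@COMPANY.COM
    # Assumed: password injected by Jenkins as an environment variable,
    # never stored in the inventory itself.
    ansible_password: "{{ lookup('env', 'ANSIBLE_WIN_PASSWORD') }}"
    # Only until a trusted certificate is deployed on the host.
    ansible_winrm_server_cert_validation: ignore

# --- backup.yml ---
- name: Back up the application home directory from the NAS share
  hosts: application_host
  gather_facts: false
  vars:
    share_src: '\\nas-share\applications\app-home'
    backup_dst: 'D:\application\backup\home-folder'
  tasks:
    - name: Show the identity the WinRM session actually runs as
      ansible.windows.win_command: whoami /upn
      register: session_identity
      changed_when: false

    - name: Fail early if the session is not the delegated domain account
      ansible.builtin.assert:
        that:
          - "'sysansible@' in (session_identity.stdout | lower)"
        fail_msg: "Session runs as '{{ session_identity.stdout | trim }}'; Kerberos delegation is not in effect"

    - name: Prove the second hop to the share works before moving data
      ansible.windows.win_stat:
        path: "{{ share_src }}"
      register: share_check
      failed_when: not share_check.stat.exists

    - name: Mirror the share, excluding the artifacts directory
      # flags replaces recurse/purge in win_robocopy; rc < 8 is treated as success
      community.windows.win_robocopy:
        src: "{{ share_src }}"
        dest: "{{ backup_dst }}"
        flags: '/E /W:5 /R:2 /LOG:D:\Applications\log.txt /XD {{ share_src }}\artifacts'
      register: info_robocopy
```

Run it with `ansible-playbook -i inventory.yml backup.yml`. If the first task prints a local account instead of the UPN, the delegation chain is broken before robocopy ever runs, which is a clearer signal than the ACCESS DENIED (5) from robocopy. On the AD side, prefer constrained delegation (allowing the WinRM host to delegate only to the cifs service of the NAS) over marking the computer account as trusted for unconstrained delegation, since unconstrained delegation lets a compromised host reuse every forwarded ticket it receives. CredSSP, the alternative the answer mentions, avoids the AD configuration but sends the account's password to the WinRM host, so it should only be used over a validated TLS connection.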