ansible-collections/ansible.windows

win_group_membership "Some or all identity references could not be translated."

dauphinpasdroit opened this issue · 6 comments

SUMMARY

Error "Some or all identity references could not be translated." when trying to add domain user to local group on windows server

ISSUE TYPE
  • Bug Report
COMPONENT NAME

win_group_membership

ANSIBLE VERSION
ansible 2.9.27
COLLECTION VERSION
community.windows:1.13.0
CONFIGURATION
ALLOW_WORLD_READABLE_TMPFILES(/etc/ansible/ansible.cfg) = True
DEFAULT_CALLBACK_WHITELIST(/etc/ansible/ansible.cfg) = ['profile_tasks']
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
RETRY_FILES_ENABLED(/etc/ansible/ansible.cfg) = False
OS / ENVIRONMENT
3.15.7
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.15.7
PRETTY_NAME="Alpine Linux v3.15"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
STEPS TO REPRODUCE
     - name: Add domain user to a local group
       ansible.windows.win_group_membership:
         name: Administrators
         members:
           - user1@domain
           - user2@domain
           - user3@domain
         state: present
EXPECTED RESULTS

Add the domain user account into the local group Administrators of a windows server

ACTUAL RESULTS
fatal: [hostname]: FAILED! => {"changed": false, "msg": "account_name user1@domain is not a valid account, cannot get SID: Exception calling \"Translate\" with \"1\" argument(s): \"Some or all identity references could not be translated.\""}

The code cannot translate the user user1@domain to a SID which is needed to add the user to the group. It simply does

([System.Security.Principal.NTAccount]'user2@domain').Translate([System.Security.Principal.SecurityIdentifier])

This in turn uses some internal Win32 APIs to translate the name to a SID. Unfortunately there's not much else the module can do; if it cannot translate the name to a SID then it cannot work. Are you sure you have the correct UPN? Is it missing a .com or something?

The UPN looks correct to me. It doesn't end with a .com but with a .group. Do you think it could be the root cause of the issue?

The UPN needs to be the full UPN and not just the netbios name. So if it’s domain.com, domain.group or anything that’s what you put after the @.

@alphaxr6 did the above solve your problem?

Nope, still the same issue unfortunately

So what happens when you run

- win_shell: |
    $user = 'whatever you use for the group member name'
    ([System.Security.Principal.NTAccount]$user).Translate([System.Security.Principal.SecurityIdentifier])

This is exactly what the win_group_membership code does; it relies on the Windows internals to do the translation. If it fails, try it with become and see if that helps.
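As an added diagnostic example (not code from the ansible.windows module or from anyone in this thread), the script below performs the same NTAccount-to-SID translation that win_group_membership does, but wraps it so that the "identity references could not be translated" failure is reported per candidate spelling instead of aborting. It also prints which identity is doing the lookup and whether the host is domain-joined, since a lookup that works interactively can fail under a WinRM logon that cannot reach the DC. The account name `user1@domain.group` is a constructed placeholder, and the NetBIOS-name guess (first DNS label, upper-cased) is an assumption to verify with `nltest /dsgetdc:<domain>`.

```powershell
# Added example, not part of ansible.windows. Resolves an account name to a SID
# the same way win_group_membership does and reports which name forms Windows
# can translate on this host.

function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$Name)

    try {
        $sid = ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier])
        return [pscustomobject]@{ Name = $Name; Resolved = $true; Sid = $sid.Value; Error = $null }
    }
    catch {
        # PowerShell wraps .NET exceptions in MethodInvocationException; unwrap so the
        # real cause (IdentityNotMappedException for an untranslatable name) is visible.
        $ex = $_.Exception
        if ($ex -is [System.Management.Automation.MethodInvocationException] -and $ex.InnerException) {
            $ex = $ex.InnerException
        }
        return [pscustomobject]@{
            Name     = $Name
            Resolved = $false
            Sid      = $null
            Error    = "$($ex.GetType().Name): $($ex.Message)"
        }
    }
}

function Get-AccountResolutionReport {
    param([Parameter(Mandatory)][string]$Upn)

    # Context that commonly explains a failed lookup: which token performs the
    # LookupAccountName call, and whether this machine is joined to a domain at all.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    Write-Host "Running as      : $($who.Name) (auth type: $($who.AuthenticationType))"
    Write-Host "Domain joined   : $($cs.PartOfDomain) (domain: $($cs.Domain))"

    $local, $dns = $Upn -split '@', 2
    if (-not $dns) {
        Write-Host "No '@' in '$Upn'; a bare user name is looked up as a local account."
        return Resolve-AccountSid -Name $Upn
    }

    # Assumption: the NetBIOS domain name is the first DNS label. Confirm with
    # 'nltest /dsgetdc:<dns domain>' if the DOMAIN\user form below does not resolve.
    $netbiosGuess = ($dns -split '\.')[0].ToUpperInvariant()

    $candidates = @(
        $Upn,                      # full UPN, as given to win_group_membership
        "$netbiosGuess\$local",    # classic down-level DOMAIN\user form
        "$dns\$local"              # DNS-domain\user form
    )

    foreach ($candidate in $candidates) {
        Resolve-AccountSid -Name $candidate
    }
}

# Constructed placeholder; replace with the value used in the playbook's members list.
Get-AccountResolutionReport -Upn 'user1@domain.group' | Format-Table -AutoSize
```

Run it through `win_shell` both with and without `become` and compare the "Running as" line and the per-candidate results. If the `DOMAIN\user` form resolves while the UPN does not, the UPN suffix does not match what the domain actually uses (a UPN suffix can differ from the DNS domain name); if nothing resolves and the host reports `Domain joined : False`, the machine simply has no domain to query.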