win_user sid support (fix #153) #154
First implementation: intent was to be fully backwards compatible with the previous behavior - but some may consider it a bit ugly
What you can actually do is change the elements of the
$_.objectSid for all cases. No need to add any special code to win_user to convert the input yourself if it's already available.
Thank you, I looked into this today and started working on it but I have a question: ansible.windows/plugins/modules/win_user.ps1 Line 310 in 937687a
onward also be done based on either binary or string-form SIDs or should I convert back to a group name beforehand and continue to do all of that logic based on strings/Names like it is now?
I think it will be easiest to do the diff calculation with the string-form SIDs as you can continue to use the LINQ filtering logic when they are strings compared to an actual SecurityIdentifier or byte array values of the SID. One thing we do want to be careful of is for the diff and return output to still be the human readable names and not the SID. That should be simple enough to convert though
I've just opened #191 which takes a slightly different route to support human readable names in the diff and error messages.
Closing due to this and other features being implemented with #191.
SUMMARY
As explained in #153 I wanted to enable win_user to take group SIDs in the groups list.
The two new functions in this PR are fairly self-explanatory I think so I'm going to focus my explaining on the meat of the change, this code block:
Design decisions here were:
- $_.Name first and return immediately if a match is found so that behavior does not change for existing code
- $_.Name does not find a match is the second part of the -or operator evaluated
- $true when any of the Names inside the $_.Name array of the ADSI-object (yes, .Name is an array) match. That behavior was kept for the SID comparison. Pseudo-code:
Fixes #153
ISSUE TYPE
COMPONENT NAME
ansible.windows.win_user
ADDITIONAL INFORMATION
Before change, trying to create a user and add them to the 'Users' group on a German system:
Before change, trying to create a user and add them to the 'Users' group on a German system by using the SID:
After the change, using SIDs like a sane person:
The PR is open for discussion and suggested changes are welcome. I am personally not entirely happy with the ugly comparison logic in line 112 but wanted to provide a solution to go along with my issue that we can improve on.
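
The approach discussed in the conversation above (compute the group diff on string-form SIDs, report human-readable names), as an added PowerShell example that is not code from this PR, from #191 or from win_user.ps1. The function names are hypothetical, and it assumes a Windows host on which the given names and SIDs resolve.

```powershell
# Added example: the function names below are hypothetical, not win_user.ps1 code.

function ConvertTo-GroupSid {
    # Accepts a string-form SID ("S-1-5-32-545") or an account name
    # ("Users", "Benutzer", "BUILTIN\Users") and returns the string-form SID.
    param([Parameter(Mandatory = $true)][string]$Identity)

    if ($Identity -match '^S-1-\d+(-\d+)+$') {
        # Already a SID: construct it only to validate and normalise the value.
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Identity
        return $sid.Value
    }
    # Otherwise treat the input as a name; Translate() throws if it cannot be mapped.
    $account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Identity
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function ConvertTo-GroupName {
    # Maps a string-form SID back to the name used on this host's locale.
    param([Parameter(Mandatory = $true)][string]$Sid)

    $sidObj = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
    return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
}

function Get-GroupDiff {
    # Compares current and desired membership on SIDs, so 'Users', 'Benutzer'
    # and 'S-1-5-32-545' count as the same group; output is names, not SIDs.
    param([string[]]$Current, [string[]]$Desired)

    $currentSids = @($Current | ForEach-Object { ConvertTo-GroupSid -Identity $_ })
    $desiredSids = @($Desired | ForEach-Object { ConvertTo-GroupSid -Identity $_ })

    $toAdd = @($desiredSids | Where-Object { $_ -notin $currentSids })
    $toRemove = @($currentSids | Where-Object { $_ -notin $desiredSids })

    [PSCustomObject]@{
        Add    = @($toAdd | ForEach-Object { ConvertTo-GroupName -Sid $_ })
        Remove = @($toRemove | ForEach-Object { ConvertTo-GroupName -Sid $_ })
    }
}

# Constructed input: S-1-5-32-545 is the well-known SID of the built-in Users
# group and S-1-5-32-544 that of the built-in Administrators group.
Get-GroupDiff -Current @('S-1-5-32-544') -Desired @('S-1-5-32-544', 'S-1-5-32-545')
```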