Add AD member to group in multidomain env fails

[markatdxb]

SUMMARY

Process fails when trying to add the user from Domain A to AD group in Domain B
community.windows.win_domain_group_membership module has an option under the members attribute: If the member object is part of another domain in a multi-domain forest, you must add the domain and “\” in front of the name.
this concept doesnt work in microsoft.ad.group module.
i have also tested to use DN name but no luck.

ISSUE TYPE

• Bug Report

COMPONENT NAME

microsoft.ad.group

ANSIBLE VERSION

ansible [core 2.15.2]
  config file = /home/user/myprojects/priv/ad/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/.local/bin/ansible
  python version = 3.9.13 (main, Nov 16 2022, 15:31:39) [GCC 8.5.0 20210514 (Red Hat 8.5.0-15)] (/usr/bin/python)
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION

microsoft.ad 1.1.0

CONFIGURATION

OS / ENVIRONMENT

STEPS TO REPRODUCE

- name: Add user to AD group
      microsoft.ad.group:
        domain_server: "{{ domain_b }}"
        identity: "{{ vdi_ad_group }}"
        name: "{{ vdi_ad_group }}"
        members: "{{ vdi_owner_names }}"
      become: true
     vars:
       vdi_owner_names:
           - domain_a\user
        vdi_ad_group: test_group # group is in domain_b

EXPECTED RESULTS

add user from domain A into group in domain B

ACTUAL RESULTS

message saying that it cant find the object

Failed to find the following ad objects for group members: domain_a\user

[jborean93]

I think this might be a side effect of the work done to pre-validate the member names at here and here. Both of these checks are run with @adParams which contains the Server = '{{ domain_b }}' value here so it's going to ask the wrong domain to lookup that user.

We might need some extra logic there to state if the value is in the DN format or use a custom -Server parameter if the Netbios format is specified like the win_domain_group_membership behaviour.

[markatdxb]

Similar issue might be at ad.computer module with managed by assignment ?

[cobbr]

Seeing something similar for Foreign Security Principals. This happens when adding a user from Forest A to a group in Forest B (where a trust relationship exists between Forest A and Forest B).

I think the solution @jborean93 proposed for the intra-Forest issue (using custom -Server parameter) will work for this scenario as well.

[jborean93]

It took a while to get to but I've revamped the code to now include generic lookup behaviour for distinguishedName backed attributes. The PR #117 will allow members and managed_by to lookup the DN on a custom server using the following syntax:

- name: Add user to AD group
  microsoft.ad.group:
    identity: test_group
    name: test_group
    domain_server: domain_b
    members:
      add:
      # Will lookup on default DC
      - user1
      # Will lookup on domain_b
      - name: user2
        server: domain_b
      managed_by:
        name: admin-user
        server: domain_b

It also allows you to specify custom credentials for more than just the default server using the new domain_credentials option.