ansible-collections · jborean93 · Mar 30, 2022 · Mar 13, 2022 · Mar 13, 2022 · Mar 13, 2022
diff --git a/changelogs/fragments/365-win_domain_user-add-support-for-spns-kerberos.yml b/changelogs/fragments/365-win_domain_user-add-support-for-spns-kerberos.yml
@@ -0,0 +1,4 @@
+minor_changes:
+- win_domain_user - Add support for managing service prinicpal names via the ``spn`` param
+  and principals allowed to delegate via the ``delegates`` param
+  (https://github.com/ansible-collections/community.windows/pull/365)
diff --git a/plugins/modules/win_domain_user.ps1 b/plugins/modules/win_domain_user.ps1
diff --git a/plugins/modules/win_domain_user.py b/plugins/modules/win_domain_user.py
@@ -42,7 +42,7 @@
       - Note that there is not a way to lock an account as an administrator.
       - Accounts are locked due to user actions; as an admin, you may only unlock a locked account.
       - If you wish to administratively disable an account, set I(enabled) to C(no).
-    choices: [ no ]
+    type: bool
   description:
     description:
       - Description of the user
@@ -55,6 +55,7 @@
         I(groups_action=replace).
       - Note that users cannot be removed from their principal group (for example, "Domain Users").
     type: list
+    elements: str
   groups_action:
     description:
       - If C(add), the user is added to each group in I(groups) where not already a member.
@@ -64,6 +65,24 @@
     type: str
     choices: [ add, remove, replace ]
     default: replace
+  spn:
+    description:
+      - Specifies the service principal name(s) for the account. This parameter sets the
+        ServicePrincipalNames property of the account. The LDAP display name (ldapDisplayName)
+        for this property is servicePrincipalName.
+    type: list
+    elements: str
+    aliases: [ spns ]
+    version_added: 1.10.0
+  spn_action:
+    description:
+      - If C(add), the SPNs are added to the user.
+      - If C(remove), the SPNs are removed from the user.
+      - If C(replace), the defined set of SPN's overwrite the current set of SPNs.
+    type: str
+    choices: [ add, remove, replace ]
+    default: replace
+    version_added: 1.10.0
   password:
     description:
       - Optionally set the user's password to this (plain text) value.
@@ -103,6 +122,7 @@
     description:
       - Configures the user's last name (surname).
     type: str
+    aliases: [ lastname ]
   company:
     description:
       - Configures the user's company name.
@@ -157,13 +177,23 @@
         be updated - you must delete (e.g., C(state=absent)) the user and
         then re-add the user with the appropriate path.
     type: str
+  delegates:
+    description:
+      - Specifies an array of principal objects. This parameter sets the
+        msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a computer account
+        object.
+      - Must be specified as a distinguished name C(CN=shenetworks,CN=Users,DC=ansible,DC=test)
+    type: list
+    elements: str
+    aliases: [ principals_allowed_to_delegate ]
+    version_added: 1.10.0
   attributes:
     description:
       - A dict of custom LDAP attributes to set on the user.
       - This can be used to set custom attributes that are not exposed as module
         parameters, e.g. C(telephoneNumber).
       - See the examples on how to format this parameter.
-    type: str
+    type: dict
   domain_username:
     description:
     - The username to use when interacting with AD.
@@ -199,6 +229,7 @@
 - module: community.windows.win_user_profile
 author:
     - Nick Chandler (@nwchandler)
+    - Joe Zollo (@zollo)
 '''
 
 EXAMPLES = r'''
@@ -244,6 +275,35 @@
   community.windows.win_domain_user:
     name: bob
     state: absent
+
+- name: Ensure user has spn's defined
+  community.windows.win_domain_user:
+    name: liz.kenyon
+    spn:
+      - MSSQLSvc/us99db-svr95:1433
+      - MSSQLSvc/us99db-svr95.vmware.com:1433
+
+- name: Ensure user has spn added
+  community.windows.win_domain_user:
+    name: liz.kenyon
+    spn_action: add
+    spn:
+      - MSSQLSvc/us99db-svr95:2433
+
+- name: Ensure user is created with delegates and spn's defined
+  community.windows.win_domain_user:
+    name: shmemmmy
+    password: The3rubberducki33!
+    state: present
+    groups:
+      - Domain Admins
+      - Enterprise Admins
+    delegates:
+      - CN=shenetworks,CN=Users,DC=ansible,DC=test
+      - CN=mk.ai,CN=Users,DC=ansible,DC=test
+      - CN=jessiedotjs,CN=Users,DC=ansible,DC=test
+    spn:
+      - MSSQLSvc/us99db-svr95:2433
 '''
 
 RETURN = r'''
@@ -272,6 +332,15 @@
     returned: always
     type: str
     sample: US
+delegates:
+    description: Principals allowed to delegate
+    returned: always
+    type: list
+    elements: str
+    sample:
+      - CN=svc.tech.unicorn,CN=Users,DC=ansible,DC=test
+      - CN=geoff,CN=Users,DC=ansible,DC=test
+    version_added: 1.10.0
 description:
     description: A description of the account
     returned: always
@@ -332,6 +401,14 @@
     returned: always
     type: str
     sample: S-1-5-21-2752426336-228313920-2202711348-1175
+spn:
+    description: The service principal names
+    returned: always
+    type: list
+    sample:
+      - HTTPSvc/ws1intel-svc1
+      - HTTPSvc/ws1intel-svc1.vmware.com
+    version_added: 1.10.0
 state:
     description: The state of the user account
     returned: always

diff --git a/tests/integration/targets/win_domain_user/tasks/check_mode_test.yml b/tests/integration/targets/win_domain_user/tasks/check_mode_test.yml
@@ -1,8 +1,7 @@
 ---
-
-- name: Create Jane(check_mode)
+- name: Create Justi (check_mode)
   community.windows.win_domain_user:
-    name: Jane
+    name: Justi
     password: J@n3P4ssw0rd#
     state: present
     update_password: on_create
@@ -16,8 +15,13 @@
   check_mode: true
 
 - name: Sanity check on Check Mode
-  win_shell: |
-    Get-AdUser -Identity Jane
+  ansible.windows.win_powershell:
+    script: |
+      try {
+        Get-AdUser -Identity Justi
+        $Ansible.Failed = $true
+      } catch {
+        $Ansible.Failed = $false
+      }
   register: sanity_check
-  failed_when: "'NotFound' not in sanity_check.stderr"
   changed_when: false
diff --git a/tests/integration/targets/win_domain_user/tasks/main.yml b/tests/integration/targets/win_domain_user/tasks/main.yml
@@ -1,6 +1,18 @@
 ---
-- name: Run Tests
-  import_tasks: tests.yml
+- name: Remove Users
+  win_domain_user:
+    name: "{{ item }}"
+    state: absent
+  loop:
+    - justi
+    - hana
+    - katie
+
+- name: Run Test Suite 1
+  import_tasks: test1.yml
+
+- name: Run Test Suite 2
+  import_tasks: test2.yml
 
 - name: Run Check Mode Tests
-  import_tasks: check_mode_test.yml
+  import_tasks: check_mode_test.yml
diff --git a/tests/integration/targets/win_domain_user/tasks/test1.yml b/tests/integration/targets/win_domain_user/tasks/test1.yml
@@ -0,0 +1,76 @@
+---
+- name: Justi | Create User
+  win_domain_user:
+    name: Justi
+    upn: [email protected]
+    password: c0dinGwithKI@
+    state: present
+    update_password: on_create
+    password_never_expires: false
+    enabled: true
+    spn:
+      - MSSQLSvc/US99DBSVR1
+      - MSSQLSvc/US99DBSVR1.vmware.com
+      - MSSQLSvc/US99DBSVR1.vmware.com:1433
+  register: new_user_test
+  failed_when: new_user_test is not success
+
+- name: Justi | Create User (idempotence check)
+  win_domain_user:
+    name: Justi
+    upn: [email protected]
+    password: c0dinGwithKI@
+    state: present
+    update_password: on_create
+    password_never_expires: false
+    enabled: true
+    spn:
+      - MSSQLSvc/US99DBSVR1
+      - MSSQLSvc/US99DBSVR1.vmware.com
+      - MSSQLSvc/US99DBSVR1.vmware.com:1433
+  register: new_user_test_idempotent
+  failed_when: new_user_test_idempotent is changed
+
+- name: Justi | Update Password
+  win_domain_user:
+    name: Justi
+    password: al3x@ndriastEch!
+    state: present
+    update_password: always
+    password_never_expires: false
+    enabled: true
+  register: password_changed
+  failed_when: not password_changed.changed
+
+- name: Justi | Replace SPNs
+  win_domain_user:
+    name: Justi
+    state: present
+    spn:
+      - MSSQLSvc/
+      - MSSQLSvc/US99DBSVR1.vmware.com
+  register: spn_changed
+  failed_when: not spn_changed.changed
+
+- name: Justi | Add SPN
+  win_domain_user:
+    name: Justi
+    state: present
+    spn_action: add
+    spn:
+      - MSSQLSvc/US99DBSVR1.vmware.com:2433
+  register: add_spn_changed
+  failed_when: add_spn_changed is not changed
+
+- name: Assertions
+  assert:
+    that:
+      - new_user_test.changed
+      - new_user_test.created
+      - not new_user_test.password_never_expires
+      - not new_user_test_idempotent.changed
+      - new_user_test_idempotent.distinguished_name == "CN=Justi,CN=Users,DC=ansible,DC=test"
+      - password_changed.changed
+      - password_changed.password_updated
+      - spn_changed.changed
+      - add_spn_changed.changed