Puppet / PUP-10899

Retrieve SID for users under 'APPLICATION PACKAGE AUTHORITY'


Details

    • Night's Watch
    • 2
    • NW - 2021-03-03
    • 42787
    • 1
    • Bug Fix
    • A known issue with `LookupAccountNameW` was causing Puppet to fail when managing Windows users under `APPLICATION PACKAGE AUTHORITY` with fully qualified names. An account-name sanitization step was added to prevent faulty queries.
    • Needs Assessment

    Description

      Our puppetlabs-acl module lists changes involving users under APPLICATION PACKAGE AUTHORITY as a known limitation, as follows:

       When referring to accounts in the APPLICATION PACKAGE AUTHORITY, use either their SID values or their unqualified names. The Windows API has well documented bugs preventing the fully qualified account names from being used.

      • S-1-15-2-1 or ALL APPLICATION PACKAGES, but not APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES. This account may only be referenced on Windows 2012R2 (kernel 6.3) or newer.
      • S-1-15-2-2 or ALL RESTRICTED APPLICATION PACKAGES, but not APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES. This account may only be referenced on Windows 2016 (kernel 10.0) or newer.

      Using the above advice, the following manifest works and is idempotent:

      acl { 'C:\\My Folder':
        permissions => [
          { identity => 'ALL RESTRICTED APPLICATION PACKAGES', rights => ['read', 'write', 'execute'] },
        ],
      }

      But when trying to add other (new) permissions, the following error occurs:

      Error: Failed to apply catalog: undefined method `bytesize' for nil:NilClass
      C:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/api_types.rb:25:in `from_string_to_wide_string'

      Example:

      acl { 'C:\\My Folder':
        permissions => [
          { identity => 'Administrators', rights => ['read', 'write', 'execute'] },
        ],
      }

      This limitation comes from Puppet's implementation at https://github.com/puppetlabs/puppet/blob/main/lib/puppet/util/windows/principal.rb#L47, which passes the username through as it is. Special filtering for usernames starting with APPLICATION PACKAGE AUTHORITY (splitting the qualified name accordingly when they do) would solve this issue.
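      One way to implement the filtering described above, as an added illustration in Ruby that is not Puppet's own principal.rb code: the lookup table standing in for the Windows API calls is constructed from the two SIDs listed in this ticket, and the function names are hypothetical.

```ruby
# Added illustration (not Puppet's principal.rb): normalise an account
# reference before handing it to a name lookup, working around the documented
# Windows API limitation with APPLICATION PACKAGE AUTHORITY qualified names.

APP_PACKAGE_AUTHORITY = 'APPLICATION PACKAGE AUTHORITY'.freeze

# Constructed table standing in for LookupAccountNameW / LookupAccountSidW,
# limited to the two accounts this ticket discusses (keys are upper-case).
WELL_KNOWN_APP_PACKAGE_SIDS = {
  'ALL APPLICATION PACKAGES'            => 'S-1-15-2-1',
  'ALL RESTRICTED APPLICATION PACKAGES' => 'S-1-15-2-2',
}.freeze

# Strip the authority qualifier that LookupAccountNameW cannot resolve.
# Other qualified names (e.g. BUILTIN\Administrators) are left untouched,
# and nil is passed through so the caller can decide how to report it.
def sanitize_account_name(name)
  return nil if name.nil?
  authority, _sep, unqualified = name.partition('\\')
  if !unqualified.empty? && authority.casecmp?(APP_PACKAGE_AUTHORITY)
    unqualified
  else
    name
  end
end

# Resolve an identity (SID string, unqualified or qualified name) to a SID.
# A failed lookup raises a descriptive error instead of returning nil, so it
# does not surface later as `undefined method bytesize for nil:NilClass`.
def resolve_app_package_sid(identity)
  raise ArgumentError, 'account identity must not be nil' if identity.nil?
  return identity if identity.match?(/\AS-1-15-2-\d+\z/)

  name = sanitize_account_name(identity)
  WELL_KNOWN_APP_PACKAGE_SIDS.fetch(name.upcase) do
    raise ArgumentError, "cannot resolve account #{identity.inspect}"
  end
end
```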

            People

              luchian.nemes Luchian Nemes