Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-10899

Retrieve SID for users under 'APPLICATION PACKAGE AUTHORITY'

    XMLWordPrintable

    Details

    • Template:
    • Team:
      Night's Watch
    • Story Points:
      2
    • Sprint:
      NW - 2021-03-03
    • Zendesk Ticket IDs:
      42787
    • Zendesk Ticket Count:
      1
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      A known issue with `LookupAccountNameW` was causing Puppet to fail when managing Windows users under `APPLICATION PACKAGE AUTHORITY` with fully qualified names. A account name sanitization step was added to prevent faulty queries.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Our puppetlabs-acl module lists changes with the users under APPLICATION PACKAGE AUTHORITY as a known limitation as follows:

       When referring to accounts in the APPLICATION PACKAGE AUTHORITY, use either their SID values or their unqualified names. The Windows API has well documented bugs preventing the fully qualified account names from being used.

      • S-1-15-2-1 or ALL APPLICATION PACKAGES, but not APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES. This account may only be referenced on Windows 2012R2 (kernel 6.3) or newer.
      • S-1-15-2-2 or ALL RESTRICTED APPLICATION PACKAGES, but not APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES. This account may only be referenced on Windows 2016 (kernel 10.0) or newer.

      Using above advice, the following manifest works and is idempotent :

      acl { 'C:\\My Folder':
        permissions => [
        {
            identity => 'ALL RESTRICTED APPLICATION PACKAGES', rights => ['read','write','execute']}
        ],
      }
      

      But when trying to add other permissions (new ones), the following error occurs:
      Error: Failed to apply catalog: undefined method `bytesize' for nil:NilClass
      C:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/api_types.rb:25:in `from_string_to_wide_string'
      Example:

      acl { 'C:\\My Folder':
        permissions => [
        {
            identity => 'Administrators', rights => ['read','write','execute']}
        ],
      }
      

      This limitation is brought by puppet implementation of https://github.com/puppetlabs/puppet/blob/main/lib/puppet/util/windows/principal.rb#L47 which takes the username as it is. A special filtering for usernames starting with APPLICATION PACKAGE AUTHORITY (and split it accordingly if so) would solve this issue.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              luchian.nemes Luchian Nemes
              Reporter:
              luchian.nemes Luchian Nemes
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support