PUP-10999 (Puppet)

Unable to update UserRightAssignment - Log on as service rights

Details

    • Night's Watch
    • 3
    • NW - 2021-04-14, NW - 2021-04-28, NW - 2021-05-19
    • Needs Assessment
    • 43304
    • 1
    • Bug Fix
    • Validation and munging of `logonaccount` and `logonpassword` parameters, for the `service` resource on Windows, were previously failing too early. This fix moves them to a later point in the catalog compilation order list to avoid premature errors and to respect resource dependencies in manifests.
    • Needs Assessment

    Description

      Puppet Version: 2019.8.4
      Puppet Server Version:
      OS Name/Version:

      We are trying to add an account to the "UserRightAssignment - Log on as service rights" of a Windows agent using the DSC Modules:

      dsc-securitypolicydsc
      puppetlabs-pwshlib

      and, at the same time, set a service with the account that just got the "log on as service rights". The manifest code used is:

       

      class windows_towers {
        # Grant the account the "Log on as a service" right first.
        dsc_userrightsassignment { "add-jordi-to-logon-as-service":
          dsc_ensure   => 'present',
          dsc_policy   => 'Log_on_as_a_service',
          dsc_identity => ['NT SERVICE\\ALL SERVICES', 'cloudbase-init', 'jordi'],
        }

        # Then run the service under that account; `require` orders it after the grant.
        service { 'PlexUpdateService':
          ensure        => 'stopped',
          logonaccount  => 'PE-201984-WIN2K\\jordi',
          logonpassword => 'puppetpuppet',
          enable        => 'false',
          require       => Dsc_userrightsassignment['add-jordi-to-logon-as-service'],
        }
      }
       

      Desired Behavior:

      Update the Windows service with the new credentials that just got "log on as service rights". Basically, the code above should work first time round.

      Actual Behavior:

       
      PS C:\Users\Administrator\tester> puppet agent -t
      [DEPRECATION] Struct layout is already defined for class Windows::ServiceStructs::SERVICE_STATUS_PROCESS. Redefinition as in C:/Ruby25-x64/lib/ruby/gems/2.5.0/gems/win32-service-0.8.8/lib/win32/windows/structs.rb:67:in `<class:SERVICE_STATUS_PROCESS>' will be disallowed in ffi-2.0.
      Info: Using configured environment 'production'
      Info: Retrieving pluginfacts
      Info: Retrieving plugin
      Info: Retrieving locales
      Info: Loading facts
      Error: Failed to apply catalog: Parameter logonaccount failed on Service[PlexUpdateService]: "PE-201984-WIN2K\jordi" is missing the 'Log On As A Service' right. (file: /etc/puppetlabs/code/environments/production/site/windows_towers/manifests/init.pp, line: 16)

      The error is indicating that the account selected doesn't have "log on as service rights" but, in fact, the account has not been added to the "log on as service rights" User Rights assignment and it is failing at compilation.

      Alternatively, if you comment out the service part of the code, the user gets added to the "log on as service rights" and, at this stage, the code will work as expected.

      class windows_towers {
        dsc_userrightsassignment { "add-jordi-to-logon-as-service":
          dsc_ensure   => 'present',
          dsc_policy   => 'Log_on_as_a_service',
          dsc_identity => ['NT SERVICE\\ALL SERVICES', 'cloudbase-init', 'jordi'],
        }

        #service { 'PlexUpdateService':
        #  ensure        => 'stopped',
        #  logonaccount  => 'PE-201984-WIN2K\\jordi',
        #  logonpassword => 'puppetpuppet',
        #  enable        => 'false',
        #  require       => Dsc_userrightsassignment['add-jordi-to-logon-as-service'],
        #}
      }

      PS C:\Users\Administrator\tester> puppet agent -t
      [DEPRECATION] Struct layout is already defined for class Windows::ServiceStructs::SERVICE_STATUS_PROCESS. Redefinition as in C:/Ruby25-x64/lib/ruby/gems/2.5.0/gems/win32-service-0.8.8/lib/win32/windows/structs.rb:67:in `<class:SERVICE_STATUS_PROCESS>' will be disallowed in ffi-2.0.
      Info: Using configured environment 'production'
      Info: Retrieving pluginfacts
      Info: Retrieving plugin
      Info: Retrieving locales
      Info: Loading facts
      Info: Caching catalog for pe-201984-win2k.platform9.puppet.net
      Info: Applying configuration version '1617025583'
      Notice: /Stage[main]/Windows_towers/Dsc_userrightsassignment[add-jordi-to-logon-as-service]/dsc_identity: dsc_identity changed ['PE-201984-WIN2K\cloudbase-init', 'NT SERVICE\ALL SERVICES'] to ['NT SERVICE\ALL SERVICES', 'cloudbase-init', 'jordi']
      Notice: dsc_userrightsassignment\\\\{:name=>"add-jordi-to-logon-as-service", :dsc_policy=>"Log_on_as_a_service"}: Updating: Finished in 2.36 seconds
      Notice: Applied catalog in 3.77 seconds

      I have worked with Michael Lombardi on https://tickets.puppetlabs.com/browse/MODULES-10969, created on the back of https://puppetlabs.zendesk.com/agent/tickets/43304, that has determined that the error experienced is generated by https://github.com/puppetlabs/puppet/blob/main/lib/puppet/type/service.rb#L152 and stops catalog compilation.

      Michael has also suggested that the current validation be turned into a warning or placed in the provider and called during the set method.
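
A simplified Ruby model of the ordering problem this ticket describes, added here as an illustration and not taken from Puppet's source; `ToyCatalog`, `simulate` and the resource names are hypothetical. With eager validation the account check runs before the rights grant has been applied, while deferring the check to apply time lets the `require` ordering take effect.

```ruby
# Simplified model (not Puppet's code): a service resource needs a user
# right that another resource in the same run grants.
require 'set'

class ToyCatalog
  Resource = Struct.new(:name, :requires, :validate, :apply)

  def initialize
    @resources = {}
  end

  def add(name, requires: [], validate: -> { true }, apply: -> {})
    @resources[name] = Resource.new(name, requires, validate, apply)
  end

  # Depth-first ordering so every resource comes after what it requires.
  def ordered
    seen = Set.new
    out = []
    visit = lambda do |name|
      next if seen.include?(name)
      seen << name
      @resources.fetch(name).requires.each { |dep| visit.call(dep) }
      out << @resources.fetch(name)
    end
    @resources.each_key { |n| visit.call(n) }
    out
  end

  # :eager validates everything before any change (the reported behaviour);
  # :deferred validates each resource just before applying it.
  def run(mode)
    list = ordered
    bad = list.find { |r| !r.validate.call } if mode == :eager
    return "failed: #{bad.name}" if bad
    list.each do |r|
      return "failed: #{r.name}" if mode == :deferred && !r.validate.call
      r.apply.call
    end
    'applied'
  end
end

def simulate(mode)
  rights = Set.new # constructed state: accounts holding the logon right
  c = ToyCatalog.new
  c.add('service', requires: ['grant'], validate: -> { rights.include?('jordi') })
  c.add('grant', apply: -> { rights << 'jordi' })
  c.run(mode)
end
```
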

       

            People

              luchian.nemes Luchian Nemes
              jordi.garcia Jordi Garcia