PUP-9479: "Failed to initialize ACL: The parameter is incorrect" errors when changing Windows permissions.

    Details

    • Template:
      PUP Bug Template
    • Team:
      Night's Watch
    • Story Points:
      3
    • Sprint:
      PR - 2019-03-06, PR - 2019-03-20
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Pertinent information:
      -I've personally confirmed that this affects the following OS versions:
      Windows Server 2008 SP1
      Windows Server 2008 SP2
      Windows Server 2008 R2 SP1
      Windows Server 2012
      Windows Server 2012 R2

      -Puppet version: 4.9.4
      -Scope: This behavior has affected hundreds of Windows hosts throughout our environment.

      -Summary: After pushing an update to change the group of a PowerShell script from "Administrator" to "Administrators", a large number of managed hosts started to fail with "Failed to initialize ACL: The parameter is incorrect." errors. I'm speculating that this might be related to a SID conflict, as all of our hosts are joined to a domain and there is an Administrators group with a SID that matches what appears for local groups.

       Code before issue appeared:

      file { 'c:/os_config/scripts/configureWinRM.ps1':
        ensure  => 'file',
        owner   => 'Administrator',
        group   => 'Administrator',
        content => template('fakepathforexample/configureWinRM.erb'),
      }

      Code after issue appeared:

      file { 'c:/os_config/scripts/configureWinRM.ps1':
        ensure  => 'file',
        owner   => 'Administrator',
        group   => 'Administrators',
        content => template('fakepathforexample/configureWinRM.erb'),
      }

        SID comparison: 

      PS C:\Users\phansen_alt> Get-ADGroup -Identity Administrators 
      DistinguishedName : CN=Administrators,CN=Builtin,DC=REDACTED,DC=com
      GroupCategory     : Security
      GroupScope        : DomainLocal
      Name              : Administrators
      ObjectClass       : group
      ObjectGUID        : d2afeac8-ee3f-4bae-8458-27f4a05e6e85
      SamAccountName    : Administrators
      SID               : S-1-5-32-544
       
      PS C:\Users\phansen_alt> (Get-Localgroup -Name Administrators).sid
      BinaryLength AccountDomainSid Value
      ------------ ---------------- -----
                16                  S-1-5-32-544
      

      Error message:  

      Error: Failed to set owner to 'S-1-5-21-3450263623-690944591-812587964-500': Failed to initialize ACL:  The parameter is incorrect. 
      Error: /Stage[main]/REDACTED::Winrm/File[c:/os_config/scripts/configureWinRM.ps1]/owner: change from BUILTIN\Administrators to <REDACTEDHOSTNAMEHERE>\Administrator failed: Failed to set owner to 'S-1-5-21-3450263623-690944591-812587964-500': Failed to initialize ACL:  The parameter is incorrect. 
      Error: Failed to set group to 'S-1-5-32-544': Failed to initialize ACL:  The parameter is incorrect. 
      Error: /Stage[main]/REDACTED::Winrm/File[c:/os_config/scripts/configureWinRM.ps1]/group: change from NT AUTHORITY\SYSTEM to BUILTIN\Administrators failed: Failed to set group to 'S-1-5-32-544': Failed to initialize ACL:  The parameter is incorrect.
      

       Things to note:
      -Initial deployments of this file work without issue; the error only appears when the permissions are being changed.
      -Modifying the permissions with PowerShell or the GUI works without issue.
      -I've developed a PowerShell exec workaround for this, and I've successfully tested it on 2008 SP1 - 2012 R2 (PowerShell 2-5).

      Workaround code: 

          # Adding this exec as a workaround to the inconsistent permission application.
          # If this behavior is corrected at a later date this can be removed.
          exec { 'WinRM Permission fix':
            path     => $::path,
            command  => 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -ExecutionPolicy Bypass -noprofile -Command {$acl = (Get-acl \\\\$(hostname)\\c$\\os_config\\scripts\\configureWinRM.ps1);  $object = New-Object System.Security.Principal.Ntaccount("$(hostname)\\Administrator"); $acl.SetOwner($object); Set-Acl -Path \\\\$(hostname)\\c$\\os_config\\scripts\\configureWinRM.ps1 -AclObject $acl}',
            unless   => 'if( ((Get-acl \\\\$(hostname)\\c$\\os_config\\scripts\\configureWinRM.ps1).owner | out-String) -eq  ("$(hostname)\\Administrator" | out-string) ) { exit 0 } else { exit 1 }',
            provider => powershell,
          }
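A diagnostic script for the name-to-SID ambiguity the report speculates about, added here as an example and not part of the ticket or of Puppet's own code. It resolves each candidate account name that the manifest's `owner`/`group` values could map to on a domain-joined host, reports which names collapse to the same SID, and compares them with the SIDs actually on the file. The file path and account names come from the ticket; `DOMAIN` is a placeholder for the AD domain's NetBIOS name.

```powershell
# Added diagnostic (not from the ticket): resolve the account names used in the
# manifest to SIDs and compare them with the SIDs currently on the file's ACL.
$path  = 'C:\os_config\scripts\configureWinRM.ps1'   # path from the ticket
$local = $env:COMPUTERNAME
$candidates = @(
    'Administrator',                # bare name as written in the manifest
    'Administrators',               # bare group name as written in the manifest
    "$local\Administrator",         # explicit local account, as shown in the error
    'BUILTIN\Administrators',       # well-known local group (S-1-5-32-544)
    'DOMAIN\Administrators'         # placeholder: replace DOMAIN with the AD NetBIOS name
)

function Resolve-AccountSid {
    param([string]$Name)
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Name)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return "unresolvable: $($_.Exception.Message)"
    }
}

Write-Host "Name -> SID resolution on $local"
$resolved = foreach ($n in $candidates) {
    New-Object PSObject -Property @{ Name = $n; Sid = (Resolve-AccountSid $n) }
}
$resolved | Format-Table Name, Sid -AutoSize

# Names that resolve to the same SID are interchangeable as far as the ACL is concerned;
# a name that resolves to something other than the expected SID (e.g. a domain SID
# instead of the local one) explains an owner/group change that is re-attempted on
# every run.
$resolved | Group-Object Sid | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
    Write-Host "Same SID $($_.Name): $names"
}

# Compare with what is on the file now. Get-Acl exposes Owner/Group as names;
# GetOwner/GetGroup with the SecurityIdentifier type return the raw SIDs.
if (Test-Path $path) {
    $acl      = Get-Acl -Path $path
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    $groupSid = $acl.GetGroup([System.Security.Principal.SecurityIdentifier]).Value
    Write-Host "Current owner: $($acl.Owner) ($ownerSid)"
    Write-Host "Current group: $($acl.Group) ($groupSid)"
}
```

Run it on an affected host and on one that applies the change cleanly; a difference in which SID `Administrator` or `Administrators` resolves to is the kind of evidence that confirms or rules out the SID-conflict theory.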
      

            People

            • Assignee:
              Gheorghe Popescu (gheorghe.popescu)
            • Reporter:
              Paul H (zype76)