[PUP-9479] "Failed to initialize ACL: The parameter is incorrect" errors when changing Windows permissions. Created: 2019/02/06  Updated: 2019/03/13  Resolved: 2019/03/13

Status: Resolved
Project: Puppet
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Normal
Reporter: Paul H Assignee: Gheorghe Popescu
Resolution: Cannot Reproduce Votes: 0
Labels: needs_repro, permissions, type_and_provider, windows
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File puppetrun.txt
Template: PUP Bug Template
Team: Night's Watch
Story Points: 3
Sprint: PR - 2019-03-06, PR - 2019-03-20
Method Found: Needs Assessment
QA Risk Assessment: Needs Assessment

Description

Pertinent information:
-I've personally confirmed that this affects the following OS versions:
Windows Server 2008 SP1
Windows Server 2008 SP2
Windows Server 2008 R2 SP1
Windows Server 2012
Windows Server 2012 R2

-Puppet version: 4.9.4
-Scope: This behavior has affected hundreds of Windows hosts throughout our environment.

-Summary: After pushing an update to change the group of a PowerShell script from "Administrator" to "Administrators", a large number of managed hosts started to fail with "Failed to initialize ACL: The parameter is incorrect." errors. I'm speculating that this might be related to a SID conflict, as all of our hosts are joined to a domain and there is an Administrators group with a SID that matches what appears for local groups.

Code before issue appeared:

file { 'c:/os_config/scripts/configureWinRM.ps1':
  ensure  => 'file',
  owner   => 'Administrator',
  group   => 'Administrator',
  content => template('fakepathforexample/configureWinRM.erb'),
}

Code after issue appeared:

file { 'c:/os_config/scripts/configureWinRM.ps1':
  ensure  => 'file',
  owner   => 'Administrator',
  group   => 'Administrators',
  content => template('fakepathforexample/configureWinRM.erb'),
}

SID comparison:

PS C:\Users\phansen_alt> Get-ADGroup -Identity Administrators 
DistinguishedName : CN=Administrators,CN=Builtin,DC=REDACTED,DC=com
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Administrators
ObjectClass       : group
ObjectGUID        : d2afeac8-ee3f-4bae-8458-27f4a05e6e85
SamAccountName    : Administrators
SID               : S-1-5-32-544
 
PS C:\Users\phansen_alt> (Get-Localgroup -Name Administrators).sid
BinaryLength AccountDomainSid Value
------------ ---------------- -----
          16                  S-1-5-32-544

Error message:

Error: Failed to set owner to 'S-1-5-21-3450263623-690944591-812587964-500': Failed to initialize ACL:  The parameter is incorrect. 
Error: /Stage[main]/REDACTED::Winrm/File[c:/os_config/scripts/configureWinRM.ps1]/owner: change from BUILTIN\Administrators to <REDACTEDHOSTNAMEHERE>\Administrator failed: Failed to set owner to 'S-1-5-21-3450263623-690944591-812587964-500': Failed to initialize ACL:  The parameter is incorrect. 
Error: Failed to set group to 'S-1-5-32-544': Failed to initialize ACL:  The parameter is incorrect. 
Error: /Stage[main]/REDACTED::Winrm/File[c:/os_config/scripts/configureWinRM.ps1]/group: change from NT AUTHORITY\SYSTEM to BUILTIN\Administrators failed: Failed to set group to 'S-1-5-32-544': Failed to initialize ACL:  The parameter is incorrect.

Things to note:
-Initial deployments of this file work without issue; the error only appears when the permissions are being changed.
-Modifying the permissions with PowerShell or the GUI works without issue.
-I've developed a PowerShell exec workaround for this, and I've successfully tested it on 2008 SP1 - 2012 R2 (PowerShell 2-5).

Workaround code:

    # Added this exec as a workaround for the inconsistent permission application;
    # if this behavior is corrected at a later date, this can be removed.
    exec { 'WinRM Permission fix':
      path     => $::path,
      command  => 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -ExecutionPolicy Bypass -noprofile -Command {$acl = (Get-acl \\\\$(hostname)\\c$\\os_config\\scripts\\configureWinRM.ps1);  $object = New-Object System.Security.Principal.Ntaccount("$(hostname)\\Administrator"); $acl.SetOwner($object); Set-Acl -Path \\\\$(hostname)\\c$\\os_config\\scripts\\configureWinRM.ps1 -AclObject $acl}',
      unless   => 'if( ((Get-acl \\\\$(hostname)\\c$\\os_config\\scripts\\configureWinRM.ps1).owner | out-String) -eq  ("$(hostname)\\Administrator" | out-string) ) { exit 0 } else { exit 1 }',
      provider => powershell,
    }
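
The following diagnostic is an added example, not code from the ticket or from Puppet itself. It resolves the owner and group names used in the manifest to SIDs on the local host (so the result can be compared against the SIDs quoted in the error output above), then applies owner and group one at a time through the .NET ACL API so that a failure names the exact principal. The path and account names are taken from the ticket and are assumed to be the ones in use.

```powershell
# Added diagnostic example; not part of the ticket or the Puppet code base.
# Assumes the file path and principals from the manifest above.
param(
    [string]$Path  = 'C:\os_config\scripts\configureWinRM.ps1',
    [string]$Owner = "$env:COMPUTERNAME\Administrator",
    [string]$Group = 'BUILTIN\Administrators'
)

function Resolve-AccountSid {
    param([string]$Account)
    # NTAccount -> SecurityIdentifier. Throws IdentityNotMappedException when the
    # name is unknown or ambiguous on this host, which is what we want to see.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# 1. Show how each name resolves here. On a domain-joined host 'Administrators'
#    maps to the well-known S-1-5-32-544 both locally and in AD, while
#    'Administrator' maps to a machine- or domain-specific RID 500 SID.
foreach ($name in @($Owner, $Group, 'Administrators', 'Administrator')) {
    try   { '{0,-40} -> {1}' -f $name, (Resolve-AccountSid $name) }
    catch { '{0,-40} -> UNRESOLVED ({1})' -f $name, $_.Exception.Message }
}

# 2. Apply owner and group explicitly. Doing it in two steps turns a generic
#    "Failed to initialize ACL" into an error that says which principal failed.
$acl = Get-Acl -Path $Path
try {
    $acl.SetOwner([System.Security.Principal.NTAccount]$Owner)
    Set-Acl -Path $Path -AclObject $acl
    "Owner set to $Owner"
}
catch { "Failed to set owner on ${Path}: $($_.Exception.Message)"; exit 1 }
try {
    $acl = Get-Acl -Path $Path
    $acl.SetGroup([System.Security.Principal.NTAccount]$Group)
    Set-Acl -Path $Path -AclObject $acl
    "Group set to $Group"
}
catch { "Failed to set group on ${Path}: $($_.Exception.Message)"; exit 1 }

# 3. Read back what the filesystem now reports, for comparison with Puppet's view.
Get-Acl -Path $Path | Select-Object Path, Owner, Group | Format-List
```

Run it from an elevated session; assigning ownership to another principal relies on the SeRestorePrivilege that members of Administrators hold.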

Comments
Comment by Paul H [ 2019/02/06 ]

Please see the attached file (puppetrun.txt) for a puppet run with debug on. 

Comment by Gheorghe Popescu [ 2019/03/05 ]

Paul H, cannot reproduce the issues.

We tried to reproduce this issue (on Puppet 4.9.4) with a Domain Controller (default configuration) and the above steps, but have failed to encounter the error.
Steps:

  • install Puppet 4.9.4
  • set up the Domain Controller (default config)
  • apply the first manifest from `Code before issue appeared` - success
  • apply the second manifest from `Code after issue appeared` - success

Can you share more details? Or highlight if there are any issues in our approach?

Comment by Mihai Buzgau [ 2019/03/13 ]

Paul H, please reopen this ticket if you encounter the issue.

Generated at Wed Nov 20 22:12:04 PST 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.