Jira (PUP-9719) Cannot run Puppet Agent as Administrator if first PA run is done as System


John O'Connor (JIRA), Jun 24, 2019, 10:58:04 AM, to puppe...@googlegroups.com
John O'Connor updated an issue
Puppet / Bug PUP-9719
Cannot run Puppet Agent as Administrator if first PA run is done as System
Change By: John O'Connor
Summary changed from "Can't run puppet agent after installing the MSI using the SYSTEM account" to "Cannot run Puppet Agent as Administrator if first PA run is done as System"
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

John O'Connor (JIRA), Jun 24, 2019, 10:58:04 AM, to puppe...@googlegroups.com
John O'Connor updated an issue
*Puppet Version:* 6.4.2
*Puppet Server Version:* N/A
*OS Name/Version:* Windows Server 2016 x64

When installing Puppet Agent (6.4.2/PE 2019.1.0) on Server 2016 using a PowerShell script running as the SYSTEM account, Administrator users can't run Puppet. Daemon/service runs are performed as expected. Direct Puppet runs appear to occur but no report is sent to the master.
*UPDATE* - It is the first run as SYSTEM that is the problem, so I have changed the ticket title.

PUP-8939 had reportedly solved this issue.

*Desired Behavior:*

*note* - you need to use {{psexec -s}} to repro this on {{vmpooler}} nodes to ensure the SYSTEM account is used:

1. Install: {{psexec -s -i "msiexec.exe" /qn /norestart /l*v C:\windows\temp\puppetinstall.log /i C:\Users\Administrator\Downloads\puppet-agent-6.4.2-x64.msi PUPPET_AGENT_STARTUP_MODE=Manual}}
2. Run PA {{psexec -s "C:\Program Files\Puppet Labs\Puppet\bin\puppet.bat" agent -t}}

1. Download the Agent 6.4.2 x64 MSI to a temp path (in this example, {{C:\temp\puppet\puppet-agent-x64.msi}}).
2. Install Puppet Agent on a Server 2016 node as the SYSTEM user by running {{start-process -filepath "msiexec.exe" -arg "/qn /norestart /l*v C:\windows\temp\puppetinstall.log /i c:\temp\puppet\puppet-agent-x64.msi PUPPET_AGENT_STARTUP_MODE=Manual" -Wait}}
3. Populate csr_attributes.yml and {{server}} in the agent config as necessary.
4. As an Administrator, run {{puppet agent --test}} on the newly installed agent.

*Actual Behavior:*

Catalog retrieval fails; log has been redacted:
{code}2019-05-21 17:20:36 -0400 Puppet (debug): HTTP POST https://compiler.example.net:8140/puppet/v3/catalog/examplenode.example.net returned 200 OK
2019-05-21 17:20:36 -0400 Puppet (debug): Caching connection for https://compiler.example.net:8140
2019-05-21 17:20:36 -0400 Puppet (info): Caching catalog for examplenode.example.net
2019-05-21 17:20:38 -0400 Puppet (err): ReplaceFile(C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/examplenode.example.net.json, C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/examplenode.example.net.json20190521-6580-blokpv):  Access is denied.
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/file.rb:89:in `replace_file'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:636:in `replace_file'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/indirector/json.rb:17:in `save'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:200:in `find'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:466:in `block in retrieve_new_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:518:in `block in thinmark'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/2.5.0/benchmark.rb:308:in `realtime'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:517:in `thinmark'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:465:in `retrieve_new_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:75:in `retrieve_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:167:in `prepare_and_retrieve_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:342:in `run_internal'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:240:in `block in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/context.rb:65:in `override'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet.rb:264:in `override'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:217:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:59:in `block (5 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/2.5.0/timeout.rb:93:in `block in timeout'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/2.5.0/timeout.rb:103:in `timeout'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:58:in `block (4 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent/locker.rb:21:in `lock'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:52:in `block (3 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:130:in `with_client'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:49:in `block (2 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:87:in `run_in_fork'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:48:in `block in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application.rb:179:in `controlled_run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:46:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:371:in `onetime'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:353:in `run_command'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `block in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:671:in `exit_on_fail'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:139:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
c:/Program Files/Puppet Labs/Puppet/puppet/bin/puppet:4:in `<main>'
2019-05-21 17:20:38 -0400 Puppet (err): Could not retrieve catalog from remote server: ReplaceFile(C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/examplenode.example.net.json, C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/examplenode.example.net.json20190521-6580-blokpv):  Access is denied.
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/file.rb:89:in `replace_file'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:636:in `replace_file'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/indirector/json.rb:17:in `save'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:200:in `find'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:466:in `block in retrieve_new_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:518:in `block in thinmark'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/2.5.0/benchmark.rb:308:in `realtime'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:517:in `thinmark'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:465:in `retrieve_new_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:75:in `retrieve_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:167:in `prepare_and_retrieve_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:342:in `run_internal'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:240:in `block in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/context.rb:65:in `override'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet.rb:264:in `override'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:217:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:59:in `block (5 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/2.5.0/timeout.rb:93:in `block in timeout'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/2.5.0/timeout.rb:103:in `timeout'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:58:in `block (4 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent/locker.rb:21:in `lock'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:52:in `block (3 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:130:in `with_client'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:49:in `block (2 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:87:in `run_in_fork'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:48:in `block in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application.rb:179:in `controlled_run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:46:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:371:in `onetime'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:353:in `run_command'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `block in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:671:in `exit_on_fail'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:139:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
c:/Program Files/Puppet Labs/Puppet/puppet/bin/puppet:4:in `<main>'
{code}
Reporting also fails:
{code}2019-05-21 17:20:38 -0400 Puppet (debug): Using cached connection for https://compiler.example.net:8140
2019-05-21 17:20:39 -0400 Puppet (debug): HTTP PUT https://compiler.example.net:8140/puppet/v3/report/examplenode.example.net returned 200 OK
2019-05-21 17:20:39 -0400 Puppet (debug): Caching connection for https://compiler.example.net:8140
2019-05-21 17:20:39 -0400 Puppet (err): Could not send report: ReplaceFile(C:/ProgramData/PuppetLabs/puppet/cache/state/last_run_report.yaml, C:/ProgramData/PuppetLabs/puppet/cache/state/last_run_report.yaml20190521-6580-1yfrb1r):  Access is denied.
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/file.rb:89:in `replace_file'
...
{code}
ACLs from C:\ProgramData\PuppetLabs\puppet\cache\ on the agent:
{code}PS C:\Windows\system32> Get-Acl C:\ProgramData\PuppetLabs\puppet\cache\ | Select *

PSPath : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet
PSChildName : cache
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId :
CentralAccessPolicyName :
Path : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : {System.Security.AccessControl.FileSystemAccessRule,
System.Security.AccessControl.FileSystemAccessRule,
System.Security.AccessControl.FileSystemAccessRule}
Sddl : O:SYG:SYD:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;S-1-5-21-1092630797-2642148860-572411492-162715)
AccessToString : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
DEVAONNET\ah14740 Allow FullControl
AuditToString :
AccessRightType : System.Security.AccessControl.FileSystemRights
AccessRuleType : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : False
AreAuditRulesProtected : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical : True
{code}

John O'Connor (JIRA), Jun 24, 2019, 10:59:03 AM, to puppe...@googlegroups.com
John O'Connor commented on Bug PUP-9719
Re: Cannot run Puppet Agent as Administrator if first PA run is done as System

The issue is the first Puppet Agent run regardless of whether System or Administrator was used to install, so again - it looks to be a Puppet Agent issue and not an MSI installer issue.

Ethan Brown (JIRA), Jun 25, 2019, 12:46:03 PM, to puppe...@googlegroups.com
Ethan Brown commented on Bug PUP-9719

Be careful when referring to Administrator

We typically don't want Administrator (the user), we want to apply Administrators (the group). Administrators has a well known SID of S-1-5-32-544 and includes the users we typically wish to grant access to - Administrator, SYSTEM, domain admins, etc.

John O'Connor (JIRA), Jun 25, 2019, 1:35:03 PM, to puppe...@googlegroups.com
John O'Connor commented on Bug PUP-9719

The following is a crude script that will fix permissions. It can be run either in the puppetrun.ps1 script or prior to using {{puppet agent -t}} as Administrator.

{code}
# Script to find and fix files under C:\ProgramData\PuppetLabs that don't have
# an ACE for BUILTIN\Administrators.

$Folder = "C:\ProgramData\PuppetLabs"
# "FullControl" is the FileSystemRights member name; "Full" does not convert to the enum.
$AccessAdminRule = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators", "FullControl", "Allow")

Get-ChildItem -Path "$Folder" -Recurse |
    Where-Object { $_.PSIsContainer -eq $False } |
    ForEach-Object { Get-Acl -Path $_.FullName } |
    Where-Object { $_.AccessToString -notmatch "Administrators" } |
    ForEach-Object {
        Write-Output "Working on $($_.Path)"
        Write-Output "Access to String $($_.AccessToString)"
        # Add the Administrators allow rule to the in-memory ACL, then write it back.
        $_.SetAccessRule($AccessAdminRule)
        Set-Acl -Path $_.Path -AclObject $_
    }
{code}

Mihai Buzgau (JIRA), Jun 26, 2019, 9:04:08 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10

John O'Connor (JIRA), Jul 5, 2019, 7:17:04 AM, to puppe...@googlegroups.com
John O'Connor updated an issue
Change By: John O'Connor
*Desired Behavior:*

*note* changed from "you need to use {{psexec -s}} to repro this on {{vmpooler}} nodes to ensure the SYSTEM account is used:" to "so far, this can only be replicated using scheduled tasks as {{psexec}} doesn't provide the same permissions environment:"

John O'Connor (JIRA), Jul 5, 2019, 7:18:03 AM, to puppe...@googlegroups.com
John O'Connor updated an issue
*Desired Behavior:*

*note* - so far, this can only be replicated using scheduled tasks as {{psexec}} doesn't provide the same permissions environment:

1. Install: {{psexec -s -i "msiexec.exe" /qn /norestart /l*v C:\windows\temp\puppetinstall.log /i C:\Users\Administrator\Downloads\puppet-agent-6.4.2-x64.msi PUPPET_AGENT_STARTUP_MODE=Manual}} replaced with TBD
2. Run PA: {{psexec -s "C:\Program Files\Puppet Labs\Puppet\bin\puppet.bat" agent -t}} replaced with TBD

John O'Connor (JIRA), Jul 5, 2019, 7:19:04 AM, to puppe...@googlegroups.com
John O'Connor updated an issue
*Desired Behavior:*

*note* - so far, this can only be replicated using scheduled tasks as {{psexec}} doesn't provide the same permissions environment:

1. Install: TBD replaced with {{schtasks /create /tn PuppetInstall /RL HIGHEST /RU SYSTEM /F /SC ONCE /ST 11:15 /TR 'cmd /c c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -sta -WindowStyle Hidden -ExecutionPolicy Bypass -NonInteractive -NoProfile -File c:\puppet.ps1 >> C:\windows\temp\puppet-ins.log 2>&1'}}
2. Run PA: TBD replaced with {{schtasks /create /tn PuppetInstall /RL HIGHEST /RU SYSTEM /F /SC ONCE /ST 11:17 /TR 'cmd /c c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -sta -WindowStyle Hidden -ExecutionPolicy Bypass -NonInteractive -NoProfile -File c:\puppetrun.ps1 >> C:\windows\temp\puppet-run.log 2>&1'}}

John O'Connor (JIRA), Jul 5, 2019, 7:21:03 AM, to puppe...@googlegroups.com
John O'Connor updated an issue
*Desired Behavior:*

*note* - so far, this can only be replicated using scheduled tasks as {{psexec}} doesn't provide the same permissions environment:

# Install: {{schtasks /create /tn PuppetInstall /RL HIGHEST /RU SYSTEM /F /SC ONCE /ST 11:15 /TR 'cmd /c c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -sta -WindowStyle Hidden -ExecutionPolicy Bypass -NonInteractive -NoProfile -File c:\puppet.ps1 >> C:\windows\temp\puppet-ins.log 2>&1'}}
# Run PA {{schtasks /create /tn PuppetInstall /RL HIGHEST /RU SYSTEM /F /SC ONCE /ST 11:17 /TR 'cmd /c c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -sta -WindowStyle Hidden -ExecutionPolicy Bypass -NonInteractive -NoProfile -File c:\puppetrun.ps1 >> C:\windows\temp\puppet-run.log 2>&1'}}

1. Download the Agent 6.4.2 x64 MSI to a temp path (in this example, {{C:\temp\puppet\puppet-agent-x64.msi}}).
2. Install Puppet Agent on a Server 2016 node as the SYSTEM user by running {{start-process -filepath "msiexec.exe" -arg "/qn /norestart /l*v C:\windows\temp\puppetinstall.log /i c:\temp\puppet\puppet-agent-x64.msi PUPPET_AGENT_STARTUP_MODE=Manual" -Wait}}
# Populate csr_attributes.yml and {{server}} in the agent config as necessary.
# As an Administrator, run {{puppet agent --test}} on the newly installed agent.

John O'Connor (JIRA), Jul 5, 2019, 7:24:03 AM, to puppe...@googlegroups.com
John O'Connor updated an issue
*Desired Behavior:*

*note* - so far, this can only be replicated using scheduled tasks as {{psexec}} doesn't provide the same permissions environment:
# Install: {{schtasks /create /tn PuppetInstall /RL HIGHEST /RU SYSTEM /F /SC ONCE /ST 11:15 /TR 'cmd /c c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -sta -WindowStyle Hidden -ExecutionPolicy Bypass -NonInteractive -NoProfile -File c:\puppet.ps1 >> C:\windows\temp\puppet-ins.log 2>&1'}}
# Run PA {{schtasks /create /tn PuppetInstall /RL HIGHEST /RU SYSTEM /F /SC ONCE /ST 11:17 /TR 'cmd /c c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -sta -WindowStyle Hidden -ExecutionPolicy Bypass -NonInteractive -NoProfile -File c:\puppetrun.ps1 >> C:\windows\temp\puppet-run.log 2>&1'}}
# Populate csr_attributes.yml and {{server}} in the agent config as necessary.
# As an Administrator, run {{puppet agent --test}} on the newly installed agent.

See [https://gist.github.com/jcoconnor/79767ef986a3ec600de0cd84ec4ea600] for example {{puppet-ins.ps1}} and {{puppet-run.ps1}} scripts.

Mihai Buzgau (JIRA), Jul 10, 2019, 4:11:10 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23

Mihai Buzgau (JIRA), Jul 24, 2019, 4:31:08 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07

Mihai Buzgau (JIRA), Aug 7, 2019, 4:38:07 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07, NW - 2019-08-21

John O'Connor (JIRA), Aug 9, 2019, 2:32:03 PM, to puppe...@googlegroups.com
John O'Connor updated an issue
Change By: John O'Connor
Release Notes Summary: TBD - Will provide these
Release Notes: Bug Fix
Acceptance Criteria: TBD

John O'Connor (JIRA), Aug 9, 2019, 2:33:02 PM, to puppe...@googlegroups.com

Mihai Buzgau (JIRA), Aug 20, 2019, 9:46:03 AM, to puppe...@googlegroups.com

Mihai Buzgau (JIRA), Aug 21, 2019, 5:17:07 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07, NW - 2019-08-21, NW - 2019-09-03

Mihai Buzgau (JIRA), Sep 4, 2019, 5:17:06 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07, NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18

Mihai Buzgau (JIRA), Sep 18, 2019, 10:13:07 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07, NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02

Mihai Buzgau (JIRA), Oct 2, 2019, 4:40:09 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07, NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16

Mihai Buzgau (JIRA), Oct 16, 2019, 4:24:08 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07, NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30

Mihai Buzgau (JIRA), Oct 30, 2019, 5:00:13 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07, NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30, NW - 2019-11-13

Mihai Buzgau (JIRA), Nov 14, 2019, 5:28:08 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07, NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30, NW - 2019-11-13, 2019-11-27

Mihai Buzgau (JIRA), Nov 27, 2019, 4:51:08 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07, NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30, NW - 2019-11-13, 2019-11-27, 2019-12-11

Mihai Buzgau (JIRA), Dec 11, 2019, 4:33:04 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07, NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30, NW - 2019-11-13, 2019-11-27, 2019-12-11, 2019-12-24

Mihai Buzgau (JIRA), Jan 7, 2020, 4:26:05 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07, NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30, NW - 2019-11-13, 2019-11-27, 2019-12-11, 2019-12-24, NW - 2020-01-22

Mihai Buzgau (JIRA), Jan 22, 2020, 4:39:08 AM, to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07, NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30, NW - 2019-11-13, 2019-11-27, 2019-12-11, 2019-12-24, NW - 2020-01-22, NW - 2020-02-05

Josh Cooper (JIRA), Jan 22, 2020, 6:13:05 PM, to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-9719
Re: Cannot run Puppet Agent as Administrator if first PA run is done as System

The root cause of this issue is a bug/unspecified behavior in Puppet::Util::Windows::Security.set_mode when replacing a file containing access control entries whose SID is neither the file owner, group nor everyone.

The legacy Puppet::Util.replace_file method relies on the ReplaceFile Windows API to atomically replace a file while preserving the security descriptor for the target file. However, if the file doesn't exist yet, puppet touches the target file, calls set_mode on it, and then calls ReplaceFileW.

When running puppet as a scheduled task, the newly touched file has the following permissions due to the default DACL for the process that launches puppet:

{code}
Owner: NT AUTHORITY\SYSTEM
Group: NT AUTHORITY\SYSTEM
  NT AUTHORITY\SYSTEM:(I)                       0x1f01ff
  BUILTIN\Administrators:(I)                    0x1f01ff
{code}

After creating the file, puppet calls set_mode on it. Since Administrators is neither the owner nor the group, the ACE is removed!

{code}
Owner: NT AUTHORITY\SYSTEM
Group: NT AUTHORITY\SYSTEM
  NT AUTHORITY\SYSTEM:                          0x1f01ff
  Everyone:                                     0x120080
{code}

While the puppet run succeeds, the permissions on the resulting cached catalog will cause the next foreground puppet agent -t run to fail.

The new Puppet::FileSystem.replace_file method doesn't have this problem, because it ensures LocalSystem and Administrators have full control regardless of the owner and group.

The issue is not reproducible when running puppet the first time as a service or in the foreground, because those processes will have a different default DACL, causing the touched file to have owner Administrators and group LocalSystem.

Josh Cooper (JIRA), Jan 22, 2020, 6:58:04 PM, to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-9719

To reproduce:

{code}
require 'puppet'
require 'puppet/util/windows'

class Tester
  # Provides get_security_descriptor, set_security_descriptor and set_mode.
  include Puppet::Util::Windows::Security

  def replace_file(path, mode)
    if Puppet::FileSystem.exist?(path)
      Puppet::FileSystem.unlink(path)
    end

    Puppet::FileSystem.touch(path)

    # Give the new file the DACL a scheduled task running as SYSTEM produces:
    # owner and group LocalSystem, SYSTEM and BUILTIN\Administrators full control.
    dacl = Puppet::Util::Windows::AccessControlList.new
    dacl.allow(Puppet::Util::Windows::SID::LocalSystem,
               Puppet::Util::Windows::File::FILE_ALL_ACCESS)
    dacl.allow(Puppet::Util::Windows::SID::BuiltinAdministrators,
               Puppet::Util::Windows::File::FILE_ALL_ACCESS)

    sd = Puppet::Util::Windows::SecurityDescriptor.new(
      Puppet::Util::Windows::SID::LocalSystem,
      Puppet::Util::Windows::SID::LocalSystem,
      dacl,
      true
    )

    set_security_descriptor(path, sd)
    dump_sd(path)

    # set_mode rebuilds the DACL from the POSIX mode for owner, group and
    # Everyone only; the Administrators ACE does not survive this call.
    set_mode(mode, path)
    dump_sd(path)
  end

  # Print owner, group and DACL of the file as puppet reads them back.
  def dump_sd(path)
    sd = get_security_descriptor(path)
    puts "Owner: #{sd.owner}"
    puts "Group: #{sd.group}"
    puts "DACL:"
    puts sd.dacl.inspect
  end
end

tester = Tester.new
tester.replace_file('c:\Users\josh\newfile.txt', 0640)
{code}

Produces:

{code}
C:\Users\josh>ruby dacl.rb
Owner: S-1-5-18
Group: S-1-5-18
DACL:
  NT AUTHORITY\SYSTEM:                          0x1f01ff
  BUILTIN\Administrators:                       0x1f01ff
Owner: S-1-5-18
Group: S-1-5-18
DACL:
  NT AUTHORITY\SYSTEM:                          0x1f01ff
  Everyone:                                     0x120080
{code}
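As an added example (not puppet's code and not the reproduction script above, which needs a Windows host): a small Ruby model of the two behaviours described in Josh Cooper's two comments, the legacy set_mode rewrite that drops the BUILTIN\Administrators ACE, and the fixed Puppet::FileSystem.replace_file path that keeps LocalSystem and Administrators at full control. The SIDs and the 0x1f01ff / 0x120080 masks are the ones shown on this page; the mode-to-mask mapping and the rule that LocalSystem always gets full control are assumptions of the model, as is the constructed starting descriptor.

```ruby
# Added example, not puppet's code: a model of the DACL rewrite that loses the
# Administrators ACE (legacy set_mode) and of the fixed replace_file behaviour.

# Well-known SIDs as they appear in the thread.
LOCAL_SYSTEM   = 'S-1-5-18'.freeze
BUILTIN_ADMINS = 'S-1-5-32-544'.freeze
EVERYONE       = 'S-1-1-0'.freeze

# Windows access masks; 0x1f01ff and 0x120080 are the values in the page's output.
FILE_ALL_ACCESS      = 0x1f01ff
FILE_GENERIC_READ    = 0x120089
FILE_GENERIC_WRITE   = 0x120116
FILE_GENERIC_EXECUTE = 0x1200a0
BASE_ACCESS          = 0x120080 # READ_CONTROL | SYNCHRONIZE | FILE_READ_ATTRIBUTES

Ace = Struct.new(:sid, :mask)
SecurityDescriptor = Struct.new(:owner, :group, :dacl)

# Translate one rwx triplet into an access mask for the given SID.
# Assumption of the model: LocalSystem always gets full control, which is what
# the page's output shows for SYSTEM under mode 0640.
def mask_for(sid, bits)
  return FILE_ALL_ACCESS if sid == LOCAL_SYSTEM
  mask = BASE_ACCESS
  mask |= FILE_GENERIC_READ    if (bits & 4) != 0
  mask |= FILE_GENERIC_WRITE   if (bits & 2) != 0
  mask |= FILE_GENERIC_EXECUTE if (bits & 1) != 0
  mask
end

# Legacy path (Puppet::Util.replace_file then set_mode): the DACL is rebuilt
# from the POSIX mode for owner, group and Everyone only, so an ACE for any
# other SID, here BUILTIN\Administrators, is silently dropped.
def legacy_set_mode(sd, mode)
  owner_bits = (mode >> 6) & 7
  group_bits = (mode >> 3) & 7
  other_bits = mode & 7
  dacl = [Ace.new(sd.owner, mask_for(sd.owner, owner_bits))]
  if sd.group == sd.owner
    dacl[0].mask |= mask_for(sd.group, group_bits) # owner == group: one combined ACE
  else
    dacl << Ace.new(sd.group, mask_for(sd.group, group_bits))
  end
  dacl << Ace.new(EVERYONE, mask_for(EVERYONE, other_bits))
  SecurityDescriptor.new(sd.owner, sd.group, dacl)
end

# Fixed path (Puppet::FileSystem.replace_file): whatever the owner and group,
# LocalSystem and Administrators keep full control.
def fixed_replace_file_dacl(sd)
  kept = sd.dacl.reject { |ace| [LOCAL_SYSTEM, BUILTIN_ADMINS].include?(ace.sid) }
  SecurityDescriptor.new(sd.owner, sd.group,
                         [Ace.new(LOCAL_SYSTEM, FILE_ALL_ACCESS),
                          Ace.new(BUILTIN_ADMINS, FILE_ALL_ACCESS)] + kept)
end

# The check a defender wants: can a member of BUILTIN\Administrators that is
# not running as SYSTEM still replace this file on the next foreground run?
def admins_have_full_control?(sd)
  sd.dacl.any? { |ace| ace.sid == BUILTIN_ADMINS && (ace.mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS }
end

# Constructed starting point: the descriptor a scheduled task running as SYSTEM
# gives a freshly touched file, as reported in the thread (owner and group
# SYSTEM, inherited SYSTEM and Administrators full-control ACEs).
def touched_by_scheduled_task
  SecurityDescriptor.new(LOCAL_SYSTEM, LOCAL_SYSTEM,
                         [Ace.new(LOCAL_SYSTEM, FILE_ALL_ACCESS),
                          Ace.new(BUILTIN_ADMINS, FILE_ALL_ACCESS)])
end

def dump(label, sd)
  puts label
  puts "  Owner: #{sd.owner}  Group: #{sd.group}"
  sd.dacl.each { |ace| puts format('  %-14s 0x%06x', ace.sid, ace.mask) }
end

if __FILE__ == $PROGRAM_NAME
  before = touched_by_scheduled_task
  dump('After touch:', before)
  dump('After legacy set_mode(0640):', legacy_set_mode(before, 0640))
  dump('After fixed replace_file:', fixed_replace_file_dacl(before))
end
```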

Gheorghe Popescu (JIRA), Jan 28, 2020, 5:44:05 AM, to puppe...@googlegroups.com
Gheorghe Popescu updated an issue
Change By: Gheorghe Popescu
Release Notes Summary changed from "TBD - Will provide these" to "If the first Puppet Agent run was done under SYSTEM account, following"

Gheorghe Popescu (JIRA), Jan 28, 2020, 5:46:05 AM, to puppe...@googlegroups.com
Gheorghe Popescu updated an issue
Change By: Gheorghe Popescu
Release Notes Summary: If the first Puppet Agent run was done under SYSTEM account, following runs done by Administrator users were failing to send the report to master.
Changed puppet to use

Gheorghe Popescu (JIRA), Jan 28, 2020, 5:47:04 AM, to puppe...@googlegroups.com
Gheorghe Popescu updated an issue
Change By: Gheorghe Popescu
Release Notes Summary:
If the first Puppet Agent run was done under SYSTEM account, following runs done by Administrator users were failing to send the report to master.
Changed puppet to use `Puppet::FileSystem.replace_file` which correctly handles files permissions

Gheorghe Popescu (JIRA), Jan 28, 2020, 5:48:04 AM, to puppe...@googlegroups.com
Gheorghe Popescu updated an issue
Change By: Gheorghe Popescu
Release Notes Summary: If the first Puppet Agent run was done under SYSTEM account, following runs done by Administrator users were failing to send the report to master due to insufficient file permissions caused by the implementation of `Puppet::Util.replace_file`.
Puppet now uses the new `Puppet::FileSystem.replace_file` method which correctly handles files permissions on Windows.

Gheorghe Popescu (JIRA), Jan 28, 2020, 5:49:05 AM, to puppe...@googlegroups.com
Gheorghe Popescu updated an issue
Change By: Gheorghe Popescu
Release Notes Summary: If the first Puppet Agent run is done under SYSTEM account, following runs done by Administrator users were failing to send the report to master due to insufficient file permissions caused by the implementation of `Puppet::Util.replace_file`.

Puppet now uses the new `Puppet::FileSystem.replace_file` method which correctly handles files permissions on Windows.

Luchian Nemes (JIRA), Feb 13, 2020, 9:29:05 AM, to puppe...@googlegroups.com

Kate Medred (JIRA), Feb 18, 2020, 12:08:07 PM, to puppe...@googlegroups.com