Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account


Garrett Guillotte (JIRA)

May 24, 2019, 3:41:04 PM
to puppe...@googlegroups.com
Garrett Guillotte created an issue
 
Puppet / Bug PUP-9719
Can't run puppet agent after installing the MSI using the SYSTEM account
Issue Type: Bug
Affects Versions: PUP 6.4.2
Assignee: Unassigned
Created: 2019/05/24 12:40 PM
Priority: Major
Reporter: Garrett Guillotte

Puppet Version: 6.4.2
Puppet Server Version: N/A
OS Name/Version: Windows Server 2016 x64

When installing Puppet Agent (6.4.2/PE 2019.1.0) on Server 2016 using a PowerShell script running as the SYSTEM account, Administrator users can't run Puppet. Daemon/service runs are performed as expected. Direct Puppet runs appear to occur but no report is sent to the master.

PUP-8939 had reportedly solved this issue.

Desired Behavior:

1. Download the Agent 6.4.2 x64 MSI to a temp path (in this example, C:\temp\puppet\puppet-agent-x64.msi).
2. Install Puppet Agent on a Server 2016 node as the SYSTEM user by running start-process -filepath "msiexec.exe" -arg "/qn /norestart /l*v C:\windows\temp\puppetinstall.log /i c:\temp\puppet\puppet-agent-x64.msi PUPPET_AGENT_STARTUP_MODE=Manual" -Wait
3. Populate csr_attributes.yml and server in the agent config as necessary.
4. As an Administrator, run puppet agent --test on the newly installed agent.

Actual Behavior:

Catalog retrieval fails; log has been redacted:

2019-05-21 17:20:36 -0400 Puppet (debug): HTTP POST https://compiler.example.net:8140/puppet/v3/catalog/examplenode.example.net returned 200 OK
2019-05-21 17:20:36 -0400 Puppet (debug): Caching connection for https://compiler.example.net:8140
2019-05-21 17:20:36 -0400 Puppet (info): Caching catalog for examplenode.example.net
2019-05-21 17:20:38 -0400 Puppet (err): ReplaceFile(C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/examplenode.example.net.json, C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/examplenode.example.net.json20190521-6580-blokpv):  Access is denied. 
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/file.rb:89:in `replace_file'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:636:in `replace_file'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/indirector/json.rb:17:in `save'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:200:in `find'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:466:in `block in retrieve_new_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:518:in `block in thinmark'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/2.5.0/benchmark.rb:308:in `realtime'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:517:in `thinmark'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:465:in `retrieve_new_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:75:in `retrieve_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:167:in `prepare_and_retrieve_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:342:in `run_internal'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:240:in `block in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/context.rb:65:in `override'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet.rb:264:in `override'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:217:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:59:in `block (5 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/2.5.0/timeout.rb:93:in `block in timeout'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/2.5.0/timeout.rb:103:in `timeout'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:58:in `block (4 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent/locker.rb:21:in `lock'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:52:in `block (3 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:130:in `with_client'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:49:in `block (2 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:87:in `run_in_fork'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:48:in `block in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application.rb:179:in `controlled_run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:46:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:371:in `onetime'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:353:in `run_command'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `block in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:671:in `exit_on_fail'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:139:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
c:/Program Files/Puppet Labs/Puppet/puppet/bin/puppet:4:in `<main>'
2019-05-21 17:20:38 -0400 Puppet (err): Could not retrieve catalog from remote server: ReplaceFile(C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/examplenode.example.net.json, C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/examplenode.example.net.json20190521-6580-blokpv):  Access is denied. 
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/file.rb:89:in `replace_file'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:636:in `replace_file'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/indirector/json.rb:17:in `save'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:200:in `find'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:466:in `block in retrieve_new_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:518:in `block in thinmark'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/2.5.0/benchmark.rb:308:in `realtime'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:517:in `thinmark'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:465:in `retrieve_new_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:75:in `retrieve_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:167:in `prepare_and_retrieve_catalog'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:342:in `run_internal'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:240:in `block in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/context.rb:65:in `override'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet.rb:264:in `override'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:217:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:59:in `block (5 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/2.5.0/timeout.rb:93:in `block in timeout'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/2.5.0/timeout.rb:103:in `timeout'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:58:in `block (4 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent/locker.rb:21:in `lock'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:52:in `block (3 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:130:in `with_client'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:49:in `block (2 levels) in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:87:in `run_in_fork'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:48:in `block in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application.rb:179:in `controlled_run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent.rb:46:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:371:in `onetime'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:353:in `run_command'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `block in run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:671:in `exit_on_fail'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:139:in `run'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
c:/Program Files/Puppet Labs/Puppet/puppet/bin/puppet:4:in `<main>'

Reporting also fails:

2019-05-21 17:20:38 -0400 Puppet (debug): Using cached connection for https://compiler.example.net:8140
2019-05-21 17:20:39 -0400 Puppet (debug): HTTP PUT https://compiler.example.net:8140/puppet/v3/report/examplenode.example.net returned 200 OK
2019-05-21 17:20:39 -0400 Puppet (debug): Caching connection for https://compiler.example.net:8140
2019-05-21 17:20:39 -0400 Puppet (err): Could not send report: ReplaceFile(C:/ProgramData/PuppetLabs/puppet/cache/state/last_run_report.yaml, C:/ProgramData/PuppetLabs/puppet/cache/state/last_run_report.yaml20190521-6580-1yfrb1r):  Access is denied. 
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/file.rb:89:in `replace_file'
...

ACLs from C:\ProgramData\PuppetLabs\puppet\cache\ on the agent:

PS C:\Windows\system32> Get-Acl C:\ProgramData\PuppetLabs\puppet\cache\ | Select *
 
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet
PSChildName : cache
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId :
CentralAccessPolicyName :
Path : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : {System.Security.AccessControl.FileSystemAccessRule,
System.Security.AccessControl.FileSystemAccessRule,
System.Security.AccessControl.FileSystemAccessRule}
Sddl : O:SYG:SYD:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;S-1-5-21-1092630797-2642148860
-572411492-162715)
AccessToString : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
DEVAONNET\ah14740 Allow FullControl
AuditToString :
AccessRightType : System.Security.AccessControl.FileSystemRights
AccessRuleType : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : False
AreAuditRulesProtected : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical : True


Mihai Buzgau (JIRA)

Jun 6, 2019, 6:00:03 AM
to puppe...@googlegroups.com

Mihai Buzgau (JIRA)

Jun 6, 2019, 6:02:02 AM
to puppe...@googlegroups.com

Mihai Buzgau (JIRA)

Jun 6, 2019, 6:02:03 AM
to puppe...@googlegroups.com

Mihai Buzgau (JIRA)

Jun 12, 2019, 4:33:03 AM
to puppe...@googlegroups.com

Mihai Buzgau (JIRA)

Jun 12, 2019, 4:39:03 AM
to puppe...@googlegroups.com

John O'Connor (JIRA)

Jun 19, 2019, 4:54:04 AM
to puppe...@googlegroups.com

John O'Connor (JIRA)

Jun 19, 2019, 6:46:04 AM
to puppe...@googlegroups.com
John O'Connor updated an issue
*Puppet Version:* 6.4.2
*Puppet Server Version:* N/A
*OS Name/Version:* Windows Server 2016 x64


When installing Puppet Agent (6.4.2/PE 2019.1.0) on Server 2016 using a PowerShell script running as the SYSTEM account, Administrator users can't run Puppet. Daemon/service runs are performed as expected. Direct Puppet runs appear to occur but no report is sent to the master.

PUP-8939 had reportedly solved this issue.

*Desired Behavior:*

*note* - you need to use {{psexec -s}} to repro this on {{vmpooler}} nodes to ensure the SYSTEM account is used:

1. Install: {{psexec -s -i "msiexec.exe" /qn /norestart /l*v C:\windows\temp\puppetinstall.log /i C:\Users\Administrator\Downloads\puppet-agent-6.4.2-x64.msi PUPPET_AGENT_STARTUP_MODE=Manual}}
2. Run PA {{psexec -s "C:\Program Files\Puppet Labs\Puppet\bin\puppet.bat" agent -t}}

 

1. Download the Agent 6.4.2 x64 MSI to a temp path (in this example, {{C:\temp\puppet\puppet-agent-x64.msi}}).

2. Install Puppet Agent on a Server 2016 node as the SYSTEM user by running {{start-process -filepath "msiexec.exe" -arg "/qn /norestart /l*v C:\windows\temp\puppetinstall.log /i c:\temp\puppet\puppet-agent-x64.msi PUPPET_AGENT_STARTUP_MODE=Manual" -Wait}}
3. Populate csr_attributes.yml and {{server}} in the agent config as necessary.
4. As an Administrator, run {{puppet agent --test}} on the newly installed agent.

*Actual Behavior:*


Catalog retrieval fails; log has been redacted:

{code}
{code}

Reporting also fails:

{code}
2019-05-21 17:20:38 -0400 Puppet (debug): Using cached connection for https://compiler.example.net:8140
2019-05-21 17:20:39 -0400 Puppet (debug): HTTP PUT https://compiler.example.net:8140/puppet/v3/report/examplenode.example.net returned 200 OK
2019-05-21 17:20:39 -0400 Puppet (debug): Caching connection for https://compiler.example.net:8140
2019-05-21 17:20:39 -0400 Puppet (err): Could not send report: ReplaceFile(C:/ProgramData/PuppetLabs/puppet/cache/state/last_run_report.yaml, C:/ProgramData/PuppetLabs/puppet/cache/state/last_run_report.yaml20190521-6580-1yfrb1r):  Access is denied.
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/file.rb:89:in `replace_file'
...
{code}

ACLs from C:\ProgramData\PuppetLabs\puppet\cache\ on the agent:

{code}
{code}

John O'Connor (JIRA)

Jun 19, 2019, 9:25:03 AM
to puppe...@googlegroups.com
John O'Connor commented on Bug PUP-9719
 
Re: Can't run puppet agent after installing the MSI using the SYSTEM account

Gareth McGrillan Moving this temporarily to Blocked/Needs Information until we get further reproduction information from the customer as per discussion on Slack Support channel

So tried once more to reproduce using their instructions - i.e. copied and modified `puppet.ps1/puppetrun.ps1` to run on a vmpooler machine and ran both of these using `psexec -s`
I then tried `puppet agent -t` as Administrator
and it worked without problem.

John O'Connor (JIRA)

Jun 21, 2019, 8:07:05 AM
to puppe...@googlegroups.com
John O'Connor commented on Bug PUP-9719

Thanks Josh Cooper - I discussed this further with Glenn Sarti and he noted that using psexec doesn't perform quite the same way as scheduled tasks which run as SYSTEM

So I used the following two commands to execute the two scripts:

schtasks /create /tn PuppetInstall /RL HIGHEST /RU SYSTEM /F /SC ONCE /ST 11:15 /TR 'cmd /c c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -sta -WindowStyle Hidden -ExecutionPolicy Bypass -NonInteractive -NoProfile -File c:\puppet.ps1 >> C:\windows\temp\puppet-ins.log 2>&1'
 
schtasks /create /tn PuppetInstall /RL HIGHEST /RU SYSTEM /F /SC ONCE /ST 11:17 /TR 'cmd /c c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -sta -WindowStyle Hidden -ExecutionPolicy Bypass -NonInteractive -NoProfile -File c:\puppetrun.ps1 >> C:\windows\temp\puppet-run.log 2>&1'

I then ran the puppet agent -t command on the console as Administrator and got the following error output:

PS C:\Users\Administrator> puppet agent -t
Error: Removing corrupt state file C:/ProgramData/PuppetLabs/puppet/cache/state/state.yaml: Permission denied @ rb_sysopen - C:/ProgramData/PuppetLabs/puppet/cache/state/state.yaml
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for ec2amaz-ape0n19.eu-west-2.compute.internal
Error: ReplaceFile(C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/ec2amaz-ape0n19.eu-west-2.compute.internal.json, C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/ec2amaz-ape0n19.eu-west-2.compute.internal.json20190621-2912-11az7mu):  Access is denied.
Error: Could not retrieve catalog from remote server: ReplaceFile(C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/ec2amaz-ape0n19.eu-west-2.compute.internal.json, C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/ec2amaz-ape0n19.eu-west-2.compute.internal.json20190621-2912-11az7mu):  Access is denied.
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: ReplaceFile(C:/ProgramData/PuppetLabs/puppet/cache/state/last_run_report.yaml, C:/ProgramData/PuppetLabs/puppet/cache/state/last_run_report.yaml20190621-2912-1cohqg4):  Access is denied.
PS C:\Users\Administrator>

I also checked the permission of the state.yaml file and it was missing access for the Administrators group

PS C:\Users\Administrator> Get-Acl C:\ProgramData\PuppetLabs\puppet\cache\state\state.yaml | Select *
 
 
PSPath                  : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\state\state.yaml
PSParentPath            : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\state
PSChildName             : state.yaml
PSDrive                 : C
PSProvider              : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId   :
CentralAccessPolicyName :
Path                    : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\state\state.yaml
Owner                   : BUILTIN\Administrators
Group                   : NT AUTHORITY\SYSTEM
Access                  : {System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule}
Sddl                    : O:BAG:SYD:PAI(A;;0x120080;;;WD)(A;;FA;;;SY)
AccessToString          : Everyone Allow  ReadAttributes, ReadPermissions, Synchronize
                          NT AUTHORITY\SYSTEM Allow  FullControl
AuditToString           :
AccessRightType         : System.Security.AccessControl.FileSystemRights
AccessRuleType          : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType           : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True

John O'Connor (JIRA)

Jun 24, 2019, 9:53:04 AM
to puppe...@googlegroups.com
John O'Connor commented on Bug PUP-9719

Some further data - icacls of puppet data directory immediately following Puppet Installation:

PS C:\ProgramData\PuppetLabs> icacls  puppet /t
puppet NT AUTHORITY\SYSTEM:(OI)(CI)(F)
       BUILTIN\Administrators:(OI)(CI)(F)
 
puppet\etc NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
           BUILTIN\Administrators:(I)(OI)(CI)(F)
 
puppet\var NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
           BUILTIN\Administrators:(I)(OI)(CI)(F)
 
puppet\etc\csr_attributes.yaml NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)
 
puppet\etc\hiera.yaml NT AUTHORITY\SYSTEM:(I)(F)
                      BUILTIN\Administrators:(I)(F)
 
puppet\etc\puppet.conf NT AUTHORITY\SYSTEM:(I)(F)
                       BUILTIN\Administrators:(I)(F)
 
Successfully processed 6 files; Failed processing 0 files

John O'Connor (JIRA)

Jun 24, 2019, 10:19:04 AM
to puppe...@googlegroups.com
John O'Connor commented on Bug PUP-9719

I have done an icacls dump of the puppet directory once the first puppet run is over - it comes to 2000+ lines so have saved this in a GIST at: https://gist.github.com/jcoconnor/6078f7898d1eb91e57155d2cdef4ab55

Excluding the directory tree C:\ProgramData\PuppetLabs\puppet\cache\lib, the pruned output is below:

C:\ProgramData\PuppetLabs\puppet NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                 BUILTIN\Administrators:(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                       BUILTIN\Administrators:(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\etc NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                     BUILTIN\Administrators:(I)(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\var NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                     BUILTIN\Administrators:(I)(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\clientbucket NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                    BUILTIN\Administrators:(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\client_data NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                   BUILTIN\Administrators:(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\client_yaml NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                   BUILTIN\Administrators:(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\facts.d NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                               BUILTIN\Administrators:(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\lib NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                           BUILTIN\Administrators:(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\locales NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                               BUILTIN\Administrators:(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\preview NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                               BUILTIN\Administrators:(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\state NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                             BUILTIN\Administrators:(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\client_data\catalog NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                           BUILTIN\Administrators:(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\client_data\catalog\umtzu5243z6go5b.delivery.puppetlabs.net.json NT AUTHORITY\SYSTEM:(F)
                                                                                                        Everyone:(Rc,S,RA)
 
 
C:\ProgramData\PuppetLabs\puppet\cache\locales\ja NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                  BUILTIN\Administrators:(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\locales\ja\puppetlabs-stdlib.po NT AUTHORITY\SYSTEM:(F)
                                                                       BUILTIN\Administrators:(F)
                                                                       NT AUTHORITY\SYSTEM:(I)(F)
                                                                       BUILTIN\Administrators:(I)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\state\classes.txt NT AUTHORITY\SYSTEM:(F)
                                                         BUILTIN\Administrators:(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\state\graphs NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                    BUILTIN\Administrators:(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\state\last_run_report.yaml NT AUTHORITY\SYSTEM:(F)
                                                                  Everyone:(Rc,S,RA)
 
C:\ProgramData\PuppetLabs\puppet\cache\state\last_run_summary.yaml NT AUTHORITY\SYSTEM:(F)
                                                                   Everyone:(R)
 
C:\ProgramData\PuppetLabs\puppet\cache\state\resources.txt NT AUTHORITY\SYSTEM:(F)
                                                           BUILTIN\Administrators:(F)
 
C:\ProgramData\PuppetLabs\puppet\cache\state\state.yaml NT AUTHORITY\SYSTEM:(F)
                                                        Everyone:(Rc,S,RA)
 
C:\ProgramData\PuppetLabs\puppet\cache\state\transactionstore.yaml NT AUTHORITY\SYSTEM:(F)
                                                                   Everyone:(Rc,S,RA)
 
C:\ProgramData\PuppetLabs\puppet\etc\csr_attributes.yaml NT AUTHORITY\SYSTEM:(I)(F)
                                                         BUILTIN\Administrators:(I)(F)
 
C:\ProgramData\PuppetLabs\puppet\etc\hiera.yaml NT AUTHORITY\SYSTEM:(I)(F)
                                                BUILTIN\Administrators:(I)(F)
 
C:\ProgramData\PuppetLabs\puppet\etc\puppet.conf NT AUTHORITY\SYSTEM:(I)(F)
                                                 BUILTIN\Administrators:(I)(F)
 
C:\ProgramData\PuppetLabs\puppet\etc\ssl NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                         BUILTIN\Administrators:(I)(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certificate_requests NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                              BUILTIN\Administrators:(I)(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                               BUILTIN\Administrators:(I)(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\etc\ssl\crl.pem NT AUTHORITY\SYSTEM:(F)
                                                 BUILTIN\Administrators:(F)
                                                 BUILTIN\Users:(R)
 
C:\ProgramData\PuppetLabs\puppet\etc\ssl\private NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                 BUILTIN\Administrators:(I)(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\etc\ssl\private_keys NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                      BUILTIN\Administrators:(I)(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\etc\ssl\public_keys NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                     BUILTIN\Administrators:(I)(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs\ca.pem NT AUTHORITY\SYSTEM:(F)
                                                      BUILTIN\Administrators:(F)
                                                      BUILTIN\Users:(R)
 
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs\umtzu5243z6go5b.delivery.puppetlabs.net.pem NT AUTHORITY\SYSTEM:(F)
                                                                                           BUILTIN\Administrators:(F)
                                                                                           BUILTIN\Users:(R)
 
C:\ProgramData\PuppetLabs\puppet\etc\ssl\private_keys\umtzu5243z6go5b.delivery.puppetlabs.net.pem NT AUTHORITY\SYSTEM:(F)
                                                                                                  BUILTIN\Administrators:(F)
 
C:\ProgramData\PuppetLabs\puppet\var\log NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                         BUILTIN\Administrators:(I)(OI)(CI)(F)
 
C:\ProgramData\PuppetLabs\puppet\var\run NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                         BUILTIN\Administrators:(I)(OI)(CI)(F)
 
Successfully processed 570 files; Failed processing 0 files

John O'Connor (JIRA)

Jun 24, 2019, 10:23:03 AM
to puppe...@googlegroups.com
John O'Connor commented on Bug PUP-9719

So - Summarising - the following files are missing Administrator permissions:

C:\ProgramData\PuppetLabs\puppet\cache\client_data\catalog\umtzu5243z6go5b.delivery.puppetlabs.net.json NT AUTHORITY\SYSTEM:(F)
                                                                                                        Everyone:(Rc,S,RA)
 
C:\ProgramData\PuppetLabs\puppet\cache\state\last_run_report.yaml NT AUTHORITY\SYSTEM:(F)
                                                                  Everyone:(Rc,S,RA)
 
C:\ProgramData\PuppetLabs\puppet\cache\state\last_run_summary.yaml NT AUTHORITY\SYSTEM:(F)
                                                                   Everyone:(R)
 
C:\ProgramData\PuppetLabs\puppet\cache\state\state.yaml NT AUTHORITY\SYSTEM:(F)
                                                        Everyone:(Rc,S,RA)
 
C:\ProgramData\PuppetLabs\puppet\cache\state\transactionstore.yaml NT AUTHORITY\SYSTEM:(F)
                                                                   Everyone:(Rc,S,RA)
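
Added example (not part of the thread and not Puppet code): a small SDDL decoder run over the two `Sddl` values posted above, showing that the protected (`P`) DACL on state.yaml stops the cache directory's inheritable `BA` full-control ACE from reaching the file, so an Administrator token is left with read-attribute rights only. Assumptions: the Administrator and SYSTEM tokens are modelled by the SID aliases listed in the code, the directory SDDL omits its per-user ACE, and deny ACEs are subtracted without modelling ACE order.

```python
import re

# SDDL rights abbreviations mapped to access-mask bits for file objects.
# ("WD" here is WRITE_DAC; as a SID alias "WD" means Everyone.)
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "SD": 0x010000, "RC": 0x020000, "WD": 0x040000, "WO": 0x080000}

# Single-bit names, used to spell out what a mask grants on a file.
BITS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
        0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
        0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
        0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE",
        0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
        0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
FILE_WRITE_DATA = 0x2

SDDL_RE = re.compile(r"O:(?P<owner>[^:()]+?)G:(?P<group>[^:()]+?)"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))+)")

# Sample input taken from the thread: state.yaml's SDDL verbatim, and the
# cache directory's SDDL with its per-user ACE left out (constructed).
STATE_YAML_SDDL = "O:BAG:SYD:PAI(A;;0x120080;;;WD)(A;;FA;;;SY)"
CACHE_DIR_SDDL = "O:SYG:SYD:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)"

# Assumption: each token is modelled by only the SIDs these ACLs mention.
ADMIN_TOKEN = {"BA", "WD"}    # BUILTIN\Administrators, Everyone
SYSTEM_TOKEN = {"SY", "WD"}   # NT AUTHORITY\SYSTEM, Everyone


def rights_to_mask(text):
    """Turn an ACE rights field ('FA', 'RCSD', '0x120080') into a bit mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError(f"odd-length rights string: {text!r}")
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]  # KeyError on codes not modelled here
    return mask


def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string into owner, group, DACL flags and ACEs."""
    m = SDDL_RE.fullmatch(sddl.strip())
    if m is None:
        raise ValueError(f"unsupported SDDL: {sddl!r}")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m["aces"]):
        ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")[:6]
        aces.append({"type": ace_type, "flags": set(re.findall("..", flags)),
                     "mask": rights_to_mask(rights), "sid": sid})
    # 'P' in the DACL flags means inherited ACEs from the parent are blocked.
    return {"owner": m["owner"], "group": m["group"],
            "protected": "P" in m["flags"], "aces": aces}


def granted_mask(acl, token_sids):
    """Rights the DACL grants to a token (simplified: allow minus deny)."""
    allow = deny = 0
    for ace in acl["aces"]:
        if ace["sid"] not in token_sids or "IO" in ace["flags"]:
            continue  # other trustee, or inherit-only ACE
        if ace["type"] == "A":
            allow |= ace["mask"]
        elif ace["type"] == "D":
            deny |= ace["mask"]
    return allow & ~deny


def describe(mask):
    """Names of the individual rights set in a mask, lowest bit first."""
    return [name for bit, name in sorted(BITS.items()) if mask & bit]


def audit(sddl, token_sids):
    """Summarise what a token can do with the object this SDDL protects."""
    acl = parse_sddl(sddl)
    mask = granted_mask(acl, token_sids)
    return {"owner": acl["owner"], "protected": acl["protected"],
            "rights": describe(mask), "can_write": bool(mask & FILE_WRITE_DATA)}


if __name__ == "__main__":
    for label, sddl in (("cache dir ", CACHE_DIR_SDDL),
                        ("state.yaml", STATE_YAML_SDDL)):
        print(label, audit(sddl, ADMIN_TOKEN))
```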
