Error: Cannot start Windows Service. Access denied
210 views
Skip to first unread message
Alex M
Jan 28, 2016, 2:48:14 PM1/28/16
to Puppet Users
Hi,
i have Puppet v3.7.2 and same agent on Windows Server 2012 R2.
Now i'm training to maintain Windows Services. For that i created new manifest:
# cat /etc/puppet/modules/disablesmb/manifests/init.pp
class disablesmb {
service { 'Audiosrv':
ensure => running,
enable => true,
}
but when i run agent on Windows i get an error:
C:\>puppet agent --test
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for test1.domain.company.com
Info: Applying configuration version '1453991644'
Error: Cannot start Audiosrv, error was: Execution of 'C:/Windows/system32/net.exe start Audiosrv' returned 2: System error 5 has occurred.
Access is denied.
Wrapped exception:
Execution of 'C:/Windows/system32/net.exe start Audiosrv' returned 2: System error 5 has occurred.
Access is denied.
Error: /Stage[main]/Disablesmb/Service[Audiosrv]/ensure: change from stopped to running failed: Cannot start Audiosrv, error was: Execution of 'C:/Win
dows/system32/net.exe start Audiosrv' returned 2: System error 5 has occurred.
Access is denied.
Notice: Finished catalog run in 0.14 seconds
if i run it manually a get same error:
C:\>net.exe start Audiosrv
System error 5 has occurred.
Access is denied.
what is wrong?
Josh Cooper
Jan 28, 2016, 4:32:28 PM1/28/16
to puppet...@googlegroups.com
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/855b3a53-1dd0-4f80-b456-a96299f67c05%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Josh
--
Josh Cooper
Developer, Puppet LabsAlex M
Jan 28, 2016, 4:46:57 PM1/28/16
to Puppet Users
but when run as Administrator i receive an error:
четверг, 28 января 2016 г., 17:32:28 UTC+1 пользователь Josh Cooper написал:
C:\>puppet agent -t
Info: Caching certificate for test1.domain.company.com
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: ------------------------------------------------------------------------------------------------
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
puppet cert clean test1.domain.company.com
On the agent:
1a. On most platforms: find C:/ProgramData/PuppetLabs/puppet/etc/ssl -name test1.domain.company.com.pem -delete
1b. On Windows: del "C:/ProgramData/PuppetLabs/puppet/etc/ssl/test1.domain.company.com.pem" /f
2. puppet agent -t
Exiting; failed to retrieve certificate and waitforcert is disabled
when i did all requirements, then i receive an error:
C:\>puppet agent -t
Exiting; no certificate found and waitforcert is disabled
In smart-proxies i have no any certificates
четверг, 28 января 2016 г., 17:32:28 UTC+1 пользователь Josh Cooper написал:
Alex M
Jan 29, 2016, 9:47:32 AM1/29/16
to Puppet Users
where i can read logs about certificate requests?
четверг, 28 января 2016 г., 17:46:57 UTC+1 пользователь Alex M написал:
четверг, 28 января 2016 г., 17:46:57 UTC+1 пользователь Alex M написал:
Alex M
Jan 29, 2016, 10:25:36 AM1/29/16
to Puppet Users
so, i fixed it. by reinstalling Windows... but it isn't a good solution.
пятница, 29 января 2016 г., 10:47:32 UTC+1 пользователь Alex M написал:
пятница, 29 января 2016 г., 10:47:32 UTC+1 пользователь Alex M написал:
jcbollinger
Jan 29, 2016, 2:52:05 PM1/29/16
to Puppet Users
On Friday, January 29, 2016 at 4:25:36 AM UTC-6, Alex M wrote:
so, i fixed it. by reinstalling Windows... but it isn't a good solution.
No, that's not a good solution at all. Fortunately, it's also not a necessary one.
The agent and master each identify themselves to the other via an SSL certificate signed by a trusted authority (which authority by default is operated by the master). On the master / CA side, the CA refuses to sign a certificate for a given name if an another valid certificate for that name is already outstanding. This is an essential aspect of Puppet's security infrastructure, for otherwise there would be a substantial risk of one machine impersonating another, whether purposefully or accidentally. If the CA has an outstanding certificate bearing the specified name, then that cert must expire or be revoked before the CA will issue a new one for the same name. The error message you reported indicates that the hangup was there.
On the agent side, the agent does not share variable data (configuration, cached catalogs, plugins, certificates) between users, in part because that would open numerous avenues for credential theft, privilege escalation, etc.. Since certificates in particular are not (automatically) shared even within the same machine, and since the CA will not permit multiple certs for the same name to be valid simultaneously, you cannot freely switch the identity under which the agent runs. If a certificate has already been issued to a given machine, with the agent running under a given identity, and you want the agent to run instead with a different identity, then you have three main options:
Note, by the way, that reinstalling the OS on the agent side is not even guaranteed to solve a certificate problem like the one you reported. If the new OS installation is configured so that it requests the same certificate name that the old one did, then you'll still have exactly the same problem. In fact, if you set up an entirely different machine that requests a certificate for a name that already has an outstanding, valid certificate, then you will also see the same error.
I seem to recall PuppetLabs having a fairly good overview of all this among its documentation pages, but now I'm having trouble finding such a thing. There are still some docs about the certificate management tool, and docs about some non-default CA configurations and about a few non-routine actions, but the closest I can find to a certificate management overview is a somewhat dated document targeted a bit differently, at agent/master HTTPS interactions.
John
The agent and master each identify themselves to the other via an SSL certificate signed by a trusted authority (which authority by default is operated by the master). On the master / CA side, the CA refuses to sign a certificate for a given name if an another valid certificate for that name is already outstanding. This is an essential aspect of Puppet's security infrastructure, for otherwise there would be a substantial risk of one machine impersonating another, whether purposefully or accidentally. If the CA has an outstanding certificate bearing the specified name, then that cert must expire or be revoked before the CA will issue a new one for the same name. The error message you reported indicates that the hangup was there.
On the agent side, the agent does not share variable data (configuration, cached catalogs, plugins, certificates) between users, in part because that would open numerous avenues for credential theft, privilege escalation, etc.. Since certificates in particular are not (automatically) shared even within the same machine, and since the CA will not permit multiple certs for the same name to be valid simultaneously, you cannot freely switch the identity under which the agent runs. If a certificate has already been issued to a given machine, with the agent running under a given identity, and you want the agent to run instead with a different identity, then you have three main options:
- Revoke the machine's existing certificate at the CA, and allow the agent, running under the new identity, to request a new one.
- Copy the old cert or otherwise make it accessible under the new identity.
- Request a certificate with a different name. If you do this, then for all intents and purposes, Puppet considers the agent to represent a different machine when the agent presents one certificate than when it present the other.
Note, by the way, that reinstalling the OS on the agent side is not even guaranteed to solve a certificate problem like the one you reported. If the new OS installation is configured so that it requests the same certificate name that the old one did, then you'll still have exactly the same problem. In fact, if you set up an entirely different machine that requests a certificate for a name that already has an outstanding, valid certificate, then you will also see the same error.
I seem to recall PuppetLabs having a fairly good overview of all this among its documentation pages, but now I'm having trouble finding such a thing. There are still some docs about the certificate management tool, and docs about some non-default CA configurations and about a few non-routine actions, but the closest I can find to a certificate management overview is a somewhat dated document targeted a bit differently, at agent/master HTTPS interactions.
John
Reply all
Reply to author
Forward
0 new messages