Puppet Windows - Mapped Network Drive and Service Account
1,180 views
Skip to first unread message
Kevin D
Apr 29, 2013, 1:46:09 PM4/29/13
to puppet...@googlegroups.com
On Windows 2008 R2 SP1, after joining to the domain, there is an issue with a mapped network drive when Puppet agent runs by the "LOCAL SYSTEM" service account.
Using dependency chaining, a near the beginning module is "map-networkdrivez". The module execs a batch file that if Z:\ does not exist (not already mapped), maps Z:\ to a Windows 2008 R2 SP1 file server with a hidden share "data$". The file server is configured for anonymous to allow share access (with the appropriate NTFS and Share permissions).
By default, when the puppet agent runs as the service, the associated service account is "local system". On first run, the batch file appropriately maps the drive and the modules have access to the resources of the mapped network drive.
Once a module executes that joins the computer to the domain and restarts the computer, subsequent puppet runs fail because of a failed resource dependency on Z:\:
Could not evaluate. Could not retrieve information from environment production source(s) file:/z:/Install-Exe.ps1
I setup a SysInternal's Process Monitor trace during a puppet run:
Path = "\\;LanmanRedirector\;Z:00000000000003e7\10.202.1.27\Data$\"
Result = "ACCESS DENIED".
I verified the same result using psexec to open a cmd prompt under the "LOCAL SYSTEM" account by opening a CMD with administrative privileges, running "psexec -hsi cmd" and navigating to "z:"
Access is denied.
If using the local administrator account I open a cmd prompt run "C:\Program Files(x86)\Puppet Labs\Puppet\bin\puppet agent -t" all the modules will execute successfully.
If I change the Puppet service account from "LOCAL SYSTEM" to "testwindows004\Administrator" all the modules will execute successfully.
Has anyone else seen this behavior? Any thoughts on how to overcome this issue?
Using dependency chaining, a near the beginning module is "map-networkdrivez". The module execs a batch file that if Z:\ does not exist (not already mapped), maps Z:\ to a Windows 2008 R2 SP1 file server with a hidden share "data$". The file server is configured for anonymous to allow share access (with the appropriate NTFS and Share permissions).
By default, when the puppet agent runs as the service, the associated service account is "local system". On first run, the batch file appropriately maps the drive and the modules have access to the resources of the mapped network drive.
Once a module executes that joins the computer to the domain and restarts the computer, subsequent puppet runs fail because of a failed resource dependency on Z:\:
Could not evaluate. Could not retrieve information from environment production source(s) file:/z:/Install-Exe.ps1
I setup a SysInternal's Process Monitor trace during a puppet run:
Path = "\\;LanmanRedirector\;Z:00000000000003e7\10.202.1.27\Data$\"
Result = "ACCESS DENIED".
I verified the same result using psexec to open a cmd prompt under the "LOCAL SYSTEM" account by opening a CMD with administrative privileges, running "psexec -hsi cmd" and navigating to "z:"
Access is denied.
If using the local administrator account I open a cmd prompt run "C:\Program Files(x86)\Puppet Labs\Puppet\bin\puppet agent -t" all the modules will execute successfully.
If I change the Puppet service account from "LOCAL SYSTEM" to "testwindows004\Administrator" all the modules will execute successfully.
Has anyone else seen this behavior? Any thoughts on how to overcome this issue?
Kevin D
May 6, 2013, 4:27:15 PM5/6/13
to puppet...@googlegroups.com
I found a resolution!
Modify the NTFS and Share permissions:
Modify the NTFS and Share permissions:
- "myDomain\Domain Computers" = read/execute
Reply all
Reply to author
Forward
0 new messages