Jira (PUP-10899) Retrieve SID for users under 'APPLICATION PACKAGE AUTHORITY'


Luchian Nemes (Jira)

Feb 11, 2021, 10:33:02 AM
to puppe...@googlegroups.com
Luchian Nemes created an issue
 
Puppet / Task PUP-10899
Retrieve SID for users under 'APPLICATION PACKAGE AUTHORITY'
Issue Type: Task
Assignee: Luchian Nemes
Created: 2021/02/11 7:32 AM
Priority: Normal
Reporter: Luchian Nemes

Our puppetlabs-acl module lists changes with the users under APPLICATION PACKAGE AUTHORITY as a known limitation as follows:

 When referring to accounts in the APPLICATION PACKAGE AUTHORITY, use either their SID values or their unqualified names. The Windows API has well documented bugs preventing the fully qualified account names from being used.

  • S-1-15-2-1 or ALL APPLICATION PACKAGES, but not APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES. This account may only be referenced on Windows 2012R2 (kernel 6.3) or newer.
  • S-1-15-2-2 or ALL RESTRICTED APPLICATION PACKAGES, but not APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES. This account may only be referenced on Windows 2016 (kernel 10.0) or newer.

Using the above advice, the following manifest works and is idempotent:

acl { 'C:\\My Folder':
  permissions => [
    { identity => 'ALL RESTRICTED APPLICATION PACKAGES', rights => ['read','write','execute'] }
  ],
}

But when trying to add other permissions (new ones), the following error occurs:
Error: Failed to apply catalog: undefined method `bytesize' for nil:NilClass
C:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/api_types.rb:25:in `from_string_to_wide_string'
Example:

acl { 'C:\\My Folder':
  permissions => [
    { identity => 'Administrators', rights => ['read','write','execute'] }
  ],
}

This limitation is brought by puppet implementation of https://github.com/puppetlabs/puppet/blob/main/lib/puppet/util/windows/principal.rb#L47 which takes the username as it is. A special filtering for usernames starting with *APPLICATION PACKAGE AUTHORITY* would solve this issue.


Luchian Nemes (Jira)

Feb 11, 2021, 10:34:03 AM
to puppe...@googlegroups.com
Luchian Nemes updated an issue
Change By: Luchian Nemes
Our [puppetlabs-acl|https://github.com/luchihoratiu/puppetlabs-acl] module lists changes with the users under *APPLICATION PACKAGE AUTHORITY* as a known limitation as follows:
{panel}
 When referring to accounts in the {{APPLICATION PACKAGE AUTHORITY}}, use either their SID values or their unqualified names. The Windows API has well documented bugs preventing the fully qualified account names from being used.
* {{S-1-15-2-1}} or {{ALL APPLICATION PACKAGES}}, but _not_ {{APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES}}. This account may only be referenced on Windows 2012R2 (kernel 6.3) or newer.
* {{S-1-15-2-2}} or {{ALL RESTRICTED APPLICATION PACKAGES}}, but _not_ {{APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES}}. This account may only be referenced on Windows 2016 (kernel 10.0) or newer.{panel}


Using the above advice, the following manifest works and is idempotent:
{code:puppet}
acl { 'C:\\My Folder':
  permissions => [
    { identity => 'ALL RESTRICTED APPLICATION PACKAGES', rights => ['read','write','execute'] }
  ],
}
{code}


But when trying to add other permissions (new ones), the following error occurs:
*Error: Failed to apply catalog: undefined method `bytesize' for nil:NilClass
C:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/api_types.rb:25:in `from_string_to_wide_string'*
Example:
{code:puppet}
acl { 'C:\\My Folder':
  permissions => [
    { identity => 'Administrators', rights => ['read','write','execute'] }
  ],
}
{code}

This limitation is brought by [puppet|https://github.com/puppetlabs/puppet] implementation of https://github.com/puppetlabs/puppet/blob/main/lib/puppet/util/windows/principal.rb#L47 which takes the username as it is. A special filtering for usernames starting with *APPLICATION PACKAGE AUTHORITY\\* would solve this issue.

Luchian Nemes (Jira)

Feb 11, 2021, 10:35:04 AM
to puppe...@googlegroups.com
This limitation is brought by [puppet|https://github.com/puppetlabs/puppet] implementation of [https://github.com/puppetlabs/puppet/blob/main/lib/puppet/util/windows/principal.rb#L47] which takes the username as it is. A special filtering for usernames starting with *APPLICATION PACKAGE AUTHORITY\\* would solve this issue.

Luchian Nemes (Jira)

Feb 11, 2021, 10:35:04 AM
to puppe...@googlegroups.com
Luchian Nemes updated an issue
Our [puppetlabs-acl|https://github.com/luchihoratiu/puppetlabs-acl] module lists changes with the users under *APPLICATION PACKAGE AUTHORITY* as a known limitation as follows:
{panel}
 When referring to accounts in the {{APPLICATION PACKAGE AUTHORITY}}, use either their SID values or their unqualified names. The Windows API has well documented bugs preventing the fully qualified account names from being used.
* {{S-1-15-2-1}} or {{ALL APPLICATION PACKAGES}}, but _not_ {{APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES}}. This account may only be referenced on Windows 2012R2 (kernel 6.3) or newer.
* {{S-1-15-2-2}} or {{ALL RESTRICTED APPLICATION PACKAGES}}, but _not_ {{APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES}}. This account may only be referenced on Windows 2016 (kernel 10.0) or newer.{panel}
Using the above advice, the following manifest works and is idempotent:
{code:puppet}acl { 'C:\\My Folder':
  permissions => [
  {
      identity => 'ALL RESTRICTED APPLICATION PACKAGES', rights => ['read','write','execute']}
  ],
}
{code}
But when trying to add other permissions (new ones), the following error occurs:
*Error: Failed to apply catalog: undefined method `bytesize' for nil:NilClass*
*C:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/api_types.rb:25:in `from_string_to_wide_string'*

Example:
{code:puppet}acl { 'C:\\My Folder':
  permissions => [
  {
      identity => 'Administrators', rights => ['read','write','execute']}
  ],
}
{code}
This limitation is brought by [puppet|https://github.com/puppetlabs/puppet] implementation of [https://github.com/puppetlabs/puppet/blob/main/lib/puppet/util/windows/principal.rb#L47] which takes the username as it is. A special filtering for usernames starting with *APPLICATION PACKAGE AUTHORITY* would solve this issue.

Luchian Nemes (Jira)

Feb 11, 2021, 10:43:04 AM
to puppe...@googlegroups.com
Luchian Nemes assigned an issue to Unassigned
Change By: Luchian Nemes
Assignee: Luchian Nemes

zendesk.jira (Jira)

Feb 12, 2021, 1:21:03 AM
to puppe...@googlegroups.com
zendesk.jira updated an issue
Change By: zendesk.jira
Zendesk Ticket Count: 1
Zendesk Ticket IDs: 42787

zendesk.jira (Jira)

Feb 12, 2021, 1:21:04 AM
to puppe...@googlegroups.com

Luchian Nemes (Jira)

Feb 12, 2021, 4:24:03 AM
to puppe...@googlegroups.com
Luchian Nemes updated an issue
Change By: Luchian Nemes
Our [puppetlabs-acl|https://github.com/luchihoratiu/puppetlabs-acl] module lists changes with the users under *APPLICATION PACKAGE AUTHORITY* as a known limitation as follows:
{panel}
 When referring to accounts in the {{APPLICATION PACKAGE AUTHORITY}}, use either their SID values or their unqualified names. The Windows API has well documented bugs preventing the fully qualified account names from being used.
* {{S-1-15-2-1}} or {{ALL APPLICATION PACKAGES}}, but _not_ {{APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES}}. This account may only be referenced on Windows 2012R2 (kernel 6.3) or newer.
* {{S-1-15-2-2}} or {{ALL RESTRICTED APPLICATION PACKAGES}}, but _not_ {{APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES}}. This account may only be referenced on Windows 2016 (kernel 10.0) or newer.{panel}
Using the above advice, the following manifest works and is idempotent:
{code:puppet}acl { 'C:\\My Folder':
  permissions => [
  {
      identity => 'ALL RESTRICTED APPLICATION PACKAGES', rights => ['read','write','execute']}
  ],
}
{code}
But when trying to add other permissions (new ones), the following error occurs:
*Error: Failed to apply catalog: undefined method `bytesize' for nil:NilClass*
*C:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/api_types.rb:25:in `from_string_to_wide_string'*

Example:
{code:puppet}acl { 'C:\\My Folder':
  permissions => [
  {
      identity => 'Administrators', rights => ['read','write','execute']}
  ],
}
{code}
This limitation is brought by [puppet|https://github.com/puppetlabs/puppet] implementation of [https://github.com/puppetlabs/puppet/blob/main/lib/puppet/util/windows/principal.rb#L47] which takes the username as it is. A special filtering for usernames starting with *APPLICATION PACKAGE AUTHORITY\\* (and split it accordingly if so) would solve this issue.
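
Added example, not part of the Jira thread and not Puppet's own code: one way the filtering proposed above could look in Ruby. The names `sanitize_account_name`, `simulated_lookup`, `resolve_sid` and `KNOWN_ACCOUNTS` are hypothetical, and the lookup table is a constructed stand-in for the Windows account lookup so the example runs on any platform.

```ruby
APP_PACKAGE_AUTHORITY = 'APPLICATION PACKAGE AUTHORITY'.freeze

# Matches a string SID such as S-1-15-2-2.
SID_PATTERN = /\AS-\d+(-\d+)+\z/i

# Returns the name that is safe to hand to an account lookup:
#  - SIDs and unqualified names pass through unchanged
#  - "APPLICATION PACKAGE AUTHORITY\<name>" is split and reduced to "<name>"
#  - every other DOMAIN\name form is left intact
def sanitize_account_name(name)
  unless name.is_a?(String) && !name.strip.empty?
    raise ArgumentError, 'account name must be a non-empty String'
  end

  name = name.strip
  return name if name.match?(SID_PATTERN)

  authority, separator, account = name.partition('\\')
  return name if separator.empty? # unqualified name
  return name unless authority.casecmp?(APP_PACKAGE_AUTHORITY)
  raise ArgumentError, "no account after #{authority}\\" if account.empty?

  account
end

# Constructed stand-in for the Windows lookup (assumption): it resolves only
# the forms the acl module documents as working and returns nil for the
# fully qualified APPLICATION PACKAGE AUTHORITY form.
KNOWN_ACCOUNTS = {
  'ALL APPLICATION PACKAGES' => 'S-1-15-2-1',
  'ALL RESTRICTED APPLICATION PACKAGES' => 'S-1-15-2-2',
  'ADMINISTRATORS' => 'S-1-5-32-544',
  'BUILTIN\\ADMINISTRATORS' => 'S-1-5-32-544'
}.freeze

def simulated_lookup(name)
  return name.upcase if name.match?(SID_PATTERN)

  KNOWN_ACCOUNTS[name.upcase]
end

# Sanitize first, then look up, so the qualified form never reaches the lookup.
def resolve_sid(name)
  simulated_lookup(sanitize_account_name(name))
end
```

In this sketch a `nil` from the lookup is the caller's signal to fail with a clear "account not found" message rather than pass `nil` on to a later string conversion.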

Luchian Nemes (Jira)

Feb 12, 2021, 4:25:04 AM
to puppe...@googlegroups.com

Luchian Nemes (Jira)

Feb 12, 2021, 4:28:03 AM
to puppe...@googlegroups.com

Luchian Nemes (Jira)

Feb 12, 2021, 4:28:04 AM
to puppe...@googlegroups.com

Luchian Nemes (Jira)

Feb 12, 2021, 4:28:04 AM
to puppe...@googlegroups.com

Mihai Buzgau (Jira)

Feb 15, 2021, 1:48:04 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
 
Puppet / Improvement PUP-10899
Change By: Mihai Buzgau
Issue Type: Task → Improvement

Mihai Buzgau (Jira)

Feb 17, 2021, 6:43:03 AM
to puppe...@googlegroups.com

Gheorghe Popescu (Jira)

Feb 17, 2021, 6:43:03 AM
to puppe...@googlegroups.com

Luchian Nemes (Jira)

Feb 19, 2021, 5:08:03 AM
to puppe...@googlegroups.com

Luchian Nemes (Jira)

Feb 22, 2021, 9:16:02 AM
to puppe...@googlegroups.com

Luchian Nemes (Jira)

Feb 23, 2021, 4:56:03 AM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Mar 1, 2021, 2:52:02 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Mar 1, 2021, 2:52:02 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Mar 2, 2021, 7:18:56 PM
to puppe...@googlegroups.com

Luchian Nemes (Jira)

Mar 3, 2021, 2:06:01 AM
to puppe...@googlegroups.com
Luchian Nemes updated an issue
 
Change By: Luchian Nemes
Release Notes: Bug Fix
Release Notes Summary: A known issue with `LookupAccountNameW` was causing Puppet to fail when managing users under `APPLICATION PACKAGE AUTHORITY` with fully qualified names. An account name sanitization step was added to prevent faulty queries.

Luchian Nemes (Jira)

Mar 3, 2021, 2:10:01 AM
to puppe...@googlegroups.com
Luchian Nemes updated an issue
Change By: Luchian Nemes
Release Notes Summary: A known issue with `LookupAccountNameW` was causing Puppet to fail when managing Windows users under `APPLICATION PACKAGE AUTHORITY` with fully qualified names. An account name sanitization step was added to prevent faulty queries.

Claire Cadman (Jira)

Mar 10, 2021, 10:33:26 AM
to puppe...@googlegroups.com
Claire Cadman updated an issue
Change By: Claire Cadman
Labels: doc_reviewed jira_escalated