| Puppet Version: 2019.8.4
Puppet Server Version:
OS Name/Version: We are trying to add an account to the "UserRightAssignment - Log on as service rights" of a Windows agent using the DSC Modules:
dsc-securitypolicydsc
puppetlabs-pwshlib
and, at the same time, set a service with the account that just got the "log on as service rights". The manifest code used is:
class windows_towers {
dsc_userrightsassignment { "add-jordi-to-logon-as-service": dsc_ensure => 'present', dsc_policy => 'Log_on_as_a_service', dsc_identity => ['NT SERVICE\\ALL SERVICES','cloudbase-init','jordi'], }
service { 'PlexUpdateService': ensure => 'stopped', logonaccount => 'PE-201984-WIN2K\\jordi', logonpassword => 'puppetpuppet', enable => 'false', require => Dsc_userrightsassignment['add-jordi-to-logon-as-service'], } }
Desired Behavior: Update the windows service with the new credentials that just got ** "log on as service rights" - Basically, the code above should work first time round. Actual Behavior:
PS C:\Users\Administrator\tester> puppet agent -t
[DEPRECATION] Struct layout is already defined for class Windows::ServiceStructs::SERVICE_STATUS_PROCESS. Redefinition as in C:/Ruby25-x64/lib/ruby/gems/2.5.0/gems/win32-service-0.8.8/lib/win32/windows/structs.rb:67:in `<class:SERVICE_STATUS_PROCESS>' will be disallowed in ffi-2.0.
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Error: Failed to apply catalog: Parameter logonaccount failed on Service[PlexUpdateService]: "PE-201984-WIN2K\jordi" is missing the 'Log On As A Service' right. (file: /etc/puppetlabs/code/environments/production/site/windows_towers/manifests/init.pp, line: 16)
The error is indicating that the account selected doesn't have "log on as service rights" but, in fact, the account has not been added to the "log on as service rights" User Rights assignment and it is failing at compilation.
Alternatively, if you comment out the service part of the code, the user gets added to the "log on as service rights" and, at this stage, the code will work as expected.
class windows_towers {
dsc_userrightsassignment { "add-jordi-to-logon-as-service": dsc_ensure => 'present', dsc_policy => 'Log_on_as_a_service', dsc_identity => ['NT SERVICE\\ALL SERVICES','cloudbase-init','jordi'], }
- service { 'PlexUpdateService': # ensure => 'stopped', # logonaccount => 'PE-201984-WIN2K\\jordi', #logonpassword => 'puppetpuppet', # enable => 'false', # require => Dsc_userrightsassignment['add-jordi-to-logon-as-service'], #}
}
PS C:\Users\Administrator\tester> puppet agent -t
[DEPRECATION] Struct layout is already defined for class Windows::ServiceStructs::SERVICE_STATUS_PROCESS. Redefinition as in C:/Ruby25-x64/lib/ruby/gems/2.5.0/gems/win32-service-0.8.8/lib/win32/windows/structs.rb:67:in `<class:SERVICE_STATUS_PROCESS>' will be disallowed in ffi-2.0.
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for pe-201984-win2k.platform9.puppet.net
Info: Applying configuration version '1617025583'
Notice: /Stage[main]/Windows_towers/Dsc_userrightsassignment[add-jordi-to-logon-as-service]/dsc_identity: dsc_identity changed ['PE-201984-WIN2K\cloudbase-init', 'NT SERVICE\ALL SERVICES'] to ['NT SERVICE\ALL SERVICES', 'cloudbase-init', 'jordi']
Notice: dsc_userrightsassignment[\{:name=>"add-jordi-to-logon-as-service", :dsc_policy=>"Log_on_as_a_service"}]: Updating: Finished in 2.36 seconds
Notice: Applied catalog in 3.77 seconds
I have worked with Michael Lombardi on https://tickets.puppetlabs.com/browse/MODULES-10969 created on the back of https://puppetlabs.zendesk.com/agent/tickets/43304 that has determined that the error experienced is generated by https://github.com/puppetlabs/puppet/blob/main/lib/puppet/type/service.rb#L152 and stops catalog compilation
Michael has also suggested that the current validation be turned into a warning or placed in the provider and called during set method |
