2009/7/27 Luis Lavena <luislav...@gmail.com>:
> Ok, that means we are going to go over the runas console debug mode.
>
> I'm going to remove the dust from my instructions on this:
>
> http://rubyforge.org/pipermail/mongrel-users/2008-October/005587.html
>
> And pointing to the "guide to debug mongrel_service"
>
> http://rubyforge.org/pipermail/mongrel-users/2008-October/005588.html
>
> Which links here:
>
> http://rubyforge.org/pipermail/mongrel-users/2007-February/003004.html
>
> Please let me know if these instructions are not easy to follow, but
> everything is there to debug the issue.
>

Luis, thanks for your help. The instructions are fine, but I'm still
not getting to the root of the issue. I understand this is extremely
difficult for you to diagnose. I've wrestled with these least
privilege accounts in the past so I'm aware of the kind of issues that
cause apps to fail. Typically I run service accounts with deny local
logon and exclude membership from Users - you'll be surprised at the
amount of privs that are granted (especially ACLs) on User group
membership. Anyway in this case this is a straight user so this
shouldn't be the cause of the issue.

So I temporarily added my service account to the 'remote desktop
users' group so I could logon remotely as that user (I've also done
this from my admin account using runas /user:xxx - but I'm checking
all avenues here). Started a console and copied the service executable
string for my mongrel_rails service to the console (adjusted to run as
a console app) and run as:

mongrel_service console single -e development -p 58025 -a 0.0.0.0 -l "log/mongrel.log" \
-P "log/mongrel.pid" -c "<path to my app>" -t 0 -r "public" -n 1024

This works fine - I can connect via port 58025 from my remote browser
and the app works fine.

Service string in the registry is:
"c:/ruby/bin/mongrel_service.exe" single -e development -p 58025 -a 0.0.0.0 -l "log/mongrel.log" -P "log/mongrel.pid" -c "<path to my app>" -t 0 -r "public" -n 1024

However as soon as I attempt to start from the service manager
mongrel_service starts and then immediately terminates. No log
messages. So I ran up Procmon and tried starting the service to see if
I can see any obvious file ACL failures. Again nothing obvious, I can
see mongrel_service starting, I can see a set of activity, some
registry reads, I don't see any attempt to open the mongrel log file
in ruby\bin as I do when it works as a member of the admin group. I
then see the process exit (no obvious errors before this) and the
service account's profile unloads.

I thought there might be permission issues on registry keys, but most
keys in the registry (and service tree) have permissions set for the
Users group, so if my account is a member of this it shouldn't need
anything else.

There don't seem to be any issues in the event log, the security
event log shows success audits for authentication - the account
logging in with auth type 5.

I tried granting impersonate rights to the service account - I really
doubt this is needed, but some ASP.NET accounts have this - probably
more for Windows integrated authentication than service based access.
But this still failed.

Clearly I'm missing something and mongrel_service is encountering some
lack of permission since as I said adding the service account to the
administrators group the app works fine.

Is our server tied down - yes could be pretty tightly, ipsec rules
etc. It does have Kaspersky. I may have to grab the code for
mongrel_service and attempt to instrument it to see how far it gets.

Unless there are any further debugging steps I can try?

Thanks
Darren
_______________________________________________
Mongrel-users mailing list
Mongrel-users@rubyforge.org
http://rubyforge.org/mailman/listinfo/mongrel-users
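
The Procmon pass described in the message above can be made repeatable by exporting the trace to CSV and filtering it. This is an added example, not part of the original thread: it lists results outside a usually-benign set for one process, plus the last operations before its Process Exit, which is what is left to read when nothing is denied outright. The sample rows, paths and the benign-result set are constructed assumptions.

```python
import csv
import io

# Constructed sample in Procmon's default CSV export layout (not data from the thread).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.100","mongrel_service.exe","3120","Process Start","","SUCCESS","Parent PID: 612"
"10:01:00.140","mongrel_service.exe","3120","RegOpenKey","HKLM\SYSTEM\Example\Key","NAME NOT FOUND","Desired Access: Read"
"10:01:00.150","svchost.exe","900","CreateFile","C:\Example\other.txt","ACCESS DENIED","Desired Access: Generic Write"
"10:01:00.180","mongrel_service.exe","3120","CreateFile","C:\Example\app\log\mongrel.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:00.200","mongrel_service.exe","3120","RegQueryValue","HKLM\SYSTEM\Example\Key\Value","SUCCESS","Type: REG_SZ"
"10:01:00.230","mongrel_service.exe","3120","Process Exit","","SUCCESS","Exit Status: 1"
'''

# Results that commonly show up in healthy traces (assumption; tune per environment).
USUALLY_BENIGN = {"SUCCESS", "NAME NOT FOUND", "BUFFER OVERFLOW", "NO MORE ENTRIES",
                  "REPARSE", "END OF FILE", "BUFFER TOO SMALL"}


def triage(csv_text, process_name, tail=3):
    """Return (suspect events, last `tail` events before Process Exit) for one process."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Process Name"].lower() == process_name.lower()]
    # Anything outside the benign set is worth reading, not only ACCESS DENIED.
    suspects = [r for r in rows if r["Result"] not in USUALLY_BENIGN]
    # If no exit was captured, fall back to the end of the trace.
    exit_idx = next((i for i, r in enumerate(rows)
                     if r["Operation"] == "Process Exit"), len(rows))
    return suspects, rows[max(0, exit_idx - tail):exit_idx]


if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" to drop the BOM.
    suspects, last_ops = triage(SAMPLE_CSV, "mongrel_service.exe")
    for r in suspects:
        print("SUSPECT    ", r["Operation"], r["Path"], r["Result"], r["Detail"])
    for r in last_ops:
        print("BEFORE EXIT", r["Time of Day"], r["Operation"], r["Path"], r["Result"])
```

Running the same filter over one trace captured with the account in Administrators and one without, then comparing the two outputs, narrows the search to operations that only appear or only succeed in the working case.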
