On Windows 2008 R2 SP1, after joining to the domain, there is an issue with a mapped network drive when the Puppet agent runs under the "LOCAL SYSTEM" service account.

Using dependency chaining, a module near the beginning is
"map-networkdrivez". The module execs a batch file that, if Z:\ does not
exist (not already mapped), maps Z:\ to a Windows 2008 R2 SP1 file server
with a hidden share "data$". The file server is configured to allow
anonymous share access (with the appropriate NTFS and Share permissions).

By default, when the puppet agent runs as the service, the associated
service account is "local system". On first run, the batch file
appropriately maps the drive and the modules have access to the resources
of the mapped network drive.
Once a module executes that joins the computer to the domain and restarts
the computer, subsequent puppet runs fail because of a failed resource
dependency on Z:\:

Could not evaluate. Could not retrieve information from environment
production source(s) file:/z:/Install-Exe.ps1

I set up a Sysinternals Process Monitor trace during a puppet run:

Path = "\\;LanmanRedirector\;Z:00000000000003e7\10.202.1.27\Data$\"
Result = "ACCESS DENIED".

I verified the same result using psexec to open a cmd prompt under the
"LOCAL SYSTEM" account by opening a CMD with administrative privileges,
running "psexec -hsi cmd" and navigating to "z:":

Access is denied.

If, using the local administrator account, I open a cmd prompt and run
"C:\Program Files (x86)\Puppet Labs\Puppet\bin\puppet agent -t", all the
modules will execute successfully.

If I change the Puppet service account from "LOCAL SYSTEM" to
"testwindows004\Administrator", all the modules will execute successfully.

Has anyone else seen this behavior? Any thoughts on how to overcome this
issue?
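
@ECHO OFF
REM Remove every existing network connection without prompting.
NET USE * /DELETE /YES
REM Map Z: to the hidden share only if the drive is not already present.
IF NOT EXIST Z:\ (
ECHO "Z:\ Does not exist. Will connect to Z:\"
REM /PERSISTENT:NO keeps the mapping from being restored at the next logon.
NET USE Z: \\10.202.1.27\Data$ /PERSISTENT:NO
) ELSE (
ECHO "Z:\ exists."
)
ECHO "Pause 10 seconds"
REM Ten pings with the output discarded serve as a crude delay.
Ping 1.1.1.1 -n 10 > NUL
ECHO "NET USE"
REM List the current connections so the result shows up in the run output.
NET USE
ECHO "Map Network Drive script complete."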
