On Mon, Jul 29, 2013 at 12:38 AM, nan <[email protected]> wrote:
> While logged in to Windows as local administrator, installing XenDesktop
> with the AD administrator account is successful; below is what I have done:
>
> $adPassword= convertto-securestring "password" -asplaintext -force
> $adCredObject = new-object -typename System.Management.Automation.PSCredential -argumentlist "ad.mydomain.com\user",$adPassword
> $CurrentProcess = Start-Process -FilePath ".\xendesktop\x64\XenDesktop Setup\XenDesktopServerSetup.exe" -Credential $adCredObject -Wait -PassThru -ArgumentList "/COMPONENTS CONTROLLER,DESKTOPSTUDIO,DESKTOPDIRECTOR,LICENSESERVER,STOREFRONT /NOREBOOT /CONFIGURE_FIREWALL"
>
> But when using a Puppet automation script (it runs as the Windows system
> user) to install XenDesktop with the AD administrator account, it fails;
> below is what I have done to run 'exec' in Puppet (same code as above):
>
> $adPassword= convertto-securestring "password" -asplaintext -force
> $adCredObject = new-object -typename System.Management.Automation.PSCredential -argumentlist "ad.mydomain.com\user",$adPassword
> $CurrentProcess = Start-Process -FilePath ".\xendesktop\x64\XenDesktop Setup\XenDesktopServerSetup.exe" -Credential $adCredObject -Wait -PassThru -ArgumentList "/COMPONENTS CONTROLLER,DESKTOPSTUDIO,DESKTOPDIRECTOR,LICENSESERVER,STOREFRONT /NOREBOOT /CONFIGURE_FIREWALL"
>
> So the only difference is that the successful one runs the above script as
> local administrator and the failed one runs as the Windows system user. The
> failure message displayed in the event log is like:
>
> An account failed to log on.
>
> Subject:
>     Security ID: SYSTEM
>     Account Name: MyMachineName
>     Account Domain: MyDomainName
>     Logon ID: 0x3e7
>
> Logon Type: 3
>
> Account For Which Logon Failed:
>     Security ID: NULL SID
>     Account Name: Administrator
>     Account Domain: MyMachineName
>
> Failure Information:
>     Failure Reason: Unknown user name or bad password.
>     Status: 0xc000006d
>     Sub Status: 0xc000006a
>
> Process Information:
>     Caller Process ID: 0xd90
>     Caller Process Name: C:\Program Files (x86)\Puppet Labs\Puppet\sys\ruby\bin\ruby.exe
>
> Network Information:
>     Workstation Name: MyMachineName
>     Source Network Address: -
>     Source Port: -
>
> Detailed Authentication Information:
>     Logon Process: Advapi
>     Authentication Package: Negotiate
>     Transited Services: -
>     Package Name (NTLM only): -
>     Key Length: 0
>
> This event is generated when a logon request fails. It is generated on the
> computer where access was attempted.
>
> The Subject fields indicate the account on the local system which requested
> the logon. This is most commonly a service such as the Server service, or a
> local process such as Winlogon.exe or Services.exe.
>
> The Logon Type field indicates the kind of logon that was requested. The most
> common types are 2 (interactive) and 3 (network).
>
> The Process Information fields indicate which account and process on the
> system requested the logon.
>
> The Network Information fields indicate where a remote logon request
> originated. Workstation name is not always available and may be left blank in
> some cases.
>
> The authentication information fields provide detailed information about this
> specific logon request.
>     - Transited services indicate which intermediate services have
>       participated in this logon request.
>     - Package name indicates which sub-protocol was used among the NTLM
>       protocols.
>     - Key length indicates the length of the generated session key. This will
>       be 0 if no session key was requested.
>
> I have tried to use runasspc also to execute this installation, and add
> the system user to local administrator group but I got same result. Any
> help would be appreciated.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/puppet-users.
> For more options, visit https://groups.google.com/groups/opt_out.

Since it works from an interactive logon session, but not when puppet runs as LocalSystem, the issue is most likely that something in the installation process is attempting to access a network resource, e.g. NETLOGON, and failing due to the way the LocalSystem account authenticates to network resources[1][2].

The common way to resolve this is to create a service domain account, e.g. puppet, add the service account to the local administrators group, and configure the puppet service to run as that domain service account.

Josh

[1] http://serverfault.com/questions/135867/howt-to-grant-network-access-to-localsystem-account
[2] http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx
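
The remedy described in the reply above, written out in PowerShell as an added example that is not part of the original thread. The account name `MYDOMAIN\svc-puppet` is a hypothetical placeholder for an existing domain account, and the agent's Windows service is assumed to be named `puppet`.

```powershell
#Requires -RunAsAdministrator
# Added example: run the Puppet agent service as a domain service account
# instead of LocalSystem. Names below are assumptions, not from the thread.

$ServiceName = 'puppet'                 # assumed Windows service name of the agent
$Account     = 'MYDOMAIN\svc-puppet'    # hypothetical, pre-created domain account
$AdminsSid   = 'S-1-5-32-544'           # well-known SID of the local Administrators group

# Prompt for the password rather than embedding it in the script as plain text.
$cred = Get-Credential -UserName $Account -Message 'Password for the Puppet service account'

# 1. Add the domain account to the local Administrators group (skip if present).
$existing = Get-LocalGroupMember -SID $AdminsSid -Member $Account -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-LocalGroupMember -SID $AdminsSid -Member $Account -ErrorAction Stop
}

# 2. Point the service at the domain account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $Account
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return value $($result.ReturnValue)"
}

# 3. Restart so the new logon account takes effect, then confirm it.
# Win32_Service.Change does not grant the "Log on as a service" right
# (SeServiceLogonRight); if the restart fails with a logon error, assign that
# right to the account through Local Security Policy or Group Policy first.
Restart-Service -Name $ServiceName -ErrorAction Stop

Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State
```

With the service running under the domain account, the `Start-Process -Credential` call and the plaintext password in the manifest are no longer needed for the installer to reach domain resources.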
