Jira (PUP-8395) Exec Parity for Windows
Title: Message Title Erick Banks updated an issue Puppet / PUP-8395 Exec Parity for Windows Change By: Erick Banks Sprint: Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8395) Exec Parity for Windows
Title: Message Title Erick Banks updated an issue Puppet / PUP-8395 Exec Parity for Windows Change By: Erick Banks Sprint: Windows 2019-02-20 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8395) Exec Parity for Windows
Title: Message Title Ethan Brown updated an issue Puppet / PUP-8395 Exec Parity for Windows Change By: Ethan Brown Sprint: Windows Hopper Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8395) Exec Parity for Windows
Title: Message Title Ethan Brown updated an issue Puppet / PUP-8395 Exec Parity for Windows Change By: Ethan Brown Sprint: Windows Hopper Grooming Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8395) Exec Parity for Windows
Title: Message Title Geoff Williams updated an issue Puppet / PUP-8395 Exec Parity for Windows Change By: Geoff Williams In Linux, Puppet typically runs as root (full privileges) and can leverage the exec resource's user parameter to run a command as a local user. In Windows, this parity is lacking and it's increasingly causing problems for Puppet users. It would be nice to run things as a local user.This issue is further compounded by common Microsoft System Administration use cases, where various pieces of software are installed and run as domain service accounts. For instance, the SQL Server module does it with [some gnarly Ruby in a provider to set domain credentials in 3 places | https://github.com/puppetlabs/puppetlabs-sqlserver/blob/master/lib/puppet/provider/sqlserver_features/mssql.rb#L7-L8] by passing parameters to the installer. I suggest writing a custom installation provider for software requiring a service account is not a reasonable ask for a typical user who is an experienced Windows admin and nascent Puppet practitioner.There is a large and growing amount of Microsoft enterprise software (SQL Server, SCOM, SCCM, SCVMM) that recommends or requires the use of a domain service account, and there's not currently a good way to address it. Feature parity (and perhaps going a little further to support Domain Accounts) would be a good start, especially if this exec allows users to get the automation done while we determine if other features are needed. (For instance, passing a Microsoft Domain user credential to the package resource).Finally, field experience indicates this is complicated further by Mandatory Access Controls. These may limit deny the ability of any service running as Local System LocalSystem to interact with the wider world using domain credentials . and there are no workarounds to disable them that don't break the integrity of the operating system Add Comment This message was sent by Atlassian JIRA (v7.0.2#70111-sha1:88534db)
Jira (PUP-8395) Exec Parity for Windows
Title: Message Title
Geoff Williams commented on PUP-8395
Re: Exec Parity for Windows
Correct me if I'm wrong but in my quick look at this the ruby linked code doesn't look like it actually does anything to control the ID running the installer:
if FEATURE_RESERVED_SWITCHES.include? k
warn("Reserved switch [#{k}] found for `install_switches`, please know the provided value may be overridden by some command line arguments")
end
see: https://github.com/puppetlabs/puppetlabs-sqlserver/blob/master/lib/puppet/provider/sqlserver_features/mssql.rb#L96
This would just print a warning that some options may be ignored (or they may not...) - because it depends on the ID who owns the Puppet process. The above options then get written to a configuration file which is fed to the SQL installer and it is that, not puppet, which performs the ID change.
Writing a custom ruby provider while fun, is not a means that can be leveraged to change users if puppet is not being run as a user who is able to switch IDs according to Windows.
I did build some PowerShell to allow an ID switch as a proof-of-concept: https://gist.github.com/GeoffWilliams/e8f64a8d01f3c8611e5ef06d5989f4d5 but this will only work if executed as a suitable user.
Add Comment
Jira (PUP-8395) Exec Parity for Windows
Title: Message Title Craig Gomes updated an issue Puppet / PUP-8395 Exec Parity for Windows Change By: Craig Gomes Team: Windows Add Comment This message was sent by Atlassian JIRA (v7.0.2#70111-sha1:88534db) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8395) Exec Parity for Windows
Title: Message Title Paul Anderson updated an issue Puppet / PUP-8395 Exec Parity for Windows Change By: Paul Anderson In Linux, Puppet typically runs as root (full privileges) and can leverage the exec resource's user parameter to run a command as a local user. In Windows, this parity is lacking and it's increasingly causing problems for Puppet users. It would be nice to run things as a local user.This issue is further compounded by common Microsoft System Administration use cases, where various pieces of software are installed and run as domain service accounts. For instance, the SQL Server module does it with [some gnarly Ruby in a provider to set domain credentials in 3 places | https://github.com/puppetlabs/puppetlabs-sqlserver/blob/master/lib/puppet/provider/sqlserver_features/mssql.rb#L7 -L8 ] by passing parameters to the installer. I suggest writing a custom installation provider for software requiring a service account is not a reasonable ask for a typical user who is an experienced Windows admin and nascent Puppet practitioner.There is a large and growing amount of Microsoft enterprise software (SQL Server, SCOM, SCCM, SCVMM) that recommends or requires the use of a domain service account, and there's not currently a good way to address it. Feature parity (and perhaps going a little further to support Domain Accounts) would be a good start, especially if this exec allows users to get the automation done while we determine if other features are needed. (For instance, passing a Microsoft Domain user credential to the package resource).Finally, field experience indicates this is complicated further by Mandatory Access Controls. These may limit the ability of any service running as Local System to interact with the wider world using domain credentials. Add Comment This message was sent by Atlassian JIRA (v7.0.2#70111-sha1:88534db)
Jira (PUP-8395) Exec Parity for Windows
Title: Message Title Paul Anderson created an issue Puppet / PUP-8395 Exec Parity for Windows Issue Type: New Feature Affects Versions: PUP 5.3.3 Assignee: Unassigned Components: Types and Providers Created: 2018/01/24 11:46 PM Environment: Windows Priority: Normal Reporter: Paul Anderson In Linux, Puppet typically runs as root (full privileges) and can leverage the exec resource's user parameter to run a command as a local user. In Windows, this parity is lacking and it's increasingly causing problems for Puppet users. It would be nice to run things as a local user. This issue is further compounded by common Microsoft System Administration use cases, where various pieces of software are installed and run as domain service accounts. For instance, the SQL Server module does it with some gnarly Ruby in a provider by passing parameters to the installer. I suggest writing a custom installation provider for software requiring a
