Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account
Title: Message Title John O'Connor commented on PUP-9719 Re: Can't run puppet agent after installing the MSI using the SYSTEM account So - Summarising - the following files are missing Administrator permissions: C:\ProgramData\PuppetLabs\puppet\cache\client_data\catalog\umtzu5243z6go5b.delivery.puppetlabs.net.json NT AUTHORITY\SYSTEM:(F) Everyone:(Rc,S,RA) C:\ProgramData\PuppetLabs\puppet\cache\state\last_run_report.yaml NT AUTHORITY\SYSTEM:(F) Everyone:(Rc,S,RA) C:\ProgramData\PuppetLabs\puppet\cache\state\last_run_summary.yaml NT AUTHORITY\SYSTEM:(F) Everyone:(R) C:\ProgramData\PuppetLabs\puppet\cache\state\state.yaml NT AUTHORITY\SYSTEM:(F) Everyone:(Rc,S,RA)
Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account
Title: Message Title John O'Connor commented on PUP-9719 Re: Can't run puppet agent after installing the MSI using the SYSTEM account I have done an icacls dump of the puppet directory once the first puppet run is over - it comes to 2000+ lines so have saved this in a GIST at: https://gist.github.com/jcoconnor/6078f7898d1eb91e57155d2cdef4ab55 Excluding the directory tree C:\ProgramData\PuppetLabs\puppet\cache\lib, the pruned output is below: C:\ProgramData\PuppetLabs\puppet NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) C:\ProgramData\PuppetLabs\puppet\cache NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) C:\ProgramData\PuppetLabs\puppet\etc NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Administrators:(I)(OI)(CI)(F) C:\ProgramData\PuppetLabs\puppet\var NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Administrators:(I)(OI)(CI)(F)
Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account
Title: Message Title John O'Connor commented on PUP-9719 Re: Can't run puppet agent after installing the MSI using the SYSTEM account Some further data - icacls of puppet data directory immediately following Puppet Installation: PS C:\ProgramData\PuppetLabs> icacls puppet /t puppet NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) puppet\etc NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Administrators:(I)(OI)(CI)(F) puppet\var NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Administrators:(I)(OI)(CI)(F) puppet\etc\csr_attributes.yaml NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F)
Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account
Title: Message Title John O'Connor commented on PUP-9719 Re: Can't run puppet agent after installing the MSI using the SYSTEM account Thanks Josh Cooper - I discussed this further with Glenn Sarti and he noted that using psexec doesn't perform quite the same way as scheduled tasks which run as SYSTEM SYSTEM So I used the following two commands to execute the two scripts: schtasks /create /tn PuppetInstall /RL HIGHEST /RU SYSTEM /F /SC ONCE /ST 11:15 /TR 'cmd /c c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -sta -WindowStyle Hidden -ExecutionPolicy Bypass -NonInteractive -NoProfile -File c:\puppet.ps1 >> C:\windows\temp\puppet-ins.log 2>&1' schtasks /create /tn PuppetInstall /RL HIGHEST /RU SYSTEM /F /SC ONCE /ST 11:17 /TR 'cmd /c c:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -sta -WindowStyle Hidden -ExecutionPolicy Bypass -NonInteractive -NoProfile -File c:\puppetrun.ps1 >> C:\windows\temp\puppet-run.log 2>&1' I then ran the puppet agent -t command on the console as Administrator and got the following error output: PS C:\Users\Administrator> puppet agent -t Error: Removing corrupt state file C:/ProgramData/PuppetLabs/puppet/cache/state/state.yaml: Permission denied @ rb_sysopen - C:/ProgramData/PuppetLabs/puppet/cache/state/state.yaml Info: Using configured environment 'production' Info: Retrieving pluginfacts Info: Retrieving plugin
Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account
Title: Message Title John O'Connor commented on PUP-9719 Re: Can't run puppet agent after installing the MSI using the SYSTEM account Gareth McGrillan Moving this temporarily to Blocked/Needs Information until we get further reproduction information from the customer as per discussion on Slack Support channel So tried once more to reproduce using their instructions - i.e. copied and modifed `puppet.ps1/puppetrun.ps1` to run on a vmpooler machine and ran both of these using `psexec -s` I then tried `puppet agent -t` as Administrator and it worked without problem. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.310162.1558726819000.52870.1560950700239%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account
Title: Message Title
John O'Connor updated an issue
Puppet / PUP-9719
Can't run puppet agent after installing the MSI using the SYSTEM account
Change By:
John O'Connor
*Puppet Version:* 6.4.2*Puppet Server Version:* N/A*OS Name/Version:* Windows Server 2016 x64When installing Puppet Agent (6.4.2/PE 2019.1.0) on Server 2016 using a Powershell script running as the SYSTEM account, Administrator users can't run Puppet. Daemon/service runs are performed as expected. Direct Puppet runs appear to occur but no report is sent to the master.PUP-8939 had reportedly solved this issue.*Desired Behavior:* *note* - you need to use {{psexec -s}} to repro this on {{vmpooler}} nodes to ensure the SYSTEM account is used: 1. Install: {{psexec -s -i "msiexec.exe" /qn /norestart /l*v C:\windows\temp\puppetinstall.log /i C:\Users\Administrator\Downloads\puppet-agent-6.4.2-x64.msi PUPPET_AGENT_STARTUP_MODE=Manual}}2. Run PA {{psexec -s "C:\Program Files\Puppet Labs\Puppet\bin\puppet.bat" agent -t}} 1. Download the Agent 6.4.2 x64 MSI to a temp path (in this example, {{C:\temp\puppet\puppet-agent-x64.msi}}).2. Install Puppet Agent on a Server 2016 node as the SYSTEM user by running {{start-process -filepath "msiexec.exe" -arg "/qn /norestart /l*v C:\windows\temp\puppetinstall.log /i c:\temp\puppet\puppet-agent-x64.msi PUPPET_AGENT_STARTUP_MODE=Manual" -Wait}}3. Populate csr_attributes.yml and {{server}} in the agent config as necessary.4. As an Administrator, run {{puppet agent --test}} on the newly installed agent.*Actual Behavior:*Catalog retrieval fails; log has been redacted: {code} 2019-05-21 17:20:36 -0400 Puppet (debug): HTTP POST https://compiler.example.net:8140/puppet/v3/catalog/examplenode.example.net returned 200 OK2019-05-21 17:20:36 -0400 Puppet (debug): Caching connection for https://compiler.example.net:81402019-05-21 17:20:36 -0400 Puppet (info): Caching catalog for examplenode.example.net2019-05-21 17:20:38 -0400 Puppet (err): ReplaceFile(C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/examplenode.example.net.json, C:/ProgramData/PuppetLabs/puppet/cache/client_data/catalog/examplenode.example.net.json20190521-6580-blokpv): Access is denied. c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/file.rb:89:in `replace_file'c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:636:in `replace_file'c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/indirector/json.rb:17:in `save'c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:200:in `find'c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/configurer.rb:466:in `block in retrieve_new_catalog'c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:518:in `block in thinmark'c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/2.5.0/benchmark.rb:308:in `realtime'c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util.rb:517:in `thinmark'c:/Program
Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account
Title: Message Title John O'Connor assigned an issue to John O'Connor Puppet / PUP-9719 Can't run puppet agent after installing the MSI using the SYSTEM account Change By: John O'Connor Assignee: John O'Connor Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.310162.1558726819000.52750.1560934440956%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account
Title: Message Title Mihai Buzgau updated an issue Puppet / PUP-9719 Can't run puppet agent after installing the MSI using the SYSTEM account Change By: Mihai Buzgau Sprint: PR - Triage 2019-06-25 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.310162.1558726819000.43573.1560328740324%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account
Title: Message Title Mihai Buzgau updated an issue Puppet / PUP-9719 Can't run puppet agent after installing the MSI using the SYSTEM account Change By: Mihai Buzgau Story Points: 3 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.310162.1558726819000.43571.1560328380198%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account
Title: Message Title Mihai Buzgau updated an issue Puppet / PUP-9719 Can't run puppet agent after installing the MSI using the SYSTEM account Change By: Mihai Buzgau Sprint: PR - Triage Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.310162.1558726819000.36683.1559815320378%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account
Title: Message Title Mihai Buzgau updated an issue Puppet / PUP-9719 Can't run puppet agent after installing the MSI using the SYSTEM account Change By: Mihai Buzgau Team: Puppet Romania Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.310162.1558726819000.36681.1559815320309%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account
Title: Message Title Mihai Buzgau updated an issue Puppet / PUP-9719 Can't run puppet agent after installing the MSI using the SYSTEM account Change By: Mihai Buzgau Team: Windows Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.310162.1558726819000.36679.1559815200464%40Atlassian.JIRA. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9719) Can't run puppet agent after installing the MSI using the SYSTEM account
Title: Message Title Garrett Guillotte created an issue Puppet / PUP-9719 Can't run puppet agent after installing the MSI using the SYSTEM account Issue Type: Bug Affects Versions: PUP 6.4.2 Assignee: Unassigned Created: 2019/05/24 12:40 PM Priority: Major Reporter: Garrett Guillotte Puppet Version: 6.4.2 Puppet Server Version: N/A OS Name/Version: Windows Server 2016 x64 When installing Puppet Agent (6.4.2/PE 2019.1.0) on Server 2016 using a Powershell script running as the SYSTEM account, Administrator users can't run Puppet. Daemon/service runs are performed as expected. Direct Puppet runs appear to occur but no report is sent to the master. PUP-8939 had reportedly solved this issue. Desired Behavior: 1. Download the Agent 6.4.2 x64 MSI to a temp path (in this example, C:\temp\puppet\puppet-agent-x64.msi). 2. Install Puppet Agent on a Server 2016 node as the SYSTEM user by running start-process -filepath "msiexec.exe" -arg "/qn /norestart /l*v C:\windows\temp\puppetinstall.log /i c:\temp\puppet\puppet-agent-x64.msi PUPPET_AGENT_STARTUP_MODE=Manual" -Wait 3. Populate csr_attributes.yml and server in the agent config as necessary. 4. As an Administrator, run puppet agent --test on the newly installed agent. Actual Behavior: Catalog retrieval fails; log has been redacted: 2019-05-21 17:20:36 -0400 Puppet (debug): HTTP POST https://compiler.example.net:8140/puppet/v3/catalog/examplenode.example.net returned 200 OK 2019-05-21 17:20:36
