Kevin D
2013-Apr-29 17:46 UTC
[Puppet Users] Puppet Windows - Mapped Network Drive and Service Account
On Windows 2008 R2 SP1, after joining to the domain, there is an issue with a mapped network drive when the Puppet agent runs under the "LOCAL SYSTEM" service account.

Using dependency chaining, a module near the beginning is "map-networkdrivez". The module execs a batch file that, if Z:\ does not exist (not already mapped), maps Z:\ to a Windows 2008 R2 SP1 file server with a hidden share "data$". The file server is configured to allow anonymous share access (with the appropriate NTFS and Share permissions).

By default, when the puppet agent runs as the service, the associated service account is "local system". On first run, the batch file appropriately maps the drive and the modules have access to the resources of the mapped network drive.

Once a module executes that joins the computer to the domain and restarts the computer, subsequent puppet runs fail because of a failed resource dependency on Z:\:

    Could not evaluate. Could not retrieve information from environment production source(s) file:/z:/Install-Exe.ps1

I set up a Sysinternals Process Monitor trace during a puppet run:

    Path = "\\;LanmanRedirector\;Z:00000000000003e7\10.202.1.27\Data$\"
    Result = "ACCESS DENIED"

I verified the same result using psexec to open a cmd prompt under the "LOCAL SYSTEM" account by opening a CMD with administrative privileges, running "psexec -hsi cmd" and navigating to "z:": Access is denied.

If, using the local administrator account, I open a cmd prompt and run "C:\Program Files (x86)\Puppet Labs\Puppet\bin\puppet agent -t", all the modules will execute successfully.

If I change the Puppet service account from "LOCAL SYSTEM" to "testwindows004\Administrator", all the modules will execute successfully.

Has anyone else seen this behavior? Any thoughts on how to overcome this issue?
Kevin D
2013-May-06 20:27 UTC
[Puppet Users] Re: Puppet Windows - Mapped Network Drive and Service Account
I found a resolution!

Modify the NTFS and Share permissions:
- "myDomain\Domain Computers" = read/execute

After the domain join, the computer's "local system" account has access to the mapped drive.