Kevin D
2013-Apr-29 17:46 UTC
[Puppet Users] Puppet Windows - Mapped Network Drive and Service Account
On Windows 2008 R2 SP1, after joining to the domain, there is an issue with
a mapped network drive when Puppet agent runs by the "LOCAL SYSTEM"
service
account.
Using dependency chaining, a near the beginning module is
"map-networkdrivez". The module execs a batch file that if Z:\ does
not
exist (not already mapped), maps Z:\ to a Windows 2008 R2 SP1 file server
with a hidden share "data$". The file server is configured for
anonymous to
allow share access (with the appropriate NTFS and Share permissions).
By default, when the puppet agent runs as the service, the associated
service account is "local system". On first run, the batch file
appropriately maps the drive and the modules have access to the resources
of the mapped network drive.
Once a module executes that joins the computer to the domain and restarts
the computer, subsequent puppet runs fail because of a failed resource
dependency on Z:\:
Could not evaluate. Could not retrieve information from environment
production source(s) file:/z:/Install-Exe.ps1
I setup a SysInternal''s Process Monitor trace during a puppet run:
Path =
"\\;LanmanRedirector\;Z:00000000000003e7\10.202.1.27\Data$\"
Result = "ACCESS DENIED".
I verified the same result using psexec to open a cmd prompt under the
"LOCAL SYSTEM" account by opening a CMD with administrative
privileges,
running "psexec -hsi cmd" and navigating to "z:"
Access is denied.
If using the local administrator account I open a cmd prompt run
"C:\Program Files(x86)\Puppet Labs\Puppet\bin\puppet agent -t" all the
modules will execute successfully.
If I change the Puppet service account from "LOCAL SYSTEM" to
"testwindows004\Administrator" all the modules will execute
successfully.
Has anyone else seen this behavior? Any thoughts on how to overcome this
issue?
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
Kevin D
2013-May-06 20:27 UTC
[Puppet Users] Re: Puppet Windows - Mapped Network Drive and Service Account
I found a resolution! Modify the NTFS and Share permissions: - "myDomain\Domain Computers" = read/execute After the domain join, the computer''s "local system" account has access to the mapped drive. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.