Skip to content

(PUP-10967) Debug logs clean up when resolving account SID on Windows #8652

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 23, 2021
Merged

(PUP-10967) Debug logs clean up when resolving account SID on Windows #8652

merged 1 commit into from
Jun 23, 2021

Conversation

luchihoratiu
Copy link
Contributor

@luchihoratiu luchihoratiu commented Jun 22, 2021
edited
Loading

This commit simply restricts the Could not retrieve raw SID bytes from debug log to when an actual SID is passed to ConvertStringSidToSidW. The order in which the Puppet::Util::Windows::SID.name_to_principal method checks and tries to convert the input (be it an account name, domain qualified account name or SID) to a Puppet::Util::Windows::SID::Principal object made it print error messages to debug when it was actually succeeding in the end. Since every Puppet Agent run needs information about at least the currently logged on user, this was creating unnecessary noise in the debug logs.

Before fix:

bundle exec puppet resource user 'Luchi' --debug
...
Debug: Facter: fact "operatingsystem" has resolved to: windows
...
Debug: Could not retrieve raw SID bytes from 'Luchi': Failed to convert string SID: Luchi:  The security ID structure is invalid.
Debug: Could not retrieve raw SID bytes from 'SYSTEM': Failed to convert string SID: SYSTEM:  The security ID structure is invalid.
Debug: Could not retrieve raw SID bytes from 'Luchi': Failed to convert string SID: Luchi:  The security ID structure is invalid.
Debug: Could not retrieve raw SID bytes from 'Luchi': Failed to convert string SID: Luchi:  The security ID structure is invalid.
user { 'Luchi':
  ensure   => 'present',
  provider => 'windows_adsi',
  uid      => 'S-1-5-21-654025930-916225823-201077790-1003',
}bundle exec irb
irb(main):001:0> require 'puppet'
=> true

irb(main):002:0> Puppet[:log_level] = 'debug'
=> "debug"

irb(main):003:0> Puppet::Util::Log.newdestination(:console)
=> #<Puppet::Util::Log::DestConsole:0x000001b2c3fd2a88>

irb(main):004:0> Puppet::Util::Windows::SID.name_to_principal('S-1-5-21-654025930-916225823-201077790-1003')
=> #<Puppet::Util::Windows::SID::Principal:0x000001b2c57cbd88 @account="Luchi", @sid_bytes=[1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 202, 164, 251, 38, 31, 127, 156, 54, 30, 52, 252, 11, 235, 3, 0, 0], @sid="S-1-5-21-654025930-916225823-201077790-1003", @domain="STURDY-ACIDITY", @account_type=:SidTypeUser, @domain_account="STURDY-ACIDITY\\Luchi">

irb(main):005:0> Puppet::Util::Windows::SID.name_to_principal('Luchi')
Debug: Could not retrieve raw SID bytes from 'Luchi': Failed to convert string SID: Luchi:  The security ID structure is invalid.
=> #<Puppet::Util::Windows::SID::Principal:0x000001e85ae98b50 @account="Luchi", @sid_bytes=[1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 202, 164, 251, 38, 31, 127, 156, 54, 30, 52, 252, 11, 235, 3, 0, 0], @sid="S-1-5-21-654025930-916225823-201077790-1003", @domain="STURDY-ACIDITY", @account_type=:SidTypeUser, @domain_account="STURDY-ACIDITY\\Luchi">

irb(main):006:0> Puppet::Util::Windows::SID.name_to_principal('S-1-5-21-INVALID-SID')
Debug: Could not retrieve raw SID bytes from 'S-1-5-21-INVALID-SID': Failed to convert string SID: S-1-5-21-INVALID-SID:  The security ID structure is invalid.
Debug: Failed to call LookupAccountNameW with account: S-1-5-21-INVALID-SID:  No mapping between account names and security IDs was done.
=> nil

With fix:

bundle exec puppet resource user 'Luchi' --debug
...
Debug: Facter: fact "operatingsystem" has resolved to: windows
user { 'Luchi':
  ensure   => 'present',
  provider => 'windows_adsi',
  uid      => 'S-1-5-21-654025930-916225823-201077790-1003',
}bundle exec irb
irb(main):001:0> require 'puppet'
=> true

irb(main):002:0> Puppet[:log_level] = 'debug'
=> "debug"

irb(main):003:0> Puppet::Util::Log.newdestination(:console)
=> #<Puppet::Util::Log::DestConsole:0x000001a753baaaa8>

irb(main):004:0> Puppet::Util::Windows::SID.name_to_principal('S-1-5-21-654025930-916225823-201077790-1003')
=> #<Puppet::Util::Windows::SID::Principal:0x000001a753642f70 @account="Luchi", @sid_bytes=[1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 202, 164, 251, 38, 31, 127, 156, 54, 30, 52, 252, 11, 235, 3, 0, 0], @sid="S-1-5-21-654025930-916225823-201077790-1003", @domain="STURDY-ACIDITY", @account_type=:SidTypeUser, @domain_account="STURDY-ACIDITY\\Luchi">

irb(main):005:0> Puppet::Util::Windows::SID.name_to_principal('Luchi')
=> #<Puppet::Util::Windows::SID::Principal:0x000001a7527f33c0 @account="Luchi", @sid_bytes=[1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 202, 164, 251, 38, 31, 127, 156, 54, 30, 52, 252, 11, 235, 3, 0, 0], @sid="S-1-5-21-654025930-916225823-201077790-1003", @domain="STURDY-ACIDITY", @account_type=:SidTypeUser, @domain_account="STURDY-ACIDITY\\Luchi">

irb(main):006:0> Puppet::Util::Windows::SID.name_to_principal('S-1-5-21-INVALID-SID')
Debug: Failed to call LookupAccountNameW with account: S-1-5-21-INVALID-SID:  No mapping between account names and security IDs was done.
=> nil

Useful info:
https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--1300-1699-
https://docs.microsoft.com/en-us/windows/win32/api/sddl/nf-sddl-convertstringsidtosidw#return-value

@luchihoratiu luchihoratiu requested review from a team June 22, 2021 15:38
@luchihoratiu luchihoratiu force-pushed the PUP-10967 branch 2 times, most recently from 4f685f0 to 38846bb Compare June 22, 2021 16:05
joshcooper
joshcooper reviewed Jun 22, 2021
View reviewed changes
joshcooper
joshcooper reviewed Jun 22, 2021
View reviewed changes
@luchihoratiu luchihoratiu force-pushed the PUP-10967 branch 2 times, most recently from d2aae5f to 0eda5e0 Compare June 23, 2021 07:01
GabrielNagy
GabrielNagy reviewed Jun 23, 2021
View reviewed changes
GabrielNagy
GabrielNagy reviewed Jun 23, 2021
View reviewed changes
@luchihoratiu
(PUP-10967) Debug logs clean up when resolving account SID on Windows
658b3f0 
This commit restricts the `Could not retrieve raw SID bytes from` debug
log to when an actual SID is passed to `ConvertStringSidToSidW`. The
order in which the `Puppet::Util::Windows::SID.name_to_principal` method
checks and tries to convert the input (be it an account name, domain
qualified account name or SID) to a
`Puppet::Util::Windows::SID::Principal` object made it print error
messages to debug when it was actually succeeding in the end. Since
every Puppet Agent run needs information about at least the currently
logged on user, this was creating unnecessary noise in the debug logs.
@joshcooper joshcooper merged commit 31515a6 into puppetlabs:6.x Jun 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshcooper joshcooper joshcooper approved these changes

@GabrielNagy GabrielNagy GabrielNagy approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@luchihoratiu @joshcooper @GabrielNagy