chef / chef

Chef Infra, a powerful automation platform that transforms infrastructure into code automating how infrastructure is configured, deployed and managed across any environment, at any scale
http://www.chef.io/chef/
Apache License 2.0

windows_user_privilege unable to manage privilege when there is an unresolved SID #12212

Open collinmcneese opened 2 years ago

collinmcneese commented 2 years ago

Description

When attempting to use the windows_user_privilege, :set and :clear actions will fail with an exception if there is one or more unresolvable SID entries in the privilege which is being modified.

Cause / Background

When operating in a multi-user environment, accounts which have been added to privileges are often removed as part of normal operations. When this happens, accounts which were assigned to a privilege remain attached to the privilege as an unresolvable SID entry.

The windows_user_privilege resource attempts to enumerate/translate the SID entry of every object as part of the remove action which is called during :set and :clear and when this is attempted against a SID which cannot be resolved the following exception is raised:

================================================================================
Error executing action `set` on resource 'windows_user_privilege[SeNetworkLogonRight]'
================================================================================

Chef::Exceptions::Win32APIError
-------------------------------
No mapping between account names and security IDs was done.
---- Begin Win32 API output ----
System Error Code: 1332
System Error Message: No mapping between account names and security IDs was done.
---- End Win32 API output ----

Chef Version

16, 17

Platform Version

Windows Server 2012R2+

Replication Case

Replicating this case is fairly easy to do -- the following resources run in sequence in a recipe will replicate in an instance how this problem appears from other sources or causes in the wild:

# Add a user to the system
user 'testuser'

# Update a privilege to include the new user account
windows_user_privilege 'SeNetworkLogonRight' do
  privilege 'SeNetworkLogonRight'
  users ['BUILTIN\\Administrators', 'NT AUTHORITY\\Authenticated Users', 'testuser']
  action :set
end

# Remove the added test user
user 'testuser' do
  action :remove
end

# Attempt to manage the same privilege and an exception will be raised when the resource attempts to remove `testuser` from the listing
windows_user_privilege 'SeNetworkLogonRight' do
  privilege 'SeNetworkLogonRight'
  users ['BUILTIN\\Administrators', 'NT AUTHORITY\\Authenticated Users']
  action :set
end

If you examine the current listing of members on the system after the above has been run, an unresolved SID will be present with the SeNetworkLogonRight privilege:

 Privilege                                 PrivilegeName                                                      Principal                                      
---------                                 -------------                                                      ---------                                      
SeNetworkLogonRight                       Access this computer from the network                              NT AUTHORITY\Authenticated Users               
SeNetworkLogonRight                       Access this computer from the network                              *S-1-5-21-2312810669-3765546686-1080071345-1000
SeNetworkLogonRight                       Access this computer from the network                              BUILTIN\Administrators 

It is impossible to use the windows_user_privilege now for this resource until the unresolved SID has been removed from the privilege by some other means

Client Output

Chef Infra Client, version 17.6.18
Patents: https://www.chef.io/patents
Infra Phase starting
Creating a new client identity for default-windows using the validator key.
Using Policyfile 'kitchen_ec2' at revision '1f699315e735c7cf45a8b4c8a8f8b7b8c362da6eeb07d7e643a7b730fccd2135'
Resolving cookbooks for run list: ["kitchen_ec2::default@0.1.0 (74e5b49)"]
Synchronizing cookbooks:
  - kitchen_ec2 (0.1.0)
  - logrotate (3.0.4)
Installing cookbook gem dependencies:
Compiling cookbooks...
Loading Chef InSpec profile files:
Loading Chef InSpec input files:
Loading Chef InSpec waiver files:
Converging 5 resources
Recipe: kitchen_ec2::default
  * windows_user[testuser] action create
    - create user testuser
  * windows_user_privilege[SeNetworkLogonRight] action set
    - removing user 'BUILTIN\Backup Operators' from privilege SeNetworkLogonRight
    - removing user 'BUILTIN\Users' from privilege SeNetworkLogonRight
    - removing user 'Everyone' from privilege SeNetworkLogonRight
    - adding user 'NT AUTHORITY\Authenticated Users' to privilege SeNetworkLogonRight
    - adding user 'EC2AMAZ-JLP2H7V\testuser' to privilege SeNetworkLogonRight
  * windows_user[testuser] action remove
    - remove user testuser
  * windows_user_privilege[SeNetworkLogonRight] action set

    ================================================================================
    Error executing action `set` on resource 'windows_user_privilege[SeNetworkLogonRight]'
    ================================================================================

    Chef::Exceptions::Win32APIError
    -------------------------------
    No mapping between account names and security IDs was done.
    ---- Begin Win32 API output ----
    System Error Code: 1332
    System Error Message: No mapping between account names and security IDs was done.
    ---- End Win32 API output ----

    Resource Declaration:
    ---------------------
    # In C:/Users/ADMINI~1/AppData/Local/Temp/kitchen/cache/cookbooks/kitchen_ec2/recipes/default.rb

    21: windows_user_privilege 'SeNetworkLogonRight' do
    22:   privilege 'SeNetworkLogonRight'
    23:   users ['BUILTIN\\Administrators', 'NT AUTHORITY\\Authenticated Users']
    24:   action :set
    25: end
    26: 

    Compiled Resource:
    ------------------
    # Declared in C:/Users/ADMINI~1/AppData/Local/Temp/kitchen/cache/cookbooks/kitchen_ec2/recipes/default.rb:21:in `from_file'

    windows_user_privilege("SeNetworkLogonRight") do
      action [:set]
      default_guard_interpreter :default
      declared_type :windows_user_privilege
      cookbook_name "kitchen_ec2"
      recipe_name "default"
      privilege ["SeNetworkLogonRight"]
      users ["BUILTIN\\Administrators", "NT AUTHORITY\\Authenticated Users"]
      principal "SeNetworkLogonRight"
    end

    System Info:
    ------------
    chef_version=17.6.18
    platform=windows
    platform_version=10.0.20348
    ruby=ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x64-mingw32]
    program_name=C:/opscode/chef/bin/chef-client
    executable=C:/opscode/chef/bin/chef-client

Running handlers:
[2021-10-26T13:17:03+00:00] ERROR: Running exception handlers
Running handlers complete
[2021-10-26T13:17:03+00:00] ERROR: Exception handlers complete
Infra Phase failed. 3 resources updated in 45 seconds
[2021-10-26T13:17:03+00:00] FATAL: Stacktrace dumped to C:/Users/ADMINI~1/AppData/Local/Temp/kitchen/cache/chef-stacktrace.out
[2021-10-26T13:17:03+00:00] FATAL: ---------------------------------------------------------------------------------------
[2021-10-26T13:17:03+00:00] FATAL: PLEASE PROVIDE THE CONTENTS OF THE stacktrace.out FILE (above) IF YOU FILE A BUG REPORT
[2021-10-26T13:17:03+00:00] FATAL: ---------------------------------------------------------------------------------------
[2021-10-26T13:17:03+00:00] FATAL: Chef::Exceptions::Win32APIError: windows_user_privilege[SeNetworkLogonRight] (kitchen_ec2::default line 21) had an error: Chef::Exceptions::Win32APIError: No mapping between account names and security IDs was done.
---- Begin Win32 API output ----
System Error Code: 1332
System Error Message: No mapping between account names and security IDs was done.
---- End Win32 API output ----

Stacktrace

Generated at 2021-10-26 13:17:03 +0000
Chef::Exceptions::Win32APIError: windows_user_privilege[SeNetworkLogonRight] (kitchen_ec2::default line 21) had an error: Chef::Exceptions::Win32APIError: No mapping between account names and security IDs was done.
---- Begin Win32 API output ----
System Error Code: 1332
System Error Message: No mapping between account names and security IDs was done.
---- End Win32 API output ----

C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/win32/error.rb:81:in `raise!'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/win32/security.rb:469:in `lookup_account_sid'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/win32/security.rb:238:in `block (2 levels) in get_account_with_user_rights'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/win32/security.rb:236:in `times'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/win32/security.rb:236:in `block in get_account_with_user_rights'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/win32/security.rb:668:in `with_lsa_policy'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/win32/security.rb:228:in `get_account_with_user_rights'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/resource/windows_user_privilege.rb:172:in `block (2 levels) in <class:WindowsUserPrivilege>'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/resource/windows_user_privilege.rb:171:in `each'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/resource/windows_user_privilege.rb:171:in `block in <class:WindowsUserPrivilege>'
(eval):2:in `block in action_set'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/provider.rb:301:in `instance_eval'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/provider.rb:301:in `compile_and_converge_action'
(eval):2:in `action_set'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/provider.rb:242:in `run_action'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/resource.rb:600:in `block in run_action'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/resource.rb:627:in `with_umask'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/resource.rb:599:in `run_action'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/runner.rb:74:in `run_action'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/runner.rb:108:in `block in run_all_actions'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/runner.rb:108:in `each'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/runner.rb:108:in `run_all_actions'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/runner.rb:132:in `block in converge'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/resource_collection/resource_list.rb:96:in `block in execute_each_resource'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:114:in `call_iterator_block'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:103:in `iterate'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/resource_collection/stepable_iterator.rb:54:in `each_with_index'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/resource_collection/resource_list.rb:94:in `execute_each_resource'
C:/opscode/chef/embedded/lib/ruby/3.0.0/forwardable.rb:238:in `execute_each_resource'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/runner.rb:130:in `converge'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/client.rb:686:in `block in converge'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/client.rb:681:in `catch'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/client.rb:681:in `converge'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/client.rb:705:in `converge_and_save'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/client.rb:285:in `run'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/application.rb:305:in `run_with_graceful_exit_option'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/application.rb:281:in `block in run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/local_mode.rb:42:in `with_server_connectivity'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/application.rb:264:in `run_chef_client'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/application/base.rb:352:in `run_application'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18-universal-mingw32/lib/chef/application.rb:67:in `run'
C:/opscode/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-bin-17.6.18/bin/chef-client:25:in `<top (required)>'
C:/opscode/chef/bin/chef-client:170:in `load'
C:/opscode/chef/bin/chef-client:170:in `<main>'
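The trace above shows where the failure originates: every current holder of the right is passed through an account lookup before the :set diff is even computed, so one orphaned SID aborts the whole action. The following is an added example, not Chef's own resource code, showing the difference between that name-first approach and a SID-based reconciliation that keeps an unresolvable entry in the `*S-1-...` form seen in the privilege listing above so it can still be removed by SID. The `SAMPLE_DIRECTORY` hash and `UnresolvableSid` class are constructed stand-ins for the LookupAccountSid / LookupAccountName Win32 calls and for `Chef::Exceptions::Win32APIError` (system error code 1332); the orphaned SID value is the one from the listing in this issue.

```ruby
# Added example (not Chef's code): reconciling a user right without failing on
# orphaned SIDs. On a real host the lookups below are Win32 API calls; here they
# are backed by a constructed in-memory table so the logic runs offline.

# Stand-in for Chef::Exceptions::Win32APIError raised with system error 1332.
class UnresolvableSid < StandardError
  def initialize(sid)
    super("No mapping between account names and security IDs was done (SID #{sid})")
  end
end

# Constructed SID -> account name table. The orphaned SID from the issue's
# listing is deliberately absent, as it would be after the account is deleted.
SAMPLE_DIRECTORY = {
  'S-1-5-32-544' => 'BUILTIN\\Administrators',
  'S-1-5-11'     => 'NT AUTHORITY\\Authenticated Users',
}.freeze

ORPHANED_SID = 'S-1-5-21-2312810669-3765546686-1080071345-1000'

# Current holders of the right as the LSA enumerates them: raw SIDs, including
# the one that no longer maps to any account.
SAMPLE_CURRENT_SIDS = ['S-1-5-11', ORPHANED_SID, 'S-1-5-32-544'].freeze

# Stand-in for LookupAccountSid: raises exactly like the real call does for an orphan.
def lookup_account_sid(sid, directory = SAMPLE_DIRECTORY)
  directory.fetch(sid) { raise UnresolvableSid, sid }
end

# Stand-in for LookupAccountName: a desired user that does not resolve is a
# genuine recipe error, so this one is allowed to raise.
def lookup_account_name(name, directory = SAMPLE_DIRECTORY)
  directory.key(name) || raise(ArgumentError, "unknown account #{name}")
end

# The failing approach: translate every current holder to a name first.
# The first orphaned SID aborts the whole action, which is the bug reported above.
def naive_current_members(current_sids, directory = SAMPLE_DIRECTORY)
  current_sids.map { |sid| lookup_account_sid(sid, directory) }
end

# Tolerant approach: keep an unresolvable SID in the "*S-1-..." form that the
# privilege listing uses, so it can still be compared and removed by SID.
def resolve_or_keep(sid, directory = SAMPLE_DIRECTORY)
  lookup_account_sid(sid, directory)
rescue UnresolvableSid
  "*#{sid}"
end

# Compute the :set diff on SIDs rather than names. Returns the principals to
# remove (orphans kept as "*SID") and the accounts to add.
def plan_privilege_changes(desired_users, current_sids, directory = SAMPLE_DIRECTORY)
  desired_sids = desired_users.map { |u| lookup_account_name(u, directory) }
  {
    remove: (current_sids - desired_sids).map { |sid| resolve_or_keep(sid, directory) },
    add:    (desired_sids - current_sids).map { |sid| lookup_account_sid(sid, directory) },
  }
end

if __FILE__ == $PROGRAM_NAME
  desired = ['BUILTIN\\Administrators', 'NT AUTHORITY\\Authenticated Users']
  plan = plan_privilege_changes(desired, SAMPLE_CURRENT_SIDS)
  plan[:remove].each { |p| puts "removing user '#{p}' from privilege SeNetworkLogonRight" }
  plan[:add].each    { |p| puts "adding user '#{p}' to privilege SeNetworkLogonRight" }
end
```

Run against the sample data, `naive_current_members` raises on the orphaned SID just as the converge above did, while `plan_privilege_changes` reports a single removal of `*S-1-5-21-2312810669-3765546686-1080071345-1000` and nothing to add, which is the outcome the recipe in the replication case was asking for.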

tpowell-progress commented 4 months ago

Just had this issue called to my attention. I have a test setup and looking at what is actually responsible for trying to clear the privilege from the non-existent user.

tpowell-progress commented 1 week ago

This is being fixed by removing all user privileges prior to the user removal action. Target 18.6