dsccommunity / ComputerManagementDsc

DSC resources for configuration of a Windows computer. These DSC resources allow you to perform computer management tasks, such as renaming the computer, joining a domain and scheduling tasks as well as configuring items such as virtual memory, event logs, time zones and power settings.
https://dsccommunity.org
MIT License

SmbShare: Test-TargetResource returns $false when permission entries are not returned in the same order #423

Closed Borgquite closed 7 months ago

Borgquite commented 7 months ago

Problem description

I recently created some SmbShare resources with multiple entries in the access permissions entries in the ChangeAccess parameter.

These changes applied successfully, but subsequent tests of the resource returned as 'noncompliant' even though the permissions were applied correctly.

It looks like SmbShare is really picky about what order Get-SmbShareAccess returns permissions in, and running Set-TargetResource doesn't result in them being applied in the provided order either. I am not aware that permission order on file shares matters - Test-TargetResource can return 'true' for a resource even if the permission entries are returned in a different order to how they were defined in the FullAccess/ChangeAccess/ReadAccess/NoAccess parameters in DSC.

Verbose logs

VERBOSE: [HOSTNAME]: LCM:  [ Start  Resource ]  [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME]
VERBOSE: [HOSTNAME]: LCM:  [ Start  Test     ]  [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME]
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Determining if the SMB share 'ShareName' is in the desired state.
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Getting the current state of the SMB share 'ShareName'.
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] The SMB share with the name 'ShareName' exist. Evaluating the properties of the SMB share.
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Comparing values in property 'ChangeAccess'. (DRC0028)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value [0] (type 'System.String') for property 'ChangeAccess' does match. Current state is 'DOMAINNAME\Domain Controllers' and desired state is 'DOMAINNAME\Domain Controllers'. (DRC0025)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] NOTMATCH: Value [1] (type 'System.String') for property 'ChangeAccess' does match. Current state is 'DOMAINNAME\Domain Computers' and desired state is 'DOMAINNAME\Read-only Domain Controllers'. (DRC0024)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] NOTMATCH: Value [2] (type 'System.String') for property 'ChangeAccess' does match. Current state is 'DOMAINNAME\Read-only Domain Controllers' and desired state is 'DOMAINNAME\Domain Computers'. (DRC0024)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Comparing values in property 'ReadAccess'. (DRC0028)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value (type 'System.String[]') for property 'ReadAccess' does match. Current state is 'empty array' and desired state is 'empty array'. (DRC0020)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Comparing values in property 'NoAccess'. (DRC0028)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value (type 'System.String[]') for property 'NoAccess' does match. Current state is 'empty array' and desired state is 'empty array'. (DRC0020)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value (type 'System.String') for property 'Name' does match. Current state is 'ShareName' and desired state is 'ShareName'. (DRC0020)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Comparing values in property 'FullAccess'. (DRC0028)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value [0] (type 'System.String') for property 'FullAccess' does match. Current state is 'DOMAINNAME\Domain Admins' and desired state is 'DOMAINNAME\Domain Admins'. (DRC0025)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value (type 'System.String') for property 'Path' does match. Current state is 'C:\DFSTargets\ShareName' and desired state is 'C:\DFSTargets\ShareName'. (DRC0020)
VERBOSE: [HOSTNAME]: LCM:  [ End    Test     ]  [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] False in 0.2500 seconds.
VERBOSE: [HOSTNAME]: LCM:  [ End    Resource ]  [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME]

DSC configuration

SmbShare "HOSTNAME.contoso.com\ShareName"
{
     Name = "ShareName"
     Path = "C:\DFSTargets\ShareName"
     FullAccess = @("DOMAINNAME\Domain Admins")
     ChangeAccess = @("DOMAINNAME\Domain Controllers", "DOMAINNAME\Read-only Domain Controllers", "DOMAINNAME\Domain Computers")
     ReadAccess = @()
     NoAccess = @()
}

Suggested solution

Fix Test-TargetResource to make the checks for FullAccess, ChangeAccess, ReadAccess and NoAccess ignore the order of the information returned by Get-TargetResource.

Operating system the target node is running

OsName               : Microsoft Windows Server 2022 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PowerShell version and build the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.20348.2227
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.2227
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

ComputerManagementDsc version

Name                  Version Path
----                  ------- ----
ComputerManagementDsc 9.0.0   C:\Program Files\WindowsPowerShell\Modules\ComputerManagementDsc\9.0.0\ComputerManagementDsc.psd1

Borgquite commented 7 months ago

Duplicate of #247 (sorry only just seen)?

johlju commented 7 months ago

Thanks to @Borgquite for fixing this. Please test and verify that it works by using the preview that will be released shortly.
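
An order-insensitive comparison of the kind the issue asks for, as an added example that is not the code from the ComputerManagementDsc fix: the access lists are compared as case-insensitive sets, and the result also reports which principals are missing or unexpected, which is what matters when reviewing share-permission drift. `Compare-AccessList` is a hypothetical helper, the two lists in the first call are taken from the DSC configuration and verbose log above, and the drift case is constructed.

```powershell
# Added example: Compare-AccessList is a hypothetical helper, not a ComputerManagementDsc function.
# Assumption: both lists hold account names in the same 'DOMAIN\Name' form (no SID resolution).
function Compare-AccessList
{
    [CmdletBinding()]
    param
    (
        [Parameter()] [AllowNull()] [AllowEmptyCollection()] [System.String[]] $Current,
        [Parameter()] [AllowNull()] [AllowEmptyCollection()] [System.String[]] $Desired
    )

    # Windows account names are case-insensitive, so the sets are too.
    $comparer = [System.StringComparer]::OrdinalIgnoreCase
    $currentSet = [System.Collections.Generic.HashSet[System.String]]::new($comparer)
    $desiredSet = [System.Collections.Generic.HashSet[System.String]]::new($comparer)

    # Null or empty entries are skipped, so $null and @() both count as an empty list.
    foreach ($name in @($Current)) { if ($name) { [void] $currentSet.Add($name) } }
    foreach ($name in @($Desired)) { if ($name) { [void] $desiredSet.Add($name) } }

    [PSCustomObject] @{
        InDesiredState = $currentSet.SetEquals($desiredSet)
        # Principals the configuration asks for that the share does not grant.
        Missing        = @($desiredSet | Where-Object { -not $currentSet.Contains($_) })
        # Principals on the share that the configuration does not list.
        Unexpected     = @($currentSet | Where-Object { -not $desiredSet.Contains($_) })
    }
}

# ChangeAccess as declared in the DSC configuration from the issue.
$desired = @('DOMAINNAME\Domain Controllers', 'DOMAINNAME\Read-only Domain Controllers', 'DOMAINNAME\Domain Computers')
# Order reported as the current state in the verbose log from the issue.
$current = @('DOMAINNAME\Domain Controllers', 'DOMAINNAME\Domain Computers', 'DOMAINNAME\Read-only Domain Controllers')
Compare-AccessList -Current $current -Desired $desired

# Constructed drift case: one declared principal absent, one undeclared principal present.
$drifted = @('DOMAINNAME\Domain Controllers', 'DOMAINNAME\Domain Computers', 'DOMAINNAME\Domain Users')
Compare-AccessList -Current $drifted -Desired $desired
```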