saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0

[BUG] 3007.1 Windows Minion file.directory causes No mapping between account names and security IDs was done when off domain #66637

Open darkpixel opened 2 weeks ago

darkpixel commented 2 weeks ago

Description

I think this is related to an old bug--either the file.directory code wasn't updated as file.managed or reg.present was in bug #51868, or maybe something got missed in merging.

To reproduce: Join a Windows machine (i.e. a laptop) to a domain. Move the machine off the network (i.e. work from home for a day) or make it so it can no longer talk to the domain controller. Apply a state using file.directory:

my_folder:
  file.directory:
    - name: 'c:\my_folder'

Get a traceback:

          ID: my_folder
    Function: file.directory
        Name: c:\my_folder
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\utils\win_dacl.py", line 1238, in get_name
                  name = win32security.LookupAccountSid(None, sid_obj)[0]
              pywintypes.error: (1332, 'LookupAccountSid', 'No mapping between account names and security IDs was done.')

              During handling of the above exception, another exception occurred:

              Traceback (most recent call last):
                File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\state.py", line 2428, in call
                  ret = self.states[cdata["full"]](
                File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\loader\lazy.py", line 160, in __call__
                  ret = self.loader.run(run_func, *args, **kwargs)
                File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\loader\lazy.py", line 1269, in run
                  return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
                File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\loader\lazy.py", line 1284, in _run_as
                  return _func_or_method(*args, **kwargs)
                File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\loader\lazy.py", line 1317, in wrapper
                  return f(*args, **kwargs)
                File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\states\file.py", line 4112, in directory
                  tresult, tcomment, tchanges = _check_directory_win(
                File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\states\file.py", line 849, in _check_directory_win
                  changes = salt.utils.win_dacl.check_perms(
                File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\utils\win_dacl.py", line 2432, in check_perms
                  current_owner = get_owner(obj_name=obj_name, obj_type=obj_type)
                File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\utils\win_dacl.py", line 1348, in get_owner
                  return get_name(owner_sid)
                File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\utils\win_dacl.py", line 1263, in get_name
                  raise CommandExecutionError(message, exc)
. Additional info follows:ons.CommandExecutionError: Error resolving "PySID:S-1-5-21-2137417848-1058129246-2041171366-1002": No mapping between account names and security IDs was done.
     Started: 13:17:25.880015
    Duration: 1.793 ms
     Changes:   

Windows Minion is 3007.1, and I believe this was probably occurring with older versions, I just wasn't calling file.directory on Windows in older versions.

darkpixel commented 2 weeks ago

It looks like it's hitting the issue when trying to calculate changes to the file object here: https://github.com/saltstack/salt/blob/master/salt/states/file.py#L849

darkpixel commented 2 weeks ago

I'm wondering if https://github.com/saltstack/salt/blob/master/salt/states/file.py#L846 is an inverted if.

The only places _check_directory_win are called from (in the file.py state) are file.directory, file.append, and file.prepend.

I guess I'll have to check if file.append and file.prepend are returning correctly or if they are spitting out changes:

{name: {"directory": "new"}}

darkpixel commented 2 weeks ago

I see what's going on. It's not inverted. If the directory doesn't exist, it just lets you know it's a new directory. If it already exists, it calculates the changes between the existing directory and the state and that's where it fails to find ownership information because the domain is unavailable.

Probably need to wrap it in a try/except for cases when the domain is unavailable.
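
A sketch of the try/except suggested in the last comment, added here as an illustration; it is not code from the thread or from Salt. `FakeWinError`, `fake_lookup`, `owner_name_or_sid` and `check_owner` are hypothetical names, and the lookup is a constructed stand-in for the `win32security.LookupAccountSid` call in the traceback so the example runs without a Windows host. Only error 1332 is tolerated, so other lookup failures still surface.

```python
ERROR_NONE_MAPPED = 1332  # Windows error code shown in the traceback
DOMAIN_SID = "S-1-5-21-2137417848-1058129246-2041171366-1002"  # SID from the traceback


class FakeWinError(Exception):
    """Constructed stand-in for pywintypes.error (which also exposes .winerror)."""

    def __init__(self, winerror, funcname, strerror):
        super().__init__(winerror, funcname, strerror)
        self.winerror = winerror


def fake_lookup(sid):
    """Constructed stand-in for win32security.LookupAccountSid(None, sid)[0]
    on a domain-joined machine that cannot reach its domain controller."""
    local = {"S-1-5-32-544": "Administrators", "S-1-5-18": "SYSTEM"}
    if sid in local:
        return local[sid]
    if sid.startswith("S-1-5-21-"):
        raise FakeWinError(ERROR_NONE_MAPPED, "LookupAccountSid",
                           "No mapping between account names and security IDs was done.")
    # Constructed failure for any other input, to show non-1332 errors propagate.
    raise FakeWinError(5, "LookupAccountSid", "Access is denied.")


def owner_name_or_sid(sid, lookup=fake_lookup):
    """Resolve sid to a name; fall back to the SID string only for error 1332."""
    try:
        return lookup(sid)
    except Exception as exc:
        if getattr(exc, "winerror", None) == ERROR_NONE_MAPPED:
            return sid  # unresolvable right now, but still a stable identifier
        raise  # any other failure stays visible to the caller


def check_owner(current_sid, desired_owner=None, lookup=fake_lookup):
    """Hypothetical owner diff that survives an offline domain controller."""
    current = owner_name_or_sid(current_sid, lookup)
    changes = {}
    if desired_owner is not None and current.lower() != desired_owner.lower():
        changes["owner"] = desired_owner
    return {"current_owner": current,
            "resolved": current != current_sid,
            "changes": changes}
```

On a real minion the `lookup` argument would be a callable wrapping the `LookupAccountSid` call; the `resolved` flag lets a state report that ownership was read by SID only.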