Modifying Windows Service Logon As


#1

Hello Chefs,

We are currently evaluating Chef as a management tool for our Windows
platform. We are playing around with some of the built in resources, and it
did not take long to realize that crucial features are missing.

One of the items that is important to us is manipulating Windows services,
specifically, the “Log On As” parameter. We need to be able to run Windows
services under various (local and AD-authenticated) accounts.

We would prefer to have an abstracted way of doing this (i.e. not defining
custom CMD/Powershell for each recipe that manipulates a service), for
example by having logonas_user/logonas_password attributes for the service
resource.

What documentation topics should we look at? Ideally, we’d like to somehow
extend the existing Service resource (provider?). Should we look at
developing a custom resource?

I am still somewhat intimidated by some of the terminology, so I’d appreciate
some pointers to the documentation or maybe examples of others doing
similar work.

Thanks for your tips,

  • Kamil

#2

I added a resource to the Windows cookbook to create/delete services. I’m
not sure about the “Log On As” parameter but this should get you started:

On Fri, Jan 3, 2014 at 11:46 AM, Kamil Markowicz <kamil@markowicz.net> wrote:

Hello Chefs,

We are currently evaluating Chef as a management tool for our Windows
platform. We are playing around with some of the built in resources, and it
did not take long to realize that crucial features are missing.

One of the items that is important to us is manipulating Windows services,
specifically, the “Log On As” parameter. We need to be able to run Windows
services under various (local and AD-authenticated) accounts.

We would prefer to have an abstracted way of doing this (i.e. not defining
custom CMD/Powershell for each recipe that manipulates a service), for
example by having logonas_user/logonas_password attributes for the service
resource.

What documentation topics should we look at? Ideally, we’d like to somehow
extend the existing Service resource (provider?). Should we look at
developing a custom resource?

I am still somewhat intimidated by some of the terminology, so I’d appreciate
some pointers to the documentation or maybe examples of others doing
similar work.

Thanks for your tips,

  • Kamil

#3

The logonas_user is relatively easy to account for via the registry
provider
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\<service_name>\ObjectName).
The logonas_password is a whole other story and is something we have yet to
figure out a solution to on our end as well.

The challenge we’ve hit is it’s easy to “create” the service with the proper
password, however managing that in the event of a password change is
problematic. It would be great if the provider you’ve started could make it
into the community cookbook with support for managing the password. I just
noticed that there is some password logic that I don’t fully understand at
https://github.com/opscode/chef/blob/master/lib/chef/util/windows/net_user.rb#L125.
I’m curious if that same logic could be used for the service account password?

On Mon, Jan 6, 2014 at 6:07 PM, James Kessler <
james.kessler@tradingtechnologies.com> wrote:

I added a resource to the Windows cookbook to create/delete services. I’m
not sure about the “Log On As” parameter but this should get you started:
https://github.com/jkess/windows/blob/service/providers/service.rb


#4

You could add a logon_user, logon_password to the resource and then in the provider add:

    # Options for ::Win32::Service.create (win32-service gem)
    service = {
      :service_name => @new_resource.name,
      :binary_path_name => @new_resource.binary_path_name,
      :display_name => @new_resource.display_name,
      :description => @new_resource.description,
      :start_type => start_type  # start_type is set elsewhere in the provider
    }

    # Only pass the logon account and password when the resource supplies them
    service[:service_start_name] = new_resource.logon_user if new_resource.logon_user
    service[:password] = new_resource.logon_password if new_resource.logon_password

    ::Win32::Service.create(service)

You’d probably want to add a config action, or in create compare the config so that people can modify attributes about the service, like logon user, after it’s already created.

Kevin

From: James Kessler <james.kessler@tradingtechnologies.com>
Reply-To: "chef@lists.opscode.com" <chef@lists.opscode.com>
Date: Monday, January 6, 2014 3:07 PM
To: "chef@lists.opscode.com" <chef@lists.opscode.com>
Subject: [chef] Re: Modifying Windows Service Logon As

I added a resource to the Windows cookbook to create/delete services. I’m not sure about the “Log On As” parameter but this should get you started:


#5

We just use chef-vault (I know shameless plug) to manage the password.

From: David Petzel <davidpetzel@gmail.com>
Reply-To: "chef@lists.opscode.com" <chef@lists.opscode.com>
Date: Monday, January 6, 2014 7:25 PM
To: "chef@lists.opscode.com" <chef@lists.opscode.com>
Subject: [chef] Re: Re: Modifying Windows Service Logon As

The logonas_user is relatively easy to account for via the registry provider (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\<service_name>\ObjectName). The logonas_password is a whole other story and is something we have yet to figure out a solution to on our end as well.

The challenge we’ve hit is it’s easy to “create” the service with the proper password, however managing that in the event of a password change is problematic. It would be great if the provider you’ve started could make it into the community cookbook with support for managing the password. I just noticed that there is some password logic that I don’t fully understand at https://github.com/opscode/chef/blob/master/lib/chef/util/windows/net_user.rb#L125. I’m curious if that same logic could be used for the service account password?

On Mon, Jan 6, 2014 at 6:07 PM, James Kessler <james.kessler@tradingtechnologies.com> wrote:
I added a resource to the Windows cookbook to create/delete services. I’m not sure about the “Log On As” parameter but this should get you started:
https://github.com/jkess/windows/blob/service/providers/service.rb
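
Added example, not part of the thread or the windows cookbook: one way to do the comparison suggested in #4 before reconfiguring an existing service, while allowing for the password problem raised in #3. The names logon_changes, password_rotated and loggable, and the sample host and account names, are assumptions; on Windows the returned hash would be passed to ::Win32::Service.configure from the win32-service gem.

```ruby
# Added example: decide whether an existing service's logon settings need
# reconfiguring. Pure Ruby; names below are hypothetical, not cookbook code.

# Built-in accounts that are configured without a password.
BUILTIN_ACCOUNTS = ['localsystem', 'nt authority\\localservice',
                    'nt authority\\networkservice'].freeze

# Make '.\svc', 'WEB01\svc' and 'web01\SVC' compare equal on host WEB01.
def normalize_account(name, hostname)
  n = name.to_s.strip.downcase
  return n unless n.include?('\\') # LocalSystem or user@domain form
  domain, user = n.split('\\', 2)
  domain = '.' if domain == hostname.downcase
  "#{domain}\\#{user}"
end

# current_start_name: service_start_name from ::Win32::Service.config_info.
# password_rotated: explicit signal that the secret changed; the stored
# service password cannot be read back, so it can never be diffed.
# Returns the options for ::Win32::Service.configure, or {} for "no change".
def logon_changes(service_name, current_start_name, logon_user, logon_password,
                  hostname:, password_rotated: false)
  return {} if logon_user.nil? # logon account is not managed

  want = normalize_account(logon_user, hostname)
  builtin = BUILTIN_ACCOUNTS.include?(want)
  user_changed = want != normalize_account(current_start_name, hostname)
  return {} unless user_changed || (password_rotated && !builtin)

  changes = { service_name: service_name, service_start_name: logon_user }
  unless builtin
    raise ArgumentError, "password required for #{logon_user}" if logon_password.to_s.empty?
    changes[:password] = logon_password
  end
  changes
end

# Copy of the options that is safe to log: the password never appears.
def loggable(changes)
  changes.key?(:password) ? changes.merge(password: '[REDACTED]') : changes
end

# Constructed sample: service runs as LocalSystem, recipe wants CORP\svc_app.
if __FILE__ == $PROGRAM_NAME
  opts = logon_changes('MyApp', 'LocalSystem', 'CORP\\svc_app', 'example-only',
                       hostname: 'WEB01')
  puts loggable(opts).inspect
  # On Windows: ::Win32::Service.configure(opts) unless opts.empty?
end
```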