Re: Installing a package from a password-protected UNC share


#1

Is the default account for the chef-client service to use the "system"
service account? Switching to “network” service as you say here should work
quite well in that case.

On Fri, Feb 1, 2013 at 7:36 AM, Tensibai tensibai@iabis.net wrote:


You may also use Network_service account which is able to establish cifs
shares from a service.

On 2013-01-31 17:40, Andrea Campi wrote:

On Thu, Jan 31, 2013 at 5:23 PM, Jesse Campbell hikeit@gmail.com wrote:

what about turning off the security policy described in this article?

http://blogs.technet.com/b/askperf/archive/2012/04/18/task-scheduler-error-a-specified-logon-session-does-not-exist.aspx

the net use command is creating a stored credential, which would normally
only work when applied to a logon session.

That’s an excellent idea! Our googling hadn’t turned that one up :)

another option would be to run the service as a real user instead of
one of the service accounts, though i don’t remember the steps to make that
happen :)

Yeah, that’s one of the options we were considering…

It still feels pretty odd that we need to do this manually; surely
somebody else has had this problem?
I.e. chef-client::service should probably take care of this.


#2

Is chef client 11 shipping now?

Earlier tonight it was installing 10.18 now it is 11.

Reading database … 74077 files and directories currently installed.)
Preparing to replace chef 10.18.2-2.ubuntu.11.04 (using …/tmp.xLtlZin5/chef__amd64.deb

chef-client -v

Chef: 11.0.0

$ sudo true && curl -L https://www.opscode.com/chef/install.sh | sudo bash


#3

You can download whatever version you want with this:

curl https://www.opscode.com/chef/install.sh | sudo bash -s -- -v 10.18.2

Thanks,
Matt Ray
Senior Technical Evangelist | Opscode Inc.
matt@opscode.com | (512) 731-2218
Twitter, IRC, GitHub: mattray


From: John Dewey [john@dewey.ws]
Sent: Sunday, February 03, 2013 9:51 PM
To: chef@lists.opscode.com
Subject: [chef] Chef Client 11?

Is chef client 11 shipping now?

Earlier tonight it was installing 10.18 now it is 11.

Reading database … 74077 files and directories currently installed.)
Preparing to replace chef 10.18.2-2.ubuntu.11.04 (using …/tmp.xLtlZin5/chef__amd64.deb

chef-client -v

Chef: 11.0.0

$ sudo true && curl -L https://www.opscode.com/chef/install.sh | sudo bash


#4

bundle install w/ gem 'chef' gets me Chef 11.0.0 as of this
morning. Berkshelf 1.1.2 is not compatible w/ chef 11 yet, which was
quite unpleasant to find out.

On Mon, Feb 4, 2013 at 3:32 PM, Matt Ray matt@opscode.com wrote:

You can download whatever version you want with this:

curl https://www.opscode.com/chef/install.sh | sudo bash -s -- -v 10.18.2



#5

Bryan,

1.1.3 will be out later today and it will fix this issue.


Jamie Winsor
@resetexistence

On Monday, February 4, 2013 at 6:35 AM, Bryan Berry wrote:

bundle install w/ gem 'chef' gets me Chef 11.0.0 as of this
morning. Berkshelf 1.1.2 is not compatible w/ chef 11 yet, which was
quite unpleasant to find out.



#6

I just released Berkshelf 1.1.3 to ruby gems. This contains a hot fix to support both Chef 10 and Chef 11.


Jamie Winsor
@resetexistence

On Monday, February 4, 2013 at 12:57 PM, Jamie Winsor wrote:

Bryan,

1.1.3 will be out later today and it will fix this issue.


Jamie Winsor
@resetexistence
https://github.com/reset



#7

All of that only works within a domain, because it relies on computers in the domain being able to trust each other and/or trust a central (Kerberos) server. Without a domain environment, there really is nothing the server could trust, other than an actual user name and password. In fact, solving this particular issue was the main motivation for creating domains in the first place.

You may have one other option, although it’s far too complicated for my taste: you can set up a Kerberos server. Windows can use that for authentication even without a domain.

It sounds like none of this would be an option. Here is another way to do that “the chef way”.

You could manually copy the files you need to the file directory in your cookbook. Instead of fetching the file from the UNC server, it would come from Chef itself. Drawback is that you have an updating nightmare.

The other option would be to use a script resource to copy the file over and provide the password.

The third option is to use a wrapper script that authenticates to the UNC share, maybe even mounts it with a drive letter, and then calls chef-client.

-----Original message-----
From: Jesse Campbell hikeit@gmail.com
Sent: Sun 02-03-2013 09:45 am
Subject: [chef] Re: Installing a package from a password-protected UNC share
To: chef chef@lists.opscode.com

Is the default account for the chef-client service to use the “system” service account? Switching to “network” service as you say here should work quite well in that case.

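
The third option in the post above (a wrapper that authenticates to the UNC share, maps it to a drive letter, and then calls chef-client) could look like the following. This is an added example, not code from the thread or from Chef; the share path, drive letter and credential file path are assumed names, and it assumes PowerShell 3.0 or later with chef-client on the PATH.

```powershell
# Added example: authenticate to the share, run chef-client, then disconnect.
# Assumed names (not from the thread): \\fileserver\packages, drive P:,
# C:\chef\share-cred.xml.
param(
    [string]$Share    = '\\fileserver\packages',
    [string]$Drive    = 'P',
    [string]$CredFile = 'C:\chef\share-cred.xml'
)
$ErrorActionPreference = 'Stop'

# The credential file is created once, by the same account that runs this wrapper:
#   Get-Credential | Export-Clixml -Path C:\chef\share-cred.xml
# Export-Clixml protects the password with DPAPI, so only that account on that
# machine can decrypt it, and the password never appears in the script, in a
# recipe, or on a command line.
$cred = Import-Clixml -Path $CredFile

$exitCode = 1
try {
    # -Persist creates a real Windows mapped drive (the equivalent of
    # "net use P: ..."), so the chef-client child process sees P:\ too.
    New-PSDrive -Name $Drive -PSProvider FileSystem -Root $Share `
                -Credential $cred -Persist | Out-Null

    & chef-client
    $exitCode = $LASTEXITCODE
}
finally {
    # Always drop the authenticated connection, even when the run fails,
    # so the share is not left reachable after the wrapper exits.
    if (Get-PSDrive -Name $Drive -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $Drive -Force
    }
}
exit $exitCode
```

Recipes run under this wrapper would reference the package by the mapped drive letter; restricting the NTFS ACL on the credential file to the account that runs the wrapper keeps other local users from copying it.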


#8

On Sun, Feb 3, 2013 at 11:09 PM, Kevin Keane Subscription <subscription@kkeane.com> wrote:

All of that only works within a domain, because it relies on computers in
the domain being able to trust each other and/or trust a central (Kerberos)
server. Without a domain environment, there really is nothing the server
could trust, other than an actual user name and password. In fact, solving
this particular issue was the main motivation for creating domains in the
first place.

You may have missed the beginning of the thread: I am specifically asking
how to access with an explicit login and password.

There is no domain and no Kerberos server: this is an ISP setup where all
VMs are owned by different customers who may or may not have their own
domain.
I only need to fetch some files, with password protection thrown on for
some “security through obscurity” (no, I don’t think it’s a good idea, but
these are the specs and I can’t change them).

smbclient from Samba can do that easily by including the credentials in the
UNC URL, but there seems to be no Windows way to do that.

You may have one other option, although it’s far too complicated for my
taste: you can set up a Kerberos server. Windows can use that for
authentication even without a domain.

It sounds like none of this would be an option. Here is another way to do
that “the chef way”.

You could manually copy the files you need to the file directory in your
cookbook. Instead of fetching the file from the UNC server, it would come
from Chef itself. Drawback is that you have an updating nightmare.

Multi-megabyte files in Chef are bad. :)

The other option would be to use a script resource to copy the file over
and provide the password.

The third option is to use a wrapper script that authenticates to the UNC
share, maybe even mounts it with a drive letter, and then calls chef-client.

These are good options, and other suggestions that were offered sound good
too. Unfortunately they are non-trivial.

Just for some closure, for the benefit of future searches:

We are seeking permission to mirror those files from SMB to a separate
nginx server that will serve them over plain HTTP with basic auth.
That fits our basic requirements with minimal changes to the workflow.

Thanks for all that helped!
Andrea