Run cookbook as domain user


#1

In Windows, the cookbook runs as administrator by default. How do I run it as a domain user?


#2

Chef is really designed to run as either administrator or, on *nix systems, as root. On Windows, it should also have elevation. This is because the whole purpose is to make deep system changes that domain users ordinarily are not allowed to make.

But sometimes, all you are using Chef for is to manage per-user settings, or things that a domain user is allowed to do. In those cases, you can change the service account that Chef runs under. The simplest way may be to run chef-client as a launch script, or as a scheduled task that runs only when the user is logged in.

Kevin Keane
Whom the IT Pros Call
The NetTech
http://www.4nettech.com
Our values: Privacy, Liberty, Justice
See https://www.4nettech.com/corp/the-nettech-values.html


#3

If you want to run the Chef-Client as a domain user, I would recommend using the “knife winrm” command.

Example of the syntax:
knife winrm "myserver.myorganization.net" "chef-client" -m -x "domain\Administrator" -P "super_secret_password"

This can be executed from your local chef workstation.

You could also use PowerShell Remoting to connect to the remote server as a domain user and execute chef-client.


#4

If I want to run a specific resource as a domain user, how can I do that?
For example, the execute resource fails when used as a domain user using the ‘user’ option. How can I do this?


#5

Any more details on what you’re trying to achieve or the error you’re getting? It’s hard to give advice without more details.


#6

I’m looking to install some software as a domain user in Windows, for which I used the execute resource, and the resource failed to execute, so are there any alternatives?


#7

How does it fail? Please help us to help you by giving some logs… We have no divination skills to guess what error you get, which software you’re trying to install, and why it has to be installed in a user context and not at machine level.


#8

Executing “knife winrm” will run all resources as a particular user. If the error you are getting is permissions related, then it is the user that you are executing the chef-client as.

As Tensibai said, it would help if you can provide the resources that you are trying to execute as a different user. It would also help if you can provide the log details of the run, ideally with “chef-client --log_level debug”.

Additionally, have a look at this pull request; I think it will help you.

Lastly, it was also mentioned that you can use powershell_out and pass different user details: powershell_out(command_to_run, { "user": username, "password": password })


#9

If you preface the user name with the domain: domain\user in the knife winrm command, it should run under that domain account. If you need to run only certain resources under a different identity, you may need to create a scheduled task resource to run under the identity you need which performs the operations necessary under the desired user.
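
The scheduled-task approach suggested in posts #2 and #9, as an added PowerShell example that is not part of any poster's reply or of Chef itself. It registers a task that runs chef-client in the domain user's own logon session, so no password for that user is stored or passed on a command line. The task name and parameter values are placeholders, and it assumes chef-client is on the machine PATH and that the domain user can read the Chef configuration and client key.

```powershell
# Added example (not from the thread). Placeholder values are marked as such.
param(
    [Parameter(Mandatory)] [string] $ComputerName,   # e.g. myserver.myorganization.net
    [Parameter(Mandatory)] [string] $DomainUser,     # e.g. MYDOMAIN\jdoe (placeholder)
    [string] $TaskName = 'chef-client-user-context'  # hypothetical task name
)

# Prompt for the account used to create the task; the password never appears
# in the command line, shell history or process listing.
$adminCred = Get-Credential -Message "Account that may create tasks on $ComputerName"

$result = Invoke-Command -ComputerName $ComputerName -Credential $adminCred `
    -ArgumentList $DomainUser, $TaskName -ScriptBlock {
    param($DomainUser, $TaskName)

    # Assumption: chef-client is on the machine PATH; stop early if it is not.
    $null = Get-Command chef-client -ErrorAction Stop

    # One converge per logon, started through cmd.exe because chef-client
    # is installed as a batch wrapper on Windows.
    $action  = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument '/c chef-client --once'
    $trigger = New-ScheduledTaskTrigger -AtLogOn -User $DomainUser

    # Interactive logon type: the task runs only while the user is logged on,
    # with that user's token, so no credential is saved with the task.
    # Limited run level: no elevation, only what the domain user may do.
    $principal = New-ScheduledTaskPrincipal -UserId $DomainUser `
        -LogonType Interactive -RunLevel Limited

    $task = Register-ScheduledTask -TaskName $TaskName -Action $action `
        -Trigger $trigger -Principal $principal -Force

    # Return what was actually registered so the caller can verify it.
    [pscustomobject]@{
        TaskName  = $task.TaskName
        RunsAs    = $task.Principal.UserId
        LogonType = $task.Principal.LogonType
        RunLevel  = $task.Principal.RunLevel
    }
}

$result | Format-List TaskName, RunsAs, LogonType, RunLevel
```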


#10

Thanks everyone for your reply.