Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SmbShare: Test-TargetResource returns $false when permission entries are not returned in the same order #423

Closed
Borgquite opened this issue Apr 18, 2024 · 2 comments · Fixed by #424
Closed

SmbShare: Test-TargetResource returns $false when permission entries are not returned in the same order #423

Borgquite opened this issue Apr 18, 2024 · 2 comments · Fixed by #424
Labels
bug The issue is a bug.

Comments

@Borgquite
Copy link
Contributor

Borgquite commented Apr 18, 2024
edited
Loading

Problem description

I recently created some SmbShare resources with multiple entries in the access permissions entries in the ChangeAccess parameter

These changes applied successfully, but subsequent tests of the resource returned as 'noncompliant' even though the permissions were applied correctly

It looks like SmbShare is really picky about what order Get-SmbShareAccess returns permissions in, and running Set-TargetResource doesn't result in them being applied in the provided order either. I am not aware that permission order on file shares matters - Test-TargetResource can return 'true' for a resource even if the permission entries are returned in a different order to how they were defined in the FullAccess/ChangeAccess/ReadAccess/NoAccess parameters in DSC.

Verbose logs

VERBOSE: [HOSTNAME]: LCM:  [ Start  Resource ]  [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME]
VERBOSE: [HOSTNAME]: LCM:  [ Start  Test     ]  [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME]
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Determining if the SMB share 'ShareName' is in the desired state.
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Getting the current state of the SMB share 'ShareName'.
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] The SMB share with the name 'ShareName' exist. Evaluating the properties of the SMB share.
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Comparing values in property 'ChangeAccess'. (DRC0028)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value [0] (type 'System.String') for property 'ChangeAccess' does match. Current state is 'DOMAINNAME\Domain Controllers' and desired state is 'DOMAINNAME\Domain Controllers'. (DRC0025)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] NOTMATCH: Value [1] (type 'System.String') for property 'ChangeAccess' does match. Current state is 'DOMAINNAME\Domain Computers' and desired state is 'DOMAINNAME\Read-only Domain Controllers'. (DRC0024)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] NOTMATCH: Value [2] (type 'System.String') for property 'ChangeAccess' does match. Current state is 'DOMAINNAME\Read-only Domain Controllers' and desired state is 'DOMAINNAME\Domain Computers'. (DRC0024)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Comparing values in property 'ReadAccess'. (DRC0028)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value (type 'System.String[]') for property 'ReadAccess' does match. Current state is 'empty array' and desired state is 'empty array'. (DRC0020)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Comparing values in property 'NoAccess'. (DRC0028)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value (type 'System.String[]') for property 'NoAccess' does match. Current state is 'empty array' and desired state is 'empty array'. (DRC0020)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value (type 'System.String') for property 'Name' does match. Current state is 'ShareName' and desired state is 'ShareName'. (DRC0020)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] Comparing values in property 'FullAccess'. (DRC0028)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value [0] (type 'System.String') for property 'FullAccess' does match. Current state is 'DOMAINNAME\Domain Admins' and desired state is 'DOMAINNAME\Domain Admins'. (DRC0025)
VERBOSE: [HOSTNAME]:                            [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] MATCH: Value (type 'System.String') for property 'Path' does match. Current state is 'C:\DFSTargets\ShareName' and desired state is 'C:\DFSTargets\ShareName'. (DRC0020)
VERBOSE: [HOSTNAME]: LCM:  [ End    Test     ]  [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME] False in 0.2500 seconds.
VERBOSE: [HOSTNAME]: LCM:  [ End    Resource ]  [[SmbShare]HOSTNAME.contoso.com\ShareName::[DFSDeploymentShare]HOSTNAME]

DSC configuration

SmbShare "HOSTNAME.contoso.com\ShareName"
{
     Name = "ShareName"
     Path = "C:\DFSTargets\ShareName"
     FullAccess = @("DOMAINNAME\Domain Admins")
     ChangeAccess = @("DOMAINNAME\Domain Controllers", "DOMAINNAME\Read-only Domain Controllers", "DOMAINNAME\Domain Computers")
     ReadAccess = @()
     NoAccess = @()
}

Suggested solution

Fix Test-TargetResource to make the checks for FullAccess, ChangeAccess, ReadAccess and NoAccess ignore the order of the information returned by Get-TargetResource

Operating system the target node is running

OsName               : Microsoft Windows Server 2022 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PowerShell version and build the target node is running

Name                           Value                                                                                                                                                           
----                           -----                                                                                                                                                           
PSVersion                      5.1.20348.2227                                                                                                                                                  
PSEdition                      Desktop                                                                                                                                                         
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                                         
BuildVersion                   10.0.20348.2227                                                                                                                                                 
CLRVersion                     4.0.30319.42000                                                                                                                                                 
WSManStackVersion              3.0                                                                                                                                                             
PSRemotingProtocolVersion      2.3                                                                                                                                                             
SerializationVersion           1.1.0.1

ComputerManagementDsc version

Name                  Version Path                                                                                             
----                  ------- ----                                                                                             
ComputerManagementDsc 9.0.0   C:\Program Files\WindowsPowerShell\Modules\ComputerManagementDsc\9.0.0\ComputerManagementDsc.psd1
@Borgquite
Copy link
Contributor Author

Duplicate of #247 (sorry only just seen)?

@Borgquite Borgquite mentioned this issue Apr 24, 2024
Merged
9 tasks
@johlju
Copy link
Member

johlju commented Apr 24, 2024

Thanks to @Borgquite for fixing this. Please test and verify that it works by using the preview that will be released shortly.

@johlju johlju added the bug The issue is a bug. label Apr 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug The issue is a bug.
Projects
None yet
Milestone
No milestone
2 participants
@johlju @Borgquite