AdcsAuthorityInformationAccess: always makes a change #138

Open
awalker125 opened this issue Mar 17, 2023 · 0 comments · May be fixed by #141

Details of the scenario you tried and the problem that is occurring

I used this module with Ansible, and while it works, it always marks it as changed. I think there are two reasons for this.

  1. AllowRestartService is evaluated in the comparison but is always returned as false (https://github.com/dsccommunity/ActiveDirectoryCSDsc/blob/main/source/DSCResources/DSC_AdcsAuthorityInformationAccess/DSC_AdcsAuthorityInformationAccess.psm1#LL38C9-L38C28). So if you set it to true to allow it to restart, it will always show as changed.
  2. If you only have a single OcspUri you get a change because the get seems to return a string but the desired is an array.

This is pretty low priority IMHO. Just raising for awareness.

Verbose logs showing the problem

    "verbose_set": [
        "Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ResourceSet,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.",
        "An LCM method call arrived from computer CA with user sid S-1-5-21-3556150029-942104223-2446729614-1008.",
        "[CA]: LCM:  [ Start  Set      ]  [[AdcsAuthorityInformationAccess]DirectResourceAccess]",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Setting Active Directory Authority Information Access.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Getting Active Directory Authority Information Access.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Getting Active Directory Authority Information Access URI list for 'AddToCertificateAia'.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Retrieving local certification authority configuration.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Preparing the \"ca.example.local\\example-ca\" certification authority configuration.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Retrieving the authority information access extension entries for the certification authority.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Getting Active Directory Authority Information Access URI list for 'AddToCertificateOcsp'.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Retrieving local certification authority configuration.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Preparing the \"ca.example.local\\example-ca\" certification authority configuration.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Retrieving the authority information access extension entries for the certification authority.",
        "[CA]: LCM:  [ End    Set      ]  [[AdcsAuthorityInformationAccess]DirectResourceAccess]  in 0.0470 seconds.",
        "[CA]: LCM:  [ End    Set      ]    in  0.1100 seconds.",
        "Operation 'Invoke CimMethod' complete.",
        "Time taken for configuration job to complete is 0.203 seconds"
    ],
    "verbose_test": [
        "Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ResourceTest,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.",
        "An LCM method call arrived from computer CA with user sid S-1-5-21-3556150029-942104223-2446729614-1008.",
        "[CA]: LCM:  [ Start  Test     ]  [[AdcsAuthorityInformationAccess]DirectResourceAccess]",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Testing Active Directory Authority Information Access.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Getting Active Directory Authority Information Access.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Getting Active Directory Authority Information Access URI list for 'AddToCertificateAia'.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Retrieving local certification authority configuration.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Preparing the \"ca.example.local\\example-ca\" certification authority configuration.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Retrieving the authority information access extension entries for the certification authority.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Getting Active Directory Authority Information Access URI list for 'AddToCertificateOcsp'.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Retrieving local certification authority configuration.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Preparing the \"ca.example.local\\example-ca\" certification authority configuration.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Retrieving the authority information access extension entries for the certification authority.",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] MATCH: Value (type 'System.Boolean') for property 'AllowRestartService' does match. Current state is 'False' and desired state is 'False'. (DRC0020)",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] NOTMATCH: Type mismatch for property 'OcspUri' Current state type is 'System.String' and desired type is 'System.String[]'. (DRC0019)",
        "[CA]:                            [[AdcsAuthorityInformationAccess]DirectResourceAccess] Test-DscParameter result is 'False'. (DRC0026)",
        "[CA]: LCM:  [ End    Test     ]  [[AdcsAuthorityInformationAccess]DirectResourceAccess] False in 0.1780 seconds.",
        "[CA]: LCM:  [ End    Set      ]    in  0.2260 seconds.",
        "Operation 'Invoke CimMethod' complete.",
        "Time taken for configuration job to complete is 0.305 seconds"
    ]

Suggested solution to the issue

  1. Maybe remove AllowRestartService from the compare. If I'm reading it right, then it's only used to control if the module should restart after updates.
  2. Maybe always return an array even if only a single entry.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

    - name: Create the AIA record
      win_dsc:
        resource_name: AdcsAuthorityInformationAccess
        IsSingleInstance: "Yes"
        AllowRestartService: true
        OcspUri:
          - "http://example.com/ocsp"

The operating system the target node is running

    OsName               : Microsoft Windows Server 2019 Datacenter
    OsOperatingSystemSKU : DatacenterServerEdition
    OsArchitecture       : 64-bit
    WindowsVersion       : 1809
    WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
    OsLanguage           : en-US
    OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

    PS C:\Windows\system32> $PSVersionTable

    Name                           Value
    ----                           -----
    PSVersion                      5.1.17763.3770
    PSEdition                      Desktop
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
    BuildVersion                   10.0.17763.3770
    CLRVersion                     4.0.30319.42000
    WSManStackVersion              3.0
    PSRemotingProtocolVersion      2.3
    SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

    PS C:\Windows\system32> get-installedmodule

    Version    Name                                Repository           Description
    -------    ----                                ----------           -----------
    5.0.0      ActiveDirectoryCSDsc                PSGallery            DSC resources for installing, uninstalling and c...
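
An added example, not part of the issue and not code from ActiveDirectoryCSDsc: it reproduces the two causes of the false "changed" result reported above and shows a comparison that avoids both. All function names and the sample entries are hypothetical, and it assumes the getter collects URIs through a pipeline, which is one common way a single value ends up as a `System.String`. The first call at the end reports drift; the second, with the getter normalized to `System.String[]` and `AllowRestartService` treated as action-only, does not.

```powershell
# Added illustration; names are hypothetical, not from ActiveDirectoryCSDsc.
# Constructed sample of AIA entries as a getter might read them from the CA.
$entries = @(
    [pscustomobject]@{ Uri = 'http://example.com/ocsp';   AddToCertificateOcsp = $true }
    [pscustomobject]@{ Uri = 'http://example.com/ca.crt'; AddToCertificateOcsp = $false }
)

function Get-OcspUriUnwrapped
{
    param ($Entries)
    # A pipeline that emits exactly one object hands the caller a scalar,
    # not a one-element array.
    $Entries | Where-Object { $_.AddToCertificateOcsp } | ForEach-Object { $_.Uri }
}

function Get-CurrentState
{
    param ($Entries, [switch] $Normalize)
    $uris = Get-OcspUriUnwrapped -Entries $Entries
    # Normalizing: @() re-wraps a scalar, the cast pins the element type.
    if ($Normalize) { $uris = [System.String[]] @($uris) }
    # AllowRestartService is always reported as $false, as described in the issue.
    @{ OcspUri = $uris; AllowRestartService = $false }
}

function Test-InDesiredState
{
    param ([hashtable] $Current, [hashtable] $Desired, [string[]] $ActionOnly = @())
    foreach ($key in $Desired.Keys)
    {
        # Parameters that only steer Set (e.g. "may I restart the service?")
        # describe no state on the node and are skipped.
        if ($key -in $ActionOnly) { continue }
        $c = $Current[$key]; $d = $Desired[$key]
        if ($c.GetType() -ne $d.GetType()) { return $false }   # String vs String[]
        if (Compare-Object -ReferenceObject @($c) -DifferenceObject @($d)) { return $false }
    }
    return $true
}

# Desired state as in the playbook from the issue: a one-item list plus the restart flag.
$desired = @{ OcspUri = [System.String[]] @('http://example.com/ocsp'); AllowRestartService = $true }

# Behaviour from the issue: scalar getter, every parameter compared.
Test-InDesiredState -Current (Get-CurrentState -Entries $entries) -Desired $desired
# Both suggestions applied: array getter, restart flag excluded from the compare.
Test-InDesiredState -Current (Get-CurrentState -Entries $entries -Normalize) -Desired $desired -ActionOnly 'AllowRestartService'
```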