
ArcGIS Server Directories root: "Access Denied" - but only with Cinc #333

Open
thk70 opened this issue Nov 9, 2022 · 3 comments


thk70 commented Nov 9, 2022

The Directories root (and config store/logs) are residing on a fileshare. If I install with Cinc it errors with "error 5 - access denied" but if I install by hand using "Configure ArcGIS Server Account" utility it works fine.
The AD service account running ArcGIS Server (and my own interactive logged-in account) has Full permissions on the fileshare.

AGS server and fileserver Windows 2022 (VM)
AGS 10.9.1
Cinc client 16.16.13
Esri cookbooks 4.0

From log:

directory[E:\arcgisserver\arcgisserver-hosting] action create (arcgis-enterprise::server line 90)

================================================================================
Error executing action `create` on resource 'directory[E:\arcgisserver\arcgisserver-hosting\]'
================================================================================

Chef::Exceptions::Win32APIError
-------------------------------
Access is denied.
---- Begin Win32 API output ----
System Error Code: 5
System Error Message: Access is denied.
---- End Win32 API output ----

Resource Declaration:
---------------------
# In E:/chef_cache/cookbooks/arcgis-enterprise/recipes/server.rb

 90: directory node['arcgis']['server']['directories_root'] do
 91:   owner node['arcgis']['run_as_user']
 92:   if node['platform'] != 'windows'
 93:     mode '0700'
 94:   end
 95:   recursive true

Compiled Resource:
------------------
# Declared in E:/chef_cache/cookbooks/arcgis-enterprise/recipes/server.rb:90:in `from_file'

directory("E:\arcgisserver\arcgisserver-hosting\") do
  action [:create]
  default_guard_interpreter :default
  declared_type :directory
  cookbook_name "arcgis-enterprise"
  recipe_name "server"
  recursive true
  owner "D007\\S_GIS_DEV_APP_ARCGIS"
  group nil
  mode nil
  not_if { #code block }
end

System Info:
------------
chef_version=16.16.13
platform=windows
platform_version=10.0.20348
ruby=ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x64-mingw32]
program_name=C:/cinc-project/cinc/bin/cinc-client
executable=C:/cinc-project/cinc/bin/cinc-client

The same error happens if I rerun Cinc - after successfully installing ArcGIS Server manually in the same destination folders.
Any thoughts?


thk70 commented Nov 9, 2022

I probably should mention I'm running the Cinc script as Administrator (Run as Administrator) (Elevated).
My account is a member of the "Administrators" group - the AGS server account is not a member of any local groups, of course.

@cameronkroeker
Contributor

Hi @thk70,

Could you attach your json file (scrub out sensitive information such as passwords and machine names, etc)? If config-store and directories are a file share then you will want to pass in the file share UNC path not a local path. For example:

"directories_root": "\\\\FILESERVER\\arcgisserver",

"config_store_connection_string": "\\\\FILESERVER\\arcgisserver\\config-store",

Otherwise, if a local path such as E:\\arcgisserver\\arcgisserver-hosting is specified, then the server.rb recipe will attempt to create it if it doesn't exist:

directory node['arcgis']['server']['directories_root'] do
  owner node['arcgis']['run_as_user']
  if node['platform'] != 'windows'
    mode '0700'
  end
  recursive true
  not_if { node['arcgis']['server']['directories_root'].start_with?('\\\\') ||
           node['arcgis']['server']['directories_root'].start_with?('/net/') }
  action :create
end

Thanks,
Cameron K.

@thk70
Copy link
Author

thk70 commented Nov 13, 2022

Hi @cameronkroeker

In further investigation I found out that the Cinc client (or rather the interactive user running the installation) needs at least Modify permissions on the parent container (folder):
E:\arcgisserver
which it didn't have.
Both containers for the directories root
E:\arcgisserver
E:\arcgisserver\arcgisserver-hosting
are pre-created, but the service user and the interactive user only have Full permissions on the subfolder called arcgisserver-hosting.

This is not an issue running the manual installation. Only the Cinc installation requires permissions on all folders in the path. Even if they are already created. I would suggest that's a prevailing behaviour for the Cinc client.

However, I think the manual installation wizard requires that the directories root is already created before running the installation. And Cinc is probably trying to create them in any case.

I found a workaround with "temporarily giving permissions during installation" which I think can pass the sec-office.

Thanks,
Thomas
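
A pre-flight check for the two points raised in this thread, added here as an example (not code from the cookbook or from either participant): it applies the same `start_with?` test as the quoted `not_if` guard to `directories_root` and, for a local path, lists every folder below the drive root whose ACL should be reviewed before the run. The helper names, the sample JSON and the `EXAMPLE\svc_arcgis` account are constructed for illustration.

```ruby
require 'json'

# Same test as the not_if guard quoted from server.rb: for UNC and /net/
# paths the directory resource is skipped entirely.
def share_path?(path)
  path.start_with?('\\\\') || path.start_with?('/net/')
end

# Folders below the drive root, parent first (hypothetical helper).
def folder_chain(path)
  parts = path.split(/[\\\/]+/).reject(&:empty?)
  (1...parts.size).map { |i| parts[0..i].join('\\') }
end

# Report what the directory resource will do with directories_root.
def preflight(attributes_json)
  arcgis = JSON.parse(attributes_json).fetch('arcgis')
  root = arcgis.fetch('server').fetch('directories_root')
  skipped = share_path?(root)
  {
    resource_runs: !skipped,                        # false: guard skips create
    owner: skipped ? nil : arcgis['run_as_user'],   # owner the resource sets
    acl_check: skipped ? [] : folder_chain(root)    # folders to review
  }
end

# Constructed sample attributes (not the reporter's JSON file).
LOCAL_JSON = <<~'JSON'
  { "arcgis": { "run_as_user": "EXAMPLE\\svc_arcgis",
                "server": { "directories_root": "E:\\arcgisserver\\arcgisserver-hosting\\" } } }
JSON

UNC_JSON = <<~'JSON'
  { "arcgis": { "run_as_user": "EXAMPLE\\svc_arcgis",
                "server": { "directories_root": "\\\\FILESERVER\\arcgisserver" } } }
JSON

if __FILE__ == $PROGRAM_NAME
  { 'local' => LOCAL_JSON, 'unc' => UNC_JSON }.each do |name, json|
    puts "#{name}: #{preflight(json)}"
  end
end
```

With a UNC value the resource never runs, so neither the folder nor its owner is managed by the Cinc run and share permissions have to be granted separately.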
