Opened 11 months ago
#534 new defect
#131 Runas does not work when NSClient runs under Local System Account
| Reported by: | mopp | Owned by: | mickem |
|---|---|---|---|
| Priority: | 1 | Milestone: | 0.4.2 |
| Component: | CheckExternalScripts | Version: | 0.4.0 |
| Severity: | Bugs | Keywords: | |
| Cc: |
Description
Hi,
I didn't find a documentation regarding the new runas function from #131, so I might did something wrong.
My sample entry:
scripts/scripts/check_something
command=cmd /c "dir c:\"
user=test_user
password=testpassword
OS: W2k3
The password is correct, if I use the wrong password I get this error message:
ExternalCommands?: failed to create process (cmd /c dir c:"): 1326: Logon failure: unknown user name or bad password.
But with the correct password the following message is shown.
ExternalCommands?: failed to create process (cmd /c dir c:"): 5: Access is denied.
The problem occurs with every command.
I think it is the same problem as the PSExec return code 5 problem described here: http://forum.sysinternals.com/psexec-error-code-5_topic20674.html ("Windows XP with SP2 and Windows Server 2003: You cannot call CreateProcessWithLogonW from a process that is running under the "LocalSystem?" account, because the function uses the logon SID in the caller token, and the token for the "LocalSystem?" account does not contain this SID. As an alternative, use the CreateProcessAsUser? and LogonUser? functions.")
Everything works if I run "nscp test", because it runs in a different (non system account) user context.
