Archived community.zenoss.org | full text search
fdeckert Rank: Green Belt 110 posts since
Jul 2, 2008

May 5, 2009 2:44 PM

zenwin "NT_STATUS_NET_WRITE_FAULT" with restricted

Hi,

We are trying to set up a WMI restricted account for zenwin and zeneventlog. Using wmic, it's working fine, but from Zenwin it broke, complaining both about "NT_STATUS_NET_WRITE_FAULT" and "NT_STATUS_ACCESS_DENIED".

I noticed the trick with wmic needing "\\" between the AD domain and the account name. But on zProperties we set it with a single "\".

wmic -U emea-klif\\wmimon%Sopra123 //wscomklif02a.ptx.fr.sopra "select * from Win32_ComputerSystem"
CLASS: Win32_ComputerSystem
AdminPasswordStatus|AutomaticManagedPagefile|AutomaticResetBootOption|
AutomaticResetCapability|BootOptionOnLimit|BootOptionOnWatchDog|BootROMSupported|
BootupState|Caption|ChassisBootupState|CreationClassName|CurrentTimeZone|DaylightInEffect|
Description|DNSHostName|Domain|DomainRole|EnableDaylightSavingsTime|FrontPanel
ResetStatus|InfraredSupported|InitialLoadInfo|InstallDate|KeyboardPasswordStatus|
LastLoadInfo|Manufacturer|Model|Name|NameFormat|NetworkServerModeEnabled|
NumberOfLogicalProcessors|NumberOfProcessors|OEMLogoBitmap|OEMStringArray|
PartOfDomain|PauseAfterReset|PCSystemType|PowerManagementCapabilities|
PowerManagementSupported|PowerOnPasswordStatus|PowerState|PowerSupplyState|
PrimaryOwnerContact|PrimaryOwnerName|ResetCapability|ResetCount|ResetLimit|
Roles|Status|SupportContactDescription|SystemStartupDelay|SystemStartupOptions|
SystemStartupSetting|SystemType|ThermalState|TotalPhysicalMemory|UserName|
WakeUpType|Workgroup
1|True|True|True|0|0|True|
Normal boot|WSCOMKLIF02A|4|Win32_ComputerSystem|120|True|AT/AT COMPATIBLE|
wscomklif02a|emea-klif.msad-klif.sopra|3|True|2|False|NULL|(null)|2|(null)|Dell Inc.|
OptiPlex 755                 |WSCOMKLIF02A|(null)|True|2|1|NULL|(www.dell.com)|
True|-1|5|NULL|False|1|0|3|(null)|Windows User|1|-1|-1|(LM_Workstation,LM_Server,NT,Server_NT)|
OK|NULL|0|NULL|0|x64-based PC|3|2101157888|EMEA-KLIF\wmimon|6|(null)


Any idea how we can get this to work?
DEBUG:zen.Watcher:connecting to wscomklif02a.ptx.fr.sopra
Failed to bind to uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - NT_STATUS_NET_WRITE_FAULT
ERROR:zen.pysamba:Attempt to connect resulted in NT_STATUS_ACCESS_DENIED
ERROR:zen.Watcher:NT_STATUS_ACCESS_DENIED
Traceback (most recent call last):
  File "/usr/local/zenoss/zenoss/Products/ZenWin/Watcher.py", line 39, in inner
    driver.next()
  File "/usr/local/zenoss/zenoss/Products/ZenUtils/Driver.py", line 64, in result
    raise ex
WMIFailure: NT_STATUS_ACCESS_DENIED
ERROR:zen.zenwin:NT_STATUS_ACCESS_DENIED
Traceback (most recent call last):
  File "/usr/local/zenoss/zenoss/Products/ZenWin/zenwin.py", line 139, in inner
    driver.next()
  File "/usr/local/zenoss/zenoss/Products/ZenUtils/Driver.py", line 64, in result
    raise ex
WMIFailure: NT_STATUS_ACCESS_DENIED
DEBUG:zen.zenwin:Queueing event {'manager': 'zenoss.ptx.fr.sopra', 'severity': 4, 'device': 'wscomklif02a.ptx.fr.sopra', 'eventClass': '/Status/Wmi', 'component': 'zenwin', 'agent': 'zenwin', 'summary': 'Could not read the status of Windows services (NT_STATUS_ACCESS_DENIED). Check your username/password settings and verify network connectivity.'}


--
Florian Deckert
SopraGroup - France
  • cgibbons Rank: White Belt 60 posts since
    Apr 9, 2008
    You need the double backslash because your shell is using it as an escape. Generally you need to either backslash escape it as you are doing, or you use single quotes for the domain & username, e.g.

    wmic -U 'ZENOSS-DEV\Administrator' ...

    You may also use the forward slash instead.

    Access Denied from the zenwin daemon is because it is trying to access the Windows Service Manager, not just WMI classes. See if http://support.microsoft.com/kb/907460 helps you with that.
  • alzoo Rank: White Belt 74 posts since
    May 11, 2009
    2. May 11, 2009 6:55 AM (in response to cgibbons)
    WMI access problems
    Hi cgibbons,
    I'm working with Florian on this as well, and I did as you suggested with the MS KB but that hasn't worked unfortunately. Do you need to put in a \\ in the zproperties user field? We have Windows Server 2003 SP2 and a few 2008 servers.
    I have read your other posts on wmi security here
    http://forums.zenoss.com/viewtopic.php?t=8745

    Here is what has been done so far, any info you have to let me know what went wrong or what still needs to be done is greatly appreciated.

    These are the errors.
    component zeneventlog
    message Could not read the Windows event log (ExecNotificationQuery (WBEM_E_ACCESS_DENIED)). Check your username/password settings and verify network connectivity.

    component zeneventlog
    message Could not read the Windows event log (int() argument must be a string or a number). Check your username/password settings and verify network connectivity.

    component zenwin
    message Could not read the status of Windows services (int argument required). Check your username/password settings and verify network connectivity.

    component zenwin
    message Could not read the status of Windows services (NT_STATUS_ACCESS_DENIED). Check your username/password settings and verify network connectivity.



    NO firewall enabled.

    domain user added to local group distributed com users, performance log&monitor users group

    In the security of WMI control properties, added to root and subnamespaces distributed com users group with allow execute method, Provider Write, Enable Account Remote Enabled

    Modified the GPO view and then added the domain user SSID permission full access A;; 0x7;;;S-1-5-21-etc to Application, security & system event logs

    dcom security
    for DCOM remote launch and activation permissions for a user,
    added Remote Launch select Remote Activation for domain user even though local distributed COM group has those permissions

    for DCOM remote access permissions,
    selected ANONYMOUS LOGON selected Remote Access, also added my domain user and local distributed COM group already had remote access

    changed the access for the Service control manager to include my domain user with the following command
    sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
    D:(A;;CC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPRC;;;S-1-5-21-etc)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

    I also just added the SSID on some different servers to check this difference between this and the AU setting to see if this works
    D:(A;;CC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPRC;;;S-1-5-21-etc)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

    Does http://support.microsoft.com/default.aspx?scid=kb;en-us;164018
    need to be applied as it's for NT351, NT4.0 and 2000?


    I'm getting tired... it's not funny I have to do all this just to get wmi to work, can't wait for your KB...
    Many thanks
    Alex
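
An added example, not part of any post in this thread and not Zenoss code: the two SCMANAGER security descriptors quoted in the post above, parsed and compared so the difference in granted rights is visible per trustee. The right names are the standard Service Control Manager meanings of the two-letter SDDL codes; `allow_aces` and `diff_grants` are names made up for this sketch, and `S-1-5-21-etc` is the poster's own placeholder.

```python
import re

# Two-letter SDDL rights as they apply to the Service Control Manager object.
# KA (KEY_ALL_ACCESS, 0xF003F) has the same value as SC_MANAGER_ALL_ACCESS.
SCM_RIGHTS = {
    "CC": "SC_MANAGER_CONNECT",
    "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE",
    "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS",
    "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
    "RC": "READ_CONTROL",
    "KA": "SC_MANAGER_ALL_ACCESS",
}

# Copied verbatim from the post; "S-1-5-21-etc" is the poster's own elision.
AU_VARIANT = (
    "D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;IU)"
    "(A;;CCLCRPRC;;;SU)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
)
SID_VARIANT = (
    "D:(A;;CC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;IU)"
    "(A;;CCLCRPRC;;;SU)(A;;CCLCRPRC;;;S-1-5-21-etc)"
    "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
)


def allow_aces(sddl):
    """Map trustee -> set of right names granted by allow ACEs in the DACL."""
    dacl = sddl.split("S:", 1)[0]  # drop the SACL (audit) part
    grants = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inherit, trustee = ace.split(";")
        if ace_type != "A":  # only access-allowed ACEs
            continue
        if rights.startswith("0x"):  # hex masks are kept as written
            codes = [rights]
        else:
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        names = {SCM_RIGHTS.get(code, code) for code in codes}
        grants.setdefault(trustee, set()).update(names)
    return grants


def diff_grants(before, after):
    """Return {trustee: (added, removed)} for trustees whose rights differ."""
    old, new = allow_aces(before), allow_aces(after)
    changes = {}
    for trustee in sorted(set(old) | set(new)):
        added = new.get(trustee, set()) - old.get(trustee, set())
        removed = old.get(trustee, set()) - new.get(trustee, set())
        if added or removed:
            changes[trustee] = (sorted(added), sorted(removed))
    return changes


if __name__ == "__main__":
    for who, (added, removed) in diff_grants(AU_VARIANT, SID_VARIANT).items():
        print(who, "added:", added, "removed:", removed)
```

Between the two strings, Authenticated Users (AU) drops to connect-only, while the enumerate, query and read-control rights go to the single named SID, which is the narrower of the two grants.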
  • alzoo Rank: White Belt 74 posts since
    May 11, 2009
    3. May 11, 2009 9:10 AM (in response to alzoo)
    more info
    P.S forgot to mention a
    wmic -U domainf\\user%password //sever.fr "Select * from Win32_NTLogEvent"

    works like a treat, the eventlog pours forth like a waterfall
  • cgibbons Rank: White Belt 60 posts since
    Apr 9, 2008
    4. May 11, 2009 11:53 AM (in response to alzoo)
    RE: more info
    You don't want to use a double backslash in the zProperties.

    You don't need it for zenwin & zeneventlog, but there is at least one community ZenPack that adds Windows performance monitoring (I forget which one) that in turn calls wmic commands. It doesn't properly escape the backslash either, so a lot of people just use a forward slash. If you want to know it works, just use that for now.

    Setting up a non-Administrative user for remote Windows management is a real hassle, but it makes sense - you're effectively trying to do Administrative functionality with something that isn't intended to do it, so it's not like they (Microsoft) have made it easy.

    We do have a knowledge base article written on how to do it fully, but it's within our enterprise support portal; we don't yet have a process for getting these KB articles published to the community yet, but we are working on it.

    If you're already an experienced Windows administrator, you can do a lot of this automatically with the Group Policy Editor, so that helps a lot.
  • alzoo Rank: White Belt 74 posts since
    May 11, 2009
    5. May 12, 2009 3:48 AM (in response to cgibbons)
    more precise info
    thanks for that info.. will keep working on it and try the forward slash...

    just for more info on the subject, I added 1 machine in a step at a time to determine what is failing. As you can see from the final results, the only error I now get is for the event log. As soon as I modified the rights to the service control manager, my zenwin Windows services errors were cleared. Before that step I added the rights to the DCOM, which stopped the last two zeneventlog errors. Only Could not read the Windows event log (ExecNotificationQuery (WBEM_E_ACCESS_DENIED)) keeps counting up (91).



    component | eventClass | summary | firstTime | lastTime | count
     | /Perf/Memory | Unknown | 2009/05/11 16:36:05 | 2009/05/12 9:19:20 | 201
    zeneventlog | /Status/Wmi | not read the Windows event log (ExecNotificationQuery . | 2009/05/11 18:12:51 | 2009/05/12 9:12:49 | 91
    zeneventlog | /Status/Wmi | not read the Windows event log (NT code 0xc002001b). | 2009/05/11 18:03:55 | 2009/05/11 18:03:55 | 1
    zeneventlog | /Status/Wmi | not read the Windows event log (NT_STATUS_ACCESS_DENIED). | 2009/02/13 14:34:31 | 2009/05/11 17:52:50 | 21
  • alzoo Rank: White Belt 74 posts since
    May 11, 2009
    6. May 12, 2009 10:40 AM (in response to alzoo)
    RE: more precise info
    Quick question,

    Does my domain user need to be in any Local groups for remote wmi request to work after I've made all these changes as specified above.

    Distributed COM users
    Performance log user
    Performance monitor users

    thanks again
    Alex
  • cgibbons Rank: White Belt 60 posts since
    Apr 9, 2008
    7. May 12, 2009 10:41 AM (in response to alzoo)
    RE: more precise info
    Another Microsoft KB article on event log permissions: http://support.microsoft.com/kb/323076
  • alzoo Rank: White Belt 74 posts since
    May 11, 2009
    8. May 14, 2009 5:47 AM (in response to cgibbons)
    rights issue...
    thanks again for that KB, I had naturally read it in your last post, but decided to check it out again and apply the section on editing the rights locally on a server outside of the GPO.

    I have figured out the following after lots of trial and error. It is a logical process, almost like walking through one security door after another to get to the windows Eventlog. The only question I now have is what is ZenEventlog trying to read? (app, sys, security, dns, file) as the KB you posted only deals with rights to the Application and System log, do I need to add rights to the other logs as well?


    component       zenwin
    message   Could not read the status of Windows services (NT_STATUS_ACCESS_DENIED). Check your username/password settings and verify network connectivity.
    
    component       zeneventlog
    message   Could not read the Windows event log (NT_STATUS_ACCESS_DENIED). Check your username/password settings and verify network connectivity.
    

    This error is resolved by implementing
    http://msdn.microsoft.com/en-us/library/aa393266.aspx

    component       zeneventlog
    message      Could not read the Windows event log (NT code 0xc0041003). Check your username/password settings and verify network connectivity.
    
    component       zenwin
    message      Could not read the status of Windows services (NT code 0xc0041003). Check your username/password settings and verify network connectivity.

    This error is resolved by implementing
    http://technet.microsoft.com/en-us/library/cc787533.aspx

    component       zenwin
    message      Could not read the status of Windows services (Retrieve Result Data DOS 0xc00001001). Check your username/password settings and verify network connectivity.

    This error is resolved by implementing
    http://support.microsoft.com/kb/907460
    once this is done you get a cleared zenwin wmi connection is up message

    component       zeneventlog
    message      Could not read the Windows event log (ExecNotificationQuery (WBEM_E_ACCESS_DENIED)). Check your username/password settings and verify network connectivity.

    This error is resolved by implementing
    http://support.microsoft.com/kb/323076
    once this is done you get a cleared zeneventlog wmi connection is up message

    I also got these two, do you know what int argument the error is referring to?
    component       zeneventlog
    message      Could not read the Windows event log (int() argument must be a string or a number). Check your username/password settings and verify network connectivity.
    component       zenwin
    message      Could not read the status of Windows services (int argument required). Check your username/password settings and verify network connectivity.


    again any help you can provide is greatly appreciated.
  • alzoo Rank: White Belt 74 posts since
    May 11, 2009
    9. May 14, 2009 11:41 AM (in response to alzoo)
    (ExecNotificationQuery (WBEM_E_ACCESS_DENIED))
    sort of answering my own questions...

    anyway it seems like you need to add permissions to each log, application, system, internet explorer, directory services, windows power shell, the list goes on. if you miss one you'll get the error

     

     

    component zeneventlog
    message Could not read the Windows event log (ExecNotificationQuery (WBEM_E_ACCESS_DENIED)). Check your username/password settings and verify network connectivity.



    it also looks like you must specify the domain user SID, I've tried it with a group and it doesn't seem to work - not that the KB mentions it....

    Also the below errors are due to the SDDL not being in hex, the security log SDDL uses ACE characters similar to KB 907460

     

     

    component zeneventlog
    message Could not read the Windows event log (int() argument must be a string or a number). Check your username/password settings and verify network connectivity.

    component zenwin
    message Could not read the status of Windows services (int argument required). Check your username/password settings and verify network connectivity.



    I'm still not out of the woods as some servers are fine and receive the clear alert, some continue to get one or the other or both, trying to sort this out on a DC or W2K8 adds to the problem.

    Would love your thoughts or comments on the matter.
    Ta
  • alzoo Rank: White Belt 74 posts since
    May 11, 2009
    10. Jun 23, 2009 11:13 AM (in response to alzoo)
    RE: (ExecNotificationQuery (WBEM_E_ACCESS_DENIED))
    I'd love it if one of the Zenoss Community Managers would be able to help out with this response...

    Many thanks
  • buzzle74 Newbie 1 posts since
    Aug 3, 2009
    11. Aug 3, 2009 9:37 PM (in response to alzoo)
    RE: (ExecNotificationQuery (WBEM_E_ACCESS_DENIED))
    So judging by the complete lack of response from the community managers, evaluating Zenoss is a complete waste of time. If a guy who obviously has busted a gut trying to get something so fundamental as wmi to work doesn't get a response then there is no point in any of us admins investing time into this software. Obviously unless you're a paying customer you will get no support. It's absurd that you guys cannot resolve this fundamental problem.
  • jmp242 ZenossMaster 4,060 posts since
    Mar 7, 2007
    12. Aug 4, 2009 8:06 AM (in response to buzzle74)
    zenwin "NT_STATUS_NET_WRITE_FAULT"
    I'm not sure what you're looking for here? cgibbons offered advice, but
    yes, you're trying to do something non supported by core. Their docs
    state that core needs an admin account. If you want to use some other
    configuration, then in this case you need to pay for support or figure
    it out yourself, or wait for the community to work it out.

    I can personally attest that in the supported configuration using an
    Admin account on the servers you're monitoring, Core WMI works out of
    the box at least through 2.3.3.
    --
    James Pulver
    Information Technology Area Supervisor
    LEPP Computer Group
    Cornell University



    _______________________________________________
    zenoss-windows mailing list
    zenoss-windows@zenoss.org
    http://lists.zenoss.org/mailman/listinfo/zenoss-windows

  • alzoo Rank: White Belt 74 posts since
    May 11, 2009
    13. Aug 21, 2009 10:49 AM (in response to jmp242)
    missing the point.
    The issue is.
    1. you can't expect Zenoss to configure and design their application to use the admin account in today's modern world. no one in their right mind lets you do that let alone advocate it. why should Zenoss take the easy way out and say just use the admin account. In that case why doesn't everyone just have admin access, it will make everyone's life a whole lot simpler. helpdesk, change the user rights on user Bob to provide access to suchnsuch, no need they're admin.... see my point.

    2. I asked a specific question concerning the error response to a configuration setting. They could at least comment that they don't comment or won't provide any further assistance than give me the wall of silence treatment. And since it's radio silence, I naturally assume it's because I'm not an enterprise client. So either buy the product and support or figure it out on your own. such is life.
  • cgibbons Rank: White Belt 60 posts since
    Apr 9, 2008
    14. Aug 24, 2009 10:44 AM (in response to alzoo)
    RE: missing the point.
    alzoo,

    I'm on my support rotation starting next week, so if you'd like we can do a little bit of troubleshooting on IRC and maybe figure out what's going on.

    At this point you have dug deeper than I have on getting this to work, so I'm not quite sure what you're running into that's preventing it from working.