Hi All,
If you run a foreman proxy accessing Microsoft's DHCP, what sort of user
account do you run the service as?
Do I need to run the ms-dhcp proxy on the DHCP server? The documentation
seems to indicate I don't, but my current installation doesn't seem to have
permission to access the external DHCP server.
From my proxy.log the command being run is:
c:\windows\system32\cmd.exe /c c:\Windows\System32\netsh.exe -c dhcp server 172.16.1.2 show scope
If I run that command in a normal user shell I get a message about elevated
privileges being required. If I run that command in an administrator
shell, I get "Access Denied".
Does anyone have any insight to this? If I run the proxy on a separate
windows host, does the DHCP server need to trust the remote proxy host's
local admin or localsystem account?
Thanks
···
I'm getting a little further - I did indeed need a domain account that had
access to change DHCP settings.
I added a line to native_ms.rb to show the response I was getting:
logger.debug "response: #{response}"
which now gives me:
executing: c:\windows\system32\cmd.exe /c c:\windows\system32\netsh.exe -c dhcp server 172.16.1.2 show scope
response: ["The following command was not found: server 172.16.1.2 show scope"]
So it looks like somehow the dhcp part isn't recognizing the "server
172.16.1.2" portion.
Which is weird because from the same shell (elevated admin privileges,
running as my domain user) I can run that command just fine.
I'll dig further into what is going on.
···
On Sunday, September 28, 2014 1:37:36 PM UTC-4, Anthony Clark wrote:
>
> Hi All,
>
> If you run a foreman proxy accessing Microsoft's DHCP, what sort of user
> account do you run the service as?
>
> Do I need to run the ms-dhcp proxy on the DHCP server? The documentation
> seems to indicate I don't, but my current installation doesn't seem to have
> permission to access the external DHCP server.
>
> From my proxy.log the command being run is:
>
> c:\windows\system32\cmd.exe /c c:\Windows\System32\netsh.exe -c dhcp
> server 172.16.1.2 show scope
>
> If I run that command in a normal user shell I get a message about
> elevated privileges being required. If I run that command in an
> administrator shell, I get "Access Denied".
>
> Does anyone have any insight to this? If I run the proxy on a separate
> windows host, does the DHCP server need to trust the remote proxy host's
> local admin or localsystem account?
>
> Thanks
>
Hi,
You have to run MS-DHCP smart proxy under an AD domain account which is a
member of the DHCP Administrators group (true for Windows 2008 R2 and I
believe for 2012)
I use the runas.exe command to start the proxy process - I do not run it as a
Windows service. It works fine however.
runas /user:DOMAIN\svcForemanProxy /savecred "C:\Ruby187\bin\ruby.exe C:\ForemanProxy160\bin\smart-proxy"
Evgeny
···
Hi Anthony,
You have to install "DHCP Support Tools" - by default Windows netsh.exe
does not have the "server" option.
See the links below for how to do that.
- GUI way - http://casualit.wordpress.com/2012/11/17/where-are-the-server-2008-support-tools/
- CLI way - http://technet.microsoft.com/en-us/library/cc731774.aspx
Evgeny
···
Also, the MS-DHCP proxy AD account should have at least the below NTFS
permissions:
- Read/List/Execute to the proxy folder - i.e. C:\ForemanProxy160
- Write to the proxy's log folder - i.e. C:\ForemanProxy160\log
Evgeny
···
On Monday, September 29, 2014 10:00:06 AM UTC-7, Evgeny Vasilchenko wrote:
>
> Hi,
>
> You have to run MS-DHCP smart proxy under an *AD domain account* which is a
> member of the *DHCP Administrators group* (true for Windows 2008 R2 and I
> believe for 2012)
>
> I use the runas.exe command to start the proxy process - I do not run it as a
> Windows service. It works fine however.
>
> *runas /user:DOMAIN\svcForemanProxy /savecred "C:\Ruby187\bin\ruby.exe C:\ForemanProxy160\bin\smart-proxy"*
>
> Evgeny
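The failure messages reported in this thread point to different causes. As an added example (not smart-proxy code and not written by any poster), this Ruby script pairs each netsh call in a proxy.log excerpt with its response and names the likely cause from the replies above. The sample log is constructed; the Logger line prefix and the pattern for the elevation message are assumptions.

```ruby
# Added example, not smart-proxy code. Response fragment => [cause, fix];
# the "elevat" pattern is an assumption (the thread does not quote that message).
CAUSES = {
  /command was not found/i => [:dhcp_tools_missing,
    "install the DHCP tools so netsh gains the dhcp 'server' context"],
  /access (is )?denied/i => [:account_lacks_dhcp_rights,
    "run the proxy as a domain account in the DHCP Administrators group"],
  /elevat/i => [:not_elevated, "start the proxy from an elevated session"]
}.freeze
# Collect {command:, response:} pairs. Wrapped continuation lines are joined;
# a blank line or any other Logger-prefixed line ends the current field.
def parse_exchanges(log_text)
  exchanges = []
  field = nil
  log_text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\bexecuting: (.*)/))
      exchanges << { command: m[1], response: +"" }
      field = :command
    elsif (m = line.match(/\bresponse: (.*)/)) && exchanges.any?
      exchanges.last[:response] << m[1]
      field = :response
    elsif line.empty? || line.match?(/\A[A-Z], \[/)
      field = nil
    elsif field
      exchanges.last[field] << " " << line
    end
  end
  exchanges
end

# Name the first known cause found in an exchange's response text.
def diagnose(exchange)
  cause, fix = CAUSES.find { |pattern, _| exchange[:response] =~ pattern }&.last
  { command: exchange[:command], cause: cause || :no_known_error, fix: fix }
end

# Constructed sample: the first pair is wrapped as quoted in the thread; the
# second uses Ruby Logger's default line prefix with placeholder fields.
SAMPLE_LOG = <<~'LOG'
  executing: c:\windows\system32\cmd.exe /c c:\windows\system32\netsh.exe -c
  dhcp server 172.16.1.2 show scope
  response: ["The following command was not found: server 172.16.1.2 show
  scope"]
  D, [TIMESTAMP #PID] DEBUG -- : executing: c:\windows\system32\netsh.exe -c dhcp server 172.16.1.2 show scope
  D, [TIMESTAMP #PID] DEBUG -- : response: ["Access Denied"]
  D, [TIMESTAMP #PID] DEBUG -- : unrelated entry, not part of the response
LOG
parse_exchanges(SAMPLE_LOG).each { |e| p diagnose(e) }
```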