Install non-root Windows agents
To configure a Windows agent node to run without root privileges, a root user must install the agent, configure non-root access to the primary server, and set up non-root users on the primary server and relevant agent nodes.
Before you begin:
Install the agent on each node you want to operate without root privileges. You can install agents with the install script, install agents from the console, or use one of the other methods to install Windows agents.
Unless specified otherwise, perform these steps as an administrator.
- Log in to the agent node, open a command prompt as an administrator, and run this command to add the non-root user:
puppet resource user <UNIQUE_NON-ADMIN_USERNAME> ensure=present managehome=true password="<PASSWORD>" groups="<EXISTING_GROUP>"
Each non-root user must have a unique name.
- Because the puppet service runs as an administrator by default, you must disable it. To stop the puppet service, open a command prompt as an administrator and run:
puppet resource service puppet ensure=stopped enable=false
- Switch to the non-root user and run this command to generate a CSR:
puppet agent -t --certname "<UNIQUE_NON-ADMIN_USERNAME.hostname>" --server "<PRIMARY_HOSTNAME>"
Make sure to format the certname string correctly by combining the non-root user's username and the hostname with a period between them. This Puppet run submits a CSR to the primary server and creates a .puppet directory structure in the non-root user's home directory. If this directory is not created automatically, you must create it manually before continuing.
- As the non-root user, create a puppet.conf file in the .puppet directory (at %USERPROFILE%/.puppet/). Edit the puppet.conf file and specify the agent certname and the primary server's hostname. For example:
[main]
certname = <UNIQUE_NON-ADMIN_USERNAME.hostname>
server = <PRIMARY_HOSTNAME>
- As the non-root user, run puppet agent -t to submit a CSR.
- On the primary server or in the PE console, approve the CSR.
It's possible to sign the root user certificate to allow the non-admin user to also manage the node; however, this is a security concern because it opens the door to unwanted behavior. For example, if your site.pp has no default node configuration and a non-admin user runs the agent, unwanted node definitions could be generated with alternative hostnames, which is a potential security issue. If you elect to allow non-admin users to also manage nodes, take precautions such as having clear node definitions, correctly scoping classes, and ensuring that root and non-root users never try to manage the same resources.
- On the agent node, as the non-root user, run:
puppet agent -t
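As an added check that is not part of the original instructions, the following PowerShell script verifies, from the non-root user's session, the state the steps above should leave behind: the puppet service stopped and disabled, a per-user puppet.conf under %USERPROFILE%\.puppet, and a certname of the form username.hostname together with a server entry. The function name is this example's own, and it assumes the hostname part of the certname is the machine's computer name; it only reports, it changes nothing.

```powershell
# Added verification script (not from the Puppet docs). Run it as the non-root
# user after completing the procedure. It reports every mismatch it finds and
# makes no changes. The function name is this example's own.
function Test-NonRootPuppetAgent {
    param(
        [string]$ConfPath = (Join-Path $env:USERPROFILE '.puppet\puppet.conf'),
        [string]$Hostname = $env:COMPUTERNAME   # assumption: certname uses the computer name
    )
    $problems = @()

    # 1. The system-wide puppet service (runs as an administrator) must be stopped and disabled.
    $svc = Get-Service -Name 'puppet' -ErrorAction SilentlyContinue
    if ($svc) {
        if ($svc.Status -ne 'Stopped')      { $problems += "puppet service is $($svc.Status); expected Stopped" }
        if ($svc.StartType -ne 'Disabled')  { $problems += "puppet service start type is $($svc.StartType); expected Disabled" }
    } else {
        $problems += 'puppet service not found; is the agent installed?'
    }

    # 2. The non-root user's own puppet.conf must exist in %USERPROFILE%\.puppet.
    if (-not (Test-Path -LiteralPath $ConfPath)) {
        $problems += "missing $ConfPath"
        return $problems
    }

    # 3. Read "key = value" lines from any section of puppet.conf, skipping comments.
    $settings = @{}
    foreach ($line in Get-Content -LiteralPath $ConfPath) {
        if ($line -match '^\s*([A-Za-z_]+)\s*=\s*(.+?)\s*$') { $settings[$matches[1]] = $matches[2] }
    }

    # certname must be "<username>.<hostname>"; -ne is case-insensitive in PowerShell.
    $expected = "$($env:USERNAME).$Hostname"
    if (-not $settings.ContainsKey('certname')) {
        $problems += 'certname not set in puppet.conf'
    } elseif ($settings['certname'] -ne $expected) {
        $problems += "certname is '$($settings['certname'])'; expected '$expected' (username.hostname)"
    }
    if (-not $settings.ContainsKey('server') -or [string]::IsNullOrWhiteSpace($settings['server'])) {
        $problems += 'server not set in puppet.conf'
    }
    return $problems
}

$result = @(Test-NonRootPuppetAgent)
if ($result.Count -eq 0) { 'OK: non-root agent configuration looks consistent' } else { $result }
```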
Results
The configuration specified in the catalog is applied to the node.