Merge pull request #703 from Icinga:fix/ifw_managed_user_pass_handling

Fix: Icinga for Windows managed user password handling Fixes Icinga for Windows password management for the managed user `icinga`, which could fail in some cases because of ambiguous characters or complexity errors and will now retry up to 10 times before giving up
Icinga · Mar 25, 2024 · ce03447 · ce03447
2 parents f636b98 + 877d236
commit ce03447
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 4 deletions.
diff --git a/doc/100-General/10-Changelog.md b/doc/100-General/10-Changelog.md
@@ -20,6 +20,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 * [#685](https://github.com/Icinga/icinga-powershell-framework/pull/685) Fixes an issue while trying to stop the JEA process in certain cases, which results in an error during installation but has no other effect on the environment
 * [#686](https://github.com/Icinga/icinga-powershell-framework/pull/686) Fixes certutil error handling and message output in case the icingaforwindows.pfx could not be created
 * [#687](https://github.com/Icinga/icinga-powershell-framework/pull/687) Fixes Icinga for Windows port handling on installation, which will now use the proper defined port for communicating with the Icinga CA
+* [#699](https://github.com/Icinga/icinga-powershell-framework/issues/699) Fixes Icinga for Windows password management for the managed user `icinga`, which could fail in some cases because of ambiguous characters or complexity errors and will now retry up to 10 times before giving up
 * [#702](https://github.com/Icinga/icinga-powershell-framework/pull/702) Fixes an issue with Icinga Director Self-Service API, which ignored the defined service user
 
 ### Enhancements

diff --git a/lib/core/windows/Get-IcingaRandomChars.psm1 b/lib/core/windows/Get-IcingaRandomChars.psm1
@@ -2,7 +2,7 @@ function Get-IcingaRandomChars()
 {
     param (
         [int]$Count      = 10,
-        [string]$Symbols = 'abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!§$%&/()=?}][{@#*+'
+        [string]$Symbols = 'abcdefghiklmnoprstuvwxyzABCDEFGHKLMNOPRSTUVWXYZ1234567890!§$%()=?}][{@#*+'
     );
 
     $RandomChars = '';

diff --git a/lib/core/windows/New-IcingaWindowsUser.psm1 b/lib/core/windows/New-IcingaWindowsUser.psm1
@@ -33,17 +33,29 @@ function New-IcingaWindowsUser()
 
         # User already exist -> override password - but only if the user is entirely managed by Icinga
         if ($UserConfig.IcingaManagedUser) {
-            $Result = Start-IcingaProcess -Executable 'net' -Arguments ([string]::Format('user "{0}" "{1}"', $IcingaUser, (ConvertFrom-IcingaSecureString -SecureString (New-IcingaWindowsUserPassword))));
+            # In case the password set fails, we need to try again
+            [int]$Attempts = 0;
+            [bool]$Success = $FALSE;
 
-            if ($Result.ExitCode -ne 0) {
+            while ($Attempts -lt 10) {
+                $Result = Start-IcingaProcess -Executable 'net' -Arguments ([string]::Format('user "{0}" "{1}"', $IcingaUser, (ConvertFrom-IcingaSecureString -SecureString (New-IcingaWindowsUserPassword))));
+
+                if ($Result.ExitCode -eq 0) {
+                    $Success = $TRUE;
+                    break;
+                }
+
+                $Attempts += 1;
+            }
+
+            if ($Success -eq $FALSE) {
                 Write-IcingaConsoleError 'Failed to update password for user "{0}": {1}' -Objects $IcingaUser, $Result.Error;
 
                 return @{
                     'User' = $UserConfig.Caption;
                     'SID'  = $UserConfig.SID;
                 };
             }
-
             Write-IcingaConsoleNotice 'User updated successfully.';
         } else {
             Write-IcingaConsoleWarning 'User "{0}" is not managed by Icinga for Windows. No changes were made.' -Objects $IcingaUser;