Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SqlSetup: Add documentation around how to use built-in account #1230

Closed
johlju opened this issue Sep 21, 2018 · 8 comments · Fixed by #1576
Closed

SqlSetup: Add documentation around how to use built-in account #1230

johlju opened this issue Sep 21, 2018 · 8 comments · Fixed by #1576
Labels
documentation The issue is related to documentation only.

Comments

@johlju
Copy link
Member

johlju commented Sep 21, 2018

Details of the scenario you tried and the problem that is occurring

To use built-in accounts a password must be provided in the credential properties, e.g. SQLSvcAccount. That password can be any string as the password is ignored by the resource when it sees a built-in account, e.g. 'NT AUTHORITY\NetworkService'.

Verbose logs showing the problem

n/a

Suggested solution to the issue

Add information around this into the documentation of the SqlSetup resource.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

n/a

SQL Server edition and version the target node is running

Any

SQL Server PowerShell modules present on the target node

Any

The operating system the target node is running

Any

Version and build of PowerShell the target node is running

Any

Version of the DSC module that was used ('dev' if using current dev branch)

Dev

@johlju johlju added help wanted The issue is up for grabs for anyone in the community. documentation The issue is related to documentation only. labels Sep 21, 2018
@kungfoome
Copy link

This would be useful for group service account as well. But this also begs the question, is there any reason we can't just pass it a string as well?

@johlju
Copy link
Member Author

johlju commented Mar 6, 2019

It can’t be a string because if the account used actually have a password, for example a domain account, then the password should be encrypted, that’s why it needs to be a PSCredential object.

@kungfoome
Copy link

@johlju I get that. Not suggesting to get rid of that, but I was thinking more along the lines of using CredentialAttribute, but I'm not sure it makes it any less complicated thinking about it. I'll have to do a few tests of mine own to see

@cnilak
Copy link

cnilak commented Oct 8, 2019

Is there an example to use gMsa?

@johlju
Copy link
Member Author

johlju commented Nov 2, 2019

@cnilak I don't think so. If you do install using gMSA please sen in an example. It would be much appreciated.

@rdeheld
Copy link

rdeheld commented Nov 6, 2019

I would also like a solution for this, Isnt this possible by just passing the credential it as a string?

@kungfoome
Copy link

@rdeheld @cnilak I'll try to post example later. Hopefully I can't remember. But it's really just creating a credential, but make sure you add '$' at the end and the password can be anything

@johlju johlju added in progress The issue is being actively worked on by someone. and removed help wanted The issue is up for grabs for anyone in the community. labels Jun 26, 2020
johlju added a commit that referenced this issue Jul 1, 2020
- SqlServerDsc
  - Remove the file `.github/CONTRIBUTION.md` as it no longer filled any
    purpose as GitHub will find the CONTRIBUTION.md in the root folder
    directly now (issue #1227).
  - The documentation in CONTRIBUTING.md has been somewhat updated.
  - Update documentation around design pattern for accounts that does not
    use passwords (issue #378)
    and (issue #1230).
  - Updating the Integration Test README.md to better explain what the
    integration tests for SqlSetup, SqlRSSetup, and SqlRS does (issue #1315).
- SqlAGReplica
  - Update documentation with a requirement for SqlServer in certain circumstances
    (issue #1033).
- SqlRSSetup
  - There was a typo in the error message that was thrown when not passing
    either the `Edition` or `ProductKey` that could be misleading (issue #1386).
  - Updated the parameter descriptions for the parameters `Edition` and
    `ProductKey` that they are mutually exclusive (issue #1386).
@johlju johlju removed the in progress The issue is being actively worked on by someone. label Jul 1, 2020
@WobblyDave
Copy link

WobblyDave commented Nov 15, 2021

You still have to pass a password - even if it is a fake one. I am using the SqlServiceAccount DSC resource & after many hours of head scratching I found a post where gMSA credential is passed with the dollar sign and a fake password.

Generate a fake password string to prevent NULL password errors during execution

        $password = ('temppassword' | ConvertTo-SecureString -AsPlainText -Force)

         # Create PSCredential objects for use in SQLServiceAccount resource
         $gmsaSqlServiceCred = new-object -typename System.Management.Automation.PSCredential -argumentlist $SqlSvcAccount,$password

I then passed the PSCredential object into the resource.

SqlServiceAccount SetSQLServiceAccountgMSA{

             ServerName           = $Node.ServerName
             InstanceName         = $Node.InstanceName
             ServiceType          = 'DatabaseEngine'
             ServiceAccount       = $gmsaSqlServiceCred
             RestartService       = $true
             PsDscRunAsCredential = $SQLInstallCredential
         }

you cannot just pass the object as a string because it errors out & you cannot create a PSCredential without a password. All a bit counter intuitive.

http://ryannielsen.org/2020/06/desired-state-configuration-sql-always-on-deployment/

Please note that I have already include the domain in the service account string & just appended a dollar sign to it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation The issue is related to documentation only.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants