I've been using the docker on windows for teaching and students use active directory to login to the non-admin users on the computers.
The issue is, I've pulled images in advance with the admin account, but when they run docker, it was nothing there.
Does anyone else has similar experience? I am thinking if this is because every user creates their own image folder when they run docker.
This might be due to your local user in not added in the docker group and give the delegated control to read and write permission for other users.
Run Computer Management as an administrator and navigate to Local Users and Groups > Groups > docker-users. Right-click to add the user to the group. Log out and log back in for the changes to take effect.
You can refer this Discussion how to allow access to active directory user to access the docker
Related
Current State: I have implemented project based roles strategy (also called the item roles) and have the appropriate project folder level regex etc set up. And I have verified the regexes and other permissions work fine for most logged in users, except the below scenarios I am running into.
Plugin Version: 3.2
Jenkins Version: 2.263.4
Jenkins Authentication Provider: LDAP Connecting to Active Directory
Example regex(es): for project role dev = ^ABC\-DEF\/DEV\/.*
Issue: Certain users are only having issues while going through the project role based authorization plugin where they are not able to see the option to run builds or job configurations. While the same configurations work for a couple of other user who have the same permissions.
Example:
Users - adm-XXXX and adm-YYYY and a few more all starting with the prefix of adm- are not able to get the roles for the configure and run builds on the jobs based on the above regex.
While Users - adm-zzzz and others are able to get the same roles using the same permission matrix.
The issue is very inconsistent as some days it would work, and even the same configurations when I tested in another Jenkins instance it worked for the user - adm-XXXX so I am at a loss on how to debug why it does not work for a few users consistently. I can understand if it is a configuration issue it should not work for all users having the same role.
Are there any tips on enabling some extra debug to troubleshoot this since there are literally a couple of loggers in the code of the plugin.
Appreciate the help here from any one knowledegable.
I have same issue, where associating an LDAP/AD user to a local global role or item/project role with build and configure permissions enabled does not enable this permission in the project itself. The option to build and configure is not available.
The only way I got around this was to add the users into AD groups and associating the AD Group to a role with required permissions.
Enabling the exact same permissions on the AD group role that I had on the local role, enabled the build and configure option in the projects.
I am not sure if this is a bug, an AD integration issue that you cannot mix/match local and AD roles or I am missing some option or if anyone has managed to get around this anomoly - but this workaournd seems to overcome this.
I am creating a build envirnoment and freshly installed jenkins with ActiveDirectory/LDAP auth.
We will have external users which should not be able to login to our domain computers but they should have access to jenkins/jira/... in order to develop with us (perhaps vpn for accessing some dev backends).
So for these users in active directory I set a dummy host they are able to logon (which means no computer at all). Jira/Confluence and dav_svn have no problem with this but it seems jenkins checks this property and refuses the access.
Can anybody tell me what "host" I have to put in there so that jenkins accepts a logon of these users? Or if I have to set a hidden config value in jenkins?
The users to accept are all in a special developer group. If I could simply pass the name of the group but even this does not help (matrix based): the user cannot login.
Thanks ver much!
Aurel
I need to copy some files to Program files folder using Delphi. I know it can simply do with CopyFile() function easily if that user have access to program files folder. But if that user has no access to program files I need to do it with a specific user (some function can pass parameters of user and password and copy files ). How can I do this?
As far as I know you can't without starting a new process with elevated rights.
So you should either create a second app which does the copying and start that with elevated rights or restart your own app with elevated rights.
How to do that is shown in many places in stackoverflow, e.g. here:
use shell execute to run cmd as Admin.
I am creating an msi-package of a Windows service using Wix. I want to run the service under a regular user account without administrative priviliges. For better security I want to put the files of the service in the personal user folders (such as AppData\Local\Programs\CompanyName... for binaries and AppData\Local\CompanyName... for config and data files) with the appropriate file access permissions for the user. I imagine the following scenario:
Start the msi in the per-machine context.
During the client stage of the installation ask for the user name and password.
During the server stage of the installation:
a) create the user
b) change to its context and install the program files to ProgramFilesFolder and the data files to LocalAppDataFolder
c) change back to the admin context and install and configure the service to be run under the user account
I am stuck at the step 3 b) as from what I've learned I can't change the installation context after switching to the server side of the installation. Please could you advice me on how I could achive my goal described in the first lines. In particular if I have to copy files to another user's personal folders, what would be the most reliable way to get their paths? Or maybe I am wrong and installing a service into a personal user folder is bad practice at all?
I am aware of the presence of the built-in Local Service account but would like to narrow the service context even more.
The local appdata folder is the problem. If you create a user account the user folders aren't created until the user does an interactive login, and even then in some environments it may be redirected via policy. I am unaware of any reason that local data is better (in a security sense) then the ProgramFiles folder, which is write-restricted to administrators. I'd just install the service binaries to ProgramFiles. In the UI you can collect credentials and use them when the service is installed. A problem with using external credentials is that things like Repair and sometimes patching will fail unless you have the credentials available, having saved them somewhere safe, because otherwise the property values you use will be empty on repair. If localservice works then use it.
It normally doesn't matter what privileges a service has because it usually knows what it's doing. It's only an issue if it calls unknown external code that may try to do something bad, or if it gets asked to do random things such as "run this program" or "copy this file" without doing any internal validation or having a whitelist of what it's allowed to do. So it might be useful to know if there's a specific problem you're trying to address or just following good practices.
I don't think you're being overcautious, service isolation is definitely a good goal. If you can require Win7/2008R2 or later, then you can run the service under a virtual account. There is no password required for virtual accounts, and they don't have the ability to completely wreck the machine like SYSTEM does. You should be able to use it like this:
<ServiceInstall Account="NT SERVICE\$(var.ServiceName)" Name="$(var.ServiceName)".../>
It's actually better for the service executables to be in Program Files, that way the service can't modify its own exe.
I've created a trusted build by linking with my github account and the build process completed normally. However I can't find the image in the index page, nor with docker search.
The documentation reads:
You can search all publicly active repositories. If your repository isn't publicly active then it will not show up in the search results. To see what your repository status is, you can look at your profile page
When I go to this page I see that my repository status is "Initialized|Public|Owner", not "Active|Public|Owner". However I couldn't find how to make this "active".
How do I "fix" this?
(I have another image, which I pushed and which I can access normally, so I think that my account is configured correctly.)
When you run into problems with the Index or any of our services, please file at ticket with support#docker.com or https://docker.zendesk.com and we can help you out. For help with Docker itself, Stack Overflow is a great option (as is IRC on Freenode's #docker).
-- Andy Rothfusz
Docker Support