[BUG] Windows CRC pre-create error primary domain failed #771

loitho · 2019-10-24T12:33:58Z

General information

OS: Windows
Hypervisor: Hyper-V
Did you run crc setup before starting it (Yes)?

CRC version

# Put `crc version` output here
version: 1.0.0-rc.0+34371d3
OpenShift version: 4.2.0-0.nightly-2019-09-26-192831 (embedded in binary)

CRC status

# Put `crc status` output here
ERRO Error occurred: Machine "crc" does not exist. Use "crc start" to add a new one.

CRC config

# Put `crc config view` output here
- skip-check-hyperv-installed           : true
- skip-check-user-in-hyperv-group       : true
- warn-check-user-in-hyperv-group       : false

Host Operating System

# Put the output of `systeminfo` in case of Windows
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.16299 N/A Build 16299

Steps to reproduce

Download and unzip
run crc setup
run crc start in the computer in the domain

Expected

Everything ok

Actual

Error about "primary domain failed"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive @([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("S-1-5-32-578")
(crc) DBG | [stderr =====>] : Exception calling "IsInRole" with "1" argument(s): "The trust relationship between this workstation and the primary domain failed."

My user is in the correct group to access Hyper-V,
My computer is in an AD domain, and the user in the HyperV group is my AD user. I can run hyperv commands.

I think it's a problem with the powershell command as this works :

$sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-578')
([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole($sid)

Same problem as this issue with minishift :
minishift/minishift#2047

Logs

C:\D\crc-windows-amd64\crc-windows-1.0.0-rc.0-amd64>crc start --log-level debug
DEBU Error checking if a new version is available: Get https://mirror.openshift.com/pub/openshift-v4/clients/crc/latest/release-info.json: dial tcp: lookup mirror.openshift.com: no such host
INFO Checking if running as normal user
INFO Checking if oc binary is cached
DEBU oc binary already cached
INFO Check Windows 10 release
INFO Hyper-V installed and operational
WARN Skipping above check ...
INFO Is user a member of the Hyper-V Administrators group
WARN Skipping above check ...
INFO Does the Hyper-V virtual switch exist
Checking file: C:\Users\therbin\.crc\machines\crc\.crc-exist
? Image pull secret [? for help] ****************************

INFO Loading bundle: crc_hyperv_4.2.0-0.nightly-2019-09-26-192831.crcbundle ...
WARN Bundle certificates are going to expire in 3 days, better to use new release
INFO Creating CodeReady Containers VM for OpenShift 4.2.0-0.nightly-2019-09-26-192831...
Found binary path at crc.exe
Launching plugin server for driver hyperv
Plugin server listening at address 127.0.0.1:56859
() Calling .GetVersion
Using API Version  1
() Calling .SetConfigRaw
() Calling .GetMachineName
(crc) Calling .GetMachineName
(crc) Calling .DriverName
Running pre-create checks...
(crc) Calling .PreCreateCheck
(crc) DBG | [executing ==>] : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive @(Get-Module -ListAvailable hyper-v).Name | Get-Unique
(crc) DBG | [stdout =====>] : Hyper-V
(crc) DBG |
(crc) DBG | [stderr =====>] :
(crc) DBG | [executing ==>] : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive @([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("S-1-5-32-578")
(crc) DBG | [stdout =====>] :
(crc) DBG | [stderr =====>] : Exception calling "IsInRole" with "1" argument(s): "The trust relationship between this workstation and the primary domain failed.
(crc) DBG | "
(crc) DBG | At line:1 char:1
(crc) DBG | + @([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIde ...
(crc) DBG | + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(crc) DBG |     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
(crc) DBG |     + FullyQualifiedErrorId : SystemException
(crc) DBG |
(crc) DBG |
(crc) DBG | exit status 1
(crc) DBG | [executing ==>] : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive @([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
(crc) DBG | [stdout =====>] : False
(crc) DBG |
(crc) DBG | [stderr =====>] :
ERRO Error occurred: Error creating host: Error creating the VM. Error with pre-create check: "Hyper-v commands have to be run as an Administrator"
Making call to close driver server
(crc) Calling .Close
Successfully made call to close driver server
Making call to close connection to plugin binary
(crc) DBG | Closing plugin on server side

You can start crc with crc start --log-level debug to collect logs.
Please consider posting this on http://gist.github.com/ and post the link in the issue.

The text was updated successfully, but these errors were encountered:

anagna · 2019-10-25T15:13:08Z

Hi, I have the same problem.

Looking at hashicorp/packer#5216, it appears that if one would use IsInRole('Hyper-V Administrators') instead of using IsInRole('S-1-5-32-578'), this would bypass the issue..

I tried it on my machine and it works ok: When calling the below powershell command, instead of an error I get a proper "True" response:
powershell.exe -NoProfile -NonInteractive @([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole('Hyper-V Administrators')

cfergeau · 2019-10-25T15:48:28Z

I think we don't use 'Hyper-V Administrators' directly as it might need to be translated on some Windows versions, see crc-org/machine@f748ac13

gbraad · 2019-10-25T18:26:01Z

The fix would be to not rely on type variance, as this seems to fail (PowerShell assums it is a string?), but use $sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-578') and pass the $sid to the role check.

dharmit · 2019-11-12T05:17:30Z

Hi, I think I'm facing similar issue when doing crc start:

PS C:\Users\dshah> crc start
INFO Checking if running as normal user
INFO Checking if oc binary is cached
INFO Check Windows 10 release
INFO Hyper-V installed and operational
INFO Is user a member of the Hyper-V Administrators group
INFO Does the Hyper-V virtual switch exist
? Image pull secret [? for help] ******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************

INFO Loading bundle: crc_hyperv_4.2.2.crcbundle ...
INFO Creating CodeReady Containers VM for OpenShift 4.2.2...
ERRO Error creating host: Error creating the VM: Error with pre-create check: "Hyper-v commands have to be run as an Administrator"

CRC version info:

PS C:\Users\dshah> crc version
crc version: 1.1.0+95966a9
OpenShift version: 4.2.2 (embedded in binary)

gbraad · 2019-11-12T06:20:44Z

ERRO Error creating host: Error creating the VM: Error with pre-create check: "Hyper-v commands have to be run as an Administrator"

can you provide the username and group membership information? Please see if #742 might be the reason?

Please add crc start --log-level debug output also,

dharmit · 2019-11-12T06:38:45Z

can you provide the username and group membership information?

I hope below is the correct command to fetch the requested info:

PS C:\Users\dshah> whoami.exe \all
ERROR: Invalid argument/option - '\all'.
Type "WHOAMI /?" for usage.
PS C:\Users\dshah> whoami.exe /all

USER INFORMATION
----------------

User Name SID
========= ==============================================
win\dshah S-1-5-21-2496811084-580859778-1166941775-12836


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Hyper-V Administrators             Alias            S-1-5-32-578 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

ERROR: Unable to get user claims information.

Please add crc start --log-level debug output also,

PS C:\Users\dshah> crc start --log-level debug
DEBU No new version available. The latest version is 1.1.0
INFO Checking if running as normal user
INFO Checking if oc binary is cached
DEBU oc binary already cached
INFO Check Windows 10 release
INFO Hyper-V installed and operational
INFO Is user a member of the Hyper-V Administrators group
INFO Does the Hyper-V virtual switch exist
Checking file: C:\Users\dshah\.crc\machines\crc\.crc-exist
? Image pull secret [? for help] ******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************

INFO Loading bundle: crc_hyperv_4.2.2.crcbundle ...
INFO Creating CodeReady Containers VM for OpenShift 4.2.2...
Found binary path at C:\bin\crc.exe
Launching plugin server for driver hyperv
Plugin server listening at address 127.0.0.1:51883
() Calling .GetVersion
Using API Version  1
() Calling .SetConfigRaw
() Calling .GetMachineName
(crc) Calling .GetMachineName
(crc) Calling .DriverName
Running pre-create checks...
(crc) Calling .PreCreateCheck
(crc) DBG | [executing ==>] : C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive @(Get-Module -ListAvailable hyper-v).Name | Get-Unique
(crc) DBG | [stdout =====>] : Hyper-V
(crc) DBG |
(crc) DBG | [stderr =====>] :
(crc) DBG | [executing ==>] : C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive @([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("S-1-5-32-578")
(crc) DBG | [stdout =====>] :
(crc) DBG | [stderr =====>] : Exception calling "IsInRole" with "1" argument(s): "The trust relationship between this workstation and the primary domain failed.
(crc) DBG | "
(crc) DBG | At line:1 char:1
(crc) DBG | + @([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIde ...
(crc) DBG | + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(crc) DBG |     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
(crc) DBG |     + FullyQualifiedErrorId : SystemException
(crc) DBG |
(crc) DBG |
(crc) DBG | exit status 1
(crc) DBG | [executing ==>] : C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive @([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
(crc) DBG | [stdout =====>] : False
(crc) DBG |
(crc) DBG | [stderr =====>] :
ERRO Error creating host: Error creating the VM: Error with pre-create check: "Hyper-v commands have to be run as an Administrator"
Making call to close driver server
(crc) Calling .Close
(crc) DBG | Closing plugin on server side
Successfully made call to close driver server
Making call to close connection to plugin binary

gbraad · 2019-11-12T07:27:09Z

Exception calling "IsInRole" with "1" argument(s): "The trust relationship between this workstation and the primary domain failed.

Can you explain more about the setup? Would have to recreate somethimh similar.

At the moment there is a now workaround for this, as it fails inside the libmachine code (no skips are possible).

dharmit · 2019-11-12T07:37:02Z

Can you explain more about the setup? Would have to recreate somethimh similar.

It's a Windows box provided by the IT team at my organization. I have to use some app called "Make Me Admin" to let me have administrator privileges for some time. I'm not sure what other piece of information might help you but I could try to answer any questions you might have. 🙂

anagna · 2019-11-12T16:23:10Z

Hi, as I mentioned above in #771 (comment), I'm also getting exactly the same problem (and the debug output also matches exactly the one from @dharmit). The current version of Windows 10 running on my laptop is 10.0.18362.418. The laptop is joined to a Windows domain, and I am a local administrator on it.

@gbraad: Let me know if there is any other information that I can provide to you in order to recreate / troubleshoot the issue. By the way, from reading various articles on this, it seems that the solution that you mention in your #771 (comment) is what is needed to fix this (i.e. use a temporary variable to store the security identifier).

gbraad · 2019-11-12T16:40:55Z

Dharmit is trying this out at the moment. I will also setup a local environment with a domain joined machine. But have to wait until additional hardware arrives for this... and sinc eit was 11.11 the express services will be delayed here in China.

dharmit · 2019-11-13T04:55:55Z

Pardon my naive question but where am I supposed to execute the command mentioned in #771 (comment)? I opened "Run" and executed the command but the Powershell closed immediately. Next when I opened Powershell by going to Start menu and crc start, I'm back to the same error.

I'm really not comfortable using Windows. So bear with my silly questions, please!

UPDATE: I also start cmd as Administrator and executed the powershell.exe command. Then I started Powershell as normal user and did crc start. Still fails.

anagna · 2019-11-13T10:41:27Z

Hi @dharmit, you just need to open a simple cmd prompt (no need to start it as Administrator) and run the Powershell command exactly as listed.

I'm attaching a screenshot.

dharmit · 2019-11-14T06:04:56Z

Thanks @anagna. Among other things, I did try what you suggested. I did it again and then did crc start --log-level debug in Powershell. I still see the error:

PS C:\Users\dshah> crc start --log-level debug
DEBU No new version available. The latest version is 1.1.0
INFO Checking if running as normal user
WARN Skipping above check ...
INFO Checking if oc binary is cached
DEBU oc binary already cached
INFO Check Windows 10 release
INFO Hyper-V installed and operational
INFO Is user a member of the Hyper-V Administrators group
INFO Does the Hyper-V virtual switch exist
Checking file: C:\Users\dshah\.crc\machines\crc\.crc-exist
? Image pull secret [? for help] ******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************

INFO Loading bundle: crc_hyperv_4.2.2.crcbundle ...
INFO Creating CodeReady Containers VM for OpenShift 4.2.2...
Found binary path at C:\bin\crc.exe
Launching plugin server for driver hyperv
Plugin server listening at address 127.0.0.1:63783
() Calling .GetVersion
Using API Version  1
() Calling .SetConfigRaw
() Calling .GetMachineName
(crc) Calling .GetMachineName
(crc) Calling .DriverName
Running pre-create checks...
(crc) Calling .PreCreateCheck
(crc) DBG | [executing ==>] : C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive @(Get-Module -ListAvailable hyper-v).Name | Get-Unique
(crc) DBG | [stdout =====>] : Hyper-V
(crc) DBG |
(crc) DBG | [stderr =====>] :
(crc) DBG | [executing ==>] : C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive @([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("S-1-5-32-578")
(crc) DBG | [stdout =====>] :
(crc) DBG | [stderr =====>] : Exception calling "IsInRole" with "1" argument(s): "The trust relationship between this workstation and the primary
(crc) DBG | domain failed.
(crc) DBG | "
(crc) DBG | At line:1 char:1
(crc) DBG | + @([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIde ...
(crc) DBG | + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(crc) DBG |     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
(crc) DBG |     + FullyQualifiedErrorId : SystemException
(crc) DBG |
(crc) DBG |
(crc) DBG | exit status 1
(crc) DBG | [executing ==>] : C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive @([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
(crc) DBG | [stdout =====>] : False
(crc) DBG |
(crc) DBG | [stderr =====>] :
ERRO Error creating host: Error creating the VM: Error with pre-create check: "Hyper-v commands have to be run as an Administrator"
Making call to close driver server
(crc) Calling .Close
Successfully made call to close driver server
Making call to close connection to plugin binary
(crc) DBG | Closing plugin on server side

anjannath · 2019-11-14T09:53:26Z

The check is failing in the driver's PreCreateCheck code, so the changes have to be made on that side and tested with crc.
https://github.com/code-ready/machine/blob/e149ff68f0482ab3377bb59a9590164e2dab1037/drivers/hyperv/powershell.go#L87-L106

anagna · 2019-11-14T16:28:15Z

Yes, @anjannath, that's exactly right. And the change that is needed is described in #771 (comment).

gbraad · 2019-11-14T23:27:13Z

@anjannath can you verify machine-drivers/machine#24 ?

anjannath · 2020-01-03T08:27:26Z

crc-org/machine#30 and machine-drivers/machine#24 are merged, and we have the fix in crc 1.3.0

loitho added the kind/bug Something isn't working label Oct 24, 2019

gbraad self-assigned this Oct 25, 2019

gbraad added the os/windows label Oct 25, 2019

gbraad added this to To do in Sprint 174 Oct 25, 2019

gbraad mentioned this issue Nov 14, 2019

Fix HyperV Administrator check machine-drivers/machine#24

Merged

anjannath closed this as completed Jan 3, 2020

[BUG] Windows CRC pre-create error primary domain failed #771

[BUG] Windows CRC pre-create error primary domain failed #771

loitho commented Oct 24, 2019

anagna commented Oct 25, 2019 •

edited by cfergeau

cfergeau commented Oct 25, 2019

gbraad commented Oct 25, 2019

dharmit commented Nov 12, 2019 •

edited

gbraad commented Nov 12, 2019 •

edited

dharmit commented Nov 12, 2019

gbraad commented Nov 12, 2019

dharmit commented Nov 12, 2019

anagna commented Nov 12, 2019

gbraad commented Nov 12, 2019 via email

dharmit commented Nov 13, 2019 •

edited

anagna commented Nov 13, 2019

dharmit commented Nov 14, 2019

anjannath commented Nov 14, 2019

anagna commented Nov 14, 2019

gbraad commented Nov 14, 2019

anjannath commented Jan 3, 2020

[BUG] Windows CRC pre-create error primary domain failed #771

[BUG] Windows CRC pre-create error primary domain failed #771

Comments

loitho commented Oct 24, 2019

General information

CRC version

CRC status

CRC config

Host Operating System

Steps to reproduce

Expected

Actual

Logs

anagna commented Oct 25, 2019 • edited by cfergeau

cfergeau commented Oct 25, 2019

gbraad commented Oct 25, 2019

dharmit commented Nov 12, 2019 • edited

gbraad commented Nov 12, 2019 • edited

dharmit commented Nov 12, 2019

gbraad commented Nov 12, 2019

dharmit commented Nov 12, 2019

anagna commented Nov 12, 2019

gbraad commented Nov 12, 2019 via email

dharmit commented Nov 13, 2019 • edited

anagna commented Nov 13, 2019

dharmit commented Nov 14, 2019

anjannath commented Nov 14, 2019

anagna commented Nov 14, 2019

gbraad commented Nov 14, 2019

anjannath commented Jan 3, 2020

anagna commented Oct 25, 2019 •

edited by cfergeau

dharmit commented Nov 12, 2019 •

edited

gbraad commented Nov 12, 2019 •

edited

dharmit commented Nov 13, 2019 •

edited