Setting http notifications for gotify crashes Crowdsec on Windows Machine
As soon as I uncomment notifications in profiles.yaml to configure http_default gotify notifications I receive the following error. It appears that the plugin broker is going through the .exe files in C:\ProgramData\CrowdSec\plugins\ and getting some kind of permissions error. The crowdsec service is running as Local System. The error goes away if I instead change "Log on as" to a privileged admin account with user name and password. C:\ProgramData\CrowdSec\plugins\ file permissions include SYSTEM - Full Control.
level=debug msg="current owner is S-1-5-18 (S-1-5-18) (defaulted: false)"
level=debug msg="current group is nil (defaulted: false), using builtin admin instead"
level=debug msg="current group is S-1-5-32-544 (S-1-5-32-544) (defaulted: false)"
level=debug msg="starting router, logging to C:\ProgramData\CrowdSec\log\crowdsec_api.log"
level=info msg="initiating plugin broker"
level=debug msg="starting FlushAgentsAndBouncers"
level=debug msg="checking permissions of C:\ProgramData\CrowdSec\plugins\notification-email.exe\n"
level=info msg="CrowdSec service stopped"
level=fatal msg="api server init: plugin broker: loading plugin: while looking up current user sid: No mapping between account names and security IDs was done."
Using the following solution did not work for me.
plugin_config:
  user: crowdsec
  group: crowdsec
As seen here: https://github.com/crowdsecurity/crowdsec/issues/3562
This also did not work:
plugin_config:
  user: 'machine1\User1'
  group: 'Administrators'
These are the current \plugins\ permissions:
icacls 'C:\ProgramData\CrowdSec\plugins\notification-email.exe'
C:\ProgramData\CrowdSec\plugins\notification-email.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                       BUILTIN\Administrators:(I)(F)
                                                       BUILTIN\Users:(I)(RX)
Testing with cscli notifications test http_default correctly sends the test notification to gotify as expected.
GitHub
Cannot start CrowdSec with (notification) plugins in a non-root con...
What happened? When using a non-root user (and (probably WLOG) in my case user namespace remapping) with the container, notification plugins don't work. crowdsec | time="2025-04-05T20:08:0...
SERVICE_NAME: CrowdSec
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\CrowdSec\crowdsec.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Crowdsec
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
This is almost certainly the issue I think
"current group is nil (defaulted: false), using builtin admin instead"
which is causing the SID mapping error.
I tried to run the plugin_config: as a different user but either my syntax is wrong or it's not solving the problem. How do I change the user and group for the crowdsec service itself in the config.yaml file, and would this possibly solve the issue?
Any ideas? I created a local non-admin account with Program Data\Crowdsec\ permissions but it caused more problems.
I'm not sure the group error is related (or more exactly, it might be the same root cause, but I don't think it's something coming from crowdsec).
The lookup that fails is for the user that is currently running crowdsec.
I'm a bit surprised it fails in that way, we are just calling a standard Windows API with the username (which should be the local system user by default).
Is your Windows server in a domain or has any special config?
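
A way to check the name-to-SID lookup discussed above outside of CrowdSec, added here as an example and not part of the thread or of CrowdSec's code. It uses the .NET account translation classes, which may not be the same API CrowdSec calls; the function name Test-AccountSidMapping is hypothetical.

```powershell
# Added diagnostic sketch; not CrowdSec code. Run it in the same security
# context as the service (LocalSystem in this thread) for a meaningful result.

function Test-AccountSidMapping {
    param(
        # Account name to resolve; defaults to the identity running the script.
        [string]$AccountName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    )
    $result = [ordered]@{ AccountName = $AccountName; Sid = $null; RoundTrip = $null; Error = $null }
    try {
        # Name -> SID: the direction the fatal log line complains about.
        $account = New-Object System.Security.Principal.NTAccount($AccountName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        $result.Sid = $sid.Value
        # SID -> name: confirms the mapping resolves in both directions.
        $result.RoundTrip = $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        # An unresolvable name ends up here; keep the innermost message.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    [pscustomobject]$result
}

# 1. Identity taken from the access token. The SID is read from the token
#    itself, so it does not depend on name resolution working.
$current = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Token name: {0}   Token SID: {1}" -f $current.Name, $current.User.Value

# 2. Resolve that same name back to a SID and compare with the token SID.
$check = Test-AccountSidMapping -AccountName $current.Name
$check | Format-List
if ($check.Error) {
    "Name lookup failed for the current identity: $($check.Error)"
} elseif ($check.Sid -ne $current.User.Value) {
    "Name resolves to $($check.Sid), which differs from the token SID."
} else {
    "Name and token SID agree."
}

# 3. The two SIDs from the debug log (owner S-1-5-18, group S-1-5-32-544).
foreach ($value in 'S-1-5-18', 'S-1-5-32-544') {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($value)
    try   { "{0} -> {1}" -f $value, $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { "{0} -> not resolvable: {1}" -f $value, $_.Exception.GetBaseException().Message }
}
```

If step 2 fails under LocalSystem but succeeds under the admin account that made the error go away, the problem lies in account name resolution on the host rather than in the plugin file permissions.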