Details
-
Bug
-
Status: Resolved
-
Normal
-
Resolution: Fixed
-
PUP 6.4.3
-
Chrome
-
Monolithic
-
CentOS 7
-
Night's Watch
-
5
-
PR - Triage, NW - 2019-11-13, 2019-11-27, 2019-12-11
-
Needs Assessment
-
Bug Fix
-
Puppet no longer checks for domain users or groups when managing local resources on Windows. This fixes a local user management issue where an Active Directory account existed with the same name as the local user.
-
Needs Assessment
Description
Puppet Version: 6.4.3 (PE Agent from PE 2019.1.1)
Puppet Server Version: PE 2019.1.1
OS Name/Version: Tested against Windows 2016
Behavior of the user resource goes wonky when an AD account exists that has the same name as the local user account you’re trying to manage on a Windows server that is domain-joined.
Desired Behavior:
Enforcing configuration of local user accounts on Windows domain-member servers works normally.
Actual Behavior:
When a user account exists locally on a member server, and a user account with the same name also exists in the Active Directory domain, this happens when setting `ensure=>absent` on that local user account:
- The first puppet run, the local user account is detected, and removed
- The second puppet run, the provider seems to detect the domain user account, and tries to delete the account again (from the local user database), which fails with this error:
Could not set 'absent' on ensure: (in OLE method `Delete': )
OLE error code:800708AD in Active Directory
The user name could not be found.
HRESULT error code:0x80020009
Exception occurred. (file: /etc/puppetlabs/code/environments/development/site-modules/profile/manifests/base.pp, line: 98)
Wrapped exception:
(in OLE method `Delete': )
OLE error code:800708AD in Active Directory
The user name could not be found.
HRESULT error code:0x80020009
Exception occurred.