Details
-
Bug
-
Status: Resolved
-
Medium
-
Resolution: Fixed
-
None
-
None
-
Night's Watch
-
3
-
NW - 2020-01-22
-
Needs Assessment
-
Bug Fix
-
-
Needs Assessment
Description
Puppet Version: 6.3.0
Puppet Server Version: N/A (happens with puppet apply)
OS Name/Version: Windows Server 2012 R2 (and I believe other Windows OS')
When using the below user resource declaration on a domain joined computer that also has a user called 'test_user' in the domain an error is thrown and the user is not created.
user { 'test_user':
ensure => present,
comment => 'Test user',
password => 'user_pass',
groups => ['Administrators'],
}
The name of the user to be created, whether noop is on/off and whether using puppet apply or puppet agent do not matter.
Desired Behavior:
A local user with the same name is created on the computer using the attributes specified.
Actual Behavior:
The following output is produced:
Notice: Compiled catalog for member.domain.com in environment production in 0.02 seconds
Error: /Stage[main]/Main/User[test_user]: Could not evaluate: ADSI connection error: failed to parse display name of moniker `WinNT://./test_user,user'
HRESULT error code:0x800708ad
The user name could not be found.
Wrapped exception:
failed to parse display name of moniker `WinNT://./test_user,user'
HRESULT error code:0x800708ad
The user name could not be found.
Notice: Applied catalog in 0.04 seconds
Partial workaround:
If we change the manifest to the one shown below then the user is created successfully when not in noop mode:
$username = 'test_user'
$user_pass = 'user_pass'
exec { 'create local user first':
command => "${system32}/net.exe user ${username} ${user_pass} /add /y",
unless => "${system32}/net.exe user ${username}",
before => User[$username],
}
user { $username:
ensure => present,
comment => 'Test user',
password => $user_pass,
groups => ['Administrators'],
}
In noop mode the error still appears.
Other information:
According to the documentation (https://puppet.com/docs/puppet/latest/types/user.html#user-provider-windows_adsi) the user resource is for local user management and hence shouldn't be effected by domain users.
I think the issue lies in the fact that principal.rb uses 'LookupAccountSidW' which specifies that if an account can't be found on the local system it tries to resolve it using domain controllers. https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-lookupaccountsidw
This is not the behaviour wanted when managing a local user but it looks like the same code is also being used for finding users to be placed as members of groups which does allow domain users.
I'm wondering if it's possible to separate the local user management out and use 'LookupAccountSidLocalW' which only looks on the local machine for the account. https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-lookupaccountsidlocalw
A trace log with the original resource declaration is attached
