Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-10219

Unable to create local user when username already exists in Windows domain

    XMLWordPrintable

    Details

    • Template:
      PUP Bug Template
    • Team:
      Night's Watch
    • Story Points:
      3
    • Sprint:
      NW - 2020-01-22
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Hide
      When domain-joined and checking for a local account on Windows, ignore case on the domain/computer name comparison.

      As of this release, Puppet ignores case for the domain/computer name comparison when checking for local accounts on domain-joined Windows machines.
      Show
      When domain-joined and checking for a local account on Windows, ignore case on the domain/computer name comparison. As of this release, Puppet ignores case for the domain/computer name comparison when checking for local accounts on domain-joined Windows machines.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 6.3.0
      Puppet Server Version: N/A (happens with puppet apply)
      OS Name/Version: Windows Server 2012 R2 (and I believe other Windows OS')

      When using the below user resource declaration on a domain joined computer that also has a user called 'test_user' in the domain an error is thrown and the user is not created.

      user { 'test_user':
        ensure   => present,
        comment  => 'Test user',
        password => 'user_pass',
        groups   => ['Administrators'],
      }

      The name of the user to be created, whether noop is on/off and whether using puppet apply or puppet agent do not matter.

      Desired Behavior:

      A local user with the same name is created on the computer using the attributes specified.

      Actual Behavior:

      The following output is produced:

      Notice: Compiled catalog for member.domain.com in environment production in 0.02 seconds
      Error: /Stage[main]/Main/User[test_user]: Could not evaluate: ADSI connection error: failed to parse display name of moniker `WinNT://./test_user,user'
        HRESULT error code:0x800708ad
          The user name could not be found.
      Wrapped exception:
      failed to parse display name of moniker `WinNT://./test_user,user'
        HRESULT error code:0x800708ad
          The user name could not be found.
      Notice: Applied catalog in 0.04 seconds

       

      Partial workaround:

      If we change the manifest to the one shown below then the user is created successfully when not in noop mode:

      $username  = 'test_user'
      $user_pass = 'user_pass'
      exec { 'create local user first':
        command => "${system32}/net.exe user ${username} ${user_pass} /add /y",
        unless  => "${system32}/net.exe user ${username}",
        before  => User[$username],
      }
      user { $username:
        ensure   => present,
        comment  => 'Test user',
        password => $user_pass,
        groups   => ['Administrators'],
      }

      In noop mode the error still appears.

      Other information:

      According to the documentation (https://puppet.com/docs/puppet/latest/types/user.html#user-provider-windows_adsi) the user resource is for local user management and hence shouldn't be effected by domain users.

      I think the issue lies in the fact that principal.rb uses 'LookupAccountSidW' which specifies that if an account can't be found on the local system it tries to resolve it using domain controllers. https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-lookupaccountsidw

      This is not the behaviour wanted when managing a local user but it looks like the same code is also being used for finding users to be placed as members of groups which does allow domain users.

      I'm wondering if it's possible to separate the local user management out and use 'LookupAccountSidLocalW' which only looks on the local machine for the account. https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-lookupaccountsidlocalw

      A trace log with the original resource declaration is attached

      user-trace.log

       

        Attachments

        1. user-trace.log
          47 kB
        2. 6.12.0_no_local_user.log
          22 kB
        3. 6.12.0_no_local_user_noop.log
          23 kB
        4. 6.12.0_local_user.log
          48 kB
        5. 6.12.0_local_user_noop.log
          23 kB

          Activity

            People

            Assignee:
            gabriel.nagy Gabriel Nagy
            Reporter:
            Stowill Steven Towill
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Zendesk Support