  1. Puppet
  2. PUP-10303

Windows user management fails if group contains not resolvable Domain accounts


Details

    • Split
    • RHEL 7 (x86_64)
    • Night's Watch
    • 5
    • NW - 2020-03-17, NW - 2020-04-01, NW - 2020-04-15
    • Needs Assessment
    • 41900
    • 1
    • Bug Fix
    • Before this fix, if an Active Directory user was added as a member of a local group and the user was deleted afterwards, Puppet could not manage the respective group members anymore.
      With this fix, Puppet will be able to manage the group by showing the SID instead of the account name for non-resolvable users.
    • Needs Assessment

    Description

      Puppet Version: 6.11.1, 6.12, 6.13
      Puppet Server Version: 6.7.1
      OS Name/Version: Windows Server 2012 R2

      Unable to manage Windows users if a not resolvable SID exists in a group. Also, the command 'puppet resource group' fails if there is a not resolvable SID in any group on the server. We currently run Puppet 5.5.6 and this is not an issue. We are holding off on upgrading.

      Steps to reproduce:

      1. Create a test user in Active Directory
      2. Add the test user to the local Administrators group on a Windows server
      3. Delete the test user in Active Directory
      4. There are two tests:
        1. Run puppet resource group command
        2. Run puppet apply -e "group {'Administrators': ensure => 'present', members => ['Administrator'], auth_membership => false }"

      Desired Behavior:

      Puppet should ignore not resolvable SIDs so we can still manage Windows users locally.

      Actual Behavior:

       

      After running 'puppet resource group':  Error: Could not run: Could not resolve name: S-1-5-21-994416979-1451695006-1560425512-1327 (unresolvable)

      After running puppet apply -e "group {'Administrators': ensure => 'present', members => ['Administrator'], auth_membership => false }":  Error: /Stage[main]/Main/Group[Administrators]: Could not evaluate: Could not resolve name: S-1-5-21-994416979-1451695006-1560425512-1327 (unresolvable)
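
The difference between the reported failure and the behaviour described in the release note, as an added Ruby example (not Puppet's own code and not part of the original report). The `DIRECTORY` lookup table, the function names and the two resolvable SIDs are constructed for illustration; the orphaned SID is the one from the error message above.

```ruby
# Added illustration; not Puppet's implementation. DIRECTORY stands in for the
# Windows SID-to-name lookup, and its entries are constructed sample data.
DIRECTORY = {
  'S-1-5-21-1111111111-2222222222-3333333333-500'  => 'Administrator',
  'S-1-5-21-1111111111-2222222222-3333333333-1001' => 'svc_backup'
}.freeze

# SID of the deleted AD user, taken from the error message in this ticket.
ORPHAN = 'S-1-5-21-994416979-1451695006-1560425512-1327'

SID_FORMAT = /\AS-1-\d+(-\d+)+\z/

class UnresolvableName < StandardError; end

# Behaviour reported in the ticket: one orphaned SID aborts the whole read.
def member_names_strict(sids)
  sids.map do |sid|
    DIRECTORY.fetch(sid) { raise UnresolvableName, "Could not resolve name: #{sid}" }
  end
end

# Behaviour described in the release note: fall back to the SID string.
def member_names_tolerant(sids)
  sids.map { |sid| DIRECTORY.fetch(sid, sid) }
end

# Members still shown as a raw SID are orphans worth reviewing.
def orphaned(members)
  members.grep(SID_FORMAT)
end

# With auth_membership => false the desired list is a minimum: only missing
# members are added, and existing extras (orphans included) are left alone.
def members_to_add(current, desired)
  have = current.map(&:downcase)
  desired.reject { |name| have.include?(name.downcase) }
end

if __FILE__ == $PROGRAM_NAME
  sids = [DIRECTORY.keys.first, ORPHAN]
  current = member_names_tolerant(sids)
  puts "members:  #{current.inspect}"
  puts "orphaned: #{orphaned(current).inspect}"
  puts "to add:   #{members_to_add(current, %w[Administrator svc_backup]).inspect}"
end
```

The orphaned entries are the ones to review on the host: they are group memberships, here in the local Administrators group, that no longer map to any account.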

       

       

       


          People

            ciprian.badescu Ciprian Badescu
            spmcevoy Shaun McEvoy