Puppet / PUP-10303

Windows user management fails if group contains not resolvable Domain accounts


    Details

    • Template:
      PUP Bug Template
    • Master Config:
      Split
    • Agent OS:
      Windows Server 2012 R2 (x64)
    • Master OS:
      RHEL 7 (x86_64)
    • Team:
      Night's Watch
    • Story Points:
      5
    • Sprint:
      NW - 2020-03-17, NW - 2020-04-01, NW - 2020-04-15
    • Method Found:
      Needs Assessment
    • Zendesk Ticket IDs:
      41900
    • Zendesk Ticket Count:
      1
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Before this fix, if an Active Directory user was added as a member of a local group and the user was deleted afterwards, Puppet could no longer manage the respective group members.
      With this fix, Puppet will be able to manage the group by showing the SID instead of the account name for non-resolvable users.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: 6.11.1, 6.12, 6.13
      Puppet Server Version: 6.7.1
      OS Name/Version: Windows Server 2012 R2

      Unable to manage Windows users if a not resolvable SID exists in a group. Also, the command 'puppet resource group' fails if there is a not resolvable SID in any group on the server. We currently run Puppet 5.5.6 and this is not an issue. We are holding off on upgrading.

      Steps to reproduce:

      1. Create a test user in Active Directory
      2. Add the test user to the local Administrators group on a Windows server
      3. Delete the test user in Active Directory
      4. There are two tests
        1. Run puppet resource group command
        2. Run puppet apply -e "group {'Administrators': ensure => 'present', members => ['Administrator'], auth_membership => false }" 

      Desired Behavior:

      Puppet should ignore not resolvable SIDs so we can still manage windows users locally

      Actual Behavior:

      After running 'puppet resource group':  Error: Could not run: Could not resolve name: S-1-5-21-994416979-1451695006-1560425512-1327 (unresolvable)

      After running puppet apply -e "group {'Administrators': ensure => 'present', members => ['Administrator'], auth_membership => false }":  Error: /Stage[main]/Main/Group[Administrators]: Could not evaluate: Could not resolve name: S-1-5-21-994416979-1451695006-1560425512-1327 (unresolvable)
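
An added illustration, not part of the original report and not Puppet's code: the failing (strict) and fixed (tolerant) member-name resolution described in the release note, with the directory simulated by a constructed lookup table so it runs offline. All function names, account names and SIDs other than the unresolvable one quoted in the error above are assumptions.

```ruby
# Added illustration, not Puppet's implementation; the directory is simulated.
SID_PATTERN = /\AS-1-\d+(-\d+)+\z/

# Constructed sample data: SIDs that still resolve to an account name.
KNOWN_ACCOUNTS = {
  'S-1-5-21-1111111111-2222222222-3333333333-500'  => 'WIN2012\Administrator',
  'S-1-5-21-994416979-1451695006-1560425512-1104' => 'EXAMPLE\svc_backup'
}.freeze

class UnresolvableSid < StandardError; end

# Pre-fix behaviour reported on this page: one stale SID aborts the whole read.
def resolve_strict(sid)
  KNOWN_ACCOUNTS.fetch(sid) { raise UnresolvableSid, "Could not resolve name: #{sid}" }
end

# Post-fix behaviour from the release note: show the SID instead of a name.
def resolve_tolerant(sid)
  raise ArgumentError, "not a SID: #{sid.inspect}" unless sid.match?(SID_PATTERN)
  KNOWN_ACCOUNTS.fetch(sid, sid)
end

def member_names(sids, resolver)
  sids.map { |sid| send(resolver, sid) }
end

# auth_membership => false treats the desired list as a minimum set, so the
# group is in sync when every desired member is already present.
def in_sync?(current, desired)
  have = current.map(&:downcase)
  desired.all? { |want| have.any? { |h| h == want.downcase || h.end_with?("\\#{want.downcase}") } }
end

# Members still shown as a raw SID are the orphaned entries worth reviewing.
def orphaned(names)
  names.grep(SID_PATTERN)
end

# Constructed membership: two live accounts plus the deleted domain user's SID.
ADMIN_GROUP_SIDS = [
  'S-1-5-21-1111111111-2222222222-3333333333-500',
  'S-1-5-21-994416979-1451695006-1560425512-1104',
  'S-1-5-21-994416979-1451695006-1560425512-1327'
].freeze

if __FILE__ == $PROGRAM_NAME
  names = member_names(ADMIN_GROUP_SIDS, :resolve_tolerant)
  puts "members: #{names.inspect}", "orphaned: #{orphaned(names).inspect}"
end
```

The orphaned list doubles as an audit result: a raw SID left in a privileged local group marks a deleted account whose membership entry was never cleaned up.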

       

       

       


            People

            Assignee:
            ciprian.badescu Ciprian Badescu
            Reporter:
            spmcevoy Shaun McEvoy