Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-11241

Not all user attributes honor forcelocal (e.g. home, shell)

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved
    • Normal
    • Resolution: Fixed
    • PUP 6.19.1, PUP 7.9.0, PUP 7.10.0
    • PUP 6.25.0, PUP 7.12.0
    • None
    • PUP Bug Template
    • CentOS 7
    • CentOS 7
    • Night's Watch
    • 1
    • NW - 2021-09-22
    • Needs Assessment
    • natemccurdy
    • Bug Fix
    • Fix an issue where setting `forcelocal => true` on an user resource would still check the resource's `home` and `shell` attributes against their values from the directory service provider. Contributed by community member natemccurdy
    • Needs Assessment

    Description

      Puppet Version: 6.19.1, 7.9.0
      Puppet Server Version: N/A
      OS Name/Version: CentOS 7

      When setting forcelocal => true on a user resource, I'd expect all user attributes available via /etc/passwd to be used as the "is" value for the insync? check.

      This appears to not be the case for the home and shell attributes.

      Those are always checked against their values from directory services rather than from /etc/passwd, which means those attributes appear to change on each puppet run and the user resource is no longer idempotent.

      Desired Behavior:

      When an OS has directory services enabled (e.g. LDAP via SSSD) and a puppet-managed user exists in LDAP...

      Given an /etc/passwd file containing:

      nate:x:1000:1001:hello world:/opt/hello:/bin/zsh
      

      This code should read "shell", "home", and "comment" all from /etc/passwd when comparing the "is" state to the "should" state:

      user { 'nate':
        ensure     => present,
        forcelocal => true,
        shell      => '/bin/zsh',
        home       => '/opt/hello',
        comment    => 'hello world',
      }
      

      Actual Behavior:

      Only "uid", "gid", "comment", and "groups" are fetched from /etc/passwd when forcelocal => true:
      https://github.com/puppetlabs/puppet/blob/7.11.0/lib/puppet/provider/user/useradd.rb#L60-L78

      "home" and "shell" are fetched from directory services, not from /etc/passwd.

      The user resource shows a change to "home" and "shell" on each Puppet run even though nothing is changing.

      Related:
      Support for "comment" when forcelocal is true was added here: https://github.com/puppetlabs/puppet/pull/7768

      Basically, I'm asking for that same support for all the other attributes pulled from /etc/passwd in the finduser() method

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              natemccurdy Nate McCurdy
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support