  1. Puppet
  2. PUP-11241

Not all user attributes honor forcelocal (e.g. home, shell)



    • Bug
    • Status: Resolved
    • Normal
    • Resolution: Fixed
    • PUP 6.19.1, PUP 7.9.0, PUP 7.10.0
    • PUP 6.25.0, PUP 7.12.0
    • None
    • CentOS 7
    • Night's Watch
    • 1
    • NW - 2021-09-22
    • Needs Assessment
    • natemccurdy
    • Bug Fix
    • Fix an issue where setting `forcelocal => true` on a user resource would still check the resource's `home` and `shell` attributes against their values from the directory service provider. Contributed by community member natemccurdy.
    • Needs Assessment


      Puppet Version: 6.19.1, 7.9.0
      Puppet Server Version: N/A
      OS Name/Version: CentOS 7

      When setting forcelocal => true on a user resource, I'd expect all user attributes available via /etc/passwd to be used as the "is" value for the insync? check.

      This appears to not be the case for the home and shell attributes.

      Those are always checked against their values from directory services rather than from /etc/passwd, which means those attributes appear to change on each puppet run and the user resource is no longer idempotent.

      Desired Behavior:

      When an OS has directory services enabled (e.g. LDAP via SSSD) and a puppet-managed user exists in LDAP...

      Given an /etc/passwd file containing:

      nate:x:1000:1001:hello world:/opt/hello:/bin/zsh

      This code should read "shell", "home", and "comment" all from /etc/passwd when comparing the "is" state to the "should" state:

      user { 'nate':
        ensure     => present,
        forcelocal => true,
        shell      => '/bin/zsh',
        home       => '/opt/hello',
        comment    => 'hello world',
      }

      Actual Behavior:

      Only "uid", "gid", "comment", and "groups" are fetched from /etc/passwd when forcelocal => true:

      "home" and "shell" are fetched from directory services, not from /etc/passwd.

      The user resource shows a change to "home" and "shell" on each Puppet run even though nothing is changing.

      Support for "comment" when forcelocal is true was added here: https://github.com/puppetlabs/puppet/pull/7768

      Basically, I'm asking for that same support for all the other attributes pulled from /etc/passwd in the finduser() method.
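
The drift described in the report, as an added example that is not part of the original issue and is not Puppet's provider code: it parses a passwd(5) entry and compares the "is" state against the "should" state, first with only uid, gid and comment read locally, then with every passwd field read locally. The helper names and the directory-service record's home and shell values are assumptions constructed for illustration.

```ruby
# Added illustration; helper names are hypothetical, not Puppet provider code.
PASSWD_FIELDS = %i[name password uid gid comment home shell].freeze

# Return the passwd(5) entry for `name` from `passwd_text` as a hash, or nil.
def local_user(passwd_text, name)
  passwd_text.each_line do |line|
    fields = line.chomp.split(':', -1)
    next unless fields.length == PASSWD_FIELDS.length && fields[0] == name
    entry = PASSWD_FIELDS.zip(fields).to_h
    entry[:uid] = Integer(entry[:uid], 10)
    entry[:gid] = Integer(entry[:gid], 10)
    return entry
  end
  nil
end

# Build the "is" state: attributes in `local_attrs` come from the local entry,
# everything else from the directory-service record.
def is_state(local, directory, local_attrs)
  directory.merge(local.slice(*local_attrs))
end

# Return { attribute => [is, should] } for each managed attribute that differs.
def out_of_sync(is, should)
  should.each_with_object({}) do |(attr, want), diff|
    diff[attr] = [is[attr], want] unless is[attr] == want
  end
end

# Constructed sample data. The passwd line for nate is the one in the report;
# the directory record's home and shell are made-up values.
PASSWD = <<~EOS
  root:x:0:0:root:/root:/bin/bash
  nate:x:1000:1001:hello world:/opt/hello:/bin/zsh
EOS
DIRECTORY = { name: 'nate', uid: 1000, gid: 1001, comment: 'hello world',
              home: '/home/nate', shell: '/bin/bash' }.freeze
SHOULD = { shell: '/bin/zsh', home: '/opt/hello', comment: 'hello world' }.freeze

local = local_user(PASSWD, 'nate')
# Reported behaviour: only uid, gid and comment are read locally.
REPORTED = out_of_sync(is_state(local, DIRECTORY, %i[uid gid comment]), SHOULD)
# Requested behaviour: every passwd field is read locally.
REQUESTED = out_of_sync(is_state(local, DIRECTORY, PASSWD_FIELDS), SHOULD)
puts "reported:  #{REPORTED.inspect}"
puts "requested: #{REQUESTED.inspect}"
```

With the reported behaviour, home and shell differ on every comparison even though /etc/passwd already matches the manifest; with all fields read locally the resource is in sync.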


              Unassigned Unassigned
              natemccurdy Nate McCurdy