Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-1294

The 'forcelocal' parameter for the 'user' resource still performs NSS lookups for certain subkeys



    • Bug
    • Status: Closed
    • Normal
    • Resolution: Won't Fix
    • None
    • None
    • None
    • Needs Priority


      I have a particular configuration where a custom NSS plugin intercepts getent passwd calls and replaces the login shell with a new shell. In this situation, using the standard 'user' resource causes a false-positive for Puppet where it thinks the shell is configured as this new value, but it should be set to the value specified in the manifest. Unfortunately, setting 'forcelocal' to 'true' does not appear to solve the issue. I did a little looking through the code, and as far as I can tell, only certain specific subkeys (uid, gid, etc.) utilize the 'forcelocal' parameter (and the login shell is unfortunately not one of them).

      If 'forcelocal' does not support certain keys than (IMO) either:

      1. The documentation should be updated to explicitly list the supported keys
      2. The behavior should change so that all of the keys are supported.
      3. The login shell key is made compatible with 'forcelocal', and #1 is done to boot for the remaining keys to avoid future confusion about this issue

      Right now this is not a huge blocker, but it's requiring me to avoid validating the local settings for login shells wherever this custom NSS module is being used.

      As a side note, my 'libuser' Puppet feature appears to be loading correctly (which is a prereq for 'forcelocal')


        Issue Links



              Unassigned Unassigned
              redmine.exporter redmine.exporter
              0 Vote for this issue
              4 Start watching this issue



                Zendesk Support