Puppet / PUP-3804

User resource cannot add DOMAIN\User style accounts (through Active Directory) and should emit error message

    Details

    • Story Points: 1
    • Sprint: Windows 2015-04-08
    • Release Notes: New Feature

      Description

      Try to create a domain style account with a manifest like:

      user { "domain\\bud":
        ensure => present,
        groups => 'Administrator'
      }
      

      Puppet will error with 8007089A

      Error: User update failed: (in OLE method `SetInfo': )
          OLE error code:8007089A in Active Directory
            The specified username is invalid.
       
          HRESULT error code:0x80020009
            Exception occurred.
      Wrapped exception:
      (in OLE method `SetInfo': )
          OLE error code:8007089A in Active Directory
            The specified username is invalid.
       
          HRESULT error code:0x80020009
            Exception occurred.
      Error: /Stage[main]/Main/User[domain\bud]/ensure: change from absent to present failed: User update failed: (in OLE method `SetInfo': )
          OLE error code:8007089A in Active Directory
            The specified username is invalid.
       
          HRESULT error code:0x80020009
            Exception occurred.
      

      There should be some discussion around Puppet's intended behavior in this case, as there are multiple potential outcomes here, given that domain user creation is usually only available to Domain Administrators. Puppet has traditionally understood only local accounts, and has allowed the manipulation of local groups to include domain accounts.

      With that said, for a User resource that references a domain account:

      • Puppet should try to resolve the account name to a SID as it does normally (which currently should work OK)
      • When the account doesn't exist, Puppet should trap 8007089A, and expose an error to the user about the domain account not existing / state that Puppet doesn't perform that functionality
      • Puppet should add the domain user to local groups where appropriate

      Based on a user report, Puppet may also emit 80070562 when trying to add the domain user to a local group. For instance,

      Notice: /Stage[main]/Profiles::Scd::Users/User[cppib\svc_scd_dev]/groups: groups changed 'Proofpoint Archive User Membership,Domain Users,wf1_ibimr-role_AnalyticalUser,wf1_ibimr-grp_managementre,wf1_ibimr-grp_herbiportal' to 'Administrators,Domain Users,Proofpoint Archive User Membership,wf1_ibimr-grp_herbiportal,wf1_ibimr-grp_managementre,wf1_ibimr-role_AnalyticalUser'
       
      Error: /User[cppib\svc_scd_dev]: Could not evaluate: User update failed: (in OLE method `SetInfo': )
          OLE error code:80070005 in Active Directory
            Access is denied.
       
          HRESULT error code:0x80020009
            Exception occurred.
      Wrapped exception:
      (in OLE method `SetInfo': )
          OLE error code:80070005 in Active Directory
            Access is denied.
       
          HRESULT error code:0x80020009
            Exception occurred.
       
      Notice: Finished catalog run in 18.38 seconds
      

      On the second run:

      Error: (in OLE method `Add': )
          OLE error code:80070562 in Active Directory
            The specified account name is already a member of the group.
       
          HRESULT error code:0x80020009
            Exception occurred.
       
      Error: /Stage[main]/Profiles::Scd::Users/User[cppib\svc_scd_dev]/groups: change from Proofpoint Archive User Membership,Domain Users,wf1_ibimr-role_AnalyticalUser,wf1_ibimr-grp_managementre,wf1_ibimr-grp_herbiportal to Administrators,Domain Users,Proofpoint Archive User Membership,wf1_ibimr-grp_herbiportal,wf1_ibimr-grp_managementre,wf1_ibimr-role_AnalyticalUser failed: (in OLE method `Add': )
          OLE error code:80070562 in Active Directory
            The specified account name is already a member of the group.
       
          HRESULT error code:0x80020009
      
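The following is an added example, not code from Puppet or from this ticket. It sketches the two pieces the description asks for: recognising a DOMAIN\user name before the WinNT provider ever calls SetInfo, and translating the OLE codes that appear in the logs above (8007089A, 80070005, 80070562) into messages a user can act on. The module name, the LOCAL_AUTHORITIES set, the wording of the messages and the local computer name are assumptions; the sample error text is constructed from the log in this ticket.

```ruby
# Added example (not Puppet's own code): classify a Windows account name and
# translate the OLE/HRESULT codes seen in this ticket into actionable messages.
# Module name, LOCAL_AUTHORITIES and the message texts are assumptions.
module DomainAccountCheck
  # OLE error codes from the ticket's logs and the Win32 errors they wrap
  # (0x...089A = ERROR_BAD_USERNAME, 0x...0005 = E_ACCESSDENIED,
  #  0x...0562 = ERROR_MEMBER_IN_ALIAS).
  KNOWN_OLE_ERRORS = {
    '8007089A' => 'The specified username is invalid: a DOMAIN\\user account ' \
                  'cannot be created through the local (WinNT) account provider',
    '80070005' => 'Access is denied: changing a domain account needs domain ' \
                  'rights, which Puppet running as a local admin does not have',
    '80070562' => 'The specified account name is already a member of the group',
  }.freeze

  # Authorities that still denote the local machine rather than a domain.
  LOCAL_AUTHORITIES = ['.', 'BUILTIN', 'NT AUTHORITY'].freeze

  # "DOMAIN\user" -> ["DOMAIN", "user"]; a bare name -> [nil, "user"].
  def self.split_account(name)
    authority, user = name.split('\\', 2)
    user.nil? ? [nil, authority] : [authority, user]
  end

  # True when the authority prefix names something other than this computer.
  def self.domain_account?(name, local_computer_name)
    authority, = split_account(name)
    return false if authority.nil?
    return false if LOCAL_AUTHORITIES.include?(authority.upcase)
    !authority.casecmp?(local_computer_name)
  end

  # Pull the 8-hex-digit OLE error code out of a WIN32OLERuntimeError message.
  def self.ole_error_code(message)
    m = message.match(/OLE error code:\s*([0-9A-Fa-f]{8})/)
    m && m[1].upcase
  end

  # Map a raw OLE failure to a message a Puppet user can act on; nil if no code.
  def self.explain(message)
    code = ole_error_code(message)
    return nil unless code
    KNOWN_OLE_ERRORS.fetch(code, "unrecognised OLE error #{code}")
  end

  # Pre-flight check the ticket asks for: refuse to create a domain-style user
  # before the provider ever calls SetInfo, instead of surfacing 8007089A.
  def self.validate_for_create(name, local_computer_name)
    if domain_account?(name, local_computer_name)
      authority, user = split_account(name)
      raise ArgumentError,
            "Puppet manages local accounts only; it cannot create domain account " \
            "'#{user}' in '#{authority}'. Create it in Active Directory, then add " \
            "it to local groups with the groups attribute."
    end
    true
  end

  # Constructed from the error text in this ticket; not a live capture.
  SAMPLE_SETINFO_ERROR = <<~MSG
    User update failed: (in OLE method `SetInfo': )
        OLE error code:8007089A in Active Directory
          The specified username is invalid.
  MSG
end

if __FILE__ == $PROGRAM_NAME
  puts DomainAccountCheck.explain(DomainAccountCheck::SAMPLE_SETINFO_ERROR)
  begin
    DomainAccountCheck.validate_for_create('domain\\bud', 'WIN-HOST')
  rescue ArgumentError => e
    puts e.message
  end
end
```

The check treats "." , BUILTIN and NT AUTHORITY as local, and compares any other prefix case-insensitively against the computer name, so "WIN-HOST\bud" on WIN-HOST is still a local account while "cppib\svc_scd_dev" is not. Membership changes for an existing domain account (the 80070562 case) are untouched by the pre-flight check; only creation is refused.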

                People

                • Assignee: Unassigned
                • Reporter: Ethan Brown
                • QA Contact: Eric Thompson