Details
- Bug
- Status: Closed
- Normal
- Resolution: Done
- PUP 3.7.3
- Windows
- 1
- Windows 2015-04-08
- New Feature
Description
Try to create a domain style account with a manifest like:

    user { "domain\\bud":
      ensure => present,
      groups => 'Administrator'
    }

Puppet will error with 8007089A:

    Error: User update failed: (in OLE method `SetInfo': )
    OLE error code:8007089A in Active Directory
    The specified username is invalid.

    HRESULT error code:0x80020009
    Exception occurred.
    Wrapped exception:
    (in OLE method `SetInfo': )
    OLE error code:8007089A in Active Directory
    The specified username is invalid.

    HRESULT error code:0x80020009
    Exception occurred.
    Error: /Stage[main]/Main/User[domain\bud]/ensure: change from absent to present failed: User update failed: (in OLE method `SetInfo': )
    OLE error code:8007089A in Active Directory
    The specified username is invalid.

    HRESULT error code:0x80020009
    Exception occurred.

There should be some discussion around Puppet's intended behavior in this case, as there are multiple potential outcomes here, given that domain user creation is usually only available to Domain Administrators. Puppet has traditionally understood only local accounts, and has allowed the manipulation of local groups to include domain accounts.
With that said, for a User resource that references a domain account:
- Puppet should try to resolve the account name to a SID as it does normally (which currently should work OK)
- When the account doesn't exist, Puppet should trap 8007089A, and expose an error to the user about the domain account not existing / state that Puppet doesn't perform that functionality
- Puppet should add the domain user to local groups where appropriate
Based on a user report, Puppet may also emit 80070562 when trying to add the domain user to a local group. For instance,

    Notice: /Stage[main]/Profiles::Scd::Users/User[cppib\svc_scd_dev]/groups: groups changed 'Proofpoint Archive User Membership,Domain Users,wf1_ibimr-role_AnalyticalUser,wf1_ibimr-grp_managementre,wf1_ibimr-grp_herbiportal' to 'Administrators,Domain Users,Proofpoint Archive User Membership,wf1_ibimr-grp_herbiportal,wf1_ibimr-grp_managementre,wf1_ibimr-role_AnalyticalUser'

    Error: /User[cppib\svc_scd_dev]: Could not evaluate: User update failed: (in OLE method `SetInfo': )
    OLE error code:80070005 in Active Directory
    Access is denied.

    HRESULT error code:0x80020009
    Exception occurred.
    Wrapped exception:
    (in OLE method `SetInfo': )
    OLE error code:80070005 in Active Directory
    Access is denied.

    HRESULT error code:0x80020009
    Exception occurred.

    Notice: Finished catalog run in 18.38 seconds

On the second run:

    Error: (in OLE method `Add': )
    OLE error code:80070562 in Active Directory
    The specified account name is already a member of the group.

    HRESULT error code:0x80020009
    Exception occurred.

    Error: /Stage[main]/Profiles::Scd::Users/User[cppib\svc_scd_dev]/groups: change from Proofpoint Archive User Membership,Domain Users,wf1_ibimr-role_AnalyticalUser,wf1_ibimr-grp_managementre,wf1_ibimr-grp_herbiportal to Administrators,Domain Users,Proofpoint Archive User Membership,wf1_ibimrgrp_herbiportal,wf1_ibimr-grp_managementre,wf1_ibimr-role_AnalyticalUser failed: (in OLE method `Add': )
    OLE error code:80070562 in Active Directory
    The specified account name is already a member of the group.

    HRESULT error code:0x80020009
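
The handling proposed in the description, as an added Ruby example that is not part of the original ticket and is not Puppet's own code: it classifies the OLE codes quoted above, compares membership by SID before adding, and treats 80070562 as a no-op. The helper names, the policy table and the sample SID are assumptions constructed for illustration.

```ruby
# Added example: constructed data, hypothetical helper names, not Puppet's code.
OLE_CODE = /OLE error code:([0-9A-Fa-f]{8})/

# Hypothetical policy for the three OLE codes quoted in this ticket.
POLICY = {
  '8007089A' => [:fail,   'account does not exist; domain accounts are not created here'],
  '80070562' => [:ignore, 'account is already a member of the group'],
  '80070005' => [:fail,   'access is denied for this change']
}.freeze

# Pull the first OLE error code out of an error message and classify it.
def classify_ole_error(message)
  code = message[OLE_CODE, 1]&.upcase
  action, reason = POLICY.fetch(code, [:fail, 'unhandled OLE error'])
  { code: code, action: action, reason: reason }
end

# Compare by SID, not by name string: return only the groups the user is
# not yet in. group_member_sids maps group name => array of member SIDs.
def groups_to_join(user_sid, desired_groups, group_member_sids)
  desired_groups.reject { |g| group_member_sids.fetch(g, []).include?(user_sid) }
end

# Run the caller's add operation per group; tolerate "already a member",
# re-raise everything else with a message that names the account and code.
def ensure_membership(user, groups)
  groups.map do |group|
    begin
      yield group
      [group, :added]
    rescue StandardError => e
      verdict = classify_ole_error(e.message)
      raise "#{user} -> #{group}: #{verdict[:reason]} (#{verdict[:code]})" if verdict[:action] == :fail
      [group, :already_member]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  sid = 'S-1-5-21-1111111111-2222222222-3333333333-1104' # constructed SID
  members = { 'Administrators' => [sid], 'Remote Desktop Users' => [] }
  p groups_to_join(sid, ['Administrators', 'Remote Desktop Users'], members)
  result = ensure_membership('domain\\bud', ['Administrators']) do |_group|
    raise "(in OLE method `Add': )\nOLE error code:80070562 in Active Directory"
  end
  p result
end
```

The block passed to `ensure_membership` stands in for the real group-add call, so the error handling can be exercised on any platform.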