Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-4208

Name Collision When Managing Users or Groups in Trusted Domains

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: PUP 3.7.4
    • Fix Version/s: None
    • Component/s: Types and Providers
    • Environment:

      Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Trusted Active Directory Domains

    • Template:
      PUP Bug Template
    • Team:
      Windows
    • Release Notes:
      Not Needed
    • Release Notes Summary:
      Hide
      See release notes for PUP-8231.
      Show
      See release notes for PUP-8231 .

      Description

      If the same NT user name or group name exists in multiple trusted domains and a local group resource is defined with two identically-named accounts or groups as members, the local domain account will resolve properly and the remote (trusted) domain account will resolve incorrectly as the local domain account or group.

      Example (double \ removed):

      	group { 'Administrators':
      			ensure => 'present',
      			members => [
      				"${$::hostname}\Administrator",
      				"domainA\Domain Admins",
      				"domainA\serviceAcct",
      				"domainB\serviceAcct",
      				],
      		}
      

      Despite defining a service account with the same name "serviceAcct" in "domainA" and "domainB", if the computer resides in "domainA", both user references will resolve to "domainA" by the Puppet agent.

      If attempting to use SID to reference user accounts to ensure uniqueness, the resource is properly set by the Puppet agent, but it will continue to unnecessarily 'change' the resource on each Puppet agent run, as the "domainB" user account is continually resolved incorrectly in "domainA".

      Example:

      	group { 'Administrators':
      			ensure => 'present',
      			members => [
      				"${$::hostname}\Administrator",
      				"domainA\Domain Admins",
      				"S-1-5-21-111111111-11111111-1111111111-1111", # SID for "domainA\serviceAcct"
      				"S-1-5-21-222222222-22222222-2222222222-2222", # SID for "domainB\serviceAcct"
      				],
      			}
      

      Log Result:

      	members changed 'servername\Administrator,domainA\Domain Admins,domainA\serviceAcct,domainB\serviceAcct' to 'servername\Administrator,domainA\Domain Admins,domainA\serviceAcct,domainA\serviceAcct'
      

      Because of this behavior it is impossible to manage user accounts or groups in trusted domains that have the same name. The user account or group that resides in the local domain will always take precedence.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              ethan Ethan Brown
              Reporter:
              cstephens Chris Stephens
              QA Contact:
              Eric Thompson Eric Thompson
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support

                    Time Tracking

                    Estimated:
                    Original Estimate - 2 days
                    2d
                    Remaining:
                    Remaining Estimate - 2 days
                    2d
                    Logged:
                    Time Spent - Not Specified
                    Not Specified