  1. Puppet
  2. PUP-5271

Windows user resource should not manage password unless specified

    Details

    • Agent OS:
      Windows Server 2008 R2 (x64)
    • Story Points:
      1
    • Sprint:
      Windows 2015-10-21, Windows 2015-11-04
    • CS Priority:
      Minor
    • CS Frequency:
      2 - 5-25% of Customers
    • CS Severity:
      3 - Serious
    • CS Business Value:
      2 - $$$
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      When you attempted to create users without specifying the password and the Windows Password Policy `Password must meet complexity requirements` was set to Enabled, Puppet failed to create the user. Now it works appropriately.

      NOTE: When the Windows Password Policy `Minimum password length` is greater than 0, the password must always be specified. This is due to Windows validation for new user creation requiring a password for all new accounts, so it is not possible to leave the password unspecified once that password policy is set.

      It is also important to note that when a user is specified with `managehome => true`, the password must always be specified if it is not an already existing user on the system.




      DOCS FOLKS NOTE: See this image (also on the ticket) to see how "Windows Password Policy" is visualized: https://tickets.puppetlabs.com/secure/attachment/23883/ComplexityEnabled.png

      Description

      Attempts to have Puppet create Windows users without passwords fail with result "OLE error code:800708C5 in Active Directory. The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements."

      This occurs regardless of password security policy. This only occurs when password security policy has been applied for complexity and/or minimum length.

      Reproduction:

      Create the following users:

      user {'bob': 
        ensure      => present,  
      }
       
      user {'bob_pwd': 
        ensure      => present,  
        password    => '@#SAFSawasf123',
      }
       
      user {'bob_managehome': 
        ensure      => present, 
        managehome  => true, 
      }
       
      user {'bob_managehome_pwd': 
        ensure      => present,  
        managehome  => true,
        password    => '@#SAFSawasf123',
      }
       
      user {'bob_groups': 
        ensure      => present, 
        groups      => 'Users', 
      }
       
      user {'bob_everything': 
        ensure      => present, 
        managehome  => true,
        groups      => 'Users', 
      }
       
      user {'bob_everything_pwd': 
        ensure      => present, 
        password    => '@#SAFSawasf123',
        managehome  => true,
        groups      => 'Users', 
      }
      

      Run puppet agent, then:

      C:\Users\Administrator>puppet resource user
      user { 'bob_everything_pwd':
        ensure => 'present',
        groups => ['Users'],
        uid    => 'S-1-5-21-1953236517-242735908-2433092285-1042',
      }
      user { 'bob_managehome_pwd':
        ensure => 'present',
        uid    => 'S-1-5-21-1953236517-242735908-2433092285-1045',
      }
      user { 'bob_pwd':
        ensure => 'present',
        uid    => 'S-1-5-21-1953236517-242735908-2433092285-1041',
      }
      

      Fixed by:

      Editing puppet/lib/puppet/util/windows/adsi.rb to force verification that the password is not nil. Any attempt to use managehome => true without specifying a password should validly fail. It is not possible to log on a user (to ensure the home directories are set) without a password that is set. This also cannot address the case when "Minimum password length" is greater than 0, as that is a validation built into Windows that requires a password for all new accounts.
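
The behaviour described in this ticket, before and after the fix, as an added Ruby model (not code from the ticket or from Puppet's adsi.rb). `Policy`, `check_password!`, `create_user_before_fix`, `create_user_after_fix` and `outcome` are hypothetical names, and the character-class check is a simplified stand-in for Windows policy validation.

```ruby
# Added illustration: a simplified model, not Puppet's adsi.rb or the Windows API.
Policy = Struct.new(:complexity, :min_length)
class PolicyError < StandardError; end

# Constructed stand-in for Windows validating a password against local policy.
def check_password!(password, policy)
  classes = [/[a-z]/, /[A-Z]/, /\d/, /[^a-zA-Z\d]/].count { |re| password =~ re }
  if password.length < policy.min_length || (policy.complexity && classes < 3)
    raise PolicyError, 'password does not meet the password policy requirements'
  end
end

# Pre-fix behaviour described in the ticket: the password is pushed to Windows
# even when the manifest never set one, so nil is validated as an empty string.
def create_user_before_fix(attrs, policy)
  check_password!(attrs[:password].to_s, policy)
  :created
end

# Post-fix behaviour described in the ticket: the password is only managed when
# specified; managehome still needs one because the user has to be logged on.
def create_user_after_fix(attrs, policy)
  password = attrs[:password]
  if password.nil?
    raise ArgumentError, 'managehome requires a password for a new user' if attrs[:managehome]
    # Windows itself demands a password for new accounts once a minimum length is set.
    raise PolicyError, 'new accounts require a password' if policy.min_length > 0
  else
    check_password!(password, policy)
  end
  :created
end

def outcome(policy, attrs, fixed:)
  fixed ? create_user_after_fix(attrs, policy) : create_user_before_fix(attrs, policy)
rescue PolicyError, ArgumentError => e
  e.class.name.to_sym
end

# The ticket's reproduction manifest, reduced to the attributes that matter.
USERS = {
  'bob'                => {},
  'bob_pwd'            => { password: '@#SAFSawasf123' },
  'bob_managehome'     => { managehome: true },
  'bob_managehome_pwd' => { managehome: true, password: '@#SAFSawasf123' }
}.freeze

POLICY = Policy.new(true, 0) # complexity enabled, no minimum length
USERS.each { |n, a| puts "#{n}: before=#{outcome(POLICY, a, fixed: false)} after=#{outcome(POLICY, a, fixed: true)}" }
```

With complexity enabled, the pre-fix path creates only the `_pwd` users, matching the `puppet resource user` output above; the post-fix path also creates `bob`, while `bob_managehome` still fails by design.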


              People

              • Assignee:
                ryan.gard Ryan Gard
                Reporter:
                nathanael Nathanael Cole
                QA Contact:
                Ryan Gard