  1. Puppet
  2. PUP-5271

Windows user resource should not manage password unless specified

Details

    • 1
    • Windows 2015-10-21, Windows 2015-11-04
    • Minor
    • 2 - 5-25% of Customers
    • 3 - Serious
    • 2 - $$$
    • Bug Fix
      When you attempted to create users without specifying the password and had the Windows Password Policy for `Password must meet complexity requirements` set to Enabled, Puppet failed to create the user. Now it works appropriately.

      NOTE: When the Windows Password Policy `Minimum password length` is greater than 0, the password must always be specified. This is due to Windows validation for new user creation requiring a password for all new accounts, so it is not possible to leave password unspecified once that password policy is set.

      It is also important to note that when a user is specified with `managehome => true`, the password must always be specified if it is not an already existing user on the system.




      DOCS FOLKS NOTE: See this image (also on the ticket) to see how "Windows Password Policy" is visualized: https://tickets.puppetlabs.com/secure/attachment/23883/ComplexityEnabled.png

    Description

      Attempts to have puppet create Windows users without passwords fail with result "OLE error code:800708C5 in Active Directory. The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements."

      This occurs regardless of password security policy. This only occurs when password security policy has been applied for complexity and/or minimum length.

      Reproduction:

      Create following users:

      user {'bob': 
        ensure      => present,  
      }
       
      user {'bob_pwd': 
        ensure      => present,  
        password    => '@#SAFSawasf123',
      }
       
      user {'bob_managehome': 
        ensure      => present, 
        managehome  => true, 
      }
       
      user {'bob_managehome_pwd': 
        ensure      => present,  
        managehome  => true,
        password    => '@#SAFSawasf123',
      }
       
      user {'bob_groups': 
        ensure      => present, 
        groups      => 'Users', 
      }
       
      user {'bob_everything': 
        ensure      => present, 
        managehome  => true,
        groups      => 'Users', 
      }
       
      user {'bob_everything_pwd': 
        ensure      => present, 
        password    => '@#SAFSawasf123',
        managehome  => true,
        groups      => 'Users', 
      }
      

      Run puppet agent, then:

      C:\Users\Administrator>puppet resource user
      user { 'bob_everything_pwd':
        ensure => 'present',
        groups => ['Users'],
        uid    => 'S-1-5-21-1953236517-242735908-2433092285-1042',
      }
      user { 'bob_managehome_pwd':
        ensure => 'present',
        uid    => 'S-1-5-21-1953236517-242735908-2433092285-1045',
      }
      user { 'bob_pwd':
        ensure => 'present',
        uid    => 'S-1-5-21-1953236517-242735908-2433092285-1041',
      }
      

      Fixed by:

      Editing puppet/lib/puppet/util/windows/adsi.rb to force verification that password is not nil. Any attempts to use managehome => true without specifying a password should validly fail. It is not possible to log on a user (to ensure the home directories are set) without a password that is set. This also cannot address when "Minimum password length" is greater than 0, as that is a validation built into Windows that requires a password for all new accounts.
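
The post-fix rules stated in this ticket, applied to the seven reproduction users to show which declarations are still expected to fail and why. This is an added example, not Puppet's code and not part of the original ticket; `Policy`, `creation_blocker` and `preflight` are hypothetical names, and the check models only the three rules stated above (it does not validate the strength of a password that is supplied).

```ruby
# Added example: a pre-flight check modelling the rules stated in PUP-5271.
# Not Puppet's implementation; all names below are hypothetical.

# Local Windows password policy settings relevant to the ticket.
Policy = Struct.new(:complexity_enabled, :min_password_length)

# Constructed input: the seven reproduction users from the ticket, as hashes.
REPRO_USERS = [
  { name: 'bob' },
  { name: 'bob_pwd', password: '@#SAFSawasf123' },
  { name: 'bob_managehome', managehome: true },
  { name: 'bob_managehome_pwd', managehome: true, password: '@#SAFSawasf123' },
  { name: 'bob_groups', groups: 'Users' },
  { name: 'bob_everything', managehome: true, groups: 'Users' },
  { name: 'bob_everything_pwd', password: '@#SAFSawasf123',
    managehome: true, groups: 'Users' }
].freeze

# Returns nil when creation is expected to succeed, otherwise the reason
# the ticket gives for the failure.
def creation_blocker(user, policy, existing_users = [])
  return nil if existing_users.include?(user[:name]) # rules cover new accounts only
  return nil unless user[:password].nil?             # a password was specified

  if policy.min_password_length > 0
    return 'Minimum password length > 0: Windows requires a password for all new accounts'
  end
  if user[:managehome]
    return 'managehome => true: a new user cannot be logged on without a password'
  end
  nil # the complexity policy alone no longer blocks a user with no password
end

# Maps each user name to its blocker (nil means expected to be created).
def preflight(users, policy, existing_users = [])
  users.each_with_object({}) do |user, out|
    out[user[:name]] = creation_blocker(user, policy, existing_users)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Complexity enabled, no minimum length: the scenario the fix addresses.
  preflight(REPRO_USERS, Policy.new(true, 0)).each do |name, reason|
    puts format('%-20s %s', name, reason ? "FAIL: #{reason}" : 'ok')
  end
end
```

With complexity enabled and a minimum length of 0, only `bob_managehome` and `bob_everything` remain blocked; raising the minimum length above 0 blocks every declaration that omits `password`.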

            People

              ryan.gard Ryan Gard
              nathanael Nathanael Cole
              Ryan Gard Ryan Gard