[PUP-7326] Group resource (with auth_membership) fails if local Windows group contains not resolvable Domain accounts - Puppet Jira Server

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: PUP 4.9.3
Fix Version/s: PUP 4.10.11, PUP 5.3.6, PUP 5.5.0
Component/s: Windows
Labels:
- windows
Environment:

Tested with multiple Windows versions (i.e. Server 2012R2) and Puppet Apply 4.9.3

Epic Link:
Windows Customer Escalations
Team:
Windows
Sprint:
Windows Kanban
Method Found:
Customer Feedback

CS Priority:
Normal
CS Frequency:
2 - 5-25% of Customers
CS Severity:
3 - Serious
CS Business Value:
5 - $$$$$$
CS Impact:
Group is one of the core resource types and should work as expected on all supported platform including windows.

Release Notes:
Bug Fix
Release Notes Summary:

Hide
Previously when Windows local groups contained members that were at one point valid domain members but have since been deleted (creating unresolvable SIDs), Puppet would produce warnings or errors when managing such groups. Puppet can now safely handle unresolvable SIDs inside of groups.

Show
Previously when Windows local groups contained members that were at one point valid domain members but have since been deleted (creating unresolvable SIDs), Puppet would produce warnings or errors when managing such groups. Puppet can now safely handle unresolvable SIDs inside of groups.

QA Risk Assessment:
Needs Assessment

Description

After leaving a Domain Windows systems may still contain not resolvable domain accounts inside local groups, i.e. in Administrators group:

When trying to manage this group using auth_membership => true (to ensure all not resolvable domain user accounts are tidied to only have the local user Administrator inside the local Administrators group), Puppet will fail:

group {'Administrators':

    members => ['Administrator'],

    auth_membership => true

Tested with the following Puppet Apply command:

puppet apply -e "group {'Administrators': members => ['Administrator'], auth_membership => true }

Error: Could not resolve name: S-1-5-21-776561741-1409082233-725345543-15784

Error: /Stage[main]/Main/Group[Administrators]/members: change from TEST-WIN2012\Administrator,S-1-5-21-776561741-1409082233-725345543-15784 to TEST-WIN2012\Administrator failed: Could not resolve name: S-1-5-21-776561741-1409082233-725345543-15784

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

debugtraceoutput.txt
26 kB
2019/04/03 8:02 PM
local_administrators_group_with_former_domain_object.png
14 kB
2017/03/09 5:45 AM
puppet_apply_example.png
12 kB
2017/03/09 5:51 AM
Screen Shot 2019-04-03 at 11.44.28 AM.png
95 kB
2019/04/02 8:44 PM
Screen Shot 2019-04-03 at 11.45.12 AM.png
19 kB
2019/04/02 8:45 PM

Issue Links

relates to

PUP-9604 Group resource (with auth_membership) fails if local Windows group contains not resolvable Domain accounts (possible regression)

Closed

PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains

Closed

PUP-8231 Managing an existing Windows Group resource may error when any of its members is a virtual account (like IIS AppPool\DefaultAppPool or NT Service\Dhcp)

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...

(1 mentioned in)

Activity

People

Assignee:: Ethan Brown

Reporter:: Paul W

Votes:: 3 Vote for this issue

Watchers:: 18 Start watching this issue

Dates

Created:: 2017/03/09 5:57 AM

Updated:: 2019/04/04 7:42 PM

Resolved:: 2019/04/03 8:37 PM

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Zendesk Support