PUP-7326 (project: Puppet)

Group resource (with auth_membership) fails if local Windows group contains not resolvable Domain accounts


Details

    • Bug
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • PUP 4.9.3
    • PUP 4.10.11, PUP 5.3.6, PUP 5.5.0
    • Windows
    • Tested with multiple Windows versions (i.e. Server 2012R2) and Puppet Apply 4.9.3

    • Normal
    • 2 - 5-25% of Customers
    • 3 - Serious
    • 5 - $$$$$$
    • Group is one of the core resource types and should work as expected on all supported platforms, including Windows.
    • Bug Fix
    • Previously when Windows local groups contained members that were at one point valid domain members but have since been deleted (creating unresolvable SIDs), Puppet would produce warnings or errors when managing such groups. Puppet can now safely handle unresolvable SIDs inside of groups.
    • Needs Assessment

    Description

      After leaving a domain, Windows systems may still contain not resolvable domain accounts inside local groups, i.e. in the Administrators group:

      When trying to manage this group using auth_membership => true (to ensure all not resolvable domain user accounts are tidied to only have the local user Administrator inside the local Administrators group), Puppet will fail:

      group {'Administrators': 
          members => ['Administrator'], 
          auth_membership => true 
      }
      

      Tested with the following Puppet Apply command:

      puppet apply -e "group {'Administrators': members => ['Administrator'], auth_membership => true }"
      

      Error: Could not resolve name: S-1-5-21-776561741-1409082233-725345543-15784
      Error: /Stage[main]/Main/Group[Administrators]/members: change from TEST-WIN2012\Administrator,S-1-5-21-776561741-1409082233-725345543-15784 to TEST-WIN2012\Administrator failed: Could not resolve name: S-1-5-21-776561741-1409082233-725345543-15784
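
The error above is raised for a member SID that no longer maps to an account. The following is an added example (not from the ticket and not Puppet's implementation) that sketches membership reconciliation by SID, so an orphaned SID is treated as an opaque value and can still be removed under `auth_membership => true`. The `KNOWN` table, the local Administrator SID and the function names are constructed for illustration.

```ruby
# Added illustration; not Puppet's implementation.
SID_RE = /\AS-1-\d+(-\d+)+\z/

# Constructed sample account table (name => SID). The Administrator SID is
# made up for this example; the orphaned SID below is the one in the ticket.
KNOWN = {
  'TEST-WIN2012\\Administrator' => 'S-1-5-21-1111111111-2222222222-3333333333-500'
}.freeze
ORPHAN = 'S-1-5-21-776561741-1409082233-725345543-15784'

# Map a desired member (bare name, HOST\name, or SID string) to a SID.
# Returns nil when a name is unknown.
def to_sid(member)
  return member if member.match?(SID_RE) # already a SID, no lookup needed
  KNOWN[member] ||
    KNOWN.find { |name, _| name.split('\\').last.casecmp?(member) }&.last
end

# Name for display; falls back to the raw SID string instead of raising.
def display(sid)
  KNOWN.key(sid) || sid
end

# current_sids: SIDs as read from the group, never resolved to names.
# Only desired members must resolve, since an unknown account cannot be added.
def plan(current_sids, desired, auth_membership:)
  want = desired.map do |m|
    to_sid(m) or raise ArgumentError, "Could not resolve name: #{m}"
  end
  extra = auth_membership ? current_sids - want : []
  { add: (want - current_sids).map { |s| display(s) },
    remove: extra.map { |s| display(s) } }
end

if __FILE__ == $PROGRAM_NAME
  current = [KNOWN.values.first, ORPHAN]
  p plan(current, ['Administrator'], auth_membership: true)
  p plan(current, ['Administrator'], auth_membership: false)
end
```

With `auth_membership: false` the orphaned SID is left in place, which is why stale entries persist in a group until membership is managed authoritatively.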
      

      Attachments

        1. debugtraceoutput.txt
          26 kB
          Halim Wijaya
        2. local_administrators_group_with_former_domain_object.png
          14 kB
          Paul W
        3. puppet_apply_example.png
          12 kB
          Paul W
        4. Screen Shot 2019-04-03 at 11.44.28 AM.png
          95 kB
          Halim Wijaya
        5. Screen Shot 2019-04-03 at 11.45.12 AM.png
          19 kB
          Halim Wijaya


            People

              ethan Ethan Brown
              PaulW Paul W
              Votes: 3
              Watchers: 18
