Puppet / PUP-8470

Unable to modify local user group membership with forcelocal

Details

    • Bug
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • PUP 5.4.0
    • PUP 5.5.0
    • Types and Providers
    • None
    • Platform Core
    • Platform Core KANBAN
    • Needs Assessment
    • 32283
    • 1
    • Bug Fix
    • Currently `lusermod` has no way to manage group membership. Puppet is set up so that, in most cases, group membership is managed via the user resource. Now that setting `forcelocal => true` uses `lusermod` instead of `usermod`, we have lost the ability to manage group membership. This change ensures that `usermod` is called only when trying to manage group membership for a user resource. Depending on how the user's environment is configured, this may or may not work. If we try to add a user to a NIS or LDAP group, the command will fail. This is consistent with the behavior of group membership management prior to Puppet 5.4.0.
    • No Action

    Description

      Puppet Version: 5.4.0
      Puppet Server Version: 5.2.0
      OS Name/Version: RHEL 7

      Breaking Change: https://tickets.puppetlabs.com/browse/PUP-8223

      I also validated this is broken when using a puppet apply with this code.

      group { 'group1':
        ensure     => present,
        gid        => '901',
        forcelocal => true,
      }

      group { 'group2':
        ensure     => present,
        gid        => '902',
        forcelocal => true,
      }

      user { 'user1':
        ensure     => present,
        home       => '/home/user1',
        uid        => '900',
        gid        => 'user1',
        comment    => 'user1',
        shell      => '/bin/bash',
        forcelocal => true,
        managehome => true,
        groups     => ['group1', 'group2'],
        require    => Group['group1', 'group2'],
      }

      So far I have found two issues.

      1) lusermod does not support -G

        lusermod --help
        Usage: lusermod [OPTION...] user
        -i, --interactive prompt for all information
        -c, --gecos=STRING GECOS information
        -d, --directory=STRING home directory
        -m, --movedirectory move home directory contents
        -s, --shell=STRING set shell for user
        -u, --uid=NUM set UID for user
        -g, --gid=NUM set primary GID for user
        -l, --login=STRING change login name for user
        -P, --plainpassword=STRING plaintext password for the user
        -p, --password=STRING pre-hashed password for the user
        -L, --lock lock account
        -U, --unlock unlock account
        --commonname=STRING set common name for user
        --givenname=STRING set given name for user
        --surname=STRING set surname for user
        --roomnumber=STRING set room number for user
        --telephonenumber=STRING set telephone number for user
        --homephone=STRING set home telephone number for user

        Help options:
        -?, --help Show this help message
        --usage Display brief usage message

      2) the new code will not "modify" the user's groups in /etc/group because the user already exists.

      Desired Behavior:
      user type allowed to modify local users' groups

      Actual Behavior:

      Error: UID 900 already exists, use allowdupe to force user creation
       Error: /Stage[main]/Localusers::Identities/User[user1]/groups: change from to 'group1,group2' failed: UID 900 already exists, use allowdupe to force user creation
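
A check that can be run after applying a manifest like the one above, as an added example (not part of the ticket and not Puppet's code): it reads a group(5)-format file directly instead of going through NSS, so it shows whether the `groups` list actually landed in the local file and flags groups with no local entry, which covers the NIS or LDAP case mentioned in the release note. The function name `local_group_drift` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Puppet code: compare a user's supplementary groups in a
# local group(5) file against a desired list, without going through NSS.
# Prints one line per group: "ok", "missing" (the group is local but the user
# is not listed) or "not-local" (no entry in the file, e.g. NIS/LDAP only).
# Returns 1 if any group is not "ok". The primary group (passwd gid field)
# is not listed in the member field and is out of scope here.
local_group_drift() {
    file=$1 user=$2 rc=0
    shift 2
    for grp in "$@"; do
        # Appending "" forces string comparison even for all-digit names.
        awk -F: -v g="$grp" -v u="$user" '
            $1 "" == g "" {
                found = 1
                n = split($4, members, ",")
                for (i = 1; i <= n; i++)
                    if (members[i] "" == u "") member = 1
            }
            END {
                if (!found)      { print g ": not-local"; exit 1 }
                else if (member) { print g ": ok";        exit 0 }
                else             { print g ": missing";   exit 1 }
            }' "$file" || rc=1
    done
    return "$rc"
}

# Constructed sample: user1 already exists and is listed in group1 only.
sample=$(mktemp)
printf '%s\n' 'group1:x:901:user1' 'group2:x:902:' > "$sample"
local_group_drift "$sample" user1 group1 group2 ldapgroup || echo "drift detected"
rm -f "$sample"
```

On a real host the first argument would be `/etc/group`; comparing the result with `id -Gn user1` shows whether any extra membership comes from a non-local source.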
      

            People

              eric.delaney Eric Delaney
              csschwe Chuck Schweizer