[PUP-3804] User resource cannot add DOMAIN\User style accounts (through Active Directory) and should emit error message Created: 2015/01/02  Updated: 2019/04/04  Resolved: 2015/05/20

Status: Closed
Project: Puppet
Component/s: Types and Providers, Windows
Affects Version/s: PUP 3.7.3
Fix Version/s: PUP 3.8.0, PUP 4.1.0

Type: Bug Priority: Normal
Reporter: Ethan Brown Assignee: Unassigned
Resolution: Done Votes: 0
Labels: windows
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows


Issue Links:
Relates
relates to PUP-4373 Windows ADSI User groups property sho... Closed
relates to PUP-3883 Support for user resource with a DOMA... Closed
Template:
Story Points: 1
Sprint: Windows 2015-04-08
Release Notes: New Feature
QA Contact: Eric Thompson

Description

Try to create a domain style account with a manifest like:

user { "domain\\bud":
  ensure => present,
  groups => 'Administrator'
}

Puppet will error with 8007089A

Error: User update failed: (in OLE method `SetInfo': )
    OLE error code:8007089A in Active Directory
      The specified username is invalid.
 
    HRESULT error code:0x80020009
      Exception occurred.
Wrapped exception:
(in OLE method `SetInfo': )
    OLE error code:8007089A in Active Directory
      The specified username is invalid.
 
    HRESULT error code:0x80020009
      Exception occurred.
Error: /Stage[main]/Main/User[domain\bud]/ensure: change from absent to present failed: User update failed: (in OLE method `SetInfo': )
    OLE error code:8007089A in Active Directory
      The specified username is invalid.
 
    HRESULT error code:0x80020009
      Exception occurred.

There should be some discussion around Puppet's intended behavior in this case, as there are multiple potential outcomes, given that domain user creation is usually only available to Domain Administrators. Puppet has traditionally understood only local accounts, and has allowed the manipulation of local groups to include domain accounts.

With that said, for a User resource that references a domain account:

  • Puppet should try to resolve the account name to a SID as it does normally (which currently should work OK)
  • When the account doesn't exist, Puppet should trap 8007089A, and expose an error to the user about the domain account not existing / state that Puppet doesn't perform that functionality
  • Puppet should add the domain user to local groups where appropriate

Based on a user report, Puppet may also emit 80070562 when trying to add the domain user to a local group. For instance,

Notice: /Stage[main]/Profiles::Scd::Users/User[cppib\svc_scd_dev]/groups: groups changed 'Proofpoint Archive User Membership,Domain Users,wf1_ibimr-role_AnalyticalUser,wf1_ibimr-grp_managementre,wf1_ibimr-grp_herbiportal' to 'Administrators,Domain Users,Proofpoint Archive User Membership,wf1_ibimr-grp_herbiportal,wf1_ibimr-grp_managementre,wf1_ibimr-role_AnalyticalUser'
 
Error: /User[cppib\svc_scd_dev]: Could not evaluate: User update failed: (in OLE method `SetInfo': )
    OLE error code:80070005 in Active Directory
      Access is denied.
 
    HRESULT error code:0x80020009
      Exception occurred.
Wrapped exception:
(in OLE method `SetInfo': )
    OLE error code:80070005 in Active Directory
      Access is denied.
 
    HRESULT error code:0x80020009
      Exception occurred.
 
Notice: Finished catalog run in 18.38 seconds

On the second run:

Error: (in OLE method `Add': )
    OLE error code:80070562 in Active Directory
      The specified account name is already a member of the group.
 
    HRESULT error code:0x80020009
      Exception occurred.
 
Error: /Stage[main]/Profiles::Scd::Users/User[cppib\svc_scd_dev]/groups: change from Proofpoint Archive User Membership,Domain Users,wf1_ibimr-role_AnalyticalUser,wf1_ibimr-grp_managementre,wf1_ibimr-grp_herbiportal to Administrators,Domain Users,Proofpoint Archive User Membership,wf1_ibimrgrp_herbiportal,wf1_ibimr-grp_managementre,wf1_ibimr-role_AnalyticalUser failed: (in OLE method `Add': )
    OLE error code:80070562 in Active Directory
      The specified account name is already a member of the group.
 
    HRESULT error code:0x80020009



Comments
Comment by Ethan Brown [ 2015/04/01 ]

If a user wishes to add a DOMAIN\User style name to a group, they can do so with the group resource.

We don't intend to address adding domain accounts in the near-term, which would require a complicated active directory integration.

We can however address this by adding a warning message that such behavior is currently unsupported, which at least puts up some guard rails for an end user.

Comment by Ethan Brown [ 2015/04/03 ]

On further research to get to the bottom of the 0x80070562 error, it appears that we're not always using SIDs when evaluating what groups a User is a member of, which we should, since there can be duplicate names in different domains (i.e. local machine vs domain).

Setting the groups to which a user belongs should be handled like how setting users for a group is handled.

Bad:
https://github.com/puppetlabs/puppet/blob/9db23cedbb330ae79f7814c041858317ad101e23/lib/puppet/util/windows/adsi.rb#L190-L202

Good:
https://github.com/puppetlabs/puppet/blob/9db23cedbb330ae79f7814c041858317ad101e23/lib/puppet/util/windows/adsi.rb#L343-L353

PUP-4373 has been opened to address what we think could be the cause, and we'll proceed with the code we have for now warning about the issues that cause ERROR_BAD_USERNAME to close out this issue.
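
The point of the comment above, shown as an added Ruby example that is not Puppet's own code: comparing a user's group membership by name rather than by SID goes wrong as soon as a local group and a domain group share a short name. The BUILTIN SIDs are real well-known values; the CONTOSO domain SIDs, the directory table, and the assumption that the directory reports member group names without a DOMAIN\ prefix are constructed for the example.

```ruby
# Added example (not Puppet's code): group membership must be compared by SID,
# because an unqualified group name is ambiguous between the local machine and
# a domain. S-1-5-32-* are real well-known BUILTIN SIDs; CONTOSO SIDs are constructed.
DIRECTORY = {
  'Administrators' => 'S-1-5-32-544',                 # BUILTIN\Administrators
  'Users'          => 'S-1-5-32-545',                 # BUILTIN\Users
  'CONTOSO\\Users' => 'S-1-5-21-1111-2222-3333-1105'  # constructed; same short name as BUILTIN\Users
}.freeze

SID_TO_NAME = DIRECTORY.invert.freeze

def name_to_sid(name)
  DIRECTORY.fetch(name) { raise ArgumentError, "cannot resolve #{name.inspect} to a SID" }
end

# Assumption: the directory reports a member's group names unqualified (no DOMAIN\ prefix),
# so BUILTIN\Users and CONTOSO\Users both come back as plain "Users".
def reported_group_names(member_sids)
  member_sids.map { |sid| SID_TO_NAME.fetch(sid).split('\\').last }
end

# Name-based diff: the pattern the comment above calls bad.
def groups_to_add_by_name(member_sids, desired_names)
  have = reported_group_names(member_sids)
  desired_names.reject { |n| have.include?(n) }
end

# SID-based diff: resolve each desired name to a SID first, then compare SIDs.
def groups_to_add_by_sid(member_sids, desired_names)
  desired_names.reject { |n| member_sids.include?(name_to_sid(n)) }
end

# Constructed membership: the user belongs only to CONTOSO\Users.
MEMBER_SIDS = ['S-1-5-21-1111-2222-3333-1105'].freeze

# Case 1: the manifest wants the local BUILTIN\Users group.
# By name nothing is added (wrong, the user is not in the local group); by SID it is added.
def case_local_users
  [groups_to_add_by_name(MEMBER_SIDS, ['Users']),
   groups_to_add_by_sid(MEMBER_SIDS, ['Users'])]
end

# Case 2: the manifest wants the domain group the user already belongs to.
# By name it is re-added, which is the "already a member" (80070562) failure
# seen above; by SID there is nothing to do.
def case_domain_users
  [groups_to_add_by_name(MEMBER_SIDS, ['CONTOSO\\Users']),
   groups_to_add_by_sid(MEMBER_SIDS, ['CONTOSO\\Users'])]
end
```

Running `p case_local_users, case_domain_users` prints `[[], ["Users"]]` and `[["CONTOSO\\Users"], []]`: the name-based diff misses a required add in one case and produces a spurious re-add in the other, while the SID-based diff is right in both.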

Comment by Ethan Brown [ 2015/04/03 ]

Merged to 3.x in https://github.com/puppetlabs/puppet/commit/f76fba979316be4f5f725c2541c2d53c3fb4d182

Comment by Kurt Wall [ 2015/04/06 ]

Validated in master at SHA=b301505df2e13204ee408a05588e225fdffeacb6. Puppet does not create a domain user and complains that it can't:

# x.pp
user { "\\delivery.puppetlabs.net\\KurtWall":
  ensure => present,
  groups => 'Administrator',
}
 
C:\Program Files\Puppet Labs\Puppet\bin>puppet apply x.pp
Notice: Compiled catalog for jkoohkjkozqs1hp.delivery.puppetlabs.net in environm
ent production in 0.30 seconds
Error: Puppet is not able to create/delete domain users with the user resource.
Wrapped exception:
(in OLE method `SetInfo': )
    OLE error code:8007089A in Active Directory
      The specified username is invalid.
 
    HRESULT error code:0x80020009
      Exception occurred.
Error: /Stage[main]/Main/User[\delivery.puppetlabs.net\KurtWall]/ensure: change
from absent to present failed: Puppet is not able to create/delete domain users
with the user resource.
Notice: Finished catalog run in 0.06 seconds
 
C:\Program Files\Puppet Labs\Puppet\bin>

Comment by Ryan Gard [ 2015/04/06 ]

Kurt Wall Tag you're it! I'm swamped with r10k work and I don't have time to FR this ticket. The biggest impediment to FR for this is getting AD running, but I know Tony has some infrastructure available.

Comment by Kurt Wall [ 2015/04/09 ]

I did the work before Ryan Gard asked me to. Is that awesome teamwork or what?

Generated at Sat Dec 14 03:40:48 PST 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.