[PUP-3883] Support for user resource with a DOMAIN\User title
Created: 2015/01/21  Updated: 2015/04/03  Resolved: 2015/04/03

Status: Closed
Project: Puppet
Component/s: Types and Providers
Affects Version/s: PUP 3.7.0
Fix Version/s: None

Type: New Feature
Priority: Normal
Reporter: Jay Wallace
Assignee: Jay Wallace
Resolution: Won't Fix
Votes: 1
Labels: customer
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to PUP-2628 Ability to add a member to a group, i... Closed
relates to PUP-3719 Group resource non-authoritative by d... Closed
relates to PUP-3804 User resource cannot add DOMAIN\User ... Closed
Template:
QA Contact: Eric Thompson

 Description   

User resource with a DOMAIN\User title should be supported behavior with Puppet. Puppet is not inherently aware of domain style names when defining a user in such a manner. For this to even theoretically work, the account that Puppet is running on would have to have domain administration credentials for this to ever work properly.

user { "domain\\bud":
  ensure => present,
  groups => 'Administrator'
}

Code above propagates the following error:

Propagates error 8007089A
 
Error: User update failed: (in OLE method `SetInfo': )
    OLE error code:8007089A in Active Directory
      The specified username is invalid.
 
    HRESULT error code:0x80020009
      Exception occurred.
Wrapped exception:
(in OLE method `SetInfo': )
    OLE error code:8007089A in Active Directory
      The specified username is invalid.
 
    HRESULT error code:0x80020009
      Exception occurred.
Error: /Stage[main]/Main/User[domain\bud]/ensure: change from absent to present failed: User update failed: (in OLE method `SetInfo': )
    OLE error code:8007089A in Active Directory
      The specified username is invalid.
 
    HRESULT error code:0x80020009
      Exception occurred.



 Comments   
Comment by Josh Cooper [ 2015/01/21 ]

Puppet doesn't support managing domain user accounts. The same effect can be achieved by managing the local Administrators group, and adding the domain user account as a member:

group { 'Administrators':
  ensure => present,
  members => ["domain\\bud"]
}

Also, due to PUP-3719, Puppet 4.0 will not require the complete list of members to be specified. IOW, puppet will ensure that the Administrators group contains *at least* the specified user. You can specify the complete list using the auth_membership parameter.

Please provide additional information about why they are trying to manage via the user resource, or close as will not fix.

Comment by Jason Chinsen [ 2015/01/22 ]

I agree that if the functionality is going to be there in v4 to manage the local group with "at least", then this is a null point. Thanks for your time.

When is the ETA for 4.0?

Comment by Josh Cooper [ 2015/01/22 ]

Jason Chinsen, puppet has been able to manage local groups with domain members on Windows for a while, but before 4.0 you had to specify the complete list of members, which can be difficult to do in some cases. Starting in 4.0, you will be able to specify a partial list (in PUP-2628), and the default is changing from requiring the complete list to partial list (in PUP-3719). Puppet 4 should be out real soon now.
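
The partial-list and complete-list behaviours described in the two comments above, as an added example that is not part of the original ticket or Puppet's own code. The class name `local_admins`, its parameters, and the `EXAMPLE\bud` account are hypothetical placeholders; Puppet 4 syntax is assumed.

```puppet
# Added example, not from the ticket. EXAMPLE\bud is a constructed placeholder
# for a domain account; the class and parameter names are hypothetical.
class local_admins (
  Array[String] $members,
  Boolean       $authoritative = false,
) {
  group { 'Administrators':
    ensure          => present,
    members         => $members,
    # false: the listed accounts are a minimum; any other existing members
    #        of the group are left in place and are not reported.
    # true:  the listed accounts are the complete list; any member not
    #        listed here is removed from the group on the next run.
    auth_membership => $authoritative,
  }
}

# Complete-list mode: name every account that must keep local admin rights,
# including the built-in local Administrator, or it will be removed too.
class { 'local_admins':
  members       => ['Administrator', "EXAMPLE\\bud"],
  authoritative => true,
}
```

Running the agent with `--noop` first shows which existing members the complete-list mode would remove before any change is made.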

Comment by Ethan Brown [ 2015/04/03 ]

Closing this ticket because PUP-3804 will handle emitting a message that the user resource cannot specify a DOMAIN\User title.

Generated at Sat Jul 20 13:38:49 PDT 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.