Issue #4855 has been updated by Gary Larizza. Status changed from Investigating to Accepted Assignee changed from Nigel Kersten to Gary Larizza Target version set to 2.7.x
Nigel, I can take it from here (since I'm updating the rest of the OS X bugs this week). I can merge in Clay's code, for the time being, and create some tests for it until we figure out a good answer to this problem. ---------------------------------------- Bug #4855: group resources on OS X may fail is group members are non-existant https://projects.puppetlabs.com/issues/4855 Author: Clay Caviness Status: Accepted Priority: Normal Assignee: Gary Larizza Category: OSX Target version: 2.7.x Affected Puppet version: 2.6.1 Keywords: Branch: The group provider on OS X uses "dseditgroup" to manage group membership. Due to Apple bug 8481241 ("dseditgroup can't remove unknown users from groups"), however, if the puppet group provider needs to remove a non-existant user from a group it manages, it will fail. To reproduce, first apply: <pre> group { "testgroup": ensure => present, members => ["testuser", "root"], require => User["testuser"] } user { "testuser": ensure => present } [...]info: Applying configuration version '1285616257' debug: Puppet::Type::User::ProviderDirectoryservice: Executing '/usr/bin/dscl -plist . -list /Users' debug: Puppet::Type::User::ProviderDirectoryservice: Executing '/usr/bin/dscl -plist . -list /Users' debug: User[testuser](provider=directoryservice): Executing '/usr/bin/dscl -plist . -create /Users/testuser GeneratedUID 90209F1B-B066-4630-8BD0-5B19C640CBFF' notice: /Stage[main]//User[testuser]/ensure: created debug: Puppet::Type::Group::ProviderDirectoryservice: Executing '/usr/bin/dscl -plist . -list /Groups' debug: Puppet::Type::Group::ProviderDirectoryservice: Executing '/usr/bin/dscl -plist . -read /Groups/testgroup' debug: Group[testgroup](provider=directoryservice): Executing 'dseditgroup -o edit -n . -a root testgroup' notice: /Stage[main]//Group[testgroup]/members: members changed 'testuser' to 'testuser,root' debug: Finishing transaction 2194047380 </pre> Delete the user via: <pre>dscl . -delete /Users/testuser</pre> (Alternatively, the user can be deleted via puppet, though ordering may allow this to be successful.) Now try to apply a change to the group that would cause the testuser user to be removed from group membership: <pre> group { "testgroup": ensure => present, members => "root"} [...] info: Applying configuration version '1285616630' debug: Puppet::Type::Group::ProviderDirectoryservice: Executing '/usr/bin/dscl -plist . -list /Groups' debug: Puppet::Type::Group::ProviderDirectoryservice: Executing '/usr/bin/dscl -plist . -read /Groups/testgroup' debug: Group[testgroup](provider=directoryservice): Executing 'dseditgroup -o edit -n . -d testuser testgroup' err: /Stage[main]//Group[testgroup]/members: change from roottestuser to root failed: Could not remove testuser from group: testgroup, Execution of 'dseditgroup -o edit -n . -d testuser testgroup' returned 200: Record was not found. debug: Finishing transaction 2190850540 </pre> **All** attempts to make changes to the group membership from this point will fail, as dseditgroup cannot remove a user from a group if that user does not exist. Running puppet 2.6.1 on OS X 10.6.4. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
