Issue #14454 has been updated by Andrew Parker.

Status changed from Unreviewed to Needs More Information

It isn't clear to me what the bug is as you see it. Is it the problem that you 
point to with puppet not handling groups with spaces in their names? Or is the 
problem that puppet cannot manage groups that are part of any other than the 
file source?

We can probably handle spaces in group names, but I don't think we are likely 
to take on the task of modifying groups in the way you are indicating (see 
Daniel's response to #14245).
----------------------------------------
Bug #14454: User group membership cannot be managed if nss uses any data 
sources beyond "files"
https://projects.puppetlabs.com/issues/14454#change-63931

Author: Joe Julian
Status: Needs More Information
Priority: Normal
Assignee: 
Category: user
Target version: 
Affected Puppet version: 
Keywords: 
Branch: 


Using this resource definition:
    user { 'root':
        ensure           => 'present',
        comment          => 'root',
        gid              => '0',
        groups           => ['bin', 'daemon', 'sys', 'adm', 'disk', 'wheel'],
        home             => '/root',
        password         => '$1$CGNOIogj$cRaZjrS0Bv1dmwJ0m.kkI.',
        password_max_age => '99999',
        password_min_age => '0',
        shell            => '/bin/bash',
        uid              => '0',
    }

This should mean that at a minimum, root is a member of the listed groups.

On some of our end-user facing machines, we add ldap authentication in 
nsswitch.conf. This results in getgrent returning this list of groups:
    ["daemon", "sys", "adm", "disk", "wheel", "bin", "daemon", "sys", "adm",
     "disk", "wheel", "Domain Admins", "Administrators", "app"]

Now this list does contain the required groups, so my expectation would be that 
nothing happens.

Instead, this list is tested against /\s+/ and an error is produced because 
there's a space in "Domain Admins" (useradd.rb line 18). 

If we *were* making changes, instead of erroring it should either wrap the 
group in quotes, or backquote the space(s). For instance, if I changed the 
groups to ['bin', 'daemon', 'sys', 'adm', 'disk', 'wheel', 'mail'] so it would 
need to add 'mail', it's going to error out because of Domain Admins.

If I remove that check, it's going to fail because of the space. If I call 
usermod -G manually with the complete list, having Domain Admins quoted, it 
works to change the "files" group memberships (adding "mail" in my example). It 
does not, of course, do anything for ldap group memberships.

The nss library calls are obviously insufficient to make this work correctly. 
There's no way to know what the source is for the group, and groups can be 
duplicated between nss data sources.
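
The comparison the report expects, as an added example (not Puppet's code and not part of the original report): the NSS-visible list is de-duplicated and treated as current membership, only missing groups are appended, and the command is built as an argument array so a name such as "Domain Admins" never needs shell quoting. The /etc/group contents are constructed, and the function names `file_groups` and `plan` are hypothetical.

```ruby
# Constructed sample of /etc/group; group names follow the report above.
ETC_GROUP = <<~EOS
  root:x:0:
  bin:x:1:root,bin,daemon
  daemon:x:2:root,bin,daemon
  sys:x:3:root,bin,adm
  adm:x:4:root,adm,daemon
  disk:x:6:root
  wheel:x:10:root
  mail:x:12:mail,postfix
EOS

# The list quoted in the report (NSS enumeration with files + ldap).
NSS_GROUPS = ["daemon", "sys", "adm", "disk", "wheel", "bin", "daemon", "sys",
              "adm", "disk", "wheel", "Domain Admins", "Administrators", "app"]

# Groups that list `user` as a member in group(5) text (name:passwd:gid:members).
def file_groups(user, group_text)
  group_text.each_line.map do |line|
    name, _pw, _gid, members = line.chomp.split(':', 4)
    name if members.to_s.split(',').include?(user)
  end.compact
end

# Plan a change under "at minimum a member of" semantics.
def plan(user, desired, nss_groups, group_text)
  current = nss_groups.uniq                  # the same name can come from two sources
  missing = desired - current                # only these need a change
  local   = file_groups(user, group_text)
  {
    missing:  missing,
    non_file: current - local,               # memberships usermod cannot own
    # Array form: each element is one argv entry, no shell parsing involved.
    # usermod -a -G appends without restating the full membership list.
    argv: missing.empty? ? nil : ['usermod', '-a', '-G', missing.join(','), user]
  }
end

if __FILE__ == $PROGRAM_NAME
  want = %w[bin daemon sys adm disk wheel]
  p plan('root', want, NSS_GROUPS, ETC_GROUP)
  p plan('root', want + ['mail'], NSS_GROUPS, ETC_GROUP)
end
```

An `argv` array like this can be handed to `Kernel#system` as separate arguments (`system(*argv)`), which executes the command without a shell.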
