Issue #12833 has been updated by Clay Caviness.
I'm seeing this with your full patch (puppet 3.x) as well:

<pre>
$ sudo puppet resource group --debug --trace
Debug: Failed to load library 'ldap' for feature 'ldap'
Debug: Puppet::Type::Group::ProviderLdap: true value when expecting false
Debug: Puppet::Type::Group::ProviderPw: file pw does not exist
Debug: Puppet::Type::Group::ProviderGroupadd: file groupmod does not exist
Debug: Puppet::Type::Group::ProviderLdap: true value when expecting false
Debug: Puppet::Type::Group::ProviderPw: file pw does not exist
Debug: Puppet::Type::Group::ProviderGroupadd: file groupmod does not exist
Debug: Executing '/usr/bin/dscl -plist . -list /Groups'
Debug: Executing '/usr/bin/dscl -plist . -list /Groups'
Debug: Executing '/usr/bin/dscl -plist . -read /Groups/_amavisd'
Debug: Executing '/usr/bin/plutil -convert xml1 -o /dev/stdout /var/db/dslocal/nodes/Default/users/_amavisd.plist'
Debug: Executing '/usr/bin/dscl -plist . -list /Groups'
Debug: Executing '/usr/bin/dscl -plist . -read /Groups/_appleevents'
Debug: Executing '/usr/bin/plutil -convert xml1 -o /dev/stdout /var/db/dslocal/nodes/Default/users/_appleevents.plist'
Debug: Executing '/usr/bin/dscl -plist . -list /Groups'
Debug: Executing '/usr/bin/dscl -plist . -read /Groups/_appowner'
Debug: Executing '/usr/bin/plutil -convert xml1 -o /dev/stdout /var/db/dslocal/nodes/Default/users/_appowner.plist'
Debug: Executing '/usr/bin/dscl -plist . -list /Groups'
Debug: Executing '/usr/bin/dscl -plist . -read /Groups/_appserveradm'
Error: Could not run: /var/db/dslocal/nodes/Default/users/_appserveradm.plist is not readable, please check that permissions are correct and that the file is not corrupt.
/Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:317
/Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:152
/Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:191
/Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:73
/Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:72
/Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:72
/Library/Ruby/Site/1.8/puppet/type.rb:867
/Library/Ruby/Site/1.8/puppet/type.rb:860
/Library/Ruby/Site/1.8/puppet/type.rb:860
/Library/Ruby/Site/1.8/puppet/indirector/resource/ral.rb:14
/Library/Ruby/Site/1.8/puppet/indirector/indirection.rb:250
/Library/Ruby/Site/1.8/puppet/application/resource.rb:230
/Library/Ruby/Site/1.8/puppet/application/resource.rb:142
/Library/Ruby/Site/1.8/puppet/application.rb:350
/Library/Ruby/Site/1.8/puppet/application.rb:342
/Library/Ruby/Site/1.8/puppet/application.rb:436
/Library/Ruby/Site/1.8/puppet/application.rb:342
/Library/Ruby/Site/1.8/puppet/util.rb:513
/Library/Ruby/Site/1.8/puppet/application.rb:342
/Library/Ruby/Site/1.8/puppet/util/command_line.rb:74
/usr/bin/puppet:10
</pre>

----------------------------------------
Bug #12833: Password property for User type is broke in OS X 10.8
https://projects.puppetlabs.com/issues/12833#change-69043

Author: Gary Larizza
Status: In Topic Branch Pending Review
Priority: Normal
Assignee: Gary Larizza
Category: OSX
Target version: 3.x
Affected Puppet version: 3.0.0rc3
Keywords: password user mac mountain lion os x
Branch: https://github.com/glarizza/puppet-1/tree/bug/master/12833_OSX_PBKDF2_UPDATE

Setting users' passwords is broken in 10.8 due to the fact that Apple moved to PBKDF2 passwords in 10.8:

<pre>
Garys-Mac:~ glarizza$ sudo puppet resource user glarizza
Password:
/Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:379:in `get_password': undefined method `string' for nil:NilClass (NoMethodError)
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:199:in `generate_attribute_hash'
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:235:in `single_report'
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:76:in `instances'
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:75:in `collect'
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:75:in `instances'
        from /Library/Ruby/Site/1.8/puppet/type.rb:889:in `instances'
        from /Library/Ruby/Site/1.8/puppet/type.rb:882:in `collect'
        from /Library/Ruby/Site/1.8/puppet/type.rb:882:in `instances'
        from /Library/Ruby/Site/1.8/puppet/indirector/resource/ral.rb:4:in `find'
        from /Library/Ruby/Site/1.8/puppet/indirector/indirection.rb:196:in `find'
        from /Library/Ruby/Site/1.8/puppet/application/resource.rb:222:in `find_or_save_resources'
        from /Library/Ruby/Site/1.8/puppet/application/resource.rb:144:in `main'
        from /Library/Ruby/Site/1.8/puppet/application.rb:317:in `run_command'
        from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run'
        from /Library/Ruby/Site/1.8/puppet/application.rb:413:in `hook'
        from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run'
        from /Library/Ruby/Site/1.8/puppet/application.rb:404:in `exit_on_fail'
        from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run'
        from /Library/Ruby/Site/1.8/puppet/util/command_line.rb:69:in `execute'
        from /usr/bin/puppet:4
</pre>

It's from this code (line 379 in lib/puppet/provider/nameservice/directoryservice.rb):

<pre>
password_hash = converted_hash_plist['SALTED-SHA512'].string.unpack("H*")[0]
</pre>

So, I'm trying to update Puppet to be able to handle/change the user's password in 10.8 and I notice that the methodology I need to access/generate/change it has changed from 10.7 to 10.8. Since our product uses Ruby, I'll be displaying the steps in Ruby.

In 10.7 I used this methodology to access the password:

<pre>
require 'facter/util/plist'

# Convert the user's binary plist to XML and parse it
users_plist = Plist::parse_xml(`plutil -convert xml1 -o /dev/stdout /var/db/dslocal/nodes/Default/users/brit_xml.plist`)
# ShadowHashData is itself an embedded binary plist
password_hash_plist = users_plist['ShadowHashData'][0].string
# Pipe the embedded plist through plutil to get XML back
IO.popen('plutil -convert xml1 -o - -', mode='r+') do |io|
  io.write password_hash_plist
  io.close_write
  @converted_plist = io.read
end
converted_hash_plist = Plist::parse_xml(@converted_plist)
# Hex-encode the binary salted SHA512 value
password_hash = converted_hash_plist['SALTED-SHA512'].string.unpack("H*")[0]
puts password_hash
</pre>

This is all well and good since the value of converted_hash_plist['SALTED-SHA512'] was a StringIO object containing the binary version of the salted sha512 password. In 10.8, all of the steps are the same up to a point - it seems the value of converted_hash_plist is different:

<pre>
>> pp converted_hash_plist
{"SALTED-SHA512-PBKDF2"=>
  {"salt"=>#<StringIO:0x10f31e498>,
   "entropy"=>#<StringIO:0x10f31e998>,
   "iterations"=>15174}}
=> nil
</pre>

Indeed, this looks like a 128 byte PBKDF2 password (since the value of converted_hash_plist['SALTED-SHA512-PBKDF2']['entropy'].string.unpack('H*').first is 256 characters). This makes sense since it looks like Apple has dabbled in PBKDF2 before http://people.cis.ksu.edu/~sakthi/src/data/filevault_sakthi.pdf. Ruby does have a PBKDF2 gem (https://github.com/emerose/pbkdf2-ruby), but of course there's no built-in method to handle passwords in this fashion. Basically, the format has changed.
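
The record layout described in the issue, worked through with Ruby's bundled OpenSSL bindings. This is an added example, not code from the issue or from Puppet; it assumes the PRF is HMAC-SHA512 (as the key name suggests), uses a constructed 32-byte salt and password, and the helper names are hypothetical.

```ruby
require 'openssl'
require 'securerandom'
require 'stringio'

ENTROPY_BYTES = 128 # the page's entropy value unpacks to 256 hex characters

# Plist data values arrive as StringIO (see the pp output); accept both forms.
def raw(value)
  value.respond_to?(:string) ? value.string : value
end

# Assumption: PBKDF2 with HMAC-SHA512, as the key name suggests.
def pbkdf2_entropy(password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(password, raw(salt), iterations,
                             ENTROPY_BYTES, OpenSSL::Digest.new('SHA512'))
end

# Build a record shaped like the 10.8 converted_hash_plist (constructed data).
def build_record(password, iterations, salt = SecureRandom.random_bytes(32))
  { 'SALTED-SHA512-PBKDF2' => {
    'salt' => StringIO.new(salt),
    'entropy' => StringIO.new(pbkdf2_entropy(password, salt, iterations)),
    'iterations' => iterations
  } }
end

# Return [format, hex digest] for either layout, rather than calling
# .string on a missing 'SALTED-SHA512' key (the NoMethodError in the issue).
def stored_hash(converted)
  if (rec = converted['SALTED-SHA512-PBKDF2'])
    ['SALTED-SHA512-PBKDF2', raw(rec['entropy']).unpack('H*')[0]]
  elsif (legacy = converted['SALTED-SHA512'])
    ['SALTED-SHA512', raw(legacy).unpack('H*')[0]]
  else
    raise ArgumentError, "unknown ShadowHashData keys: #{converted.keys.inspect}"
  end
end

# Constant-time check of a candidate password against a PBKDF2 record.
def password_matches?(converted, candidate)
  rec = converted.fetch('SALTED-SHA512-PBKDF2')
  derived = pbkdf2_entropy(candidate, rec['salt'], rec['iterations'])
  stored = raw(rec['entropy'])
  return false unless derived.bytesize == stored.bytesize
  derived.bytes.zip(stored.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

record = build_record('constructed-sample-password', 15_174) # iteration count from the page
puts stored_hash(record).inspect
```
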
