Issue #17031 has been reported by Josh Cooper.
----------------------------------------
Bug #17031: Can't add domain user account as a member of a local group
https://projects.puppetlabs.com/issues/17031
Author: Josh Cooper
Status: Accepted
Priority: Normal
Assignee:
Category:
Target version: 2.7.x
Affected Puppet version: 2.7.6
Keywords: windows user group domain
Branch:
This is a common need when managing domain service accounts that need to be a
member of the local Administrators account. I thought it would be resolved once
#16581 was fixed, but there's a more fundamental issue with the group provider,
so I'm filing this as a separate issue.
First, it attempts to add members to the group using an ADSI path of
`WinNT://WIN-QP47VOHA2P4/BIZARRO\albert,user`, but it needs to be
`WinNT://WIN-QP47VOHA2P4/BIZARRO/albert,user`
<pre>
def add_members(*names)
  names.each do |name|
    native_group.Add(Puppet::Util::ADSI::User.uri(name))
  end
end
</pre>
It may be possible to just use the SID form `WinNT://<SID>` but I'm not sure if
that will work in a non-domain environment.
Second, when calculating whether the group's members are insync? it compares
names:
<pre>
members_to_add = desired_members - current_members
add_members(*members_to_add)
</pre>
However the ADSI provider returns current members as, e.g. `albert`. But since
this doesn't match `BIZARRO\albert`, the provider will think the resource is
out of sync and will attempt to re-add a user that is already a member of the
group and fail:
<pre>
err: /Stage[main]//Group[Foobars]/members: change from albertAdministrator to
BIZARRO\albert Administrator failed: Add
OLE error code:80070562 in Active Directory
The specified account name is already a member of the group.
HRESULT error code:0x80020009
Exception occurred.
</pre>
Really, the group provider needs to compare the current vs desired SIDs to
determine which users to add, similar to what we do in the file and
scheduled_task providers.
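The two problems described in the report, as an added Ruby example that is not part of the original report or Puppet's own code: a name-based diff beside a SID-based one, plus member paths built in the `WinNT://<computer>/<domain>/<user>,user` form. The helper names, the SID values, the extra `BIZARRO\betty` account and the lookup table (a stand-in for a real name-to-SID lookup on Windows) are assumptions constructed for illustration.

```ruby
COMPUTER = 'WIN-QP47VOHA2P4'

# Constructed SIDs standing in for a real name-to-SID lookup on Windows.
SAMPLE_SIDS = {
  'bizarro\albert'                => 'S-1-5-21-1000-2000-3000-1105',
  'bizarro\betty'                 => 'S-1-5-21-1000-2000-3000-1106',
  'win-qp47voha2p4\administrator' => 'S-1-5-21-4000-5000-6000-500',
}.freeze

# Hypothetical helper: qualify a bare name with the local computer, then
# resolve it case-insensitively to a SID.
def name_to_sid(name)
  qualified = name.include?('\\') ? name : "#{COMPUTER}\\#{name}"
  SAMPLE_SIDS.fetch(qualified.downcase) { raise ArgumentError, "unknown account: #{name}" }
end

# Hypothetical helper: build the member path with '/' between domain and user,
# the form the report says ADSI needs (no backslash in the path).
def member_uri(name)
  domain, user = name.split('\\', 2)
  user ? "WinNT://#{COMPUTER}/#{domain}/#{user},user" : "WinNT://#{COMPUTER}/#{domain},user"
end

# Name-based diff, as in the snippet quoted in the report.
def members_to_add_by_name(desired, current)
  desired - current.map { |m| m[:name] }
end

# SID-based diff: an account is added only if its SID is not already a member.
def members_to_add_by_sid(desired, current)
  current_sids = current.map { |m| m[:sid] }
  desired.reject { |name| current_sids.include?(name_to_sid(name)) }
end

# Constructed group state: the domain user is reported by its short name.
# Assumes each current member's SID is available alongside the name.
CURRENT = [
  { name: 'albert',        sid: SAMPLE_SIDS['bizarro\albert'] },
  { name: 'Administrator', sid: SAMPLE_SIDS['win-qp47voha2p4\administrator'] },
].freeze
DESIRED = ['BIZARRO\albert', 'BIZARRO\betty', 'Administrator'].freeze

if __FILE__ == $PROGRAM_NAME
  p members_to_add_by_name(DESIRED, CURRENT)  # includes the existing member
  p members_to_add_by_sid(DESIRED, CURRENT).map { |n| member_uri(n) }
end
```

The name-based diff would try to re-add `BIZARRO\albert`, which is the case that produces the "already a member of the group" error quoted above; the SID-based diff leaves only the account that is actually missing.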