Issue #12833 has been updated by Josh Cooper.

Status changed from Merged - Pending Release to Code Insufficient

This breaks user providers that don't implement salt getter/setters. You 
probably need a provider feature so that we only manage salt on systems where 
that makes sense. 

On Windows, I get:

<pre>
C:\work\puppet>envpuppet puppet resource user  --trace
Error: Could not run: undefined method `salt' for #<Puppet::Type::User::ProviderWindows_adsi:0xdb457e0>
c:/work/puppet/lib/puppet/property.rb:280:in `send'
c:/work/puppet/lib/puppet/property.rb:280:in `retrieve'
c:/work/puppet/lib/puppet/type/user.rb:367:in `retrieve'
c:/puppetwinbuilder/sys/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:62:in `inject'
c:/work/puppet/lib/puppet/type/user.rb:361:in `each'
c:/work/puppet/lib/puppet/type/user.rb:361:in `inject'
c:/work/puppet/lib/puppet/type/user.rb:361:in `retrieve'
c:/work/puppet/lib/puppet/type.rb:693:in `retrieve_resource'
c:/work/puppet/lib/puppet/type.rb:1775:in `to_resource'
c:/work/puppet/lib/puppet/indirector/resource/ral.rb:15:in `search'
c:/work/puppet/lib/puppet/indirector/resource/ral.rb:14:in `map'
c:/work/puppet/lib/puppet/indirector/resource/ral.rb:14:in `search'
c:/work/puppet/lib/puppet/indirector/indirection.rb:250:in `search'
c:/work/puppet/lib/puppet/application/resource.rb:230:in `find_or_save_resources'
c:/work/puppet/lib/puppet/application/resource.rb:142:in `main'
c:/work/puppet/lib/puppet/application.rb:354:in `run_command'
c:/work/puppet/lib/puppet/application.rb:346:in `run'
c:/work/puppet/lib/puppet/application.rb:438:in `plugin_hook'
c:/work/puppet/lib/puppet/application.rb:346:in `run'
c:/work/puppet/lib/puppet/util.rb:496:in `exit_on_fail'
c:/work/puppet/lib/puppet/application.rb:346:in `run'
c:/work/puppet/lib/puppet/util/command_line.rb:87:in `execute'
c:/work/puppet/bin/puppet:4
</pre>
----------------------------------------
Bug #12833: Password property for User type is broke in OS X 10.8
https://projects.puppetlabs.com/issues/12833#change-76624

Author: Gary Larizza
Status: Code Insufficient
Priority: Normal
Assignee: 
Category: OSX
Target version: 3.0.2
Affected Puppet version: 
Keywords: password user mac mountain lion os x
Branch: https://github.com/puppetlabs/puppet/pull/1266


Setting users' passwords is broken in 10.8 due to the fact that Apple moved to 
PBKDF2 passwords in 10.8:


<pre>
Garys-Mac:~ glarizza$ sudo puppet resource user glarizza
Password:
/Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:379:in `get_password': undefined method `string' for nil:NilClass (NoMethodError)
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:199:in `generate_attribute_hash'
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:235:in `single_report'
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:76:in `instances'
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:75:in `collect'
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:75:in `instances'
        from /Library/Ruby/Site/1.8/puppet/type.rb:889:in `instances'
        from /Library/Ruby/Site/1.8/puppet/type.rb:882:in `collect'
        from /Library/Ruby/Site/1.8/puppet/type.rb:882:in `instances'
        from /Library/Ruby/Site/1.8/puppet/indirector/resource/ral.rb:4:in `find'
        from /Library/Ruby/Site/1.8/puppet/indirector/indirection.rb:196:in `find'
        from /Library/Ruby/Site/1.8/puppet/application/resource.rb:222:in `find_or_save_resources'
        from /Library/Ruby/Site/1.8/puppet/application/resource.rb:144:in `main'
        from /Library/Ruby/Site/1.8/puppet/application.rb:317:in `run_command'
        from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run'
        from /Library/Ruby/Site/1.8/puppet/application.rb:413:in `hook'
        from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run'
        from /Library/Ruby/Site/1.8/puppet/application.rb:404:in `exit_on_fail'
        from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run'
        from /Library/Ruby/Site/1.8/puppet/util/command_line.rb:69:in `execute'
        from /usr/bin/puppet:4
</pre>

It's from this code (line 379 in 
lib/puppet/provider/nameservice/directoryservice.rb):

<pre>
          password_hash = converted_hash_plist['SALTED-SHA512'].string.unpack("H*")[0]
</pre>


So, I'm trying to update Puppet to be able to handle/change the user's password 
in 10.8 and I notice that the methodology I need to access/generate/change it 
has changed from 10.7 to 10.8.  Since our product uses Ruby, I'll be displaying 
the steps in Ruby.  In 10.7 I used this methodology to access the password:
 
<pre>
require 'facter/util/plist'

# Convert the user's plist to XML and parse it.
users_plist = Plist::parse_xml(`plutil -convert xml1 -o /dev/stdout /var/db/dslocal/nodes/Default/users/brit_xml.plist`)

# ShadowHashData holds an embedded plist; pipe it through plutil as well.
password_hash_plist = users_plist['ShadowHashData'][0].string
IO.popen('plutil -convert xml1 -o - -', 'r+') do |io|
  io.write password_hash_plist
  io.close_write
  @converted_plist = io.read
end

converted_hash_plist = Plist::parse_xml(@converted_plist)
# 10.7: the value is a StringIO wrapping the binary salted SHA512 hash.
password_hash = converted_hash_plist['SALTED-SHA512'].string.unpack("H*")[0]
puts password_hash
</pre>

 
This is all well and good since the value of 
converted_hash_plist['SALTED-SHA512'] was a StringIO object containing the 
binary version of the salted sha512 password.  In 10.8, all of the steps are 
the same up to a point - it seems the value of converted_hash_plist is 
different:
 
<pre>
>> pp converted_hash_plist
{"SALTED-SHA512-PBKDF2"=>
  {"salt"=>#<StringIO:0x10f31e498>,
   "entropy"=>#<StringIO:0x10f31e998>,
   "iterations"=>15174}}
=> nil
</pre>

Indeed, this looks like a 128 byte PBKDF2 password (since the value of 
converted_hash_plist['SALTED-SHA512-PBKDF2']['entropy'].string.unpack('H*').first 
is 256 characters).  This makes sense since it looks like Apple has dabbled in 
PBKDF2 before http://people.cis.ksu.edu/~sakthi/src/data/filevault_sakthi.pdf.  
Ruby does have a PBKDF2 gem (https://github.com/emerose/pbkdf2-ruby), but of 
course there's no built-in method to handle passwords in this fashion.

Basically, the format has changed.
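
An added example, not part of the original report or of Puppet's code: reading either ShadowHashData layout shown above without calling `.string` on a missing key, and checking a candidate password against the 10.8 record. It assumes the PRF is HMAC-SHA512 (inferred from the key name) and uses Ruby's OpenSSL binding; the function names and the sample record are constructed for illustration.

```ruby
require 'openssl'
require 'stringio'

PBKDF2_KEY = 'SALTED-SHA512-PBKDF2' # 10.8 key, as in the pp output above
LEGACY_KEY = 'SALTED-SHA512'        # 10.7 key
ENTROPY_BYTES = 128                 # entropy unpacks to 256 hex characters

# Derive the entropy value. Assumption: PBKDF2 with HMAC-SHA512 as the PRF.
def derive_entropy(password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, ENTROPY_BYTES,
                             OpenSSL::Digest.new('SHA512'))
end

# Normalize the embedded plist into hex strings, whichever format it holds,
# and fail with a clear error when neither known key is present.
def read_shadow_hash(converted_hash_plist)
  if (entry = converted_hash_plist[PBKDF2_KEY])
    { :format => PBKDF2_KEY,
      :salt => entry['salt'].string.unpack('H*')[0],
      :entropy => entry['entropy'].string.unpack('H*')[0],
      :iterations => Integer(entry['iterations']) }
  elsif (entry = converted_hash_plist[LEGACY_KEY])
    { :format => LEGACY_KEY, :hash => entry.string.unpack('H*')[0] }
  else
    raise ArgumentError, "unknown ShadowHashData keys: #{converted_hash_plist.keys.inspect}"
  end
end

# Check a candidate password against a normalized PBKDF2 record.
def password_matches?(record, candidate)
  salt = [record[:salt]].pack('H*')
  expected = [record[:entropy]].pack('H*')
  actual = derive_entropy(candidate, salt, record[:iterations])
  # Compare every byte (no early exit) so timing does not reveal a partial match.
  actual.bytesize == expected.bytesize &&
    actual.bytes.zip(expected.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Constructed sample shaped like the 10.8 pp output (not a real account).
SAMPLE_SALT = "\x01\x02\x03\x04" * 8
SAMPLE_PLIST = {
  PBKDF2_KEY => {
    'salt' => StringIO.new(SAMPLE_SALT),
    'entropy' => StringIO.new(derive_entropy('constructed-pass', SAMPLE_SALT, 15174)),
    'iterations' => 15174
  }
}
```
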

