Issue #17031 has been updated by Andrew Parker. Target version deleted (2.7.x)
As the 2.7.x line is winding down, I am removing the target at 2.7.x from tickets in the system. The 2.7 line should only receive fixes for major problems (crashes, for instance) or security problems.

----------------------------------------
Bug #17031: Can't add domain user account as a member of a local group
https://projects.puppetlabs.com/issues/17031#change-80549

Author: Josh Cooper
Status: Accepted
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version: 2.7.6
Keywords: windows user group domain
Branch:

This is a common need when managing domain service accounts that need to be a member of the local Administrators account. I thought it would be resolved once #16581 was fixed, but there's a more fundamental issue with the group provider, so I'm filing this as a separate issue.

First, it attempts to add members to the group using an ADSI path of `WinNT://WIN-QP47VOHA2P4/BIZARRO\albert,user`, but it needs to be `WinNT://WIN-QP47VOHA2P4/BIZARRO/albert,user`

<pre>
def add_members(*names)
  names.each do |name|
    native_group.Add(Puppet::Util::ADSI::User.uri(name))
  end
end
</pre>

It may be possible to just use the SID form `WinNT://<SID>` but I'm not sure if that will work in a non-domain environment.

Second, when calculating whether the group's members are insync? it compares names:

<pre>
members_to_add = desired_members - current_members
add_members(*members_to_add)
</pre>

However the ADSI provider returns current members as, e.g. `albert`. But since this doesn't match `BIZARRO\albert`, the provider will think the resource is out of sync and will attempt to re-add a user that is already a member of the group and fail:

<pre>
err: /Stage[main]//Group[Foobars]/members: change from albertAdministrator to BIZARRO\albert Administrator failed: Add
    OLE error code:80070562 in Active Directory
      The specified account name is already a member of the group.
    HRESULT error code:0x80020009
      Exception occurred.
</pre>

Really, the group provider needs to compare the current vs desired SIDs to determine which users to add, similar to what we do in the file and scheduled_task providers.
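
A sketch of the SID comparison the report proposes, next to the name comparison it quotes. This is an added example, not Puppet's provider code: `SID_TABLE` and `name_to_sid` are hypothetical stand-ins for the Windows name-to-SID lookup, the SID values and the `svc_web` account are constructed, and the local-account path form in `winnt_uri` is an assumption.

```ruby
# Host and account names are taken from the report; the SIDs are constructed.
COMPUTER = 'WIN-QP47VOHA2P4'
SID_TABLE = {
  ['BIZARRO', 'albert']       => 'S-1-5-21-1000000001-1000000002-1000000003-1105',
  ['BIZARRO', 'svc_web']      => 'S-1-5-21-1000000001-1000000002-1000000003-1106',
  [COMPUTER, 'administrator'] => 'S-1-5-21-2000000001-2000000002-2000000003-500'
}.freeze

# Split "DOMAIN\user" into its parts; a bare name is treated as a local account.
def split_account(name)
  name.include?('\\') ? name.split('\\', 2) : [COMPUTER, name]
end

# Hypothetical stand-in for the Windows name-to-SID lookup (names are case-insensitive).
def name_to_sid(name)
  domain, user = split_account(name)
  SID_TABLE.fetch([domain.upcase, user.downcase]) do
    raise ArgumentError, "cannot resolve #{name}"
  end
end

# ADSI path in the slash-separated form the report says Add needs.
def winnt_uri(name)
  domain, user = split_account(name)
  middle = domain.casecmp?(COMPUTER) ? '' : "#{domain}/"
  "WinNT://#{COMPUTER}/#{middle}#{user},user"
end

# The comparison quoted in the report: string difference on names.
def members_to_add_by_name(desired, current_names)
  desired - current_names
end

# SID comparison: keep only desired accounts whose SID is not already in the group.
def members_to_add_by_sid(desired, current_sids)
  desired.reject { |name| current_sids.include?(name_to_sid(name)) }
end

if __FILE__ == $PROGRAM_NAME
  desired       = ['BIZARRO\albert', 'Administrator', 'BIZARRO\svc_web']
  current_names = ['albert', 'Administrator'] # short names, as ADSI reports them
  current_sids  = [name_to_sid('BIZARRO\albert'), name_to_sid('Administrator')]
  p members_to_add_by_name(desired, current_names) # albert is wrongly re-added
  p members_to_add_by_sid(desired, current_sids)
  puts members_to_add_by_sid(desired, current_sids).map { |n| winnt_uri(n) }
end
```
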
