Issue #17031 has been updated by Rob Reynolds.

Ethan Brown wrote:
>     * Neither of the `LDAP` style bind syntax options may be used, as they 
> always need a host, and in local testing `LDAP://./foo` and 
> `LDAP://localhost/foo` do not work by default on machines that are not 
> running a DC.  In testing, a PowerShell style query like 
> `[ADSI]"LDAP://localhost/<SID=S-1-5-18>" | Select *` does not error, but it 
> also does not yield any results.  When removing the host, 
> `[ADSI]"LDAP://<SID=S-1-5-18>" | Select *` does error with `exception 
> occurred while retrieving member "distinguishedName": "The specified domain 
> either does not exist or could not be contacted"`.  NOTE: Also attempted were 
> non well-known SIDs as well (users local to a given test environment).

Did you try `LDAP://machineName/foo` ?


----------------------------------------
Bug #17031: Can't add domain user account as a member of a local group
https://projects.puppetlabs.com/issues/17031#change-97972

* Author: Josh Cooper
* Status: Accepted
* Priority: High
* Assignee: Josh Cooper
* Category: 
* Target version: 3.x
* Affected Puppet version: 2.7.6
* Keywords: windows user group domain
* Branch: 
----------------------------------------
This is a common need when managing domain service accounts that need to be a 
member of the local Administrators account. I thought it would be resolved once 
#16581 was fixed, but there's a more fundamental issue with the group provider, 
so I'm filing this as a separate issue.

First, it attempts to add members to the group using an ADSI path of 
`WinNT://WIN-QP47VOHA2P4/BIZARRO\albert,user`, but it needs to be 
`WinNT://WIN-QP47VOHA2P4/BIZARRO/albert,user`

<pre>
    def add_members(*names)
      names.each do |name|
        native_group.Add(Puppet::Util::ADSI::User.uri(name))
      end
    end
</pre>

It may be possible to just use the SID form `WinNT://<SID>` but I'm not sure if 
that will work in a non-domain environment.

Second, when calculating whether the group's members are insync? it compares 
names:

<pre>
      members_to_add = desired_members - current_members
      add_members(*members_to_add)
</pre>

However the ADSI provider returns current members as, e.g. `albert`. But since 
this doesn't match `BIZARRO\albert`, the provider will think the resource is 
out of sync and will attempt to re-add a user that is already a member of the 
group and fail:

<pre>
err: /Stage[main]//Group[Foobars]/members: change from albertAdministrator to 
BIZARRO\albert Administrator failed: Add
    OLE error code:80070562 in Active Directory
      The specified account name is already a member of the group.

    HRESULT error code:0x80020009
      Exception occurred.
</pre>

Really, the group provider needs to compare the current vs desired SIDs to 
determine which users to add, similar to what we do in the file and 
scheduled_task providers.
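As an added example (not Puppet's code and not from the issue's author), the SID-based comparison described above: current members arrive as SIDs, desired names are resolved to SIDs before the diff, and the `WinNT://` path puts the domain in its own segment. A constructed lookup table stands in for the Windows account lookup; the host name is the one from the issue's paths.

```ruby
# Constructed sample data standing in for a Windows account lookup
# (LookupAccountName/ADSI on a real host), keyed by lower-cased DOMAIN\user.
SID_TABLE = {
  "win-qp47voha2p4\\albert"        => "S-1-5-21-1000-2000-3000-1001", # local user
  "win-qp47voha2p4\\administrator" => "S-1-5-21-1000-2000-3000-500",
  "bizarro\\albert"                => "S-1-5-21-4000-5000-6000-1105", # domain user
}.freeze

LOCAL_HOST = "WIN-QP47VOHA2P4" # host name used in the issue's ADSI paths

# Split "DOMAIN\user" into [domain, user]; a bare name is a local account.
def split_account(name)
  domain, user = name.split("\\", 2)
  user ? [domain, user] : [LOCAL_HOST, domain]
end

# Resolve a bare or DOMAIN\user name to its SID; nil when the lookup fails.
def sid_for(name)
  domain, user = split_account(name)
  SID_TABLE["#{domain}\\#{user}".downcase]
end

# WinNT path with the domain as a path segment (WinNT://HOST/DOMAIN/user,user),
# not joined with a backslash; local accounts use WinNT://HOST/user,user.
def winnt_uri(name)
  domain, user = split_account(name)
  if domain.casecmp(LOCAL_HOST).zero?
    "WinNT://#{LOCAL_HOST}/#{user},user"
  else
    "WinNT://#{LOCAL_HOST}/#{domain}/#{user},user"
  end
end

# Decide what to add by SID, so a bare local name and a DOMAIN\ name that
# happen to share a user name are not confused. Names that do not resolve
# are kept in the result so the failure surfaces at Add rather than silently.
def members_to_add(desired_names, current_sids)
  desired_names.reject do |name|
    sid = sid_for(name)
    sid && current_sids.include?(sid)
  end
end
```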

