Issue #22539 has been updated by Nigel Kersten.
Odd. This does in fact look to be a bug with only the root user account. Verified that managing a non-root user works fine. The original bug report described the problem as being Puppet making the password entry a single string rather than an array with a single entry. From investigating, that's not the problem as fixing the root.plist by hand to contain an array doesn't fix the problem. The actual problem to me looks to be that we're not creating an authentication_authority property for the root user for some reason. <code> --- root_user_created_by_puppet.plist 2013-10-02 09:54:02.000000000 -0700 +++ root_enabled_with_dsenableroot.plist 2013-10-02 09:54:02.000000000 -0700 @@ -2,17 +2,36 @@ <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd";> <plist version="1.0"> <dict> + <key>KerberosKeys</key> + <array> + <data> + MIIBS6EDAgEBoIIBQjCCAT4wcKErMCmgAwIBEqEiBCBiW8NITtjV5x8hkSW6 + iqNuwOfamCzG9SLU2xzpD6JUb6JBMD+gAwIBA6E4BDZMS0RDOlNIQTEuNkRC + N0ZGOEE5RUUxODE4QkMzQzAxRjU5MzIyRDQwMkExQTVGRDlERnJvb3QwYKEb + MBmgAwIBEaESBBCkREnPPJLr6u7f6dfqU/KUokEwP6ADAgEDoTgENkxLREM6 + U0hBMS42REI3RkY4QTlFRTE4MThCQzNDMDFGNTkzMjJENDAyQTFBNUZEOURG + cm9vdDBooSMwIaADAgEQoRoEGNbZQwEs/ZR2aBq8btOhrr9SXtOia+rQbaJB + MD+gAwIBA6E4BDZMS0RDOlNIQTEuNkRCN0ZGOEE5RUUxODE4QkMzQzAxRjU5 + MzIyRDQwMkExQTVGRDlERnJvb3Q= + </data> + </array> <key>ShadowHashData</key> <array> <data> - YnBsaXN0MDDRAQJfEBRTQUxURUQtU0hBNTEyLVBCS0RGMtIDBAUGV2VudHJv - cHlUc2FsdE8QgIUjba87K+pnwSCbMta1ob7ppNct+4vI6n9UEqqsSu6V904X - ZmekPr4dx3lHvuJsOJYrdHBWBeQmJwvVPp/0iYFRP+W5Amo4tQCO2Non5nWl - oGLzNjGLKsGQVWJdhcMMQJu6smB9jspzD+awQn4eIRdLjGr2wA7yv+rhQjMR - ZDPXTxAgfUxhGu+PFbar1OXslvtUI1NjRzgnzTLGgzHrNI2PPvkICyInLzS3 - AAAAAAAAAQEAAAAAAAAABwAAAAAAAAAAAAAAAAAAANo= + YnBsaXN0MDDRAQJfEBRTQUxURUQtU0hBNTEyLVBCS0RGMtMDBAUGBwhXZW50 + cm9weVRzYWx0Wml0ZXJhdGlvbnNPEICVrnHZzmTNAYAKftnQNJh0dEklEyEk + ebnAg3z39BA/weW2xAtCv6oaFGjriSL59y+M4ahF6hRylAh58qwmc6H6KwkZ + cAGlYG0Z4zBIchF0coDCdbCwbQJC+cKE7VwQsmH0m9drmp9e0JFjpjWT1Np9 + stP3tv2AyBj/+SEOTEXYlk8QIK8Wj6ZqvZLBJ7uR2i2mJKu5SvSOjZaJAQ2G + iSWctorrEZLZCAsiKTE2QcTnAAAAAAAAAQEAAAAAAAAACQAAAAAAAAAAAAAA + AAAAAOo= </data> </array> + <key>authentication_authority</key> + <array> + <string>;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2></string> + <string>;Kerberosv5;;root@LKDC:SHA1.6DB7FF8A9EE1818BC3C01F59322D402A1A5FD9DF;LKDC:SHA1.6DB7FF8A9EE1818BC3C01F59322D402A1A5FD9DF</string> + </array> <key>generateduid</key> <array> <string>FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000</string> @@ -31,7 +50,9 @@ <string>BUILTIN\Local System</string> </array> <key>passwd</key> - <string>********</string> + <array> + <string>********</string> + </array> <key>passwordpolicyoptions</key> <array> <data> @@ -39,9 +60,12 @@ WVBFIHBsaXN0IFBVQkxJQyAiLS8vQXBwbGUvL0RURCBQTElTVCAxLjAvL0VO IiAiaHR0cDovL3d3dy5hcHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4w LmR0ZCI+CjxwbGlzdCB2ZXJzaW9uPSIxLjAiPgo8ZGljdD4KCTxrZXk+ZmFp - bGVkTG9naW5Db3VudDwva2V5PgoJPGludGVnZXI+MTwvaW50ZWdlcj4KCTxr - ZXk+ZmFpbGVkTG9naW5UaW1lc3RhbXA8L2tleT4KCTxkYXRlPjIwMTMtMTAt - MDJUMTY6NDk6MDJaPC9kYXRlPgo8L2RpY3Q+CjwvcGxpc3Q+Cg== + bGVkTG9naW5Db3VudDwva2V5PgoJPGludGVnZXI+MDwvaW50ZWdlcj4KCTxr + ZXk+ZmFpbGVkTG9naW5UaW1lc3RhbXA8L2tleT4KCTxkYXRlPjIwMDEtMDEt + MDFUMDA6MDA6MDBaPC9kYXRlPgoJPGtleT5sYXN0TG9naW5UaW1lc3RhbXA8 + L2tleT4KCTxkYXRlPjIwMDEtMDEtMDFUMDA6MDA6MDBaPC9kYXRlPgoJPGtl + eT5wYXNzd29yZExhc3RTZXRUaW1lPC9rZXk+Cgk8ZGF0ZT4yMDEzLTEwLTAy + VDE2OjUwOjU3WjwvZGF0ZT4KPC9kaWN0Pgo8L3BsaXN0Pgo= </data> </array> <key>realname</key> </code> When I examine a non-root user created by Puppet, it correctly creates the authentication_authority attributes. ---------------------------------------- Bug #22539: passwd key is set incorrectly when managing root's password using the puppet user provider https://projects.puppetlabs.com/issues/22539#change-98305 * Author: Nate Walck * Status: Unreviewed * Priority: Normal * Assignee: * Category: user * Target version: * Affected Puppet version: 3.2.4 * Keywords: OSX mac 10.8 10.8.4 * Branch: ---------------------------------------- If you try to set the root password on OS X using the Puppet user provider, there are two bugs: 1. /var/db/dslocal/nodes/Default/users/root.plist has the 'passwd' key set incorrectly. It sets: <key>passwd</key> <string>********</string> when it should be: <key>passwd</key> <array> <string>********</string> <array> This causes 'dscl . read /Users/root' to not display the contents of the 'Password' attribute. If you use 'dsenableroot' to enable root, you can see how the passwd key should be set (both in dscl and reading the .plist in dslocal). 2. The root user cannot log in via the loginwindow (GUI login). SSH works, but the GUI does not. The major differences I see between root and other puppet-made accounts is that root lacks the 'KerberosKeys' and 'authentication_authority' keys in its dslocal plist. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/groups/opt_out.
