Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Kenn Hussey updated an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Kenn Hussey Fix Version/s: PUP 5.3.6 Fix Version/s: PUP 5.5.0 Fix Version/s: PUP 4.10.11 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Kenn Hussey updated an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Kenn Hussey Release Notes Summary: See release notes for PUP-8231. Release Notes: Not Needed Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Ethan Brown updated an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Ethan Brown Fix Version/s: PUP 5.y Fix Version/s: PUP 5.3.6 Fix Version/s: PUP 4.10.11 Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Ethan Brown updated an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Ethan Brown Fix Version/s: PUP 5.5.0 Add Comment This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Craig Gomes updated an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Craig Gomes Sprint: Agent N+1 Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Craig Gomes updated an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Craig Gomes Team: Agent Windows Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Ethan Brown updated an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Ethan Brown Priority: Normal Major Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Ethan Brown updated an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Ethan Brown Sprint: Agent Triage N+1 Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Ethan Brown assigned an issue to Ethan Brown Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Ethan Brown Assignee: Kylo Ginsberg Ethan Brown Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Ethan Brown updated an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Ethan Brown Fix Version/s: PUP 5.y Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Ethan Brown updated an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Ethan Brown Sprint: Agent Triage Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Moses Mendoza updated an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Moses Mendoza Labels: help_wanted puppet-agent triaged windows Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Rob Lucke updated an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Rob Lucke Labels: help_wanted puppet-agent triaged windows Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Josh Cooper commented on PUP-4208 Re: Name Collision When Managing Users or Groups in Trusted Domains Chris Stephens Puppet should definitely handle specifying the members as SIDs correctly. That said we've made several improvements, eg PUP-5684 , could you try a more recent version of puppet to see if that part of the issue is fixed? About the second issue, the domain not being preserved, I am guessing that our LookupAccountSid call is not passing in the parsed domain and is instead falling back silently to whatever domain the agent is running in. Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title
Josh Cooper updated an issue
Puppet / PUP-4208
Name Collision When Managing Users or Groups in Trusted Domains
Change By:
Josh Cooper
If the same NT user name or group name exists in multiple trusted domains and a local group resource is defined with two identically-named accounts or groups as members, the local domain account will resolve properly and the remote (trusted) domain account will resolve incorrectly as the local domain account or group.Example (double \ removed): {code:puppet} group { 'Administrators': ensure => 'present', members => [ "${$::hostname}\Administrator", "domainA\Domain Admins", "domainA\serviceAcct", "domainB\serviceAcct", ], } {code} Despite defining a service account with the same name "serviceAcct" in "domainA" and "domainB", if the computer resides in "domainA", both user references will resolve to "domainA" by the Puppet agent.If attempting to use SID to reference user accounts to ensure uniqueness, the resource is properly set by the Puppet agent, but it will continue to unnecessarily 'change' the resource on each Puppet agent run, as the "domainB" user account is continually resolved incorrectly in "domainA".Example: {code:puppet} group { 'Administrators': ensure => 'present', members => [ "${$::hostname}\Administrator", "domainA\Domain Admins", "S-1-5-21-1--11-", # SID for "domainA\serviceAcct" "S-1-5-21-2--22-", # SID for "domainB\serviceAcct" ], } {code} Log Result: {noformat} members changed 'servername\Administrator,domainA\Domain Admins,domainA\serviceAcct,domainB\serviceAcct' to 'servername\Administrator,domainA\Domain Admins,domainA\serviceAcct,domainA\serviceAcct' {noformat} Because of this behavior it is impossible to manage user accounts or groups in trusted domains that have the same name. The user account or group that resides in the local domain will always take precedence.
Add Comment
This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Ethan Brown updated an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Change By: Ethan Brown Team: Agent & Platform Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title
Chris Stephens updated an issue
Puppet / PUP-4208
Name Collision When Managing Users or Groups in Trusted Domains
Change By:
Chris Stephens
IfthesameNTusernameorgroupnameexistsinmultipletrusteddomainsandalocalgroupresourceisdefinedwithtwoidentically-namedaccountsorgroups asmembers ,thelocaldomainaccountwillresolveproperlyandtheremote(trusted)domainaccountwillresolveincorrectlyasthelocaldomainaccountorgroup.Example(double\removed): group{'Administrators': ensure='present', members=[ ${$::hostname}\Administrator, domainA\DomainAdmins, domainA\serviceAcct, domainB\serviceAcct, ], }DespitedefiningaserviceaccountwiththesamenameserviceAcctindomainAanddomainB,ifthecomputerresidesindomainA,bothuserreferenceswillresolvetodomainAbythePuppetagent.IfattemptingtouseSIDtoreferenceuseraccountstoensureuniqueness,theresourceisproperlysetbythePuppetagent,butitwillcontinuetounnecessarily'change'theresourceoneachPuppetagentrun,asthedomainBuseraccountiscontinuallyresolvedincorrectlyindomainA.Example: group{'Administrators': ensure='present', members=[ ${$::hostname}\Administrator, domainA\DomainAdmins, S-1-5-21-1--11-,#SIDfordomainA\serviceAcct S-1-5-21-2--22-,#SIDfordomainB\serviceAcct ], }LogResult: memberschanged'servername\Administrator,domainA\DomainAdmins,domainA\serviceAcct,domainB\serviceAcct'to'servername\Administrator,domainA\DomainAdmins,domainA\serviceAcct,domainA\serviceAcct'Becauseofthisbehavioritisimpossibletomanageuseraccountsorgroupsintrusteddomainsthathavethesamename.Theuseraccountorgroupthatresidesinthelocaldomainwillalwaystakeprecedence.
Add Comment
This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a)
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title
Chris Stephens updated an issue
Puppet / PUP-4208
Name Collision When Managing Users or Groups in Trusted Domains
Change By:
Chris Stephens
IfthesameNTusernameorgroupnameexistsinmultipletrusteddomainsandalocalgroupresourceisdefinedwithtwoidentically-namedaccountsorgroups,thelocaldomainaccountwillresolveproperlyandtheremote(trusted)domainaccountwillresolveincorrectlyasthelocaldomainaccountorgroup.Example (double\removed) : group{'Administrators': ensure='present', members=[ ${$::hostname}\Administrator, domainA\DomainAdmins, domainA\serviceAcct, domainB\serviceAcct, ], }DespitedefiningaserviceaccountwiththesamenameserviceAcctindomainAanddomainB,ifthecomputerresidesindomainA,bothuserreferenceswillresolvetodomainAbythePuppetagent.IfattemptingtouseSIDtoreferenceuseraccountstoensureuniqueness,theresourceisproperlysetbythePuppetagent,butitwillcontinuetounnecessarily'change'theresourceoneachPuppetagentrun,asthedomainBuseraccountiscontinuallyresolvedincorrectlyindomainA.Example: group{'Administrators': ensure='present', members=[ ${$::hostname}\Administrator, domainA\DomainAdmins, S-1-5-21-1--11-,#SIDfordomainA\serviceAcct S-1-5-21-2--22-,#SIDfordomainB\serviceAcct ], }LogResult: memberschanged'servername\Administrator,domainA\DomainAdmins,domainA\serviceAcct,domainB\serviceAcct'to'servername\Administrator,domainA\DomainAdmins,domainA\serviceAcct,domainA\serviceAcct'Becauseofthisbehavioritisimpossibletomanageuseraccountsorgroupsintrusteddomainsthathavethesamename.Theuseraccountorgroupthatresidesinthelocaldomainwillalwaystakeprecedence.
Add Comment
This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a)
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title Chris Stephens created an issue Puppet / PUP-4208 Name Collision When Managing Users or Groups in Trusted Domains Issue Type: Bug Affects Versions: PUP 3.7.4 Assignee: Kylo Ginsberg Components: Client, Types and Providers Created: 2015/03/15 12:55 AM Environment: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Trusted Active Directory Domains Labels: windows puppet-agent Priority: Normal Reporter: Chris Stephens Original Estimate: 2 days Remaining Estimate:
Jira (PUP-4208) Name Collision When Managing Users or Groups in Trusted Domains
Title: Message Title
Chris Stephens updated an issue
Puppet / PUP-4208
Name Collision When Managing Users or Groups in Trusted Domains
Change By:
Chris Stephens
IfthesameNTusernameorgroupnameexistsinmultipletrusteddomainsandalocalgroupresourceisdefinedwithtwoidentically-namedaccountsorgroups,thelocaldomainaccountwillresolveproperlyandtheremote(trusted)domainaccountwillresolveincorrectlyasthelocaldomainaccountorgroup.Example: group{'Administrators': ensure='present', members=[ ${$::hostname}\ \ Administrator, domainA\ \ DomainAdmins, domainA\ \ serviceAcct, domainB\ \ serviceAcct, ], }DespitedefiningaserviceaccountwiththesamenameserviceAcctindomainAanddomainB,ifthecomputerresidesindomainA,bothuserreferenceswillresolvetodomainAbythePuppetagent.IfattemptingtouseSIDtoreferenceuseraccountstoensureuniqueness,theresourceisproperlysetbythePuppetagent,butitwillcontinuetounnecessarily'change'theresourceoneachPuppetagentrun,asthedomainBuseraccountiscontinuallyresolvedincorrectlyindomainA.Example: group{'Administrators': ensure='present', members=[ ${$::hostname}\ \ Administrator, domainA\ \ DomainAdmins, S-1-5-21-1--11-,#SIDfordomainA\ \ serviceAcct S-1-5-21-2--22-,#SIDfordomainB\ \ serviceAcct ], }LogResult: memberschanged'servername\Administrator,domainA\DomainAdmins,domainA\serviceAcct,domainB\serviceAcct'to'servername\Administrator,domainA\DomainAdmins,domainA\serviceAcct,domainA\serviceAcct'Becauseofthisbehavioritisimpossibletomanageuseraccountsorgroupsintrusteddomainsthathavethesamename.Theuseraccountorgroupthatresidesinthelocaldomainwillalwaystakeprecedence.
Add Comment
This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a)
