Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title Marshall Taylor commented on PUP-9645 Re: User Rights Management SIP issue on MacOS 10.14.x Gheorghe Popescu - Adding pxp-agent and terminal to full disk access under Security & Privacy -> Privacy fixed this issue. I tried it both with 6.4.0 and 6.4.111.gab37c441 (which self identified as '6.5.0' BTW) and it work with both. Thanks so much for providing this solution! Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title Gheorghe Popescu commented on PUP-9645 Re: User Rights Management SIP issue on MacOS 10.14.x Marshall Taylor can you try with http://nightlies.puppet.com/downloads/mac/puppet6-nightly/10.14/x86_64/puppet-agent-6.4.1.111.gab37c44-1.osx10.14.dmg Let me know if you encounter any issues Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title Gheorghe Popescu commented on PUP-9645 Re: User Rights Management SIP issue on MacOS 10.14.x Seems like that, because it was user management which was failing Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title Marshall Taylor commented on PUP-9645 Re: User Rights Management SIP issue on MacOS 10.14.x Gheorghe Popescu - I would be happy to test out a nightly build. So, my issue is related to issue raised in PUP-9502? Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title
Gheorghe Popescu commented on PUP-9645
Re: User Rights Management SIP issue on MacOS 10.14.x
Marshall Taylor I run successfully the following manifest on an agent that contains PUP-9502 fixes
user { 'company_admin13':
ensure => 'present',
comment => 'company Administrator',
gid => '20',
groups => ['admin'],
home => '/var/company_admin13',
iterations => '28328',
shell => '/bin/bash',
password => 'pwd',
salt => 'salt',
uid => 411
}
file { '/var/company_admin13':
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title
Marshall Taylor commented on PUP-9645
Re: User Rights Management SIP issue on MacOS 10.14.x
Gheorghe Popescu below is a config file that I believe will trigger the failure: class company_mac::config inherits company_mac { $munkitools_version = '3.6.0.3733' $simian_version = '2.5' $puppet_major_version = '6' $puppet_version = '6.3.0' $puppet_os_version = '10.13' # leave manually set to slightly old version, as current version not available package { "puppet-agent-${puppet_version}-1.osx${puppet_os_version}.dmg": ensure => 'present', provider => 'pkgdmg', source => "https://downloads.puppetlabs.com/mac/puppet${puppet_major_version}/${puppet_os_version}/x86_64/puppet-agent-${puppet_version}-1.osx${puppet_os_version}.dmg", } macdefaults { 'Hide local admin account': domain => '/Library/Preferences/com.apple.loginwindow', key => 'Hide500Users', type => 'boolean', value => true, } if $facts['remote_login'] == false { exec {'Turn on sshd': command => '/usr/sbin/systemsetup -f -setremotelogin on', } } user { 'company_admin': ensure => 'present', comment => 'company Administrator', gid => '20', groups => ['admin'], home => '/var/company_admin', iterations => '28328', # lint:ignore:140chars password => '[passwd]', # lint:endignore salt => '[salt]', shell => '/bin/bash', uid => '499', } file { '/var/company_admin': ensure => directory, owner => 'company_admin', group => 'wheel', mode => '0700', require => User['company_admin'], } }
Add Comment
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title Gheorghe Popescu assigned an issue to Gheorghe Popescu Puppet / PUP-9645 User Rights Management SIP issue on MacOS 10.14.x Change By: Gheorghe Popescu Assignee: Gheorghe Popescu Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title Gheorghe Popescu commented on PUP-9645 Re: User Rights Management SIP issue on MacOS 10.14.x Marshall Taylor i set up an agent with the latest OS X that fixed user management and i was able to run puppet agent -t. Can you provide an example of a manifest that would break the functionality? Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title Mihai Buzgau updated an issue Puppet / PUP-9645 User Rights Management SIP issue on MacOS 10.14.x Change By: Mihai Buzgau Sprint: PR - Triage 2019-05-02 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title Mihai Buzgau updated an issue Puppet / PUP-9645 User Rights Management SIP issue on MacOS 10.14.x Change By: Mihai Buzgau Story Points: 2 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title
Marshall Taylor updated an issue
Puppet / PUP-9645
User Rights Management SIP issue on MacOS 10.14.x
Change By:
Marshall Taylor
*Puppet Version: 6.4.0* *Puppet Server Version: 6.3.0* *OS Name/Version: MacOS 10.14.3*Since moving to Mojave I have been unable to run puppet agent --test without first booting into Recovery Mode and disabling SIP with 'csrutil disable'. I then boot normally and run puppet to configure my Macs, then boot back into Recovery Mode to reenable SIP. I suspect it's a result of this issue. Below is the output that I get when I attempt to run puppet with SIP enabled on a 10.14.3 system: {noformat} FVF23JIL23KD:~ jdoe$ sudo /opt/puppetlabs/puppet/bin/puppet agent --testPassword:Info: Using configured environment 'production'Info: Retrieving pluginfactsInfo: Retrieving pluginInfo: Retrieving localesInfo: Loading factsInfo: Caching catalog for fvf23jil23kd.company.comInfo: Applying configuration version 'puppet-production-50e48363285'Notice: Hiera returned role: mac_laptopNotice: /Stage[main]/Main/Notify[Hiera returned role: mac_laptop]/message: defined 'message' as 'Hiera returned role: mac_laptop'Error: Operation not permitted @ rb_sysopen - /var/db/dslocal/nodes/Default/users/company_admin.plistError: /Stage[main]/company_mac::Config/User[company_admin]/password: change from [redacted] to [redacted] failed: Operation not permitted @ rb_sysopen - /var/db/dslocal/nodes/Default/users/company_admin.plistError: Operation not permitted @ rb_sysopen - /var/db/dslocal/nodes/Default/users/company_admin.plistError: /Stage[main]/company_mac::Config/User[company_admin]/salt: change from '2922d494d507d8228f83cd286788b3bd188bebb507c911424332ae9031a7e804' to '40cb359a1408e382fd1198f86eaa7d3b1ccdb522f105662c0afd916c576872c9' failed: Operation not permitted @ rb_sysopen - /var/db/dslocal/nodes/Default/users/company_admin.plistError: Operation not permitted @ rb_sysopen - /var/db/dslocal/nodes/Default/users/laptop_admin.plistError: /Stage[main]/company_mac::Config/User[company_admin]/iterations: change from 74626 to 28328 failed: Operation not permitted @ rb_sysopen - /var/db/dslocal/nodes/Default/users/company_admin.plistNotice: /Stage[main]/company_mac::Config/File[/var/company_admin]: Dependency User[company_admin] has failures: trueWarning: /Stage[main]/company_mac::Config/File[/var/company_admin]: Skipping because of failed dependenciesInfo: Stage[main]: Unscheduling all events on Stage[main]Notice: Applied catalog in 13.34 seconds{noformat} Puppet appears unable to manage user rights with SIP enabled.*Desired Behavior:*Puppet client could manage user rights without needing to disable SIP.*Actual Behavior:*(attached)
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title Mihai Buzgau updated an issue Puppet / PUP-9645 User Rights Management SIP issue on MacOS 10.14.x Change By: Mihai Buzgau Sprint: PR - Triage Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title
Josh Cooper updated an issue
Puppet / PUP-9645
User Rights Management SIP issue on MacOS 10.14.x
Change By:
Josh Cooper
*Puppet Version: 6.4.0* *Puppet Server Version: 6.3.0* *OS Name/Version: MacOS 10.14.3*Since moving to Mojave I have been unable to run puppet agent --test without first booting into Recovery Mode and disabling SIP with 'csrutil disable'. I then boot normally and run puppet to configure my Macs, then boot back into Recovery Mode to reenable SIP. I suspect it's a result of this issue. Below is the output that I get when I attempt to run puppet with SIP enabled on a 10.14.3 system: {noformat} FVF23JIL23KD:~ jdoe$ sudo /opt/puppetlabs/puppet/bin/puppet agent --test Password: Info: Using configured environment 'production' Info: Retrieving pluginfacts Info: Retrieving plugin Info: Retrieving locales Info: Loading facts Info: Caching catalog for fvf23jil23kd.company.com Info: Applying configuration version 'puppet-production-50e48363285' Notice: Hiera returned role: mac_laptop Notice: /Stage[main]/Main/Notify[Hiera returned role: mac_laptop]/message: defined 'message' as 'Hiera returned role: mac_laptop' Error: Operation not permitted @ rb_sysopen - /var/db/dslocal/nodes/Default/users/company_admin.plist Error: /Stage[main]/company_mac::Config/User[company_admin]/password: change from [redacted] to [redacted] failed: Operation not permitted @ rb_sysopen - /var/db/dslocal/nodes/Default/users/company_admin.plist Error: Operation not permitted @ rb_sysopen - /var/db/dslocal/nodes/Default/users/company_admin.plist Error: /Stage[main]/company_mac::Config/User[company_admin]/salt: change from '2922d494d507d8228f83cd286788b3bd188bebb507c911424332ae9031a7e804' to '40cb359a1408e382fd1198f86eaa7d3b1ccdb522f105662c0afd916c576872c9' failed: Operation not permitted @ rb_sysopen - /var/db/dslocal/nodes/Default/users/company_admin.plist Error: Operation not permitted @ rb_sysopen - /var/db/dslocal/nodes/Default/users/laptop_admin.plist Error: /Stage[main]/company_mac::Config/User[company_admin]/iterations: change from 74626 to 28328 failed: Operation not permitted @ rb_sysopen - /var/db/dslocal/nodes/Default/users/company_admin.plist Notice: /Stage[main]/company_mac::Config/File[/var/company_admin]: Dependency User[company_admin] has failures: true Warning: /Stage[main]/company_mac::Config/File[/var/company_admin]: Skipping because of failed dependencies Info: Stage[main]: Unscheduling all events on Stage[main] Notice: Applied catalog in 13.34 seconds {noformat} Puppet appears unable to manage user rights with SIP enabled. *Desired Behavior:*Puppet client could manage user rights without needing to disable SIP. *Actual Behavior:*(attached)
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title Josh Cooper updated an issue Puppet / PUP-9645 User Rights Management SIP issue on MacOS 10.14.x Change By: Josh Cooper Team: Puppet Romania Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-9645) User Rights Management SIP issue on MacOS 10.14.x
Title: Message Title
Marshall Taylor updated an issue
Puppet / PUP-9645
User Rights Management SIP issue on MacOS 10.14.x
Change By:
Marshall Taylor
Summary:
{brief summary of User Rights Management SIP issue } on MacOS 10.14.x
Add Comment
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.
