
Bug #14454

User group membership cannot be managed if nss uses any data sources beyond "files"

Added by Joe Julian over 2 years ago. Updated over 1 year ago.

Status: Needs More Information
Start date: 05/13/2012
Priority: Normal
Due date:
Assignee: Andrew Parker
% Done: 0%
Category: user
Target version: -
Affected Puppet version:
Branch:
Keywords: customer


Description

Using this resource definition:

user { 'root':
    ensure           => 'present',
    comment          => 'root',
    gid              => '0',
    groups           => ['bin', 'daemon', 'sys', 'adm', 'disk', 'wheel'],
    home             => '/root',
    password         => '$1$CGNOIogj$cRaZjrS0Bv1dmwJ0m.kkI.',
    password_max_age => '99999',
    password_min_age => '0',
    shell            => '/bin/bash',
    uid              => '0',
}

This should mean that, at a minimum, root is a member of the listed groups.

On some of our end-user facing machines, we add ldap authentication in nsswitch.conf. This results in getgrent returning this list of groups:

["daemon", "sys", "adm", "disk", "wheel", "bin", "daemon", "sys", "adm", "disk", "wheel", "Domain Admins", "Administrators", "app"]

Now this list does contain the required groups, so my expectation would be that nothing happens.

Instead, this list is tested against /\s+/ and an error is produced because there’s a space in “Domain Admins” (useradd.rb line 18).

If we were making changes, instead of erroring it should either wrap the group in quotes, or backquote the space(s). For instance, if I changed the groups to [‘bin’, ‘daemon’, ‘sys’, ‘adm’, ‘disk’, ‘wheel’, ‘mail’] so it would need to add ‘mail’, it’s going to error out because of Domain Admins.

If I remove that check, it’s going to fail because of the space. If I call usermod -G manually with the complete list, having Domain Admins quoted, it works to change the “files” group memberships (adding “mail” in my example). It does not, of course, do anything for ldap group memberships.

The nss library calls are obviously insufficient to make this work correctly. There’s no way to know what the source is for the group, and groups can be duplicated between nss data sources.

History

#1 Updated by Joe Julian over 2 years ago

Changing the last line of the groups function in Puppet::Provider::NameService to

groups.uniq.join(",")

does at least prevent usermod from trying to change the groups if the user is already in those groups.
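The following is an added example, not Puppet's provider code, that models the two behaviours described in the report and in comment #1: comparing the raw getgrent list as a joined string (so duplicates from a second nss source look like a change, and a space anywhere in the list is an error) versus de-duplicating the list and checking per group. The group lists and the function names are constructed for the example.

```ruby
# Added example (not Puppet's own code): models the membership comparison the
# ticket describes. Group lists are constructed to match the report.

# What getgrent returned once ldap was added to nsswitch.conf: the "files"
# groups appear twice (once per nss source) and one ldap group has a space.
NSS_GROUPS = ["daemon", "sys", "adm", "disk", "wheel", "bin",
              "daemon", "sys", "adm", "disk", "wheel",
              "Domain Admins", "Administrators", "app"].freeze

# groups => [...] from the resource; with the default "minimum" membership
# the user must be in at least these groups, extra groups are left alone.
WANTED = ["bin", "daemon", "sys", "adm", "disk", "wheel"].freeze

# Behaviour as reported: the raw nss list is joined into one string, any
# whitespace in it is an error, and the joined strings are compared verbatim,
# so duplicates alone make the property look out of sync.
def out_of_sync_raw?(nss_groups, wanted)
  is = nss_groups.join(",")
  raise ArgumentError, "group list contains whitespace: #{is}" if is =~ /\s+/
  should = (nss_groups | wanted).join(",")
  is != should
end

# Behaviour with the .uniq change from comment #1 plus per-group validation:
# an nss group such as "Domain Admins" that the resource never asks to add
# is neither a reason to fail nor a reason to run usermod.
def out_of_sync?(nss_groups, wanted)
  current = nss_groups.uniq
  missing = wanted - current
  bad = missing.select { |g| g =~ /\s/ }
  raise ArgumentError, "cannot add groups with whitespace: #{bad.join(', ')}" unless bad.empty?
  !missing.empty?
end

# usermod -G needs the full list; building it as an argv array means a name
# with a space travels as one argument and no shell quoting is involved.
def usermod_argv(user, nss_groups, wanted)
  full = nss_groups.uniq | wanted
  ["usermod", "-G", full.join(","), user]
end
```

Note that, as the reporter says, running usermod this way only changes the "files" memberships; it does nothing for groups that live in ldap.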

#2 Updated by Andrew Parker over 2 years ago

  • Status changed from Unreviewed to Needs More Information

It isn’t clear to me what the bug is as you see it. Is it the problem that you point to with puppet not handling groups with spaces in their names? Or is the problem that puppet cannot manage groups that are part of any source other than the file source?

We can probably handle spaces in group names, but I don’t think we are likely to take on the task of modifying groups in the way you are indicating (see Daniel’s response to #14245).

#3 Updated by Andrew Parker over 2 years ago

  • Assignee set to Andrew Parker

#4 Updated by Andrew Parker over 2 years ago

Joe has opened a pull request for the proposed change at https://github.com/puppetlabs/puppet/pull/773

#5 Updated by Charlie Sharpsteen over 1 year ago

  • Keywords set to customer
