The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Bug #14454

User group membership cannot be managed if nss uses any data sources beyond "files"

Added by Joe Julian over 3 years ago. Updated over 2 years ago.

Status:Needs More InformationStart date:05/13/2012
Priority:NormalDue date:
Assignee:-% Done:


Target version:-
Affected Puppet version: Branch:
Keywords: customer

We've Moved!

Ticket tracking is now hosted in JIRA:


Using this resource definition:

user { 'root':
    ensure           => 'present',
    comment          => 'root',
    gid              => '0',
    groups           => ['bin', 'daemon', 'sys', 'adm', 'disk', 'wheel'],
    home             => '/root',
    password         => '$1$CGNOIogj$cRaZjrS0Bv1dmwJ0m.kkI.',
    password_max_age => '99999',
    password_min_age => '0',
    shell            => '/bin/bash',
    uid              => '0',

This should mean that at a minimum, root it a member of the listed groups.

On some of our end-user facing machines, we add ldap authentication in nsswitch.conf. This results in getgrent returning this list of groups:

["daemon", "sys", "adm", "disk", "wheel", "bin", "daemon", "sys", "adm", "disk", "wheel", "Domain Admins", "Administrators", "app"]

Now this list does contain the required groups, so my expectation would be that nothing happens.

Instead, this list is tested against /\s+/ and an error is produced because there’s a space in “Domain Admins” (useradd.rb line 18).

If we were making changes, instead of erroring it should either wrap the group in quotes, or backquote the space(s). For instance, if I changed the groups to [‘bin’, ‘daemon’, ‘sys’, ‘adm’, ‘disk’, ‘wheel’, ‘mail’] so it would need to add ‘mail’, it’s going to error out because of Domain Admins.

If I remove that check, it’s going to fail because of the space. If I call usermod -G manually with the complete list, having Domain Admins quoted, it works to change the “files” group memberships (adding “mail” in my example). It does not, of course, do anything for ldap group memberships.

The nss library calls are obviously insufficient to make this work correctly. There’s no way to know what the source is for the group, and groups can be duplicated between nss data sources.


#1 Updated by Joe Julian over 3 years ago

Changing the last line of the groups function in Puppet::Provider::NameService to


does at least prevent usermod from trying to change the groups if the user is already in those groups.

#2 Updated by Anonymous over 3 years ago

  • Status changed from Unreviewed to Needs More Information

It isn’t clear to me what the bug is as you see it. Is it the problem that you point to with puppet not handling groups with spaces in their names? Or is the problem that puppet cannot manage groups that are part of any other than the file source?

We can probably handle spaces in group names, but I don’t think we are likely to take on the task of modifying groups in the way you are indicating (see Daniel’s response to #14245)

#3 Updated by Anonymous over 3 years ago

  • Assignee set to Anonymous

#4 Updated by Anonymous over 3 years ago

Joe has opened a pull request for the proposed change at

#5 Updated by Charlie Sharpsteen over 2 years ago

  • Keywords set to customer

Also available in: Atom PDF