The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #1583

Groups not recognised when group enumeration turned off

Added by Ross McKerchar about 6 years ago. Updated over 3 years ago.

Status:AcceptedStart date:09/20/2008
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:group
Target version:-
Affected Puppet version:0.24.5 Branch:
Keywords:winbind samba groups group enum enumeration getgrent libnss nsswitch

We've Moved!

Ticket tracking is now hosted in JIRA: https://tickets.puppetlabs.com

This ticket may be automatically exported to the PUP project on JIRA using the button below:


Description

When groups are not enumerable using the getgrent function puppet refuses to acknowledge a groups existence, erroring with “Could not find group”. This makes it impossible to set file ownership to a group that isn’t returned via a call to getgrent.

The problem comes to light when using winbind with the “winbind enum groups” option turned off, which is necesary in a large domain due to the huge number of groups returned by this call (it can take minutes to complete).

This problem does not affect users, only groups – I also have user enumeration disabled but can still use reference those users within puppet.

To reproduce: 1) Turn off group enumeration (exact method tends to be libnss plugin dependent, only tested with winbind, although suspect problem will exist whenever enumeration is disabled). In winbind this can be done by including the line “winbind enum groups = no” in smb.conf. 2) Try and apply the following recipe: file {“/tmp/test”: group => adsourcedgroup }

History

#1 Updated by James Turnbull about 6 years ago

  • Status changed from Unreviewed to Needs Decision
  • Assignee set to Luke Kanies
  • Target version set to 4

#2 Updated by Luke Kanies about 6 years ago

  • Assignee changed from Luke Kanies to Puppet Community

Does this break backward compatibility for those who are already using the existing category parameter?

#3 Updated by James Turnbull over 5 years ago

  • Assignee deleted (Puppet Community)

#4 Updated by James Turnbull over 3 years ago

  • Assignee set to Nigel Kersten

#5 Updated by Nigel Kersten over 3 years ago

  • Status changed from Needs Decision to Accepted
  • Assignee deleted (Nigel Kersten)
  • Target version deleted (4)

We should be consistent with the user provider. It shouldn’t be necessary to enumerate all groups to check the existence of a single group.

Also available in: Atom PDF