The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Bug #1583

Groups not recognised when group enumeration turned off

Added by Ross McKerchar over 7 years ago. Updated over 5 years ago.

Status:AcceptedStart date:09/20/2008
Priority:NormalDue date:
Assignee:-% Done:


Target version:-
Affected Puppet version:0.24.5 Branch:
Keywords:winbind samba groups group enum enumeration getgrent libnss nsswitch

We've Moved!

Ticket tracking is now hosted in JIRA:


When groups are not enumerable using the getgrent function puppet refuses to acknowledge a groups existence, erroring with “Could not find group”. This makes it impossible to set file ownership to a group that isn’t returned via a call to getgrent.

The problem comes to light when using winbind with the “winbind enum groups” option turned off, which is necesary in a large domain due to the huge number of groups returned by this call (it can take minutes to complete).

This problem does not affect users, only groups – I also have user enumeration disabled but can still use reference those users within puppet.

To reproduce: 1) Turn off group enumeration (exact method tends to be libnss plugin dependent, only tested with winbind, although suspect problem will exist whenever enumeration is disabled). In winbind this can be done by including the line “winbind enum groups = no” in smb.conf. 2) Try and apply the following recipe: file {“/tmp/test”: group => adsourcedgroup }


#1 Updated by James Turnbull over 7 years ago

  • Status changed from Unreviewed to Needs Decision
  • Assignee set to Luke Kanies
  • Target version set to 4

#2 Updated by Luke Kanies over 7 years ago

  • Assignee changed from Luke Kanies to Puppet Community

Does this break backward compatibility for those who are already using the existing category parameter?

#3 Updated by James Turnbull almost 7 years ago

  • Assignee deleted (Puppet Community)

#4 Updated by James Turnbull over 5 years ago

  • Assignee set to Nigel Kersten

#5 Updated by Nigel Kersten over 5 years ago

  • Status changed from Needs Decision to Accepted
  • Assignee deleted (Nigel Kersten)
  • Target version deleted (4)

We should be consistent with the user provider. It shouldn’t be necessary to enumerate all groups to check the existence of a single group.

Also available in: Atom PDF