The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Bug #7500

Don't let pw provider use -p

Added by Douglas Rand almost 5 years ago. Updated about 4 years ago.

Status:ClosedStart date:05/12/2011
Priority:NormalDue date:
Assignee:Douglas Rand% Done:


Target version:2.7.10
Affected Puppet version:2.6.7 Branch:
Keywords:freebsd pw password

We've Moved!

Ticket tracking is now hosted in JIRA:


The -p option to pw is documented as:

-p date       Set the account's password expiration date.  This field is
              similar to the account expiration date option, except that
              it applies to forced password changes.  This is set in the
              same manner as the -e option.

But provider/user/pw.rb takes the first character of each property as the option to pw (through provider/nameservice/objectadd.rb I think).

The problem is that that sets the password as expiring now().

Here is a patch to ignore the password property, which is already handled via cryptpw in pw.rb:

--- pw.rb-orig  2011-05-12 16:47:24.000000000 -0500
+++ pw.rb       2011-05-12 16:47:16.000000000 -0500
@@ -24,7 +24,7 @@
   def addcmd
     cmd = [command(:pw), "useradd", @resource[:name]]
     @resource.class.validproperties.each do |property|
-      next if property == :ensure
+      next if property == :ensure or property == :password
       # the value needs to be quoted, mostly because -c might
       # have spaces in it
       if value = @resource.should(property) and value != ""

patch Magnifier (486 Bytes) Douglas Rand, 05/12/2011 02:51 pm

Related issues

Related to Puppet - Feature #11046: Improve user and group pw providers on FreeBSD Closed 11/12/2011


#1 Updated by Douglas Rand almost 5 years ago

Sorry for the borked formatting. Attached is the patch.

Can you tell its my first redmine ticket?

#2 Updated by Ben Hughes almost 5 years ago

  • Status changed from Unreviewed to Investigating
  • Assignee set to Ben Hughes

Hi, thanks for the patch.

I’ve been trying to work out how to test/recreate this, as I can’t reproduce the symptoms. I don’t see how -p is getting in there.

Could you give me an example manifest that triggers this and what the actual and expected behaviour is please and I’ll look in to it more.


#3 Updated by Chris van der Wel over 4 years ago

Actually there are two issues, not only the password expiry date is set to the past, but also the password is not set. The patch above fixes the first issue with the expiry date, but the password is still not set when a new user is created. When I run puppet agent again, the password is correctly updated.

I used the following manifest:

    uid => 9999,
    gid => 'testgroup',
    password => 'encryptedpasswordstring',

The command which is executed is:

debug: User[testuser](provider=pw): Executing '/usr/sbin/pw useradd testuser -p encryptedpasswordstring -u 9999 -g testgroup'

Then this user entry is created:

testuser:*:9999:9999::1317333600:0:User &:/home/testuser:/bin/sh

But it should be:

testuser:encryptedpasswordstring:9999:9999::0:0:User &:/home/testuser:/bin/sh

So the pw command should be executed without the -p parameter but with the -H parameter like when a password is updated.

#4 Updated by Adrien Thebo over 4 years ago

  • Assignee changed from Ben Hughes to Adrien Thebo

#5 Updated by Tim Bishop over 4 years ago


The reason for the confusion is that the submitter is probably using the FreeBSD port. This includes a patch which enables manage_passwords but in a slightly broken way. This is what makes the -p flag come through in addcmd.

I’ve worked up a patch which uses the submitters fix along with the patch in the FreeBSD port, and adds a final fix to get it all working. It’s on github here:


#6 Updated by Adrien Thebo over 4 years ago

  • Status changed from Investigating to In Topic Branch Pending Review
  • Assignee changed from Adrien Thebo to Tim Bishop

That makes a lot of sense, thanks for tracking that down!

#7 Updated by Patrick Carlisle over 4 years ago

  • Assignee changed from Tim Bishop to Douglas Rand

Douglas, even though it’s a small patch, can you please sign the Contributor License Agreement?

#8 Updated by Douglas Rand over 4 years ago

On 2012-01-04 1:30 PM, wrote:

Issue #7500 has been updated by Patrick Carlisle.

  • Assignee changed from Tim Bishop to Douglas Rand

Douglas, even though it’s a small patch, can you please sign the Contributor License Agreement


#9 Updated by Patrick Carlisle over 4 years ago

  • Status changed from In Topic Branch Pending Review to Merged - Pending Release
  • Target version set to 2.7.10

Merged in

#10 Updated by Tim Bishop about 4 years ago

This has been released so the issue can be closed.

#11 Updated by Patrick Carlisle about 4 years ago

  • Status changed from Merged - Pending Release to Closed

Released in 2.7.10.

Also available in: Atom PDF