Issue #4855 has been updated by Clay Caviness.
This patch just adds a hacky fallback call to dscl to delete the member from the group if dseditgroup fails. <pre> >From 2eae06a27d711d2cc9f3b37db8d0450c2b2055ce Mon Sep 17 00:00:00 2001 From: ccaviness <[email protected]> Date: Mon, 27 Sep 2010 17:02:55 -0400 Subject: [PATCH 5627/5627] Fall back to dscl if dseditgroup fails to remove a group member. Signed-off-by: ccaviness <[email protected]> --- .../provider/nameservice/directoryservice.rb | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) diff --git a/lib/puppet/provider/nameservice/directoryservice.rb b/lib/puppet/provider/nameservice/directoryservice.rb index 965a2aa..303d23d 100644 --- a/lib/puppet/provider/nameservice/directoryservice.rb +++ b/lib/puppet/provider/nameservice/directoryservice.rb 
@@ -447,7 +447,14 @@ class DirectoryService < Puppet::Provider::NameService begin execute(cmd) rescue Puppet::ExecutionFailure => detail - fail("Could not remove #{member} from group: #[email protected]}, #{detail}") + # TODO: We're falling back to removing the member using dscl due to rdar://8481241 + # This bug causes dseditgroup to fail to remove a member if that member doesn't exist + cmd = [:dscl, ".", "-delete", "/Groups/#[email protected]}", "GroupMembership", member] + begin + execute(cmd) + rescue Puppet::ExecutionFailure => detail + fail("Could not remove #{member} from group: #[email protected]}, #{detail}") + end end end end -- 1.7.2.2 </pre>
----------------------------------------
Bug #4855: group resources on OS X may fail if group members are nonexistent
http://projects.puppetlabs.com/issues/4855

Author: Clay Caviness
Status: Unreviewed
Priority: Normal
Assignee:
Category:
Target version:
Affected version:
Keywords:
Branch:

The group provider on OS X uses "dseditgroup" to manage group membership. Due to Apple bug 8481241 ("dseditgroup can't remove unknown users from groups"), however, if the puppet group provider needs to remove a nonexistent user from a group it manages, it will fail.

To reproduce, first apply:

<pre>
group { "testgroup":
  ensure => present,
  members => ["testuser", "root"],
  require => User["testuser"]
}
user { "testuser": ensure => present }

[...]
info: Applying configuration version '1285616257'
debug: Puppet::Type::User::ProviderDirectoryservice: Executing '/usr/bin/dscl -plist . -list /Users'
debug: Puppet::Type::User::ProviderDirectoryservice: Executing '/usr/bin/dscl -plist . -list /Users'
debug: User[testuser](provider=directoryservice): Executing '/usr/bin/dscl -plist . -create /Users/testuser GeneratedUID 90209F1B-B066-4630-8BD0-5B19C640CBFF'
notice: /Stage[main]//User[testuser]/ensure: created
debug: Puppet::Type::Group::ProviderDirectoryservice: Executing '/usr/bin/dscl -plist . -list /Groups'
debug: Puppet::Type::Group::ProviderDirectoryservice: Executing '/usr/bin/dscl -plist . -read /Groups/testgroup'
debug: Group[testgroup](provider=directoryservice): Executing 'dseditgroup -o edit -n . -a root testgroup'
notice: /Stage[main]//Group[testgroup]/members: members changed 'testuser' to 'testuser,root'
debug: Finishing transaction 2194047380
</pre>

Delete the user via:

<pre>dscl . -delete /Users/testuser</pre>

(Alternatively, the user can be deleted via puppet, though ordering may allow this to be successful.)

Now try to apply a change to the group that would cause the testuser user to be removed from group membership:

<pre>
group { "testgroup": ensure => present, members => "root"}

[...]
info: Applying configuration version '1285616630'
debug: Puppet::Type::Group::ProviderDirectoryservice: Executing '/usr/bin/dscl -plist . -list /Groups'
debug: Puppet::Type::Group::ProviderDirectoryservice: Executing '/usr/bin/dscl -plist . -read /Groups/testgroup'
debug: Group[testgroup](provider=directoryservice): Executing 'dseditgroup -o edit -n . -d testuser testgroup'
err: /Stage[main]//Group[testgroup]/members: change from roottestuser to root failed: Could not remove testuser from group: testgroup, Execution of 'dseditgroup -o edit -n . -d testuser testgroup' returned 200: Record was not found.
debug: Finishing transaction 2190850540
</pre>

**All** attempts to make changes to the group membership from this point will fail, as dseditgroup cannot remove a user from a group if that user does not exist.

Running puppet 2.6.1 on OS X 10.6.4.
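Review bot: The outer `rescue Puppet::ExecutionFailure => detail` in the hunk at line 447 falls back to `dscl` on every dseditgroup failure, not only the "Record was not found" (returned 200) case that the TODO comment attributes to rdar://8481241, so an unrelated failure would also trigger a direct delete of the `GroupMembership` value. Consider checking the exception text for that specific error before building the `dscl` command, and failing as before otherwise. The inner `rescue Puppet::ExecutionFailure => detail` also reuses the name `detail`, so the final `fail(...)` reports only the dscl error and drops the original dseditgroup one; binding the inner exception to a different name and including both in the message would make a double failure diagnosable. A debug or notice line when the fallback is taken would also make the workaround visible in run output.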
