Issue #17031 has been updated by Ethan Brown.
Rob Reynolds wrote:
> Ethan Brown wrote:
> > * Neither of the `LDAP` style bind syntax options may be used, as they
> > always need a host, and in local testing `LDAP://./foo` and
> > `LDAP://localhost/foo` do not work by default on machines that are not
> > running a DC. In testing, a PowerShell style query like
> > `[ADSI]"LDAP://localhost/<SID=S-1-5-18>" | Select *` does not error, but it
> > also does not yield any results. When removing the host,
> > `[ADSI]"LDAP://<SID=S-1-5-18>" | Select *` does error with `exception
> > occurred while retrieving member "distinguishedName": "The specified domain
> > either does not exist or could not be contacted"`. NOTE: Also attempted
> > were non well-known SIDs as well (users local to a given test environment).
>
> Did you try `LDAP://machineName/foo` ?

Yes. The result is the same.

----------------------------------------
Bug #17031: Can't add domain user account as a member of a local group
https://projects.puppetlabs.com/issues/17031#change-97977

* Author: Josh Cooper
* Status: Accepted
* Priority: High
* Assignee: Josh Cooper
* Category:
* Target version: 3.x
* Affected Puppet version: 2.7.6
* Keywords: windows user group domain
* Branch:
----------------------------------------

This is a common need when managing domain service accounts that need to be a member of the local Administrators account. I thought it would be resolved once #16581 was fixed, but there's a more fundamental issue with the group provider, so I'm filing this as a separate issue.

First, it attempts to add members to the group using an ADSI path of `WinNT://WIN-QP47VOHA2P4/BIZARRO\albert,user`, but it needs to be `WinNT://WIN-QP47VOHA2P4/BIZARRO/albert,user`

<pre>
def add_members(*names)
  names.each do |name|
    native_group.Add(Puppet::Util::ADSI::User.uri(name))
  end
end
</pre>

It may be possible to just use the SID form `WinNT://<SID>` but I'm not sure if that will work in a non-domain environment.
Second, when calculating whether the group's members are insync? it compares names:

<pre>
members_to_add = desired_members - current_members
add_members(*members_to_add)
</pre>

However the ADSI provider returns current members as, e.g. `albert`. But since this doesn't match `BIZARRO\albert`, the provider will think the resource is out of sync and will attempt to re-add a user that is already a member of the group and fail:

<pre>
err: /Stage[main]//Group[Foobars]/members: change from albertAdministrator to BIZARRO\albert Administrator failed: Add OLE error code:80070562 in Active Directory The specified account name is already a member of the group. HRESULT error code:0x80020009 Exception occurred.
</pre>

Really, the group provider needs to compare the current vs desired SIDs to determine which users to add, similar to what we do in the file and scheduled_task providers.

-- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
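Added example, not Puppet's own code: the two defects the report describes, shown next to a working alternative. It contrasts name-based membership diffing (which flags `BIZARRO\albert` as missing when ADSI reports the current member as plain `albert`) with SID-based diffing, and builds the `WinNT://` path in the host/domain/user form the report says is needed. The account-to-SID table, the SID values, the `name_to_sid` resolver and the `winnt_user_uri` helper are all constructed for this example; on a real host the resolver would call into Windows.

```ruby
# Added example (not Puppet's code). SID lookups are stubbed with a constructed
# table so the script runs offline; a real resolver would call LookupAccountName
# or ADSI (assumption, not the page's API).

# Constructed account => SID table. The SIDs are made up; the point is that the
# bare name ADSI reports and the DOMAIN\name form in the manifest share a SID.
SAMPLE_SIDS = {
  'albert'          => 'S-1-5-21-1111-2222-3333-1001',
  'BIZARRO\\albert' => 'S-1-5-21-1111-2222-3333-1001',
  'bob'             => 'S-1-5-21-4444-5555-6666-1002',
  'Administrator'   => 'S-1-5-21-4444-5555-6666-500',
}.freeze

# Hypothetical resolver backed by the constructed table.
def name_to_sid(name, table = SAMPLE_SIDS)
  table.fetch(name) { raise ArgumentError, "unknown account: #{name}" }
end

# What the report says the provider does today: set difference on display
# names. Produces a spurious :add for a member that is already present.
def diff_by_name(desired, current)
  { add: desired - current, remove: current - desired }
end

# SID-based comparison: resolve both lists, diff the SIDs, then map each SID
# back to the name it came from so the caller still has a name to pass to Add().
def diff_by_sid(desired, current, table = SAMPLE_SIDS)
  desired_by_sid = desired.map { |n| [name_to_sid(n, table), n] }.to_h
  current_by_sid = current.map { |n| [name_to_sid(n, table), n] }.to_h
  {
    add:    (desired_by_sid.keys - current_by_sid.keys).map { |s| desired_by_sid[s] },
    remove: (current_by_sid.keys - desired_by_sid.keys).map { |s| current_by_sid[s] },
  }
end

# WinNT path in the form the report says works: DOMAIN\user becomes
# host/DOMAIN/user rather than a backslash-qualified segment.
def winnt_user_uri(name, host)
  if name.include?('\\')
    domain, user = name.split('\\', 2)
    "WinNT://#{host}/#{domain}/#{user},user"
  else
    "WinNT://#{host}/#{name},user"
  end
end

if __FILE__ == $PROGRAM_NAME
  desired = ['BIZARRO\\albert', 'Administrator']   # from the manifest
  current = ['albert', 'Administrator']            # as ADSI reports them
  p diff_by_name(desired, current)   # add: ["BIZARRO\\albert"], a false out-of-sync
  p diff_by_sid(desired, current)    # add: [], remove: []      -> actually in sync
  puts winnt_user_uri('BIZARRO\\albert', 'WIN-QP47VOHA2P4')
end
```

Resolving to SIDs before diffing also makes the comparison insensitive to case and to the `DOMAIN\user` versus bare-name spelling, which is the same property the file and scheduled_task providers rely on.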