On Thursday, April 7, 2016 at 4:24:13 PM UTC-5, Douglas Teixeira wrote:
>
> Hi everyone,
>
> We have been using Puppet to manage Windows workstations at work and it
> has been able to manage most of our machines' configurations smoothly.
> However, I stumbled upon a problem when trying to reset the password for a
> local user. The problem is that Puppet is resetting the password every time
> it runs. Is there a way to avoid that?
>
Do you mean that Puppet is performing a password change even though the
password is already as specified, or that Puppet having already changed the
password once and the user having subsequently changed to something else,
Puppet changes the password back to the one specified in the manifest?
>
> The manifest I am writing is very simple, and this problem occurrs even
> when I try to specify the password in plain-text inside the manifest
> (actually, from what I read Puppet isn't able to reset Windows passwords
> using a hash yet). The manifest I am writing looks like this:
>
> user { 'Administrator':
> ensure => 'present',
> password => 'newpassword'
> }
>
> Do you guys have any idea about what may be causing Puppet to reset the
> password every time it is executed?
>
>
Yes. Two things, linked to the two alternative interpretations of your
problem statement:
1. At a fundamental level, declarations in a Puppet manifest express the
desired state of one or more resources on the target system. With only one
minor caveat, on every run Puppet attempts to ensure that every resource
referenced in the catalog it is applying is in a state consistent with that
described in the catalog. In particular, if there is a User resource
with its password property set, then Puppet will attempt on every run to
ensure that the specified user has the specified password.
2. As you remarked, Puppet can manage Windows passwords only as
cleartext. This is because Windows itself provides no other way to do so.
There is no way to directly examine or set any encrypted or hashed form of
a user password. If you see Puppet setting the password to the same value
it already has, that's because Puppet can't tell whether it needs to set
the password or not. The only way it could make that determination is to
attempt to authenticate as the specified user, with the specified password.
I'm not positive that Puppet does not, in fact, do that, but myself, I
certainly wouldn't want it to do.
So it boils down to two things: (1) what you think your manifest means may
be different from what it actually does mean, and (2) limitations of
Windows.
John
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/15477b42-c4da-4d92-b363-268809b743ec%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
