Thanks for the detailed answer, John! I appreciate that.

What I meant was that Puppet is changing the password even though the 
password is already as specified.

Also, I agree that it is better to change the password every time than to 
make some kind of check (for instance, trying to log in as the specified 
user, as you said) because such a check may present more security and 
performance problems than simply resetting the password even though it is 
already the correct one.

Again, I appreciate your help.

Douglas

On Friday, April 8, 2016 at 10:32:02 AM UTC-3, jcbollinger wrote:
>
>
>
> On Thursday, April 7, 2016 at 4:24:13 PM UTC-5, Douglas Teixeira wrote:
>>
>> Hi everyone,
>>
>> We have been using Puppet to manage Windows workstations at work and it 
>> has been able to manage most of our machines' configurations smoothly. 
>> However, I stumbled upon a problem when trying to reset the password for a 
>> local user. The problem is that Puppet is resetting the password every time 
>> it runs. Is there a way to avoid that?
>>
>
>
> Do you mean that Puppet is performing a password change even though the 
> password is already as specified, or that Puppet having already changed the 
> password once and the user having subsequently changed to something else, 
> Puppet changes the password back to the one specified in the manifest?
>
>  
>
>>
>> The manifest I am writing is very simple, and this problem occurs even 
>> when I try to specify the password in plain-text inside the manifest 
>> (actually, from what I read Puppet isn't able to reset Windows passwords 
>> using a hash yet). The manifest I am writing looks like this:
>>
>>     user { 'Administrator':
>>         ensure => 'present',
>>         password => 'newpassword'
>>     }
>>
>> Do you guys have any idea about what may be causing Puppet to reset the 
>> password every time it is executed?
>>
>>
>
> Yes.  Two things, linked to the two alternative interpretations of your 
> problem statement:
>
>    1. At a fundamental level, declarations in a Puppet manifest express 
>    the desired state of one or more resources on the target system.  With 
>    only one minor caveat, on every run Puppet attempts to ensure that every 
>    resource referenced in the catalog it is applying is in a state consistent 
>    with that described in the catalog.  In particular, if there is a User 
>    resource with its password property set, then Puppet will attempt on 
>    every run to ensure that the specified user has the specified password.
>    2. As you remarked, Puppet can manage Windows passwords only as 
>    cleartext.  This is because Windows itself provides no other way to do so. 
>    There is no way to directly examine or set any encrypted or hashed form of 
>    a user password.  If you see Puppet setting the password to the same value 
>    it already has, that's because Puppet can't tell whether it needs to set 
>    the password or not.  The only way it could make that determination is to 
>    attempt to authenticate as the specified user, with the specified 
>    password.  I'm not positive that Puppet does not, in fact, do that, but 
>    myself, I certainly wouldn't want it to do.
>
> So it boils down to two things: (1) what you think your manifest means may 
> be different from what it actually does mean, and (2) limitations of 
> Windows.
>
>
> John
>
>
