OS X User accounts


Jason Hatman

Feb 6, 2014, 4:41:59 PM
to pe-u...@puppetlabs.com
I ran into a snag when I was applying user accounts in OS X.  I found that my accounts were applying and showing up in System Preferences, but I couldn't log into them.  The login screen just shakes at me.  I also tried to "su username" via terminal and it asked for a password but it just said "sorry" and wouldn't accept it.  I decided to take a step back and try something I knew would work.  I have the osx_management module that glarizza put out on forge.  I applied the "add_admin_user" manifest that was predefined.  I'm using 10.8.5, by the way.  That OS was already defined in the manifest.  The Puppet Admin user account shows up but I still can't log into the account using the password "puppet" that was specified in the manifest.  What am I missing here?

Thanks!

Gary Larizza

Feb 6, 2014, 5:01:21 PM
to pe-u...@puppetlabs.com
Jason,

Have you checked the logs to see if OS X is giving you an error code - it could be anything from home directories not being present to an incorrect password hash.  You should be able to run `puppet resource user <username>` on existing users to get a Puppet resource that you can use to ensure new users (if you're worried about the hash), but definitely check the logs first to rule out any OS X issues.


--
You received this message because you are subscribed to the Google Groups "Puppet Enterprise Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pe-users+u...@puppetlabs.com.
Visit this group at http://groups.google.com/a/puppetlabs.com/group/pe-users/.



--
Gary Larizza
Professional Services Engineer
Puppet Labs

Jason Hatman

Feb 6, 2014, 5:04:15 PM
to pe-u...@puppetlabs.com
Something is clearly not right with the password that's in the manifest, or something's not right with the way I'm applying it. If I go into System Preferences and change the password to the padmin account to "puppet" (which is what it should already be) then it works fine.  This is also true with my test account that I made myself.  I'm not sure why it doesn't like the password that I put in the manifest.  I obtained it by running "puppet resource user test" (on my test account) and I applied the returned password to the manifest.

Gary Larizza

Feb 6, 2014, 5:06:15 PM
to pe-u...@puppetlabs.com
Can you try setting the password in System Preferences, then doing `puppet resource user <username>` to get the value, copy/paste into a manifest, apply it, and see if Puppet makes any changes?  Also, what version of Puppet are you running?


Jason Hatman

Feb 6, 2014, 9:56:24 PM
to pe-u...@puppetlabs.com
I'm using Puppet 3.4.2.  I created a user account called "testaccount" with the password "password".  Here is the puppet resource user output for it.
 
user { 'testaccount':
  ensure     => 'present',
  comment    => 'testaccount',
  gid        => '20',
  groups     => ['_appserveradm', '_appserverusr', '_lpadmin', 'admin'],
  home       => '/Users/testaccount',
  iterations => '15455',
  password   => '3cade026b9fc2afde8e67def3766f67847a920e4a933a8b56bd42a4ab2ff1068d1e8ce8bfe10ff15aea26b74f81f51f3ca3dae301d89b838b9bd505f0a05c57735ee9ae623ce1a13e1f3aefc43f5438b18c4ae8eab2a3ab9087463ddc3180fc02957fd11f4518bbb878e222620247fac19eb97f9cb6f4ee5714097b86f4b089d',
  salt       => '564de03cbf1cee0e6fe924f80ceb6cd7f812528a48b4cb64689b4eb63035f3a3',
  shell      => '/bin/bash',
  uid        => '503',
}

I was able to su into that account with the given password. I then created a manifest with the below content.

user { 'testaccount':
  ensure     => 'present',
  comment    => 'testaccount',
  gid        => '20',
  home       => '/Users/testaccount',
  password   => '3cade026b9fc2afde8e67def3766f67847a920e4a933a8b56bd42a4ab2ff1068d1e8ce8bfe10ff15aea26b74f81f51f3ca3dae301d89b838b9bd505f0a05c57735ee9ae623ce1a13e1f3aefc43f5438b18c4ae8eab2a3ab9087463ddc3180fc02957fd11f4518bbb878e222620247fac19eb97f9cb6f4ee5714097b86f4b089d',
  shell      => '/bin/bash',
  uid        => '503',
}

I then applied the manifest with the below results.

sudo puppet apply testaccount.pp
Notice: Compiled catalog for pclienttest6.local in environment production in 0.45 seconds
Notice: Finished catalog run in 15.60 seconds

Here is the puppet resource user output after applying the manifest.

user { 'testaccount':
  ensure     => 'present',
  comment    => 'testaccount',
  gid        => '20',
  groups     => ['_appserveradm', '_appserverusr', '_lpadmin', 'admin'],
  home       => '/Users/testaccount',
  iterations => '15455',
  password   => '3cade026b9fc2afde8e67def3766f67847a920e4a933a8b56bd42a4ab2ff1068d1e8ce8bfe10ff15aea26b74f81f51f3ca3dae301d89b838b9bd505f0a05c57735ee9ae623ce1a13e1f3aefc43f5438b18c4ae8eab2a3ab9087463ddc3180fc02957fd11f4518bbb878e222620247fac19eb97f9cb6f4ee5714097b86f4b089d',
  salt       => '564de03cbf1cee0e6fe924f80ceb6cd7f812528a48b4cb64689b4eb63035f3a3',
  shell      => '/bin/bash',
  uid        => '503',
}

After applying the manifest, I was still able to successfully su into the account with the given password.  However, I then deleted the account altogether and reapplied the same manifest that I pasted above.  The newly created account shows in System Preferences, but I'm refused when I try to su into it.

Gary Larizza

Feb 6, 2014, 10:48:20 PM
to pe-u...@puppetlabs.com
At this point, I would grab a copy of /var/db/dslocal/nodes/Default/users/<username>.plist and store it somewhere.  Then, delete the account, use Puppet to create it, and then compare the plist you copied with the new one created to see if there's anything obvious (namely, that the passwd key has exactly 8 asterisks - a la this https://github.com/puppetlabs/puppet/blob/master/lib/puppet/provider/user/directoryservice.rb#L623-L625 - that the authentication_authority matches, and so on).  It's possible that Puppet could be omitting something necessary when we crack open the plist to set the shadowhashdata key, but I can't see behavior changing in the point releases of 10.8.

Do you see this behavior on OTHER 10.8 VMs, or just this one?  Is it reproducible?
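The plist comparison Gary suggests above, as an added example that is not part of the thread and not Puppet's provider code. It loads two local user records with Python's plistlib, flags the two shapes Gary names (the passwd key holding exactly eight asterisks, and an authentication_authority entry that points at a shadow hash) plus a missing ShadowHashData value, and lists the keys on which two records differ. The two records embedded below are constructed samples, not Jason's attachments, and the exact text of the authentication_authority entry is an assumption.

```python
import plistlib

# Keys worth comparing between a System Preferences-created record and a
# Puppet-created one under /var/db/dslocal/nodes/Default/users/<username>.plist.
KEYS_OF_INTEREST = ("name", "uid", "gid", "home", "shell", "passwd",
                    "authentication_authority", "ShadowHashData")


def load_user_record(data):
    """Parse a dslocal user plist (plistlib accepts both binary and XML plists)."""
    return plistlib.loads(data)


def check_user_record(record):
    """Return a list of findings for one record; an empty list means it looks sane."""
    findings = []
    passwd = record.get("passwd")
    # dslocal stores passwd as an array holding the single placeholder string.
    if passwd != ["********"]:
        findings.append("passwd must be an array holding exactly '********', got %r" % (passwd,))
    authority = record.get("authentication_authority", [])
    if not any("ShadowHash" in entry for entry in authority):
        findings.append("authentication_authority has no ShadowHash entry: %r" % (authority,))
    if not record.get("ShadowHashData"):
        findings.append("ShadowHashData is missing or empty")
    return findings


def diff_user_records(left, right, keys=KEYS_OF_INTEREST):
    """Return {key: (left_value, right_value)} for the keys whose values differ."""
    return {k: (left.get(k), right.get(k)) for k in keys if left.get(k) != right.get(k)}


# Constructed sample records (not the attachments from the thread). Values in a
# dslocal record are arrays, even for single-valued attributes.
_COMMON = {
    "name": ["testaccount"], "uid": ["503"], "gid": ["20"],
    "home": ["/Users/testaccount"], "shell": ["/bin/bash"],
    # Authority entry in the shape used for a local PBKDF2 hash (assumed format).
    "authentication_authority": [";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>"],
}
# A sane record: passwd is an array of '********' and hash data is present
# (the bytes here are a constructed stand-in for the real binary plist blob).
GOOD_RECORD = plistlib.dumps(dict(_COMMON, passwd=["********"],
                                  ShadowHashData=[b"\x62\x70\x6c\x69\x73\x74"]))
# A defective record (constructed): passwd is a bare string rather than an
# array, and there is no ShadowHashData at all.
BAD_RECORD = plistlib.dumps(dict(_COMMON, passwd="********"))

if __name__ == "__main__":
    good, bad = load_user_record(GOOD_RECORD), load_user_record(BAD_RECORD)
    for finding in check_user_record(bad):
        print("finding:", finding)
    for key, (a, b) in diff_user_records(good, bad).items():
        print("differs:", key, a, "->", b)
```

To use it on real files, read the two plists from /var/db/dslocal/nodes/Default/users/ (root is needed) and pass the bytes to load_user_record; plistlib decodes the binary format those records are stored in.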

Jason Hatman

Feb 7, 2014, 9:31:48 AM
to pe-u...@puppetlabs.com
Thanks for all your help.  I've been applying these accounts through puppet for weeks and I never thought to check whether or not I could actually log into them.  Using the same "testaccount" mentioned above, here's what I tried.  I made the account manually with System Preferences and tested it working.  That plist file is attached as testaccount1.plist.  I then deleted the account with System Preferences and made the account with Puppet.  The account showed in System Preferences, but I could not authenticate to it.  That plist file is attached as testaccount2.plist.  From what I could tell they are mostly the same, or at least they contain the same parts.
testaccount1.plist
testaccount2.plist

Gary Larizza

Feb 7, 2014, 12:00:12 PM
to pe-u...@puppetlabs.com
Jason,

You may be running into this:  https://tickets.puppetlabs.com/browse/PUP-1210  (The original is https://projects.puppetlabs.com/issues/22539).  Can you verify this for me please?  Can you successfully ssh into the box with the account (make sure to turn on Remote Login)?  If you can, try directly modifying the user plist's 'passwd' key like in the ticket and see if it works for you.


Jason Hatman

Feb 10, 2014, 8:31:04 AM
to pe-u...@puppetlabs.com
It seems like that is the case.  I used a plist editor to manually edit the existing user.plist and create the array that contains ******** instead of just the string, but it didn't fix the issue.  It still didn't work.  I have noticed that user creation works perfectly on my 10.6.8 system.  This password issue occurs on my 10.7.5, 10.8.5, and 10.9.1 systems.

Andy Parker

Mar 18, 2014, 6:39:04 PM
to pe-u...@puppetlabs.com

Hi Jason, I'm looking into PUP-1210, which brought me back to this thread. I'm uncertain if everything here and in that bug are related, but I think they might be.

I've got some questions and clarifications inline.

On Thu, Feb 6, 2014 at 6:56 PM, Jason Hatman <jason....@gmail.com> wrote:
I'm using Puppet 3.4.2.  I created a user account called "testaccount" with the password "password".  Here is the puppet resource user output for it.
 
user { 'testaccount':
  ensure     => 'present',
  comment    => 'testaccount',
  gid        => '20',
  groups     => ['_appserveradm', '_appserverusr', '_lpadmin', 'admin'],
  home       => '/Users/testaccount',
  iterations => '15455',
  password   => '3cade026b9fc2afde8e67def3766f67847a920e4a933a8b56bd42a4ab2ff1068d1e8ce8bfe10ff15aea26b74f81f51f3ca3dae301d89b838b9bd505f0a05c57735ee9ae623ce1a13e1f3aefc43f5438b18c4ae8eab2a3ab9087463ddc3180fc02957fd11f4518bbb878e222620247fac19eb97f9cb6f4ee5714097b86f4b089d',
  salt       => '564de03cbf1cee0e6fe924f80ceb6cd7f812528a48b4cb64689b4eb63035f3a3',
  shell      => '/bin/bash',
  uid        => '503',
}

I was able to su into that account with the given password. I then created a manifest with the below content.

user { 'testaccount':
  ensure     => 'present',
  comment    => 'testaccount',
  gid        => '20',
  home       => '/Users/testaccount',
  password   => '3cade026b9fc2afde8e67def3766f67847a920e4a933a8b56bd42a4ab2ff1068d1e8ce8bfe10ff15aea26b74f81f51f3ca3dae301d89b838b9bd505f0a05c57735ee9ae623ce1a13e1f3aefc43f5438b18c4ae8eab2a3ab9087463ddc3180fc02957fd11f4518bbb878e222620247fac19eb97f9cb6f4ee5714097b86f4b089d',
  shell      => '/bin/bash',
  uid        => '503',
}


This leaves the "groups", "iterations", and "salt" unmanaged. I think the key here is the "salt" and "iterations".

I think the issue that you are seeing on 10.8 and 10.9 is because the password system changed from what was used on 10.7. On 10.8 and 10.9 OS X uses the PBKDF2 algorithm for password hashes. As part of this, the salt and the iterations need to be supplied as well as the hashed password. Applying the manifest above to a system where the user can already log in works out because it doesn't try to change the password, salt, or iterations parameters. However, if you try to change the password (generate a new hashed form) then the iterations and salt need to be specified along with it.
 
I then applied the manifest with the below results.

sudo puppet apply testaccount.pp
Notice: Compiled catalog for pclienttest6.local in environment production in 0.45 seconds
Notice: Finished catalog run in 15.60 seconds

Here is the puppet resource user output after applying the manifest.

user { 'testaccount':
  ensure     => 'present',
  comment    => 'testaccount',
  gid        => '20',
  groups     => ['_appserveradm', '_appserverusr', '_lpadmin', 'admin'],
  home       => '/Users/testaccount',
  iterations => '15455',
  password   => '3cade026b9fc2afde8e67def3766f67847a920e4a933a8b56bd42a4ab2ff1068d1e8ce8bfe10ff15aea26b74f81f51f3ca3dae301d89b838b9bd505f0a05c57735ee9ae623ce1a13e1f3aefc43f5438b18c4ae8eab2a3ab9087463ddc3180fc02957fd11f4518bbb878e222620247fac19eb97f9cb6f4ee5714097b86f4b089d',
  salt       => '564de03cbf1cee0e6fe924f80ceb6cd7f812528a48b4cb64689b4eb63035f3a3',
  shell      => '/bin/bash',
  uid        => '503',
}

After applying the manifest, I was still able to successfully su into the account with the given password.  However, I then deleted the account altogether and reapplied the same manifest that I pasted above.  The newly created account shows in System Preferences, but I'm refused when I try to su into it.

Yes, after deleting the account all of the password information is gone. Applying the shorter manifest (the one missing the salt and iterations) results in an account with incorrect salt and iterations values for the provided password hash. If you inspect the account, it will actually have a salt and iterations value, but I'm not sure where they are coming from. They might be defaults that are put in when the plist file is initially created.

Can you confirm that if you make sure you specify the salt and iterations (such as those reported by "puppet resource user") then you can create a user from scratch?




--
Andrew Parker
Freenode: zaphod42
Twitter: @aparker42
Software Developer

Join us at PuppetConf 2014, September 23-24 in San Francisco - http://bit.ly/pupconf14

Jason Hatman

Mar 18, 2014, 6:52:36 PM
to pe-u...@puppetlabs.com
Thanks for the info. 

Sent from Mailbox for iPhone

Jason Hatman
270-790-1139



Jason Hatman

Mar 21, 2014, 4:24:06 PM
to pe-u...@puppetlabs.com
I was able to fix this problem by including the salt and iterations values along with the password value.  Thanks to all. Below is my manifest to create a dummy account with username "user" and password "fruit".

class osx_management::fotl_user_account {

  # Create variables for the password, salt, and iterations based on the OS version.
  # If the OS version is not specified, the default value is used.
  # All the password hashes represent the same password - 'fruit'.

  $password = $macosx_productversion_major ? {
    '10.7' => 'f2b51324df6fea65b7feaa161f82fc8f3074f04dee02255f7beb81438e861dba12cfedb5319a724dfa3cb275c87b1055c930a84e3e44f544398a73a117d4c79024b71ece',
    '10.8' => 'f7aff05c7a8d8a62943333a61de7ea59db501d88edca259d2576cd59a78ee2cfff4f937dc1abe6914c18dc00d8dca9d13454064ccec833e0387a3c9301cab1fa29cf2f0d38768c22b004e761333744c323da319502ad5171141800e2a9c67b663bb7fbaf6335b956daf734a76e23d97a661ab6fbe3bf1d734612bb1683145cfa',
    '10.9' => '054f327f7573bb85078357a7db8e6ab22572af1a8d321987382c6d8f556ec4f634bb4c8a8f0775e91f881a37ee66857f331631823fbf6a707080d6342297aaa6a978dfce3b2301d5a11722038d332203d639c2444c6bd241aae477587d7bf7e24e138941535eca1fb77dc5371db158bc3f8865a5a6d942253c39ae6f9e2f1fd1',
    default => '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F35C1822158DCEA1F49CE30379E00A307B26E719F06421500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
  }

  $salt = $macosx_productversion_major ? {
    '10.8'  => '89fc985dde7736b338af90ecb80693053fab193d51ad914a9c176ae3c0af1f74',
    '10.9'  => '90fb66cc3c81c3eb6998137a70d9b6b702200f200fa6653d0a80ea1ad193f78f',
    default => '',
  }

  $iterations = $macosx_productversion_major ? {
    '10.8'  => '18691',
    '10.9'  => '28328',
    default => '',
  }

  # Do a user declaration and use the variables set above
  user { 'user':
    ensure     => 'present',
    comment    => 'Fruit User',
    gid        => '20',
    groups     => ['admin'],
    home       => '/Users/user',
    password   => $password,
    salt       => $salt,
    iterations => $iterations,
    shell      => '/bin/bash',
    uid        => '501',
  }

}
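An added example, not code from the thread or from Puppet, that ties Andy's explanation of salt and iterations to the three values Jason's manifest carries. It assumes that OS X 10.8 and later store local passwords as SALTED-SHA512-PBKDF2, that is PBKDF2-HMAC-SHA512 with 128 bytes of output and a 32-byte salt, which is consistent with the 256-character password and 64-character salt values that `puppet resource user` printed earlier in the thread. It derives such a hash, shows that the login check only succeeds when the stored salt and iteration count are the ones the hash was made with, models the failing case (account deleted and recreated from a manifest that carries only `password`), and renders a user resource with all three values. The password, salt and iteration values are constructed, and `render_user_resource` is a helper written here, not a Puppet API.

```python
import hashlib
import hmac
import os

# Assumed storage format for OS X 10.8+: PBKDF2-HMAC-SHA512, 128-byte output
# (hence the 256-hex-character 'password' values seen in the thread), 32-byte salt.
KEY_LEN = 128
SALT_LEN = 32


def derive_hash(password, salt, iterations):
    """Derive the 128-byte PBKDF2-HMAC-SHA512 value for a password."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, KEY_LEN)


def make_credentials(password, iterations=15455, salt=None):
    """Return the (password, salt, iterations) triple a Puppet user resource needs,
    as hex strings / a string, using a fresh random salt unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    return derive_hash(password, salt, iterations).hex(), salt.hex(), str(iterations)


def verify_login(password, password_hex, salt_hex, iterations):
    """What a login check does: recompute with the STORED salt and iteration count
    and compare in constant time. Any mismatch in salt or iterations fails."""
    expected = bytes.fromhex(password_hex)
    actual = derive_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(expected, actual)


def recreate_without_salt(password_hex):
    """Model the failing case from the thread: the account is deleted and recreated
    from a manifest that sets only 'password'. The new record ends up with whatever
    salt and iteration count the system assigns (random here, as a stand-in for the
    defaults Andy mentions), so the kept hash no longer matches them."""
    return password_hex, os.urandom(SALT_LEN).hex(), str(15455 + 1)


def render_user_resource(name, password_hex, salt_hex, iterations, uid="501"):
    """Render a Puppet user resource that carries all three values (helper written here)."""
    return "\n".join([
        "user { '%s':" % name,
        "  ensure     => 'present',",
        "  home       => '/Users/%s'," % name,
        "  password   => '%s'," % password_hex,
        "  salt       => '%s'," % salt_hex,
        "  iterations => '%s'," % iterations,
        "  uid        => '%s'," % uid,
        "}",
    ])


if __name__ == "__main__":
    # Constructed password; 18691 is the 10.8 iteration count from the manifest above.
    pw, salt, its = make_credentials("fruit", iterations=18691)
    print(verify_login("fruit", pw, salt, its))               # True: matching triple
    print(verify_login("fruit", *recreate_without_salt(pw)))  # False: hash kept, salt/iterations lost
    print(render_user_resource("user", pw, salt, its))
```

The point of `recreate_without_salt` is that the hash by itself is not a credential: it is bound to the salt and iteration count it was derived with, so a manifest that manages `password` but leaves `salt` and `iterations` unmanaged can only reproduce a working account if those two values already exist on the box.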