Jira (PUP-9688) User resource sets password on every puppet agent run (Windows)


Patrick Grant (JIRA)

Apr 29, 2019, 6:26:02 AM
to puppe...@googlegroups.com
Patrick Grant created an issue
 
Puppet / Bug PUP-9688
User resource sets password on every puppet agent run (Windows)
Issue Type: Bug
Affects Versions: PUP 5.5.10
Assignee: Unassigned
Created: 2019/04/29 3:25 AM
Priority: Normal
Reporter: Patrick Grant

Puppet Version: 5.5.10
Puppet Server Version: 5.3.7
OS Name/Version: Windows Server 2016

When using the following simple code to set the Administrator password on Windows:

$adminpassword = 'slkdhfl@#$slkW223'

if $adminpassword {
    user { 'Administrator':
        ensure   => present,
        password => $adminpassword,
    }
}

The above sets the password correctly, but if the "Deny access to this computer from the network" local group policy has been configured for members of the Administrator group, the password will get applied on every puppet agent run.

This has been reproduced locally on my Windows 2016 box where Deny access to this computer from the network has been set for the admin group, using the above code and puppet apply.

Desired Behavior: Corrective change for the password happens on the first puppet only.

Actual Behavior: Corrective change for the password gets made on every puppet run.


Philip Olsen (JIRA)

Apr 29, 2019, 9:59:02 AM
to puppe...@googlegroups.com
Philip Olsen commented on Bug PUP-9688
 
Re: User resource sets password on every puppet agent run (Windows)

https://github.com/puppetlabs/puppet/blob/f19c5674ccd95ce28bd54ed21db5b9bf02bc547b/lib/puppet/util/windows/user.rb 

Could the issue lie in the error returned by lines 62-77 in the above?

Perhaps just needs to cleanly handle the error code relevant when a user is denied logon rights from the network?

Philip Olsen (JIRA)

Apr 30, 2019, 1:04:01 AM
to puppe...@googlegroups.com
Philip Olsen commented on Bug PUP-9688

I have done some further testing and believe the issue is based on the login type passed into the LogonUserW within the windows user.rb code here:
https://github.com/puppetlabs/puppet/blob/f19c5674ccd95ce28bd54ed21db5b9bf02bc547b/lib/puppet/util/windows/user.rb

At lines 85-89, the value of fLOGON32_LOGON_NETWORK is 3 which is a LOGON32_LOGON_NETWORK type (see below). This fails if the user is not allowed network logon rights (by design). As a fix, could we update the code to attempt a LOGON32_LOGON_INTERACTIVE if the initial LOGON32_LOGON_NETWORK fails? It would essentially just need an additional if statement to be built in here but I don't have the ruby coding skills to implement it myself. Perhaps someone more skilled in ruby could implement?

FFI::MemoryPointer.new(:handle, 1) do |token_pointer|
  if LogonUserW(wide_string(name), wide_string('.'), password.nil? ? FFI::Pointer::NULL : wide_string(password),
      fLOGON32_LOGON_NETWORK, fLOGON32_PROVIDER_DEFAULT, token_pointer) == FFI::WIN32_FALSE
    raise Puppet::Util::Windows::Error.new(_("Failed to logon user %{name}") % { name: name.inspect })
  end

Mihai Buzgau (JIRA)

Apr 30, 2019, 4:01:02 AM
to puppe...@googlegroups.com

Mihai Buzgau (JIRA)

Apr 30, 2019, 4:01:04 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Team: Platform OS Puppet Romania

Mihai Buzgau (JIRA)

May 2, 2019, 5:29:02 AM
to puppe...@googlegroups.com

Mihai Buzgau (JIRA)

May 2, 2019, 5:29:04 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - Triage 2019-05-15

Alexandru Popa (JIRA)

May 9, 2019, 8:38:03 AM
to puppe...@googlegroups.com

Mihai Buzgau (JIRA)

May 15, 2019, 5:29:10 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - 2019-05-15, PR - 2019-05-29

Alexandru Popa (JIRA)

May 29, 2019, 4:35:03 AM
to puppe...@googlegroups.com
Alexandru Popa updated an issue

When a local group policy is configured to deny network logons, the manifests that need to be applied on the node are applied at every puppet run instead of only applying it once.

This issue is raised because puppet first tries to logon with credentials with the function LogonUserW using the network parameter.

Fix: The user resource will try to logon using function LogonUserW using fLOGON32_LOGON_NETWORK, if this returns false, the user resource tries to logon using fLOGON32_LOGON_INTERACTIVE to prevent applying the manifests at every agent run.

Change By: Alexandru Popa
Release Notes Summary: Fix: Corrective change for the password happens on the first puppet only instead of every puppet run.
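
The behaviour described in this update, as an added simulation that is not Puppet's own code and not part of the original thread: it counts how many agent runs reset the password when network logon is denied, with the network-only check and with the interactive fallback. `SimulatedHost`, its `logon_user` method, the helper names and the passwords are hypothetical stand-ins for Windows and `LogonUserW`; only the logon type values 2 and 3 are the real Win32 constants.

```ruby
# Added simulation: no Windows API is called.
LOGON32_LOGON_INTERACTIVE = 2
LOGON32_LOGON_NETWORK     = 3

# Constructed stand-in for a Windows host with a single local account.
class SimulatedHost
  attr_writer :password

  def initialize(password:, denied_logon_types: [])
    @password = password
    @denied_logon_types = denied_logon_types
  end

  # Hypothetical stand-in for LogonUserW: true when the password is correct
  # and local policy does not deny this logon type to the account.
  def logon_user(password, logon_type)
    password == @password && !@denied_logon_types.include?(logon_type)
  end
end

# Check before the fix: a network logon is the only test of the password.
def password_matches_network_only?(host, password)
  host.logon_user(password, LOGON32_LOGON_NETWORK)
end

# Check as described in the fix: retry interactively if network logon fails.
def password_matches_with_fallback?(host, password)
  host.logon_user(password, LOGON32_LOGON_NETWORK) ||
    host.logon_user(password, LOGON32_LOGON_INTERACTIVE)
end

# Number of agent runs (out of `runs`) that reset the password.
def corrective_changes(host, desired, runs, check)
  (1..runs).count do
    next false if send(check, host, desired) # already in sync
    host.password = desired                  # corrective change
    true
  end
end

policy = { password: 'Old-Constructed-1', denied_logon_types: [LOGON32_LOGON_NETWORK] }
%i[password_matches_network_only? password_matches_with_fallback?].each do |check|
  changes = corrective_changes(SimulatedHost.new(**policy), 'New-Constructed-2', 3, check)
  puts "#{check}: #{changes} corrective change(s) in 3 runs"
end
```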

Oana Tanasoiu (JIRA)

Jun 10, 2019, 3:18:03 AM
to puppe...@googlegroups.com

Heston Hoffman (JIRA)

Jun 11, 2019, 6:35:03 PM
to puppe...@googlegroups.com

Gheorghe Popescu (JIRA)

Jul 3, 2019, 4:48:02 AM
to puppe...@googlegroups.com
Gheorghe Popescu updated an issue
Change By: Gheorghe Popescu
Fix Version/s: PUP 6.4.3
Fix Version/s: PUP 6.0.10
Fix Version/s: PUP 5.5.15

Austin Boyd (JIRA)

Dec 12, 2019, 9:10:04 AM
to puppe...@googlegroups.com
Austin Boyd updated an issue
Change By: Austin Boyd
Zendesk Ticket IDs: 34608
Zendesk Ticket Count: 1