Jira (PUP-11159) User password management with `useradd` provider fails silently

[Luchian Nemes (Jira)]

Luchian Nemes created an issue

Puppet / PUP-11159 User password management with `useradd` provider fails silently Issue Type: Bug Assignee: Unassigned Created: 2021/07/05 7:12 AM Priority: Normal Reporter: Luchian Nemes Docs indeed mention in https://puppet.com/docs/puppet/6/types/user.html#user-provider-openbsd that ruby-shadow needs to be installed in order to manage user passwords, but Puppet should give at least a warning that it couldn't manage the user password instead of silently continuing (creates a user without any password successfully when a password was provided in manifest). Useful output: # Bundled gem ➜ bundle exec puppet resource user test1 ensure=present password=pass1 Warning: /User[test1]: Ssh_authorized_key type is not available. Cannot purge SSH keys. Notice: /User[test1]/ensure: created user { 'test1': ensure => 'present', provider => 'useradd', } ➜ bundle exec puppet resource user test1 ensure=present password=pass2 Warning: /User[test1]: Ssh_authorized_key type is not available. Cannot purge SSH keys. user { 'test1': ensure => 'present', provider => 'useradd', }   # Latest Puppet gem build ➜ gem install puppet Fetching puppet-7.8.0.gem Successfully installed puppet-7.8.0 Parsing documentation for puppet-7.8.0 Installing ri documentation for puppet-7.8.0 Done installing documentation for puppet after 14 seconds 1 gem installed ➜ puppet resource user test2 ensure=present password=pass Warning: /User[test2]: Ssh_authorized_key type is not available. Cannot purge SSH keys. Notice: /User[test2]/ensure: created user { 'test2': ensure => 'present', provider => 'useradd', } ➜ puppet resource user test2 ensure=present password=pass2 Warning: /User[test2]: Ssh_authorized_key type is not available. Cannot purge SSH keys. user { 'test2': ensure => 'present', provider => 'useradd', } ➜ puppet --version 7.8.0 ➜ bundle exec puppet --version 6.24.0   # Bundled ruby with ruby-shadow installed ➜ bundle exec puppet resource user shadow ensure=present password=pass Warning: /User[shadow]: Ssh_authorized_key type is not available. Cannot purge SSH keys. Notice: /User[shadow]/ensure: created user { 'shadow': ensure => 'present', password => 'pass', provider => 'useradd', } ➜ bundle exec puppet resource user shadow ensure=present password=pass2 Warning: /User[shadow]: Ssh_authorized_key type is not available. Cannot purge SSH keys. Notice: /User[shadow]/password: changed [redacted] to [redacted] user { 'shadow': ensure => 'present', password => 'pass2', provider => 'useradd', }   # Latest AIO nightly build ➜ puppet resource user shadow ensure=present password=pass Notice: /User[shadow]/ensure: created user { 'shadow': ensure => 'present', password => 'pass', provider => 'useradd', } ➜ puppet resource user shadow ensure=present password=pass1 Notice: /User[shadow]/password: changed [redacted] to [redacted] user { 'shadow': ensure => 'present', password => 'pass1', provider => 'useradd', } We should try to keep same behaviour between gem and AIO versions or at least avoid confusing mismatches like this one. We have a debug message lost in the river that tells-ish us about this: ➜ bundle exec puppet resource user testdebug ensure=present password=pass --debug ... Debug: Could not find library 'shadow' required to enable feature 'libshadow' ... Debug: Finishing transaction 12080 Debug: Storing state Debug: Pruned old state cache entries in 0.00 seconds Debug: Stored state in 0.00 seconds user { 'testdebug': ensure => 'present', provider => 'useradd', } Add Comment

This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)