So I can reproduce the behavior, and I'm not sure why it's happening. The way puppet is supposed to behave is that if you try to manage the password, but the provider does not support the manages_password feature, then the provider should not be suitable, so puppet should never try to use that provider and apply the resource "half-way". I would expect puppet to fail that resource, since it can't enforce the correct desired state.
Note puppet supports runtime feature detection, because a user may want to install the ruby-libshadow dependency in the same run that they are trying to manage a user's password. We don't want puppet to take 2 runs to converge.
That said, something is clearly not right.
|