Jira (PUP-6285) Puppet fails to restore a group key value for Mac OS X


David M. St. Pierre (JIRA)

May 10, 2016, 1:04:03 PM
to puppe...@googlegroups.com
David M. St. Pierre created an issue
 
Puppet / Bug PUP-6285
Puppet fails to restore a group key value for Mac OS X
Issue Type: Bug
Affects Versions: PUP 4.4.2
Assignee: Unassigned
Attachments: puppetrun.txt
Created: 2016/05/10 10:03 AM
Environment:

Latest version of puppetserver running on Ubuntu 14.04 LTS with PuppetDB in monolithic install
Puppet agent on Mac OS X Yosemite 10.10.5 installed from puppet-agent-1.4.2-1-osx10.10.dmg

Priority: Normal
Reporter: David M. St. Pierre

On the Mac using System Preferences Users & Groups, created a new Administrative user named testadmin

Then ran $ sudo -i puppet resource user testadmin and got the following output

  user { 'testadmin':
    ensure     => 'present',
    comment    => 'Test Administrator',
    gid        => '20',
    groups     => ['_appserveradm', '_appserverusr', '_lpadmin', 'admin', 'com.apple.sharepoint.group.2'],
    home       => '/Users/testadmin',
    iterations => '20120',
    password   => '75e29e8646edcbef84d736f8848397385acb7dab511be3dae0a21ceaeda2022222eabb6dc24fb21b81564a1bcf2bba75947830f11f1c71582242fa9e92f71c1e586c054ef333d3f78c1ffd25bbc2a6269a0e3b0a1b03976c88068e9dc2405aa862f2378bb183d6ff9f0bd81e024db1babe29ebaa838aa850fddfa34ed152ec78',
    salt       => 'b922ab2d6c2afbf6bb1bd0fa27b6e08768e8b90cdb15d4362216a0bd897f1d20',
    shell      => '/bin/bash',
    uid        => '503',
  }

This was entered into site.pp for the particular Mac node.

At this point, using System Preferences Users & Groups, deleted the user testadmin while preserving the home directory /Users/testadmin

Then on the Mac ran $ sudo -i puppet agent --test --debug --trace > puppetrun.txt 2>&1

The user testadmin was only incompletely restored. The group name com.apple.sharepoint.group.2 caused an error that also prevented password, salt, and iterations from being reset correctly. If I remove the group name com.apple.sharepoint.group.2 from the manifest site.pp, the user testadmin restores correctly with the correct password.

The file puppetrun.txt is attached.

Also note, the patches to the files plist.rb and directoryservice.rb from ticket PUP-6159 were taken from github and applied to the Mac node, which is why password, salt, and iterations restore correctly. Otherwise, the test of deleting a Mac user and restoring its groups would have been confounded by that known issue.

 
This message was sent by Atlassian JIRA (v6.4.13#64028-sha1:b7939e9)

David M. St. Pierre (JIRA)

May 11, 2016, 10:56:02 AM
to puppe...@googlegroups.com
David M. St. Pierre commented on Bug PUP-6285
 
Re: Puppet fails to restore a group key value for Mac OS X

Further investigation showed that the user testadmin was the only member of the Group com.apple.sharepoint.group.2. When the user was deleted, the Group com.apple.sharepoint.group.2 was also deleted. Thus when Puppet got to the merge step at:

Debug: Executing: '/usr/bin/dscl . -merge /Groups/com.apple.sharepoint.group.2 GroupMembership testadmin'

the step failed because it couldn't merge into a missing group. When the missing group was manually recreated at the command line with

dscl . -create /Groups/com.apple.sharepoint.group.2

then sudo puppet agent --test --debug ran without errors and sudo puppet resource user testadmin showed the complete list of groups correctly.

OS X creates a unique Group com.apple.sharepoint.group.x where x is an integer starting at 1 for each local Administrator account. As noted above, the group must exist before merging the Administrator account back into it. If the group exists, running the command

dscl . -create /Groups/com.apple.sharepoint.group.2 (or any x) exits without complaint.

I have not tested the case of a local Administrator being demoted to a Standard user and having Puppet restore them back. I do know that when that happens, the puppet resource user command shows the groups => attribute to be missing. So I imagine, but haven't confirmed, that we'll get the same error at the merge step for com.apple.sharepoint.group.x.

David M. St. Pierre (JIRA)

May 11, 2016, 4:23:06 PM
to puppe...@googlegroups.com

It appears that a solution to this problem is how you write the manifest. Ensure the group is present with no members before defining the user resource using the following Puppet code:

  group { 'com.apple.sharepoint.group.2':
    ensure      => 'present',
    auth_membership => 'true',
    members     => [],
  }
 
  user { 'testadmin':
    ensure     => 'present',
    comment    => 'Test Administrator',
    gid        => '20',
    groups     => ['_appserveradm', '_appserverusr', '_lpadmin', 'admin', 'com.apple.sharepoint.group.2'],
    membership => 'inclusive',
    home       => '/Users/testadmin',
    iterations => '20120',
    password   => '75e29e8646edcbef84d736f8848397385acb7dab511be3dae0a21ceaeda2022222eabb6dc24fb21b81564a1bcf2bba75947830f11f1c71582242fa9e92f71c1e586c054ef333d3f78c1ffd25bbc2a6269a0e3b0a1b03976c88068e9dc2405aa862f2378bb183d6ff9f0bd81e024db1babe29ebaa838aa850fddfa34ed152ec78',
    salt       => 'b922ab2d6c2afbf6bb1bd0fa27b6e08768e8b90cdb15d4362216a0bd897f1d20',
    shell      => '/bin/bash',
    uid        => '503',
  }

Emptying the group membership prevents multiple UIDs from appearing in /Groups/com.apple.sharepoint.group.2 GroupMembers with repeated runs of the Puppet agent.

sudo dscl . read /Groups/com.apple.sharepoint.group.2 GroupMembers lists only one UID

sudo dscl . read /Groups/com.apple.sharepoint.group.2 GroupMembership lists only the user testadmin.

This is the best I can come up with for the moment. I am open to suggestions from the Puppet Team.
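An added post-run check, not part of this thread or of Puppet itself, that parses the text `dscl . -read /Groups/<name>` prints and reports the three conditions the comments above describe: the group record missing entirely (so the `-merge` step fails), duplicate UIDs accumulating in GroupMembers across repeated agent runs, and GroupMembership not matching the restored user. The record texts and UIDs below are constructed samples.

```python
"""Check a macOS sharepoint group record after a Puppet run (context: PUP-6285)."""
import re

# Constructed sample of a healthy record; UIDs are made up.
HEALTHY = """\
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 6B0E7A7A-0000-4000-8000-000000000002
GroupMembers: 3F2A1B4C-0000-4000-8000-000000000503
GroupMembership: testadmin
PrimaryGroupID: 702
RecordName: com.apple.sharepoint.group.2
RecordType: dsRecTypeStandard:Groups
"""

# Constructed sample: the same user UID merged in on two separate agent runs.
DUPLICATED = HEALTHY.replace(
    "GroupMembers: 3F2A1B4C-0000-4000-8000-000000000503",
    "GroupMembers: 3F2A1B4C-0000-4000-8000-000000000503 "
    "3F2A1B4C-0000-4000-8000-000000000503",
)


def parse_dscl_record(text):
    """Turn `Key: v1 v2 ...` lines into {key: [values]}. No keys means no record."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+):\s*(.*)$", line)
        if m:
            record[m.group(1)] = m.group(2).split()
    return record


def check_sharepoint_group(text, expected_user):
    """Return a list of findings; an empty list means the record is consistent.

    Pass an empty string when dscl exits non-zero (record not found): that is
    the state in which `dscl . -merge ... GroupMembership` fails in the ticket.
    """
    record = parse_dscl_record(text)
    if not record:
        return ["group record missing: declare it with ensure => present before the user"]
    findings = []
    members = record.get("GroupMembers", [])
    if len(members) != len(set(members)):
        findings.append("duplicate UID in GroupMembers: %d entries" % len(members))
    membership = record.get("GroupMembership", [])
    if membership != [expected_user]:
        findings.append("GroupMembership is %r, expected [%r]" % (membership, expected_user))
    return findings
```

Feed it the real output of `sudo dscl . -read /Groups/com.apple.sharepoint.group.N` on the node; a missing record and a growing GroupMembers list are the two symptoms the workaround manifest is meant to prevent.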

William Hopper (JIRA)

May 12, 2016, 4:47:04 PM
to puppe...@googlegroups.com

Thanks a bunch for the investigative work, David M. St. Pierre! We're aware of a few issues with OSX groups, but we haven't tracked down the scope of the problems yet. I'm willing to bet one of PUP-5334 or PUP-1744 is involved, or at least related.

Moses Mendoza (JIRA)

Sep 22, 2016, 3:26:04 PM
to puppe...@googlegroups.com
Moses Mendoza updated an issue
 
Change By: Moses Mendoza
Labels: manage-user-group

Sean McDonald (JIRA)

May 16, 2017, 7:06:02 PM
to puppe...@googlegroups.com
Sean McDonald updated an issue
Change By: Sean McDonald
Labels: manage-user-group triaged

Geoff Nichols (JIRA)

Mar 24, 2018, 9:02:02 PM
to puppe...@googlegroups.com
Geoff Nichols updated an issue
Change By: Geoff Nichols
Labels: macos manage-user-group type_and_provider

Branan Riley (JIRA)

May 10, 2018, 9:11:01 PM
to puppe...@googlegroups.com
Branan Riley updated an issue
Change By: Branan Riley
Labels: macos manage-user- group macos triaged type_and_provider user

Matthew Sa (Jira)

Mar 9, 2023, 3:14:03 PM
to puppe...@googlegroups.com
Matthew Sa updated an issue
Change By: Matthew Sa

Matthew Sa (Jira)

Mar 9, 2023, 3:14:03 PM
to puppe...@googlegroups.com
Matthew Sa updated an issue

Matthew Sa (Jira)

Mar 9, 2023, 3:16:01 PM
to puppe...@googlegroups.com
Matthew Sa updated an issue
Change By: Matthew Sa
Reporter: David M. St. Pierre William Hopper