john eckhardt
2012-Jan-13 17:22 UTC
[Puppet Users] Windows User Management - Hashed Passwords in Manifest
With a manifest like this, which contains the cleartext password, I have no
trouble.
class win-users {
  user { 'testuser':
    ensure   => 'present',
    groups   => ['Administrators', 'Users'],
    password => 'P4ssW0rd'
  }
}
With this manifest, which contains (I believe) the encrypted password,
I fail as seen below.
Anyone have experience or tips around hashed passwords to configure
Windows users?
class win-users {
  user { 'testuser':
    ensure   => 'present',
    groups   => ['Administrators', 'Users'],
    password => 'cc27822e173cfef6c584c84aa7581941'
  }
}
C:\Ruby187\bin>puppet agent --test
info: Caching catalog for ip-0a746724.ec2.internal
info: Applying configuration version '1326475038'
err: /Stage[main]/Win-users/User[testuser]/password: change from [old password hash redacted] to [new password hash redacted] failed: SetPassword
OLE error code:800708C5 in Active Directory
The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.
HRESULT error code:0x80020009
Exception occurred.
notice: Finished catalog run in 7.16 seconds
PS - I hashed this password with the tool on
http://nediam.com.mx/winhashes/index.php
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Josh Cooper
2012-Jan-13 19:20 UTC
Re: [Puppet Users] Windows User Management - Hashed Passwords in Manifest
Hi John,

On Fri, Jan 13, 2012 at 9:22 AM, john eckhardt <johnefuego@gmail.com> wrote:
> Anyone have experience or tips around hashed password to configure
> windows users?
>
> class win-users {
> user { 'testuser': ensure => 'present', groups =>
> ['Administrators', 'Users'], password =>
> 'cc27822e173cfef6c584c84aa7581941' }
> }
>

Setting the password using an LM or NT hash is not supported, frankly
because AFAIK Windows doesn't expose APIs for setting the password in
this format (excluding tools like chntpw). Part of the issue is that
knowing the hash is equivalent to knowing your password[1].

One way of dealing with this would be to encrypt the cleartext password
with the agent's public key, add it to the manifest, and then have the
windows user provider on the agent decrypt with its private key, then
call ADSI SetPassword. With that said, it's not something that is
supported today.

Josh

[1] http://oss.coresecurity.com/pshtoolkit/doc/index.html

--
Josh Cooper
Developer, Puppet Labs
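The approach Josh describes (encrypt the cleartext with the agent's public key, decrypt on the agent before calling ADSI SetPassword), as an added Ruby example that is not part of the thread and is not Puppet's code. The function names, the choice of RSA-OAEP and the generated demo keys are assumptions; the SetPassword call itself is left out.

```ruby
require 'openssl'

# Assumption: RSA with OAEP padding; the thread does not name a scheme.
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Master side (hypothetical helper): encrypt the cleartext so that only the
# holder of the agent's private key can read it. Returns one Base64 line
# that could be placed in a manifest instead of the cleartext.
def encrypt_for_agent(agent_public_pem, cleartext)
  pub = OpenSSL::PKey::RSA.new(agent_public_pem)
  [pub.public_encrypt(cleartext, OAEP)].pack('m0')
end

# Agent side (hypothetical helper): recover the cleartext with the agent's
# private key. Returns nil if the value was encrypted for another host or
# is not valid Base64, so a provider could refuse to set a password.
def decrypt_on_agent(agent_private_key, blob)
  raw = blob.unpack1('m0')
  agent_private_key.private_decrypt(raw, OAEP).force_encoding('UTF-8')
rescue OpenSSL::PKey::PKeyError, ArgumentError
  nil
end

# Constructed demo keys; a real agent would use its existing key pair.
AGENT_KEY = OpenSSL::PKey::RSA.new(2048)
OTHER_KEY = OpenSSL::PKey::RSA.new(2048)

if __FILE__ == $PROGRAM_NAME
  blob = encrypt_for_agent(AGENT_KEY.public_key.to_pem, 'P4ssW0rd')
  puts "manifest value: #{blob[0, 32]}..."
  puts "agent decrypts: #{decrypt_on_agent(AGENT_KEY, blob).inspect}"
  puts "other host:     #{decrypt_on_agent(OTHER_KEY, blob).inspect}"
  # The agent would pass the decrypted string to ADSI SetPassword here.
end
```

Unlike an LM or NT hash, the stored value is useless to anyone who reads the manifest or catalog without the agent's private key.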