Description
Some way or another, a clean Debian install + Puppet agent run causes users to be added before Puppet gets a chance to change the adduser
configuration to limit the max system uid at 500 (via ocf/groups.sh). When the package that creates that group is installed, adduser
then complains that the user exists and is not a system user (since it was created at the default range going up to 999), causing the package installation to fail.
Seen with: ocfletsencrypt, systemd-coredump (created by sysusers.d / systemd-sysusers - this happens on first boot, way before Puppet gets a chance to do anything)
Another note: it seems that Puppet user resource also ignores adduser.conf, since I tested manually deleting one of the problematic users and rerunning Puppet, which just then recreated it with the same problematic uid, despite adduser.conf definitely being modified at this point.
I think the best solution here is to clear out an area in the uid/gid space in LDAP for local users that is above 1000, so we can keep the standard defaults in early system provisioning and not need to add dependencies on ocf everywhere in Puppet (and things that ignore adduser.conf aren't affected). Another option is to define an ocf::user resource with the dependency (and make it respect adduser.conf)
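
One way to audit a host for the condition described above, as an added example that is not part of the original issue or OCF's code: it reads LAST_SYSTEM_UID from an adduser.conf-style file and lists accounts whose uid sits above it but inside the Debian default system range (up to 999). The function names, the sample passwd entries and their uids, and the LAST_SYSTEM_UID=500 value are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not OCF's code): find accounts stranded above a lowered
# LAST_SYSTEM_UID, which `adduser --system` then rejects as non-system users.

# conf_value FILE KEY DEFAULT: last numeric KEY=value in an adduser.conf-style
# file, or DEFAULT when the file or the key is missing.
conf_value() {
    [ -r "$1" ] || { echo "$3"; return 0; }
    awk -F= -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; sub(/#.*/, "", v); gsub(/[^0-9]/, "", v)
                   if (v != "") def = v }
        END { print def }' "$1"
}

# stranded_users PASSWD CONF [DEFAULT_MAX]: print "name:uid" for every account
# whose uid is above the configured LAST_SYSTEM_UID but still inside the
# distribution default system range (up to DEFAULT_MAX, 999 on Debian).
stranded_users() {
    max=$(conf_value "$2" LAST_SYSTEM_UID 999)
    awk -F: -v lo="$max" -v hi="${3:-999}" '
        $3 ~ /^[0-9]+$/ && $3 + 0 > lo + 0 && $3 + 0 <= hi + 0 {
            print $1 ":" $3 }' "$1"
}

# Constructed sample data: uids and the LAST_SYSTEM_UID value are assumptions.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ocfletsencrypt:x:998:998::/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
    printf '# lowered by configuration management\nLAST_SYSTEM_UID=500\n' \
        > "$1/adduser.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
stranded_users "$demo/passwd" "$demo/adduser.conf"
rm -rf "$demo"
```

On a real host the call would be `stranded_users /etc/passwd /etc/adduser.conf`; an empty result means no local account conflicts with the configured system range.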