What's the difference between a normal user and a system user?
That is not a technical difference but an organizational decision. E.g. it makes sense to show normal users in a login dialog (so that you can click them instead of having to type the user name) but it wouldn't make sense to show system accounts (the UIDs under which daemons and other automatic processes run) there.
Thus a border is defined or rather two ranges for the UIDs for the two groups. In openSUSE the file /etc/login.defs contains these lines:

    # Min/max values for automatic uid selection in useradd
    #
    # SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
    # UIDs for dynamically allocated administrative and system accounts.
    # UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
    # allocated user accounts.
    #
    UID_MIN      1000
    UID_MAX     60000
    # System accounts
    SYS_UID_MIN   100
    SYS_UID_MAX   499

and

    # Min/max values for automatic gid selection in groupadd
    #
    # SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
    # GIDs for dynamically allocated administrative and system groups.
    # GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
    # allocated groups.
    #
    GID_MIN      1000
    GID_MAX     60000
    # System accounts
    SYS_GID_MIN   100
    SYS_GID_MAX   499

The main difference is the purpose of the account, so it's primarily a useful distinction for administrators and auditors. There are a few technical differences — from the adduser documentation:
System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN–SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN–UID_MAX (and their GID counterparts for the creation of groups).
As far as I can tell (I don't know Puppet), the difference from Puppet's perspective is whether it passes the -r option to adduser.
For a broader perspective, see Is it possible to "hide" an account from /etc/passwd?