What's the difference between a normal user and a system user?

That is not a technical difference but an organizational decision. E.g. it makes sense to show normal users in a login dialog (so that you can click them instead of having to type the user name) but it wouldn't to show system accounts (the UIDs under which daemons and other automatic processes run) there.

Thus a border is defined or rather two ranges for the UIDs for the two groups. In openSUSE the file /etc/login.defs contains these lines:

# Min/max values for automatic uid selection in useradd
#
# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
# UIDs for dynamically allocated administrative and system accounts.
# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
# allocated user accounts.
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               100
SYS_UID_MAX               499

and

# Min/max values for automatic gid selection in groupadd
#
# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
# GIDs for dynamically allocated administrative and system groups.
# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
# allocated groups.
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               100
SYS_GID_MAX               499

The main difference is the purpose of the account, so it's primarily a useful distinction for administrators and auditors. There are a few technical differences — from the adduser documentation:

System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MINSYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MINUID_MAX (and their GID counterparts for the creation of groups).

As far as I can tell (I don't know Puppet), the difference from Puppet's perspective is whether it passes the -r option to adduser.

For a broader perspective, see Is it possible to "hide" an account from /etc/passwd?

Tags:

Users