Hi, I am new to this and I discovered a manifest in an old post that should
change passwords. It runs fine, but the password does not change. I am
wondering how this would work since it would need to change the shadow.

Thanks


define change_passwd($user,$passwd) {
  exec { "/usr/bin/puppet apply -v -e \'user { \"${user}\": password => \"${passwd}\" }\'":
    onlyif => "/bin/grep -c ^${user}: /etc/shadow"
  }
}

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/TZ868p26GtAJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Peter Brown at Nov 30, 2012 at 6:19 am
    Hi.

    I have stopped using puppet to manage users. (I now use FreeIPA for
    authentication and authorization)
    I used to use the password field in the user resource to do this. It needs
    an encrypted password though.
    It worked fine for what I needed at the time.
    So if you can get the password from the shadow file on one server you can
    use that to set the passwords on all your other servers.
    It should be pretty easy to use Hiera to store them.



  • O at Nov 30, 2012 at 3:08 pm
    Thanks for the suggestion, but I would like to stick to seeing if I can get
    that script working correctly first before using an additional management
    software.
  • Jcbollinger at Nov 30, 2012 at 2:32 pm

    On Thursday, November 29, 2012 11:14:57 PM UTC-6, O wrote:
    Hi, I am new to this and I discovered a manifest in an old post that
    should change passwords. It runs fine, but the password does not change. I
    am wondering how this would work since it would need to change the shadow.

    The Puppet agent needs to run as a privileged user (typically root) in
    order to do a lot of the things it does, including managing system users.
    Yes, on systems that use shadow passwords, Puppet needs to modify
    /etc/shadow to manage passwords. So?

    As to the details, the Puppet agent adapts to the system on which it is
    running, and uses the appropriate system tools for most of the tasks it
    wants to perform. For example, to manage users on RedHat-family systems it
    uses useradd, userdel, usermod, and/or chage, as appropriate.

    For users in particular there is a wide variety of management toolsets in
    use on different OS flavors. Not all of them provide the same features,
    and in particular, not all of them support managing user passwords.
    Therefore, whether Puppet can manage passwords on a particular client
    depends on the client.

    Most of this is documented in the Puppet type reference:
    http://docs.puppetlabs.com/references/3.0.latest/type.html#user.


    Thanks


    define change_passwd($user,$passwd) {
    exec { "/usr/bin/puppet apply -v -e \'user { \"${user}\": password
    => \"${passwd}\" }\'":
    onlyif => "/bin/grep -c ^${user}: /etc/shadow"
    }
    }

    That's awfully convoluted. Why are you using an Exec to run "puppet apply"
    from within a Puppet run, instead of just declaring the wanted resource
    directly? That's not to say that the code is wrong or inappropriate. I
    think I can infer the purpose, but if *you* don't understand what it
    declares and why, then you cannot be sure whether it is appropriate or
    not. And that's before we even get to the structure of the wrapper
    definition.

    Pete is right that the User type's 'password' parameter requires a hash
    instead of a plaintext password. Except for Windows clients. And be aware
    that it requires the hash to be the correct type for the target system,
    which may be SHA1, SHA512, MD5, or possibly even something else. If your
    machines are homogeneous then that's not too big a problem, but if not then
    you may have a trickier problem.


    John

  • O at Nov 30, 2012 at 5:02 pm
    You are right. I found a simpler way of doing it using puppet's built in
    "user" reference with shadow-lib installed. The only thing is, puppet
    doesn't seem to be able to create an md5 hash for you so you need to create
    a test user with the same password and use that value for password =>
    'hashgoeshere'


  • Brian Jolly at Nov 30, 2012 at 6:55 pm
    I've been using the openssl command line tool to generate the hash for my
    puppet users:
    openssl passwd -1

    It's still a manual process to get the hash, but works pretty good for a
    small number of users.

  • Phips at Dec 4, 2012 at 10:52 am

    On Friday, November 30, 2012 4:40:34 PM UTC, O wrote:

    You are right. I found a simpler way of doing it using puppet's built in
    "user" reference with shadow-lib installed. The only thing is, puppet
    doesn't seem to be able to create an md5 hash for you so you need to create
    a test user with the same password and use that value for password =>
    'hashgoeshere'

    Use 'grub-md5-crypt' from a Linux box. Simples.

  • Jcbollinger at Dec 4, 2012 at 2:42 pm

    On Tuesday, December 4, 2012 4:52:45 AM UTC-6, Phips wrote:
    On Friday, November 30, 2012 4:40:34 PM UTC, O wrote:

    You are right. I found a simpler way of doing it using puppet's built in
    "user" reference with shadow-lib installed. The only thing is, puppet
    doesn't seem to be able to create an md5 hash for you so you need to create
    a test user with the same password and use that value for password =>
    'hashgoeshere'

    Use 'grub-md5-crypt' from a Linux box. Simples.

    As long as you need MD5 hashes, and your system has that program, then
    that's great. I repeat, however, that it is essential to create the
    correct type of hash for your target systems. MD5 used to be
    near-universal for Linux, but newer releases tend to prefer other hashes,
    and other types of machines may have even more differing requirements.


    John
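
The two points raised in the thread, that the user resource's password parameter takes a hash rather than plaintext and that the hash must be the type the target system expects, can be checked mechanically before a value goes into a manifest. The following is an added example, not code from the thread or from Puppet: it classifies a value by its crypt(3) prefix and reports entries that are plaintext or in the wrong scheme. The function names, the expected scheme and the sample values are constructed for illustration.

```python
import re

B64 = r"[./0-9A-Za-z]"  # alphabet used by crypt(3) salts and digests

# Scheme name -> pattern for a complete modular-crypt string.
SCHEMES = {
    "md5-crypt": re.compile(rf"\$1\${B64}{{0,8}}\${B64}{{22}}"),
    "sha256-crypt": re.compile(rf"\$5\$(rounds=\d+\$)?{B64}{{0,16}}\${B64}{{43}}"),
    "sha512-crypt": re.compile(rf"\$6\$(rounds=\d+\$)?{B64}{{0,16}}\${B64}{{86}}"),
    "bcrypt": re.compile(rf"\$2[abxy]?\$\d{{2}}\${B64}{{53}}"),
}


def classify(value):
    """Name the crypt scheme of a password-field value, or say why it is not one."""
    if value == "" or value[0] in "!*":
        return "locked-or-empty"
    for name, pattern in SCHEMES.items():
        if pattern.fullmatch(value):
            return name
    if value.startswith("$"):
        return "malformed-or-unknown-crypt"
    return "plaintext-or-unknown"  # e.g. a cleartext password or legacy DES crypt


def audit(passwords, expected):
    """Return (user, found) pairs whose value is not in the expected scheme."""
    found = ((user, classify(value)) for user, value in sorted(passwords.items()))
    return [(user, scheme) for user, scheme in found if scheme != expected]


# Constructed sample values: salts and digests are filler, not real hashes.
SAMPLE = {
    "alice": "$6$" + "saltsalt" + "$" + "A" * 86,
    "bob": "$1$" + "saltsalt" + "$" + "B" * 22,
    "carol": "hunter2",
    "dave": "$6$rounds=5000$" + "saltsaltsaltsalt" + "$" + "C" * 86,
}

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE, "sha512-crypt"):
        print(f"{user}: {scheme}, expected sha512-crypt")
```

The patterns check shape only (prefix, salt length, digest length); they do not verify that a digest corresponds to any particular password.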


Discussion Overview
group: puppet-users
categories: puppet
posted: Nov 30, '12 at 6:06a
active: Dec 4, '12 at 2:42p
posts: 8
users: 5
website: puppetlabs.com
