On Dec 21, 2012, at 1:02 AM, Keiran Sweet wrote:
All,
The root cause of this issue was that on RHEL the 'usermod -p "<string>" username' command returns zero in the event that a user exists in the passwd file even if they don't have a corresponding entry in the shadow file. The knock-on effect of this is that the user provider assumes that the update to the password hash has been actioned and reports accordingly, when in fact the usermod command does nothing and exits with zero.
This configuration may occur if a user is added to the passwd file outside of the usual user administration tools without running pwconv, or if the environment uses krb5 for authentication in which you may find users defined in the passwd file without shadow entries.
K
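The condition described in the message above (an account present in passwd with no shadow entry, for which `usermod -p` exits zero without changing anything) can be checked before and after a Puppet run. The following is an added example, not part of the original thread: the function names are hypothetical, and it assumes the standard colon-separated passwd and shadow layouts.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Default paths are the system files; pass other paths to work on copies.

# Print every user name found in the passwd file that has no shadow entry.
# For these accounts 'usermod -p' reports success without storing a hash.
users_missing_shadow() {
    passwd_file=${1:-/etc/passwd}
    shadow_file=${2:-/etc/shadow}
    # Compare FILENAME with ARGV[1] instead of using NR == FNR, so an
    # empty shadow file is handled correctly (all users are reported).
    awk -F: '
        FILENAME == ARGV[1] { if ($1 != "") seen[$1] = 1; next }
        $1 != "" && $1 !~ /^[#+-]/ && !($1 in seen) { print $1 }
    ' "$shadow_file" "$passwd_file"
}

# Succeed only if USER has a shadow entry whose hash field equals EXPECTED.
# Use after 'puppet agent -t' to confirm "created password" really happened.
shadow_hash_matches() {
    user=$1
    expected=$2
    shadow_file=${3:-/etc/shadow}
    # Values are passed through the environment so awk does not
    # reinterpret any characters in them.
    U="$user" H="$expected" awk -F: '
        $1 == ENVIRON["U"] { found = 1; ok = ($2 == ENVIRON["H"]) }
        END { exit ((found && ok) ? 0 : 1) }
    ' "$shadow_file"
}
```

Reading /etc/shadow requires root. Accounts reported by `users_missing_shadow` need a shadow entry (for example via pwconv, as mentioned above) before the password set by the user resource can take effect.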
On Thursday, December 20, 2012 11:48:19 PM UTC, Jagga Soorma wrote:
Thanks for your response Keiran. I am trying to use just that resource but can't seem to get it to work. Here is what my class looks like:
class oracle_password {
  user { 'oracle':
    ensure => 'present',
    password => '$1$etSqP2ht$3sjFIsw7q7Vxs5qc5sju//'
  }
}
[[email protected] home]# grep -i oracle /etc/shadow
[[email protected] home]#
Now once this resource is applied my assumption is there should be a /etc/shadow file entry for the oracle account but that never happens:
[[email protected] home]# puppet agent -t
Info: Retrieving plugin
Info: Caching catalog for testrhel.gene.com
Info: Applying configuration version '1356045773'
/Stage[main]/Oracle_password/User[oracle]/password: created password
Finished catalog run in 0.99 seconds
[[email protected] home]#
[[email protected] home]# grep -i oracle /etc/shadow
[[email protected] home]#
Sorry but you might receive a similar message twice. Forgot to reply to this post.
Thanks,
-J
On Thursday, December 20, 2012 3:37:30 PM UTC-8, Keiran Sweet wrote:
Hi There,
The user provider allows you to manage the value of the password hash in the shadow file.
You can see all the options available for this provider via 'puppet describe user'.
An example would be something like:
user { username:
  ensure => present,
  password => 'password_hash_here',
}
To quote the puppet documentation:
**password** - The user's password, in whatever encrypted format the local system requires.
To get all this working as you want, you may need to ensure that your operating system's authentication configuration (i.e., PAM) checks for authentication in the right order, i.e., local passwords, then kerberos, and you should test this carefully to make sure you don't get undesired results.
Hope this helps,
K
On Thursday, December 20, 2012 11:04:47 PM UTC, Jagga Soorma wrote:
Hi Guys,
I am new to puppet and trying to figure out what is the best way to manage a password for a specific user in the /etc/shadow file. Most of my users are being authenticated to kerberos but there is a need to set a local password for this one account. What would be the best method to do this via puppet? I have built my own RPMs in the past using the chpasswd command but that seems like a lot more work to build an RPM every time the password changes. Was hoping there was an easier/better way to do this via puppet.
Thanks,
-J
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/cEnql0ha_WIJ.