I am using Puppet to configure Ubuntu machines as LDAP clients, which
makes a variety of external users available to my machines, and then
attempting to create home directories with SSH keys for some of those
users that I have just 'added'. (At this point we are not sharing/
automounting /home.)
The basic order of action is this:
- install libnss-ldapd, which depends on/starts nscd/nslcd
- install ldap-auth-config & various config files
- run auth-client-config, which sets up the PAM config files to
include LDAP users (1)
- restart nscd (2)
- create homedirs for LDAP users
If I run these steps manually, at point (1) I can get results from
'getent passwd' that include LDAP users, but I can't su to an LDAP
user. If I then restart nscd — it's not enough to just invalidate the
cache — I can then su.
I have a carefully constructed set of require/notify resources which
causes all the right actions to happen, but every time I run Puppet
(puppetd --test), I get told the user does not exist:
err: //homedirs/Homedirectory[example]/File[/home/example]/ensure:
change from absent to directory failed: Could not set directory on
ensure: Could not find user example at /etc/puppet/modules/homedirs/
manifests/init.pp:37
At this point though, I *can* su to the example user. If I then run
puppet again, it sometimes fails on a second time through, but oddly
always works by the third.
At point (2) I have a Service resource to restart nscd, and have even
caused it to Exec a sleep of up to 15 seconds afterwards - no change.
This leads me to wonder if the state of the users that exist is
calculated/cached at the beginning of puppet's run, and won't be
updated during, if something happens to change the state. Is this
likely, and if so, what could I do to work around it?
Thanks
Craig
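As an added example (not from the original post or from Puppet itself), one way to decouple the homedir step from Puppet's own user lookup: a small script that the "create homedirs" step can call through an Exec, which waits until NSS (and therefore nscd/nslcd) actually resolves the user, then creates the home directory and authorized_keys with restrictive modes. The function names, the default timeout and the Exec sketch in the comments are my assumptions.

```shell
#!/bin/sh
# Added example helper, not part of the original post. Assumed names:
# wait_for_user, create_homedir. Sketch of how it could be wired in Puppet
# (assumption): exec { "homedir-example":
#                 command => "/usr/local/sbin/mkhome.sh example '<pubkey>'",
#                 require => Service["nscd"] }

# wait_for_user NAME [TIMEOUT_SECONDS]: return 0 once the user resolves,
# 1 if it still does not after TIMEOUT seconds. `id` goes through the same
# getpwnam()/NSS path (and nscd) as `getent passwd NAME`.
wait_for_user() {
    name=$1
    timeout=${2:-30}
    elapsed=0
    while ! id -u "$name" >/dev/null 2>&1; do
        [ "$elapsed" -ge "$timeout" ] && return 1
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}

# create_homedir NAME PUBKEY [ROOT]: create ROOT/NAME (ROOT defaults to
# /home) owned by the uid/gid NSS reports, with ~/.ssh/authorized_keys.
# The body runs in a subshell so the restrictive umask does not leak out.
create_homedir() (
    name=$1
    pubkey=$2
    root=${3:-/home}
    uid=$(id -u "$name") || return 1
    gid=$(id -g "$name") || return 1
    home="$root/$name"
    # Restrictive umask first, so the directory is never briefly world-readable.
    umask 077
    mkdir -p "$home/.ssh" || return 1
    printf '%s\n' "$pubkey" > "$home/.ssh/authorized_keys" || return 1
    chmod 700 "$home" "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    # Ownership last: sshd rejects authorized_keys not owned by the user.
    chown -R "$uid:$gid" "$home"
)
```

Calling wait_for_user before create_homedir (rather than a fixed sleep) makes the step fail loudly, with a non-zero exit, if the user never becomes resolvable within the timeout.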