Jira (PUP-2928) Puppet tries to update the group for user when he is listed as its member twice.


Moses Mendoza (JIRA)

Sep 22, 2016, 3:52:05 PM
to puppe...@googlegroups.com
Moses Mendoza commented on Bug PUP-2928
 
Re: Puppet tries to update the group for user when he is listed as its member twice.

This ticket has not been updated in some time and is now closed due to inactivity. If any viewer/watcher feels this is inaccurate, please re-open this ticket.

 
This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

Ed Marshall (JIRA)

Oct 28, 2017, 2:07:03 AM
to puppe...@googlegroups.com
Ed Marshall commented on Bug PUP-2928

The freshly-installed configuration of /etc/nsswitch.conf on Fedora 26 is:

{{
passwd: sss files systemd
group: sss files systemd
}}

Singular queries against this return correct (singular) results:

{{
$ getent group wheel
wheel:x:10:someuser
}}

But requests for the entire table return results from both sssd and the raw files directly (I assume because sssd won't necessarily have a complete cache of all possible user/group data sources):

{{
$ getent group | fgrep wheel
wheel:x:10:someuser
wheel:x:10:someuser
}}

In the original Trac ticket, it seemed as though the solution of treating the results of a getent table scan as a set was accepted as the right approach, but then this got lost in the shuffle with the move to JIRA.

(Having not looked at the code behind this, could targeted queries for individual lookups be made, letting any nscd/sssd-style caching do the heavy lifting? Rather than scanning the entire result table, which could potentially be quite large in some environments?)

Perhaps this is worth revisiting?

This message was sent by Atlassian JIRA (v7.0.2#70111-sha1:88534db)
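
The set-based treatment of a `getent group` table scan discussed above, as an added example that is not part of the original thread and not Puppet's own code. The sample table is constructed, all function names are hypothetical, and `list_in_sync?` is a simplified assumption about how a duplicated list fails a comparison; the gid check goes slightly beyond the thread, since merging by name assumes all backends agree on the gid.

```ruby
require 'set'

# Constructed `getent group` enumeration: two NSS backends answer for the
# same groups, as in the output quoted in this thread.
GETENT_GROUP = <<~OUT
  root:x:0:
  wheel:x:10:someuser
  ssl-user:x:301:tomcat7
  wheel:x:10:someuser
  ssl-user:x:301:tomcat7,otheruser
OUT

# Parse group(5)-style lines into [name, gid, members] rows.
def parse_groups(text)
  text.each_line.map(&:chomp).reject(&:empty?).map do |line|
    name, _pw, gid, members = line.split(':', 4)
    [name, Integer(gid), (members || '').split(',')]
  end
end

# Naive table scan: one result per matching row, so duplicates leak through.
def groups_naive(rows, user)
  rows.select { |_, _, members| members.include?(user) }.map(&:first)
end

# Set semantics: merge rows by group name and union their member lists.
def groups_as_set(rows, user)
  merged = Hash.new { |h, k| h[k] = Set.new }
  rows.each { |name, _, members| merged[name].merge(members) }
  merged.select { |_, members| members.include?(user) }.keys.sort
end

# Simplified stand-in for a list comparison between current and desired state
# (an assumption for illustration, not Puppet's actual property code).
def list_in_sync?(current, desired)
  current.sort == desired.sort
end

# Merging by name is only safe if every backend agrees on the gid; report
# group names that appear with more than one gid.
def gid_conflicts(rows)
  rows.group_by(&:first)
      .select { |_, same_name| same_name.map { |r| r[1] }.uniq.size > 1 }
      .keys
end
```
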

Josh Cooper (JIRA)

Nov 6, 2017, 6:34:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Puppet / Bug PUP-2928
Change By: Josh Cooper
When a user is found in several nss group backends ralsh shows it as being included into a group more than once and puppet continually tries to remove the user from that group.


To clarify:

I have the following resource in my manifest:
{code:puppet}
user { 'tomcat7':
  groups  => 'ssl-user',
}
{code}

Until recently everything was just fine but lately the following actions began to appear:
{noformat}
notice: /Stage[main]/Tomcat/User[tomcat7]/groups: groups changed 'ssl-user,ssl-user' to 'ssl-user'
{noformat}

The reason for that behaviour turned out to be the following line in /etc/nsswitch.conf:
{noformat}
root@susegrp1:~# cat /etc/nsswitch.conf  | grep group
group:         files ldap compat
{noformat}

When I remove the line, everything returns to normal.



Here is the output of actual state of resource on the system and as seen by puppet:
{noformat}
root@susegrp1:~# id tomcat7
uid=108(tomcat7) gid=114(tomcat7) groups=301(ssl-user),114(tomcat7)

root@susegrp1:~# getent group | grep ssl-user
ssl-user:x:301:tomcat7
ssl-user:x:301:tomcat7

root@susegrp1:~# ralsh user tomcat7
warning: User tomcat7 found in both useradd and useradd; skipping the useradd version
user { 'tomcat7':
  ensure           => 'present',
  gid              => '114',
  groups           => ['ssl-user', 'ssl-user'],
  home             => '/usr/share/tomcat7',
  password         => '*',
  password_max_age => '99999',
  password_min_age => '0',
  shell            => '/bin/false',
  uid              => '108',
}
{noformat}

I've reproduced this on puppet version 2.7.11-13 and not tested others.

Josh Cooper (JIRA)

Nov 6, 2017, 8:20:04 PM
to puppe...@googlegroups.com

Joe B (JIRA)

Feb 13, 2018, 5:51:04 PM
to puppe...@googlegroups.com
Joe B commented on Bug PUP-2928
 
Re: Puppet tries to update the group for user when he is listed as its member twice.

Ed Marshall's fix works for me on my puppet clients. Who knew that a single uniq could solve a problem that has existed for the last 6 years?

This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574)

Jon Pugh (JIRA)

Oct 3, 2018, 5:02:03 AM
to puppe...@googlegroups.com
Jon Pugh commented on Bug PUP-2928

This is also an issue for me.

I think the description could also be stated as "puppet user resource does not always correctly honour the membership => 'minimum' attribute".

If the worry is backwards compatibility (I personally don't see any concern though) then possibly offer an alternate value, e.g.

membership => 'unique_minimum'

Whilst the file_line fix Ed Marshall suggested might work it is clearly an undesirable and fragile hack implemented only due to necessity as this ticket has not been addressed.

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Jon Pugh (JIRA)

Oct 3, 2018, 5:12:03 AM
to puppe...@googlegroups.com

Jarret Lavallee (JIRA)

Oct 12, 2018, 12:06:05 PM
to puppe...@googlegroups.com

Josh Cooper (JIRA)

Jan 23, 2020, 1:35:05 AM
to puppe...@googlegroups.com