unable to create home directory


Patrick G.

Mar 29, 2016, 10:44:17 AM
to Puppet Users
Hi,

I am using puppet-module-ssh.

In the yaml file I have:

ssh::keys:
  admin:
    ensure: present
    user: admin
    type: dsa
    key: AAAA...==

But when running puppet agent I get:

Notice: /Stage[main]/Ssh/Ssh_authorized_key[admin]/ensure: created
Debug: Creating /home/admin/.ssh
Error: /Stage[main]/Ssh/Ssh_authorized_key[admin]: Could not evaluate: No such file or directory - /home/admin/.ssh



Lowe Schmidt

Mar 29, 2016, 11:09:52 AM
to puppet...@googlegroups.com
> Notice: /Stage[main]/Ssh/Ssh_authorized_key[admin]/ensure: created
> Debug: Creating /home/admin/.ssh
> Error: /Stage[main]/Ssh/Ssh_authorized_key[admin]: Could not evaluate: No such file or directory - /home/admin/.ssh

Well, does the directory /home/admin/.ssh exist? 

--
Lowe Schmidt | +46 723 867 157


Patrick G.

Mar 31, 2016, 4:56:18 AM
to puppet...@googlegroups.com
Nope …
With new users this should create the directory.

The debug log shows:
Debug: Creating /home/admin/.ssh

But it doesn’t create it.

Gr. Patrick.

Chad Huneycutt

Mar 31, 2016, 7:14:30 AM
to puppet...@googlegroups.com
That is actually where it is failing. Do /home and /home/admin exist? Does puppet have permission to create it?




--
Chad M. Huneycutt

Patrick G.

Mar 31, 2016, 8:13:30 AM
to puppet...@googlegroups.com
/home does exist but /home/admin doesn’t because it is a new user.

How should I give puppet permission to create this directory?

Lowe Schmidt

Mar 31, 2016, 8:58:26 AM
to puppet...@googlegroups.com
Are you creating the user with puppet or do you have something like LDAP or AD that manages users and access for you?



--
Lowe Schmidt | +46 723 867 157

jcbollinger

Mar 31, 2016, 9:39:44 AM
to Puppet Users


On Thursday, March 31, 2016 at 7:13:30 AM UTC-5, Patrick G. wrote:
> /home does exist but /home/admin doesn’t because it is a new user.
>
> How should I give puppet permission to create this directory?


It's unclear whether you need to give Puppet permission, whether you need to give it an additional resource to manage, or whether you just need to instruct Puppet to manage resources in a different relative order.  I'd rate a permission problem the least likely of those possibilities.

If you expect the new user's home directory to be created as part of the process of creating a new user under Puppet management, then
  1. the relevant User resource must be synced before any ssh key attributed to them, and
  2. that resource's parameters should specify that the user home directory is to be managed.
You have not described the module you are using well enough for me to distinguish it from the dozens of other SSH modules, but your log excerpt shows it using the standard Ssh_authorized_key resource type.  That type automatically causes the key's associated user to be managed before the key itself if that user is in fact under management as a User resource, so I conclude that either there is no such User in the catalog at all (in which case I'm uncertain why you characterize the context as creating a new user) or else that User is not configured as you need it to be.

For example, for this to work properly in conjunction with creating a new user, you might need the relevant User resource to be configured with at least these properties and parameters:

user { 'admin':
  ensure     => 'present',
  uid        => 1, # or whatever
  gid        => 1, # or whatever
  home       => '/home/admin',
  managehome => true
}

Alternatively, if your local user management subsystem does not support managing user home directories directly in concert with creating users, then you might need to manage the home directory explicitly, as a File resource.  In that case you will want to specify a relationship between that File and the User or Ssh::Key that causes the home directory to be managed first.

If you do have a permission problem after all, however, then in order to solve it you need to understand its nature.  Are there mandatory access controls (i.e. SELinux policy) preventing Puppet from doing what it needs to do?  Is /home on a remote file system that squashes root privileges?  Is puppet running as an unprivileged user?  There may be other possibilities.  You can't solve such a problem without knowing in some detail what the problem is.


John

warron.french

Mar 31, 2016, 10:34:04 AM
to puppet...@googlegroups.com
Isn't .ssh created after the first time a user attempts an SSH outbound connection, not at initial creation of homedirs?

--------------------------
Warron French


jcbollinger

Apr 1, 2016, 9:34:01 AM
to Puppet Users


On Thursday, March 31, 2016 at 9:34:04 AM UTC-5, Warron French wrote:
> Isn't .ssh created after the first time a user attempts an SSH outbound connection, not at initial creation of homedirs?

Inasmuch as we seem to be talking about OpenSSH or a work-alike, yes, the ssh client creates the .ssh/ directory automatically at need.  In no way does that mean it cannot or should not be created by another mechanism, however.  The directory needs to exist so that Puppet can manage an authorized key entry within.  If it does not already exist at the time of the catalog run, then Puppet needs to create it.  Puppet is trying to do so, but failing.


John

Mike Hendon

Apr 1, 2016, 10:32:43 AM
to Puppet Users
To create the admin home directory first the ssh key resource should be dependent on an admin user resource. 

Patrick G.

Apr 4, 2016, 9:23:11 AM
to Puppet Users
I don't need to create the user, just /home/<username>/.ssh, because the user exists in LDAP.
So how do I give access to puppet to create only /home/admin/.ssh?



On Friday, April 1, 2016 at 16:32:43 UTC+2, Mike Hendon wrote:

jcbollinger

Apr 4, 2016, 9:27:55 AM
to Puppet Users


On Friday, April 1, 2016 at 9:32:43 AM UTC-5, Mike Hendon wrote:

> To create the admin home directory first the ssh key resource should be dependent on an admin user resource.


Yes and no.  As I covered in one of my previous responses to this thread, if there is a User['admin'] under management for the target node then Ssh_authorized_keys associated with 'admin' will autorequire that User.  So yes, there must be a relationship, but no, it does not have to be expressed explicitly in any manifest.


John

jcbollinger

Apr 4, 2016, 9:52:37 AM
to Puppet Users

On Monday, April 4, 2016 at 8:23:11 AM UTC-5, Patrick G. wrote:
> I don't need to create the user, just /home/<username>/.ssh, because the user exists in LDAP.
> So how do I give access to puppet to create only /home/admin/.ssh?

As I wrote earlier, it's unclear whether yours is in fact an access control problem at all, but that seems one of the less likely possibilities.  If it turns out indeed to be the problem, then as, again, I wrote earlier, you need to more precisely identify the nature of the problem before you or we can solve it.  But do read on ....

If you are not managing a User resource for 'admin' -- which is not related to whether you use LDAP as an account and credential database -- then yours is a trivial case of the one in which your local user management subsystem does not support managing user home directories.  As I wrote before, in that case you may need to manage the user's home directory explicitly.  And by that, I mean you do need to manage the user home directory (e.g. /home/admin) directly if you cannot otherwise rely on it to be present.  Furthermore, you need to establish a relationship between home directory and key to ensure that the directory is synced first.  For example, something like this:

file { '/home/admin':
  ensure => 'directory',
  owner  => 'admin',   # the file type's ownership attribute is 'owner'
  group  => 'admin',
  mode   => '0750'
}

File['/home/admin'] -> Ssh_authorized_key<| user == 'admin' |>

There's a bit of an issue surrounding where (which class in which module) something like that should go, and I haven't the visibility into your manifest set to make any recommendations about that.  Furthermore, I reiterate that that is an example.  Your specific situation may require a variation on that, or even an altogether different approach that accomplishes the same thing.


John


Mike Hendon

Apr 4, 2016, 9:55:57 AM
to Puppet Users
In that case just have puppet create the directory if it doesn't already exist and ensure that the ownership is set correctly.
Then have the ssh_authorized_keys resource require the directory resource.
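
The approach the thread converges on (manage the home directory and .ssh explicitly for an account that comes from LDAP, then order the key after them), as an added example that is not from the thread or from puppet-module-ssh. The defined type name ldap_ssh_key, its parameters, the group default and the key value are hypothetical.

```puppet
# Added example: hypothetical defined type, not part of puppet-module-ssh.
# Assumes Puppet 4+ (typed parameters) and that the account already resolves
# through NSS (e.g. LDAP), so no User resource is declared and nothing else
# would create the home directory.
define ldap_ssh_key (
  String $key,
  String $type  = 'ssh-ed25519',
  String $user  = $title,
  String $group = $title,            # assumption: primary group is named after the user
  String $home  = "/home/${title}",
) {
  # Home directory without group/other write access; sshd's StrictModes
  # check rejects keys under a group- or world-writable home.
  file { $home:
    ensure => 'directory',
    owner  => $user,
    group  => $group,
    mode   => '0750',
  }

  # .ssh must exist before the key is written; keep it private to the owner.
  file { "${home}/.ssh":
    ensure  => 'directory',
    owner   => $user,
    group   => $group,
    mode    => '0700',
    require => File[$home],
  }

  # Explicit ordering: there is no User['admin'] in the catalog to autorequire.
  ssh_authorized_key { "${user}-login":
    ensure  => 'present',
    user    => $user,
    type    => $type,
    key     => $key,
    require => File["${home}/.ssh"],
  }
}

ldap_ssh_key { 'admin':
  key => 'REPLACEWITHBASE64PUBLICKEY',   # constructed placeholder, not a real key
}
```

Declaring this type more than once for the same user would duplicate the File resources, so a site with several keys per account would move the two directories into a per-user resource of their own.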