Active Directory join, stages, and AD accounts issues


Monkeys Typing

Feb 11, 2011, 2:52:09 PM
to Puppet Users
I have a mostly working set of modules to replace our kickstart and
about a dozen scripts.

I am having issues with attempting to populate my AD account-owned
user folders in the initial puppet run. The machines I am testing
with are all CentOS 5.5 so far.

I have defined 3 additional stages,
Stage [init] -> Stage [pre] -> Stage [main] -> Stage [post]
to attempt to fix this to no avail. I have my Samba class defined in
pre, with my "make ad prod user folders" class defined in post. I am
also managing my ldap.conf, system-auth-ac, nsswitch.conf all in the
initial stages.

I have an exec in my samba module to join the new servers to the
domain, a simple "net ads join -U adminaccount".

I see during --test runs, that the joindomain exec is scheduled to run
after the smb and krb5 files are puppettized. Then way at the end of
my run I see puppet attempting to create my user folders, but it is
giving errors stating that the users do not exist. However, as soon
as the catalog run finishes, the AD users are indeed recognized by id
<username>.

A second run of puppet completes with no issues.

What am I missing to make sure that the AD user folders class is not
attempted before the join has happened?

Thanks,

Jim Goddard

Nigel Kersten

Feb 11, 2011, 3:01:16 PM
to puppet...@googlegroups.com

One thing that wasn't quite clear was whether in the logs you've
verified that the exec is actually run after the user folders class.
i.e. whether this is a puppet ordering problem, or a lag on the node
between joining and the users being accessible.


Daniel Pittman

Feb 13, 2011, 1:16:33 AM
to puppet...@googlegroups.com
On Fri, Feb 11, 2011 at 12:01, Nigel Kersten <ni...@puppetlabs.com> wrote:
> On Fri, Feb 11, 2011 at 11:52 AM, Monkeys Typing
> <monkeys...@gmail.com> wrote:

[…]

>> I have an exec in my samba module to join the new servers to the
>> domain, a simple "net ads join -U adminaccount".
>>
>> I see during --test runs, that the joindomain exec is scheduled to run
>> after the smb and krb5 files are puppettized.  Then way at the end of
>> my run I see puppet attempting to create my user folders, but it is
>> giving errors stating that the users do not exist.  However, as soon
>> as the catalog run finishes, the AD users are indeed recognized by id
>> <username>.
>>
>> A second run of puppet completes with no issues.
>>
>> What am I missing to make sure that the AD user folders class is not
>> attempted before the join has happened?
>
> One thing that wasn't quite clear was whether in the logs you've
> verified that the exec is actually run after the user folders class.
> ie whether this is a puppet ordering problem, or a lag on the node
> between joining and the users being accessible.

...or the puppet agent failing because it cached the user list, and
didn't recheck, which bit me years back but may still be lurking. Can
we see the error messages from puppet and, ideally, the bits of the
manifest in question?

Regards,
daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons

Monkeys Typing

Feb 15, 2011, 1:17:02 PM
to Puppet Users
Thanks for the suggestions. Here are the logs and relevant portions
of the manifests. I have the ldap.conf file set in an even earlier
stage, so that doesn't seem to be the problem.

Feb 14 18:40:32 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/Package[samba]/ensure) created
Feb 14 18:40:32 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/Package[samba]) Scheduling refresh of Exec[joindomain]
Feb 14 18:40:32 puppettest02 puppet-agent[2884]: FileBucket adding /etc/krb5.conf as {md5}94be488988fe3690414d521eeb3d07cb
Feb 14 18:40:32 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/File[/etc/krb5.conf]) Filebucketed /etc/krb5.conf to main with sum 94be488988fe3690414d521eeb3d07cb
Feb 14 18:40:32 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/File[/etc/krb5.conf]/content) content changed '{md5}94be488988fe3690414d521eeb3d07cb' to '{md5}0673a8a7c9d801b1ee465654f0fb47b8'
Feb 14 18:40:32 puppettest02 puppet-agent[2884]: FileBucket adding /etc/samba/smb.conf as {md5}eb2bea901479ef4f6bd200e86a037e3b
Feb 14 18:40:32 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/File[/etc/samba/smb.conf]) Filebucketed /etc/samba/smb.conf to main with sum eb2bea901479ef4f6bd200e86a037e3b
Feb 14 18:40:33 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/File[/etc/samba/smb.conf]/content) content changed '{md5}eb2bea901479ef4f6bd200e86a037e3b' to '{md5}3df3f064d8d1c9bfa5950552b43c2ff0'
Feb 14 18:40:33 puppettest02 puppet-agent[2884]: FileBucket adding /etc/nsswitch.conf as {md5}c2bd306b205ad9e81fb02ce6b225d384
Feb 14 18:40:33 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/File[/etc/nsswitch.conf]) Filebucketed /etc/nsswitch.conf to main with sum c2bd306b205ad9e81fb02ce6b225d384
Feb 14 18:40:33 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/File[/etc/nsswitch.conf]/content) content changed '{md5}c2bd306b205ad9e81fb02ce6b225d384' to '{md5}d214e24671ee6aede2adb4b651892dfe'
Feb 14 18:40:33 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/Exec[joindomain]/returns) executed successfully
Feb 14 18:40:33 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/Exec[joindomain]) Triggered 'refresh' from 1 events

Feb 14 18:50:15 puppettest02 puppet-agent[2884]: (/Stage[post]/Makeadprod/File[/home/CORP]/ensure) created
Feb 14 18:50:15 puppettest02 puppet-agent[2884]: (/Stage[post]/Makeadprod/File[/home/CORP/abba]/ensure) change from absent to directory failed: Could not set 'directory on ensure: Could not find user abba at /etc/puppet/modules/makeadprod/manifests/init.pp:344

# /etc/puppet/modules/samba/manifests/init.pp

class samba {

  include "ntp"

  package { samba:
    ensure => latest,
    notify => Exec["joindomain"],
    # require => Class["localusers"],
  }

  file { "/etc/samba/smb.conf":
    owner   => "root",
    group   => "root",
    mode    => 644,
    source  => "puppet:///modules/samba/smb.conf",
    require => Package["samba"],
  }

  file { "/etc/krb5.conf":
    owner   => "root",
    group   => "root",
    mode    => 644,
    source  => "puppet:///modules/samba/krb5.conf.$dc_location",
    require => Package["samba"],
  }

  file { "/etc/nsswitch.conf":
    owner   => "root",
    group   => "root",
    mode    => 644,
    source  => "puppet:///modules/samba/nsswitch.conf",
    require => [ Package["samba"], Class["ldapconf"] ],
  }

  exec { "joindomain":
    path    => "/usr/bin:/usr/sbin",
    command => $ad_joined ? {
      "true"  => "/bin/true",
      "false" => "net ads join -U <domainaccount%password>",
    },
    require => [ Package["samba"], Class["ntp"], File["/etc/krb5.conf"],
                 File["/etc/samba/smb.conf"], File["/etc/nsswitch.conf"], ],
  }
}

# /etc/puppet/modules/makeadprod/manifests/init.pp

class makeadprod {

  include "samba"
  include "localusers"

  file { "/home/CORP":
    owner  => "root",
    group  => "root",
    mode   => 644,
    ensure => directory,
  }

  file { "/home/CORP/abba":
    owner   => "abba",
    group   => "Ops",
    mode    => 640,
    ensure  => directory,
    recurse => true,
    purge   => false,
    source  => "puppet:///modules/makeadprod/abba",
    require => [ Class["samba"], Exec["joindomain"], File["/home/CORP"] ],
    #require => [ Class["samba"], File["/home/CORP"] ],
  }
  ... The rest of the manifest just creates the user directories,
  installs their keys, etc.
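The log above already answers Nigel's ordering question: Exec[joindomain] ran at 18:40:33 and the /home/CORP/abba failure came at 18:50:15, so the catalog order is right and ten minutes is far more than any winbind lag. What the manifests lack is a dependency on the thing that actually matters, namely the account resolving through NSS on the node. The define below is an added example written for this thread, not Jim's manifests or anything shipped with Puppet; it gates each home directory on a getent lookup that is retried, and it doubles as a diagnostic for Daniel's caching theory. It assumes Exec['joindomain'] and File['/home/CORP'] exist as in the posted classes, that the Puppet version in use has the exec parameters tries and try_sleep, that getent is at /usr/bin/getent, and that nsswitch.conf sends passwd lookups to winbind after the join; the name makeadprod::adhome is hypothetical.

```puppet
# Added example, not part of the posted manifests. Assumes:
#  - Exec['joindomain'] and File['/home/CORP'] are declared as in the
#    posted samba and makeadprod classes;
#  - the exec type supports tries/try_sleep;
#  - getent is at /usr/bin/getent and nsswitch.conf routes passwd
#    lookups to winbind once the join has happened.
# The define name makeadprod::adhome is hypothetical; put it in
# makeadprod/manifests/adhome.pp so the autoloader finds it.

define makeadprod::adhome($group = 'Ops') {

  # Gate: this exec passes only once NSS can resolve the account.
  # 'unless' makes it a no-op on later runs when the user already
  # resolves; otherwise the command is retried up to 20 times, 15 s
  # apart, which covers a winbind start-up lag after 'net ads join'.
  exec { "wait-for-ad-user-${name}":
    path      => '/usr/bin:/bin',
    command   => "getent passwd ${name}",
    unless    => "getent passwd ${name}",
    tries     => 20,
    try_sleep => 15,
    logoutput => on_failure,
    require   => Exec['joindomain'],
  }

  # The home directory depends on the gate, so it is never attempted
  # before the account resolves. If the gate passes and this resource
  # still fails with "Could not find user", the lookup that fails is
  # inside the agent process (the cached-user-list theory), not NSS.
  file { "/home/CORP/${name}":
    ensure  => directory,
    owner   => $name,
    group   => $group,
    mode    => '0750',
    require => [ File['/home/CORP'], Exec["wait-for-ad-user-${name}"] ],
  }
}

# One resource per AD account; declare this class in the 'post' stage
# the same way makeadprod is today.
class makeadprod::homes {
  include samba
  makeadprod::adhome { 'abba': }
}
```

With the gate in place a first run either waits out a real NSS lag and creates the directory, or fails on Exec['wait-for-ad-user-abba'] with getent's output in the report, which is a much more specific failure than "Could not find user" on the file resource. The third outcome, gate passing but file still failing, tells you the agent itself is not re-querying the user database during the run, and no sleep or stage arrangement will fix that; a second run, as Jim and Austin both observed, will.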

Austin Smith

Oct 9, 2015, 3:53:47 PM
to Puppet Users
Did you ever find a fix for this?  I think it may be a puppet issue caching the user list on catalog initiation - I put a 3 minute sleep behind the net ads join exec and it still errored, but a successive run immediately populates the users properly.

Thanks,
Austin