Jira (PUP-1913) Puppet user resource should respect the forcelocal option


Bob Vincent (JIRA)

Nov 20, 2015, 12:20:15 PM
to puppe...@googlegroups.com
Bob Vincent updated an issue
 
Puppet / New Feature PUP-1913
Puppet user resource should respect the forcelocal option
Change By: Bob Vincent
Summary: Puppet user resource should respect the forcelocal option (was: Puppet user resource should read only from local databases)
Description:
Currently, the puppet user type uses `getent` to get information about user resources.

The problem with this is that `getent` will also report information from LDAP and other remote user management services that are configured in nsswitch.conf, which are not actually managed by Puppet.

This can cause Puppet to think a user exists even when it does not exist *locally* (as an entry in /etc/passwd and/or a directory in /home/$username). (was: This can cause Puppet to think and will report that a user is in a local group, or not in a local group, when the opposite is true.)

(removed paragraph: This is especially problematic since we use the useradd suite of commands to actually manage the settings, which of course affect local users/groups only.)

Puppet uses luseradd/etc in an LDAP environment, but should switch to useradd/etc when "forcelocal" is true.

Puppet's user type should have some way of examining/modifying only local users and groups when the forcelocal option is true. (was: Puppet's user type should have some way of examining only local users and groups, to check if something is currently true/present/etc.)
This message was sent by Atlassian JIRA (v6.4.12#64027-sha1:e3691cc)

Sean Millichamp (JIRA)

Nov 20, 2015, 2:54:04 PM
to puppe...@googlegroups.com
Sean Millichamp commented on New Feature PUP-1913
 
Re: Puppet user resource should respect the forcelocal option

Unless I am misunderstanding something, user enumeration via the provider instances method (used by the resource type for purging, for example) is invoked at a point where the forcelocal option won't be seen/honored, even if set as a global resource default. So, focusing on forcelocal really misses a large part of this. The real fix needs to be in instances and how the users are enumerated.
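
The getent versus /etc/passwd distinction from the description, and Sean's point that the fix belongs in how instances enumerates users, as an added example in Ruby (not Puppet's provider code): both passwd samples are constructed, and NSS_PASSWD stands in for what `getent passwd` returns when nsswitch.conf also consults LDAP.

```ruby
# Added example, not Puppet's user provider: shows why an NSS-backed lookup
# and a local-only lookup disagree about which users exist, and what that
# does to a provider's sync decision.

# Constructed /etc/passwd sample: only root and consul exist locally.
LOCAL_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  consul:x:995:992:consul user:/var/lib/consul:/sbin/nologin
PASSWD

# Constructed stand-in for `getent passwd` output when nsswitch.conf also
# consults LDAP: the local entries plus a directory-only account.
NSS_PASSWD = LOCAL_PASSWD + "jdoe:x:100001:1002:Jane Doe:/home/jdoe:/bin/bash\n"

# Parse passwd(5) text into a { name => fields } hash. Names cannot contain
# ':' in passwd(5), so a plain split is enough; malformed lines (fewer than
# seven fields) are skipped rather than raising.
def parse_passwd(text)
  text.each_line.with_object({}) do |line, users|
    fields = line.chomp.split(':', -1)
    next if fields.length < 7
    name, _pw, uid, gid, gecos, home, shell = fields
    users[name] = { uid: Integer(uid), gid: Integer(gid),
                    gecos: gecos, home: home, shell: shell }
  end
end

# Enumerate users the way the ticket asks the provider's instances method to:
# with forcelocal only the local database is read, otherwise every source
# nsswitch.conf knows about is consulted.
def enumerate_users(forcelocal:, local: LOCAL_PASSWD, nss: NSS_PASSWD)
  parse_passwd(forcelocal ? local : nss)
end

def user_exists?(name, forcelocal:, **sources)
  enumerate_users(forcelocal: forcelocal, **sources).key?(name)
end

# Accounts the NSS view reports that have no /etc/passwd entry: these are the
# ones useradd/usermod/userdel cannot manage, whatever getent says.
def remote_only_users(local: LOCAL_PASSWD, nss: NSS_PASSWD)
  parse_passwd(nss).keys - parse_passwd(local).keys
end

# What a provider would decide for `ensure => present`: with the NSS view a
# directory-only user looks in sync, so no local account is ever created.
def sync_action(name, forcelocal:, **sources)
  user_exists?(name, forcelocal: forcelocal, **sources) ? :in_sync : :create
end
```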

Kylo Ginsberg (JIRA)

Mar 24, 2016, 12:45:04 PM
to puppe...@googlegroups.com
Kylo Ginsberg updated an issue
 
Change By: Kylo Ginsberg
Scrum Team: Client Platform

Kylo Ginsberg (JIRA)

Mar 24, 2016, 12:46:03 PM
to puppe...@googlegroups.com
Kylo Ginsberg updated an issue
Change By: Kylo Ginsberg
Sprint: Client 2016-04-20 (Bigga Bugs)

Josh Cooper (JIRA)

Mar 30, 2016, 6:26:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Client 2016-04-20 (Bigga Bugs)

Agustin (JIRA)

Jul 5, 2016, 2:19:14 PM
to puppe...@googlegroups.com
Agustin commented on New Feature PUP-1913
 
Re: Puppet user resource should respect the forcelocal option

I am seeing some strange behavior when using forge module kyleanderson/consul for instance.

I have authentication via PAM with LDAP. The module creates the local user OK, but when it runs again, and on all subsequent runs, it takes 60 more seconds than before. It used to take 4 secs for the whole run, but as the consul module tries to eval the User consul, it seems it searches my entire LDAP and takes 60 seconds more. I put a default in my site.pp:

User { forcelocal => true }

but no luck. It still wastes 60 seconds on User.

Package: 1.75
Last run: 1467731830
User: 51.14
Config retrieval: 6.60
Total: 61.44
Version:
Config: 1467731750
Puppet: 4.5.2

How can I help? Cheers!

Moses Mendoza (JIRA)

Sep 22, 2016, 3:32:06 PM
to puppe...@googlegroups.com
Moses Mendoza updated an issue
 
Change By: Moses Mendoza
Labels: customer manage-user-group redmine

Geoff Nichols (JIRA)

Mar 29, 2017, 2:30:04 PM
to puppe...@googlegroups.com

Geoff Nichols (JIRA)

Mar 29, 2017, 2:32:02 PM
to puppe...@googlegroups.com

Geoff Nichols (JIRA)

Apr 12, 2017, 12:21:03 PM
to puppe...@googlegroups.com
Geoff Nichols updated an issue
Change By: Geoff Nichols
Sprint: Agent Grooming  On-Deck

Geoff Nichols (JIRA)

Apr 13, 2017, 1:40:03 AM
to puppe...@googlegroups.com

John Duarte (JIRA)

May 15, 2017, 7:47:04 PM
to puppe...@googlegroups.com
John Duarte updated an issue
Change By: John Duarte
Labels: customer manage-user-group redmine  triaged

Moses Mendoza (JIRA)

May 18, 2017, 1:49:18 PM
to puppe...@googlegroups.com
Moses Mendoza updated an issue
Change By: Moses Mendoza
Labels: customer manage-user-group redmine  triaged

Halim Wijaya (JIRA)

Jan 11, 2018, 6:47:03 PM
to puppe...@googlegroups.com
Halim Wijaya updated an issue
Change By: Halim Wijaya
CS Priority: Needs Priority

Owen Rodabaugh (JIRA)

Jan 11, 2018, 7:20:04 PM
to puppe...@googlegroups.com
Owen Rodabaugh commented on New Feature PUP-1913
 
Re: Puppet user resource should respect the forcelocal option

We reviewed this in CS Triage and have concerns on expanding the provider to handle forcelocal on OSs which do not offer the luseradd commands which forcelocal relies on. This would require the provider to manipulate the etc/shadow, etc/passwd, etc/user, etc/group which is very risky.

Forcelocal does work on distributions with the luser* commands. We've seen other cases (SLES pulling in an OpenSUSE package) where users were able to add the libuser package to get this to work.

Instead we would recommend updating the documentation to more clearly spell this out and also maybe elevating the debug message about forcelocal to warning level so that the reasons behind this not working are more clear.

Owen Rodabaugh (JIRA)

Jan 11, 2018, 7:55:04 PM
to puppe...@googlegroups.com
Owen Rodabaugh updated an issue
 
Change By: Owen Rodabaugh
CS Priority: Reviewed (was: Needs Priority)

Adam Bottchen (JIRA)

Jan 23, 2018, 1:17:03 PM
to puppe...@googlegroups.com
Adam Bottchen commented on New Feature PUP-1913
 
Re: Puppet user resource should respect the forcelocal option

Karthikeyan Kanagaraj, the resource you outlined:

user { 'oracle':
  ensure     => present,
  uid        => '100000',
  gid        => '1002',
  groups     => 'dba',
  expiry     => absent,
  allowdupe  => true,
  home       => '/app/oracle',
  forcelocal => true,
  shell      => '/usr/bin/ksh',
}

is instructing Puppet to add the oracle user to the supplementary group "dba" and to set an infinite expiration. Unfortunately the lusermod command does not support adding users to supplementary groups or setting account expiry dates, only useradd supports those commands. In order to update the user provider to handle those cases, we would need the OS supplied tools to support them.

Geoff Nichols (JIRA)

Apr 14, 2018, 9:06:05 PM
to puppe...@googlegroups.com
Geoff Nichols updated an issue
 
Change By: Geoff Nichols
Labels: customer ldap manage-user-group redmine type_and_provider

Stefan Förster (JIRA)

Apr 17, 2018, 3:20:03 AM
to puppe...@googlegroups.com
Stefan Förster commented on New Feature PUP-1913
 
Re: Puppet user resource should respect the forcelocal option

With forcelocal => true, adding a user with expiry => absent will not only trigger usage of the "wrong" commands, but also a usage error on CentOS 6:

Notice: /Stage[main]/Access/Access::Account[testuser]/File[/etc/ssh/authorized_keys.sftp.d/testuser]/ensure: defined content as '{md5}f67ab78e2b49dfcd6a5d4cc9b69749e8'
Debug: /Stage[main]/Access/Access::Account[testuser]/File[/etc/ssh/authorized_keys.sftp.d/testuser]: The container Access::Account[testuser] will propagate my refresh event
Debug: Executing: '/usr/sbin/luseradd -c F-I Fonddurchschau (bayn, production) -g sftp -d /home/testuser -p !! -s /sbin/nologin -u 18048 testuser'
Debug: Executing: '/usr/sbin/usermod -G testuser'
Debug: Executing: '/usr/sbin/lusermod -e testuser'
Error: Could not set expiry on user[testuser]: Execution of '/usr/sbin/lusermod -e testuser' returned 1: Error parsing arguments: unknown option.
Usage: lusermod [-imLU?] [-i|--interactive] [-c|--gecos STRING]
[-d|--directory STRING] [-m|--movedirectory] [-s|--shell STRING]
[-u|--uid NUM] [-g|--gid NUM] [-l|--login STRING]
[-P|--plainpassword STRING] [-p|--password STRING] [-L|--lock]
[-U|--unlock] [--commonname=STRING] [--givenname=STRING]
[--surname=STRING] [--roomnumber=STRING] [--telephonenumber=STRING]
[--homephone=STRING] [-?|--help] [--usage] [OPTION...] user
Error: /Stage[main]/Access/Access::Account[testuser]/User[testuser]/ensure: change from 'absent' to 'present' failed: Could not set expiry on user[testuser]: Execution of '/usr/sbin/lusermod -e testuser' returned 1: Error parsing arguments: unknown option.
Usage: lusermod [-imLU?] [-i|--interactive] [-c|--gecos STRING]
[-d|--directory STRING] [-m|--movedirectory] [-s|--shell STRING]
[-u|--uid NUM] [-g|--gid NUM] [-l|--login STRING]
[-P|--plainpassword STRING] [-p|--password STRING] [-L|--lock]
[-U|--unlock] [--commonname=STRING] [--givenname=STRING] 

Branan Riley (JIRA)

May 9, 2018, 2:55:03 PM
to puppe...@googlegroups.com
Branan Riley updated an issue
 
Change By: Branan Riley
Labels: customer ldap manage-user-group redmine triaged type_and_provider user

Josh Cooper (Jira)

Mar 17, 2020, 12:45:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on New Feature PUP-1913
 
Re: Puppet user resource should respect the forcelocal option

Can this be closed now that PUP-8470, PUP-9195, PUP-10169 have been implemented?

Josh Cooper (Jira)

Apr 28, 2020, 12:15:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on New Feature PUP-1913

The functionality described in this ticket was implemented (see PUP-8470, PUP-9195, PUP-10169), so I'm closing this ticket. Please reopen if something is missing.

Josh Cooper (Jira)

May 13, 2020, 9:22:03 PM
to puppe...@googlegroups.com