Part of my authentication setup is to keep clients' secrets.tdb for
Samba/Winbind on the puppetmaster. Since secrets.tdb contains the
username/password for an Active Directory machine account, it will get
changed by Winbind periodically, and I don't want those changes to
get reverted by puppet. So I've got active-directory-member.pp, last
modified August 19, with the following contents:

class active-directory-member {
    package {
        [ "winbind", "krb5-config", "libpam-krb5" ]:
            ensure => installed;
    }
    service { [ "winbind" ]:
        pattern   => "/usr/sbin/winbindd",
        ensure    => running,
        subscribe => [ File["/etc/samba/smb.conf"],
                       File["/var/lib/samba/secrets.tdb"] ];
    }
    file {
        "/etc/samba/smb.conf":
            source => "puppet:///files/apps/samba/smb.conf";
        "/var/lib/samba":
            ensure => directory,
            owner  => root,
            group  => root,
            mode   => 755;
        "/var/lib/samba/secrets.tdb":
            source  => "puppet:///private/secrets.tdb",
            replace => false,
            owner   => root,
            group   => root,
            mode    => 600;
        "/etc/nsswitch.conf":
            source => "puppet:///files/apps/active-directory-member/nsswitch.conf";
        "/etc/pam.d/common-account":
            source => "puppet:///files/apps/active-directory-member/common-account";
        "/etc/krb5.conf":
            source => "puppet:///files/apps/active-directory-member/krb5.conf";
        "/etc/pam.d/common-auth":
            source => "puppet:///files/apps/active-directory-member/common-auth";
        "/etc/security/users.conf":
            source => [
                "puppet:///files/apps/pam_listfile/users.conf.$hostname",
                "puppet:///files/apps/pam_listfile/users.conf.default"
            ];
    }
    exec {
        "netjoin":
            command => "/usr/bin/net rpc join -U account%password",
            creates => "/var/lib/samba/secrets.tdb",
            require => File["/etc/samba/smb.conf"];
    }
}

so why would secrets.tdb get overwritten on the 20th, as shown below?

Aug 20 12:10:41 ch204b puppetd[11943]: (//ch204b/active-directory-member/File[/var/lib/samba/secrets.tdb]/checksum) checksum changed '{md5}258e2b4b377073fe69c18b20e58eaa12' to '{md5}9656183d2df1d8f0ae25c6461b6ad22c'
Aug 20 12:10:41 ch204b puppetd[11943]: (//ch204b/active-directory-member/Service[winbind]) Triggering 'refresh' from 1 dependencies

The only place replace appears to be mentioned is in pfile/source.rb:

parentensure = @resource.property(:ensure).retrieve
if parentensure != :absent and ! @resource.replace?
    return true
end

Is something wrong in my manifest, or is this a puppet bug?
--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University