Hi,

I am sure this subject has come up before. I did not find anything on Google that comes close to what I am trying to do.

I would like to manage different groups on multiple nodes using puppet and do not know of a good way to do it. Does anyone have an idea of how I can accomplish this?

Any help will be appreciated.

Thanks,
Mouncef
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users

On 29 May, 2007, at 13:34, Mouncef Belcaid wrote:
> Hi,
>
> I am sure this subject has come up before. I did not find anything
> on Google that comes close to what I am trying to do.
>
> I would like to manage different groups on multiple nodes using
> puppet and do not know of a good way to do it. Does anyone have an
> idea of how I can accomplish this?

Do you mean UNIX groups? How is it you would like to manage them — that is — what would you like Puppet to do?

Usually, people use the Puppet "group" and "user" resource types to make sure that particular groups and users exist. Is that what you're looking for?

Yes, UNIX/Linux groups.

The issue with the group/user resources is that you cannot manage existing groups/users. What I would like to do is add local/NIS/LDAP users to an existing local group without overwriting the /etc/group file.

On 5/29/07, Benjamin C. Kite <ben@reductivelabs.com> wrote:
> On 29 May, 2007, at 13:34, Mouncef Belcaid wrote:
>
> > Hi,
> >
> > I am sure this subject has come up before. I did not find anything
> > on Google that comes close to what I am trying to do.
> >
> > I would like to manage different groups on multiple nodes using
> > puppet and do not know of a good way to do it. Does anyone have an
> > idea of how I can accomplish this?
>
> Do you mean UNIX groups? How is it you would like to manage them —
> that is — what would you like Puppet to do?
>
> Usually, people use the Puppet "group" and "user" resource types to
> make sure that particular groups and users exist. Is that what
> you're looking for?

Sorry, I forgot to CC the list.

---------- Forwarded message ----------
From: Mouncef Belcaid <lists@belcaid.com>
Date: May 29, 2007 3:45 PM
Subject: Re: [Puppet-users] Group management
To: Puppet User Discussion <puppet-users@madstop.com>

Yes, UNIX/Linux groups.

The issue with the group/user resources is that you cannot manage existing groups/users. What I would like to do is add local/NIS/LDAP users to an existing local group without overwriting the /etc/group file.

On May 29, 2007, at 4:45 PM, Mouncef Belcaid wrote:
> Yes, UNIX/Linux groups.
>
> The issue with the group/user resources is that you cannot manage
> existing groups/users. What I would like to do is add local/NIS/
> LDAP users to an existing local group without overwriting the /etc/
> group file.

This is a problem with usermod, isn't it? That is, Puppet can manage local users and groups just fine as long as everyone is local, but usermod (which Puppet uses) doesn't want to modify the group file when it's interacting with NIS users. That's the problem you're talking about, right?

usermod is the only CLI way I know of to add users to an existing group (or remove them). If you want this feature, you'll have to write a provider that knows how to read and write /etc/group separately, so that you can skip the use of usermod entirely.

--
I don't want the world, I just want your half.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Tue, May 29, 2007 at 06:02:10PM -0500, Luke Kanies wrote:
> On May 29, 2007, at 4:45 PM, Mouncef Belcaid wrote:
>
> > Yes, UNIX/Linux groups.
> >
> > The issue with the group/user resources is that you cannot manage
> > existing groups/users. What I would like to do is add local/NIS/
> > LDAP users to an existing local group without overwriting the /etc/
> > group file.
>
> This is a problem with usermod, isn't it? That is, Puppet can manage
> local users and groups just fine as long as everyone is local, but
> usermod (which Puppet uses) doesn't want to modify the group file
> when it's interacting with NIS users. That's the problem you're
> talking about, right?
>
> usermod is the only CLI way I know of to add users to an existing
> group (or remove them). If you want this feature, you'll have to
> write a provider that knows how to read and write /etc/group
> separately, so that you can skip the use of usermod entirely.

Fedora/RHEL (also Debian I think) has libuser that provides lgroupmod/lusermod which might work better in this case, never tried them though.

Kostas

I was thinking about using groupmod instead. I just need to assign a list of users to a specific group. For example:
groupmod -A "user1,user2,user3" trusted (to add users to the trusted group)
and
groupmod -R "user1,user2,user3" trusted (to remove them)

I thought I would check with the list before writing a provider, in case there is an easier way.

On 5/29/07, Luke Kanies <luke@madstop.com> wrote:
> On May 29, 2007, at 4:45 PM, Mouncef Belcaid wrote:
>
> > Yes, UNIX/Linux groups.
> >
> > The issue with the group/user resources is that you cannot manage
> > existing groups/users. What I would like to do is add local/NIS/
> > LDAP users to an existing local group without overwriting the /etc/
> > group file.
>
> This is a problem with usermod, isn't it? That is, Puppet can manage
> local users and groups just fine as long as everyone is local, but
> usermod (which Puppet uses) doesn't want to modify the group file
> when it's interacting with NIS users. That's the problem you're
> talking about, right?
>
> usermod is the only CLI way I know of to add users to an existing
> group (or remove them). If you want this feature, you'll have to
> write a provider that knows how to read and write /etc/group
> separately, so that you can skip the use of usermod entirely.
>
> --
> I don't want the world, I just want your half.
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com

On May 29, 2007, at 7:36 PM, Kostas Georgiou wrote:
> Fedora/RHEL (also debian I think) has libuser that provides
> lgroupmod/lusermod which might work better in this case, never
> tried them though.

Do those modify ldap, or what?

The problem in this case is that usermod pukes if the user is in nis, even if the group is a local group. Do these tools solve that problem?

I can't seem to find much about them, other than a uselessly terse man page.

--
A person's maturity consists in having found again the seriousness one had as a child, at play. --Friedrich Nietzsche
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On May 29, 2007, at 9:15 PM, Mouncef Belcaid wrote:
> I was thinking about using groupmod instead. I just need to assign
> a list of users to a specific group. For example:
> groupmod -A "user1,user2,user3" trusted (to add users to the
> trusted group)
> and
> groupmod -R "user1,user2,user3" trusted (to remove them)
>
> I thought I would check with the list before writing a provider, in
> case there is an easier way.

What platform are you on? My Debian groupmod doesn't support -A or -R, according to the man page.

If this is all you need to do, I recommend making a subclass of the useradd provider, changing the 'groups' and 'groups=' methods to use groupmod instead. You'll need to make sure you get the current list and compare them, always setting the values so that you don't lose group members (e.g., if you're adding 'a' and 'b,c' is the current member list, make sure the final result is 'a,b,c', not just 'a').

--
Should I say "I believe in physics", or "I know that physics is true"?
-- Ludwig Wittgenstein, On Certainty, 602.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

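
The read-compare-merge step described in the message above, as an added example (not from the thread and not Puppet's provider code). The helper names and the sample group file are constructed for illustration, and the member-name check is an added safeguard against a name that would corrupt or forge a group entry.

```ruby
# Merge wanted members into an existing /etc/group entry without dropping
# anyone already listed. All helper names here are hypothetical.

# Constructed sample in /etc/group format: name:password:gid:member,member
SAMPLE_GROUP_FILE = <<~GROUP
  root:x:0:
  wheel:x:10:root
  trusted:x:42:b,c
GROUP

# Conservative account-name pattern: rejects ':', ',', whitespace and
# newlines, any of which would change the meaning of the written line.
VALID_NAME = /\A[a-z_][a-z0-9_.-]*\z/i

GroupEntry = Struct.new(:name, :password, :gid, :members)

def parse_group_file(text)
  text.each_line.map(&:chomp).reject(&:empty?).map do |line|
    name, password, gid, members = line.split(':', -1)
    raise ArgumentError, "malformed entry: #{line.inspect}" if gid.nil? || members.nil?
    GroupEntry.new(name, password, Integer(gid), members.split(','))
  end
end

# Returns [merged, to_add]: the full list to write back (existing order
# kept, new names appended) and the subset that is actually new.
def merge_members(entry, wanted)
  wanted.each do |user|
    raise ArgumentError, "invalid member name: #{user.inspect}" unless user.match?(VALID_NAME)
  end
  to_add = wanted.uniq - entry.members
  [entry.members + to_add, to_add]
end

def render(entry, members)
  [entry.name, entry.password, entry.gid, members.join(',')].join(':')
end

# Looks up one local group and returns the line to write plus the delta;
# an empty :added list means the entry is already in sync.
def add_to_group(text, group, wanted)
  entry = parse_group_file(text).find { |e| e.name == group }
  raise ArgumentError, "no such local group: #{group}" unless entry
  merged, to_add = merge_members(entry, wanted)
  { line: render(entry, merged), added: to_add }
end
```

Member order in a group entry carries no meaning, so 'b,c,a' is the same membership as 'a,b,c'; the `:added` list is what a provider would hand to whichever tool does the write.
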
On Tue, May 29, 2007 at 10:03:54PM -0500, Luke Kanies wrote:
> On May 29, 2007, at 7:36 PM, Kostas Georgiou wrote:
>
> > Fedora/RHEL (also debian I think) has libuser that provides
> > lgroupmod/lusermod which might work better in this case, never
> > tried them though.
>
> Do those modify ldap, or what?

They can be configured to modify ldap or shadow.

> The problem in this case is that usermod pukes if the user is in nis,
> even if the group is a local group. Do these tools solve that problem?
>
> I can't seem to find much about them, other than a uselessly terse
> man page.

I haven't used them at all either and the docs aren't great, but a quick check shows that it works with a nis user and a local group.

# usermod -a -G wheel georgiou
usermod: georgiou not found in /etc/passwd
# lgroupmod -M georgiou wheel
#

Kostas

I'm running SuSE Linux Enterprise server/desktop 9 and 10.

Thanks for the suggestion Luke. I will go ahead and try it out.

On 5/30/07, Luke Kanies <luke@madstop.com> wrote:
> On May 29, 2007, at 9:15 PM, Mouncef Belcaid wrote:
>
> > I was thinking about using groupmod instead. I just need to assign
> > a list of users to a specific group. For example:
> > groupmod -A "user1,user2,user3" trusted (to add users to the
> > trusted group)
> > and
> > groupmod -R "user1,user2,user3" trusted (to remove them)
> >
> > I thought I would check with the list before writing a provider, in
> > case there is an easier way.
>
> What platform are you on? My Debian groupmod doesn't support -A or
> -R, according to the man page.
>
> If this is all you need to do, I recommend making a subclass of the
> useradd provider, changing the 'groups' and 'groups=' methods to use
> groupmod instead. You'll need to make sure you get the current list
> and compare them, always setting the values so that you don't lose
> group members (e.g., if you're adding 'a' and 'b,c' is the current
> member list, make sure the final result is 'a,b,c', not just 'a').
>
> --
> Should I say "I believe in physics", or "I know that physics is true"?
> -- Ludwig Wittgenstein, On Certainty, 602.
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com

On May 30, 2007, at 2:18 PM, Kostas Georgiou wrote:
> I haven't used them at all either and the docs aren't great, but a quick
> check shows that it works with a nis user and a local group.
> # usermod -a -G wheel georgiou
> usermod: georgiou not found in /etc/passwd
> # lgroupmod -M georgiou wheel
> #

It shouldn't be hard to make a provider for them, then. I'll leave that as an exercise to the reader. :)

--
This book fills a much-needed gap. -- Moses Hadas
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

gpasswd can also be used.

Adam Kosmin

Luke Kanies wrote:
> usermod is the only CLI way I know of to add users to an existing
> group (or remove them). If you want this feature, you'll have to
> write a provider that knows how to read and write /etc/group
> separately, so that you can skip the use of usermod entirely.
>
> --
> I don't want the world, I just want your half.
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com