I'm trying to set puppet up to manage users and groups on an OpenBSD Samba server, but puppet doesn't want to handle group names with spaces. I know this is horribly ugly, but compatibility with Windows clients seems to demand groups like "Domain Users" and "Domain Computers", and puppet chokes on them even though the underlying OS handles them at least well enough to allow Samba to work.

    err: //basenode/virt_all_users/User[testser]/groups: change from test,Domain Users,admin to Domain Users,admin failed: Invalid value Domain Users,admin: Groups must be comma-separated

I've tried removing the 'verify :groups, "Groups must be comma-separated"' check; when I do this puppet claims to set the groups correctly, but the change is not actually performed.

Has anybody else run into this problem and have either a fix for puppet or a workaround that allows you to avoid the groups with spaces entirely?

-Ryan
> Has anybody else run into this problem and have either a fix for puppet
> or a workaround that allows you to avoid the groups with spaces
> entirely?

There is no hard requirement that you have spaces in your unix group names. Samba can do a groupmapping from a standard unix group to an ntgroup name:

    net rpc groupmap add unixgroup=users ntgroup="Domain Users"

should do the job, but it's a long time since I've bothered.
On Mon, Jun 11, 2007 at 09:59:24PM +1200, Daniel Lawson wrote:
> There is no hard requirement that you have spaces in your unix group
> names. Samba can do a groupmapping from a standard unix group to an
> ntgroup name:
>
> net rpc groupmap add unixgroup=users ntgroup="Domain Users"

This works, thanks. I'm glad it's not necessary to muddy the puppet code to deal with this ugliness.

In fact, I discovered that with LDAP, Samba actually does the mapping based on the gid of the unix group and gidNumber of the ldap group, so you don't need the 'net rpc' command at all.

I also discovered a further problem on OpenBSD: the -G option to usermod doesn't behave the way puppet expects, membership => minimum works, membership => inclusive does not. This should be fixed in OpenBSD, I'll report back when that's done.

-Ryan

--
Ryan T. McBride, CISSP - mcbride@countersiege.com
Countersiege Systems Corporation - http://www.countersiege.com
PGP key fingerprint = 5A63 31A0 B2E0 4A64 3D16 C474 99A7 BEFE F9BA A8E0
On Jun 12, 2007, at 7:33 PM, Ryan McBride wrote:
> This works, thanks. I'm glad it's not necessary to muddy the puppet code
> to deal with this ugliness.
>
> In fact, I discovered that with LDAP, Samba actually does the mapping
> based on the gid of the unix group and gidNumber of the ldap group, so
> you don't need the 'net rpc' command at all.

Great, glad to hear it.

> I also discovered a further problem on OpenBSD: the -G option to usermod
> doesn't behave the way puppet expects, membership => minimum works,
> membership => inclusive does not. This should be fixed in OpenBSD, I'll
> report back when that's done.

Would you be willing to create an OpenBSD page on the wiki describing this, and then link it from the Platforms page[1]? This is exactly the kind of thing I'd like other users to be able to see easily -- what they need to know when running Puppet on their specific platform.

Thanks.

1 - https://reductivelabs.com/trac/puppet/wiki/StablePlatforms

--
Wear the old coat and buy the new book. -- Austin Phelps
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com