Puppet users - Aug 2008 - Setting file ownership with winbind groups - bug?

Hi All,

When using winbind with "winbind enum groups = no" parameter set (as 
recommended and necessary in large domains), the following code fails with 
"Could not find group AdSourcedGroup".

file {"/file": group => AdSourcedGroup}

As expected, turning the group enumeration fixes things (but slows 
everything down to a crawl - our AD domain has a serious number of 
groups!).

I suspect this is actually a ruby problem (or feature?): from the winbind 
docs "If the winbind enum groups parameter is false, calls to the 
getgrent() system call will not return any data. ". However given I can 
still run "chown user:AdSourceGroup /file" without problem this call
is
obviously not necessary to actually set the ownership?

I traced puppet''s execution for this as far as "get_posix_field in
util/posix.rb" but from there on it was getting a bit tricky to figure out 
what was going on.

So - is this a bug/feature request, or should it be considered a problem 
with winbind instead? I would hazard a guess that puppet is doing some 
possibly uneccessary extra checks on groups before issuing a chown? This 
may be a case were "eafp" is a better approach than "lbyl",
to borrow a
python idiom?

I''m running puppet 0.24.1, facter 1.3.8 & ruby 1.8.5.

-ross


-- 
Ross McKerchar
Systems Analyst, Sophos

Tel: 01235 559933
Web: http://www.sophos.com
Sophos - security and control


Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

On Aug 8, 2008, at 9:01 AM, Ross.McKerchar@sophos.com wrote:
>
> Hi All,
>
> When using winbind with "winbind enum groups = no" parameter set
(as
> recommended and necessary in large domains), the following code  
> fails with
> "Could not find group AdSourcedGroup".
>
> file {"/file": group => AdSourcedGroup}
>
> As expected, turning the group enumeration fixes things (but slows
> everything down to a crawl - our AD domain has a serious number of
> groups!).
>
> I suspect this is actually a ruby problem (or feature?): from the  
> winbind
> docs "If the winbind enum groups parameter is false, calls to the
> getgrent() system call will not return any data. ". However given I  
> can
> still run "chown user:AdSourceGroup /file" without problem this
call
> is
> obviously not necessary to actually set the ownership?
>
> I traced puppet''s execution for this as far as
"get_posix_field in
> util/posix.rb" but from there on it was getting a bit tricky to  
> figure out
> what was going on.
>
> So - is this a bug/feature request, or should it be considered a  
> problem
> with winbind instead? I would hazard a guess that puppet is doing some
> possibly uneccessary extra checks on groups before issuing a chown?  
> This
> may be a case were "eafp" is a better approach than
"lbyl", to
> borrow a
> python idiom?
>
> I''m running puppet 0.24.1, facter 1.3.8 & ruby 1.8.5.
This is probably something like a Puppet bug, but it''s harder to say  
with that version of Puppet.  We''ve gone through different variations  
of how we retrieve group information because of various bugs in  
different libc implementations.

You might try more recent versions of Puppet, but you might also try  
with Nigel''s fix for the slow group performance.  You should be able  
to track the ticket down without much effort.

-- 
Don''t hit at all if it is honorably possible to avoid hitting; but
never hit soft! -- Theodore Roosevelt
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Luke Kanies <luke@madstop.com> wrote on 16/08/2008
22:53:30:
> On Aug 8, 2008, at 9:01 AM, Ross.McKerchar@sophos.com wrote:
> >
> > When using winbind with "winbind enum groups = no" parameter
set (as
> > recommended and necessary in large domains), the following code 
> > fails with
> > "Could not find group AdSourcedGroup".
> >
> > file {"/file": group => AdSourcedGroup}
> 
> This is probably something like a Puppet bug, but it''s harder to
say
> with that version of Puppet.  We''ve gone through different
variations
> of how we retrieve group information because of various bugs in 
> different libc implementations.
> 
> You might try more recent versions of Puppet, but you might also try 
> with Nigel''s fix for the slow group performance.  You should be
able
> to track the ticket down without much effort.
I''m now running 0.24.5 & still have the same problem. I also tried
Nigel''s
fix @ 
http://github.com/nigelkersten/puppet/tree/c1a6adb84ecdcc1c2a2657b4d603c96ae3282125/lib/puppet/provider/nameservice/directoryservice.rb
but it didn''t help me.

I guess the next step is to file a bug report - what''s the procedure
for
this?

-ross


-- 
Ross McKerchar
Systems Analyst, Sophos

Tel: 01235 559933
Web: http://www.sophos.com
Sophos - security and control

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Ross.McKerchar@sophos.com wrote:
> I''m now running 0.24.5 & still have the same problem. I also
tried
> Nigel''s fix @
>
http://github.com/nigelkersten/puppet/tree/c1a6adb84ecdcc1c2a2657b4d603c96ae3282125/lib/puppet/provider/nameservice/directoryservice.rb
> but it didn''t help me.
> 
> I guess the next step is to file a bug report - what''s the
procedure for
> this?
> 
Ross

Try:

http://projects.reductivelabs.com/projects/puppet/issues/new

Thanks

James Turnbull

-- 
Author of:
* Pulling Strings with Puppet
(http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)

puppet-users@googlegroups.com wrote on 18/09/2008 23:10:33:
> Try:
> 
> http://projects.reductivelabs.com/projects/puppet/issues/new
Thanks James: Bug filed at 
http://projects.reductivelabs.com/issues/show/1583 

-- 
Ross McKerchar
Systems Analyst, Sophos

Tel: 01235 559933
Web: http://www.sophos.com
Sophos - security and control

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---