Hi all,

After reading through all the documentation I can find and reading the "Pulling Strings with Puppet" book I understand how easy it is to create and maintain users and groups across all puppet clients, but how do you define the passwords that go along with those users?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

On 2009-Apr-28, at 5:51 PM, josbal wrote:
> After reading through all the documentation I can find and reading the
> "Pulling Strings with Puppet" book I understand how easy it is to
> create and maintain users and groups across all puppet clients, but
> how do you define the passwords that go along with those users?

You can get an example for your particular system by running this as root:

    ralsh user username

There's probably a way to generate the encrypted string without the account actually existing first, but I don't know it.

A related question I have: How do you assign an initial password when the account is created, but prevent Puppet from making that the password every 30 minutes (should the user want to change it)?

--
Rob McBroom
<http://www.skurfer.com/>

On Wed, Apr 29, 2009 at 5:24 AM, Rob McBroom <mailinglist0@skurfer.com> wrote:
>
> On 2009-Apr-28, at 5:51 PM, josbal wrote:
>
>> After reading through all the documentation I can find and reading the
>> "Pulling Strings with Puppet" book I understand how easy it is to
>> create and maintain users and groups across all puppet clients, but
>> how do you define the passwords that go along with those users?
>
> You can get an example for your particular system by running this as
> root:
>
> ralsh user username

Note that to read an existing password hash, you'll probably need to be root on most OSes. This is the case at least for OS X.

> There's probably a way to generate the encrypted string without the
> account actually existing first, but I don't know it.
>
> A related question I have: How do you assign an initial password when
> the account is created, but prevent Puppet from making that the
> password every 30 minutes (should the user want to change it)?
>
> --
> Rob McBroom
> <http://www.skurfer.com/>

--
Nigel Kersten
nigelk@google.com
System Administrator
Google, Inc.

On 4/29/2009 7:24 AM, Rob McBroom wrote:
> A related question I have: How do you assign an initial password when
> the account is created, but prevent Puppet from making that the
> password every 30 minutes (should the user want to change it)?

I think the vast majority of people use Puppet to create system accounts, not normal user login accounts. In my case, normal user login accounts go into Active Directory, and then I use Puppet to maintain compatible Kerberos and Winbind settings, plus lists of users allowed to log into particular systems as needed (using pam_listfile).

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University

On 2009-Apr-29, at 10:41 AM, Nigel Kersten wrote:
> On Wed, Apr 29, 2009 at 5:24 AM, Rob McBroom
> <mailinglist0@skurfer.com> wrote:
>>
>> You can get an example for your particular system by running this as
>> root:
>>
>> ralsh user username
>
> Note that to read an existing password hash, you'll probably need to
> be root on most OSes. This is the case at least for OS X.

I probably should have said to run the command "as root". Oh, wait… ;)

--
Rob McBroom
<http://www.skurfer.com/>

On Wed, Apr 29, 2009 at 8:26 AM, Rob McBroom <mailinglist0@skurfer.com> wrote:
>
> On 2009-Apr-29, at 10:41 AM, Nigel Kersten wrote:
>
>> On Wed, Apr 29, 2009 at 5:24 AM, Rob McBroom
>> <mailinglist0@skurfer.com> wrote:
>>>
>>> You can get an example for your particular system by running this as
>>> root:
>>>
>>> ralsh user username
>>
>> Note that to read an existing password hash, you'll probably need to
>> be root on most OSes. This is the case at least for OS X.
>
> I probably should have said to run the command "as root". Oh, wait… ;)

hah. I did actually read that, but I didn't express myself well.

I meant to point out explicitly that on OS X say, if you run this as non-root, you'll get a user resource definition back, it just won't contain the password.

ie

    nigelk$ ralsh user testuser
    user { 'testuser':
        comment => 'testuser',
        home => '/Users/testuser',
        shell => '/bin/bash',
        uid => '123',
        gid => '123',
        ensure => 'present'
    }

    nigelk$ sudo ralsh user testuser
    user { 'testuser':
        comment => 'testuser',
        password => "..........",
        home => '/Users/testuser',
        shell => '/bin/bash',
        uid => '123',
        gid => '123',
        ensure => 'present'
    }

> --
> Rob McBroom
> <http://www.skurfer.com/>

--
Nigel Kersten
nigelk@google.com
System Administrator
Google, Inc.

On 2009-Apr-29, at 11:58 AM, Nigel Kersten wrote:
> hah. I did actually read that, but I didn't express myself well.
>
> I meant to point out explicitly that on OS X say, if you run this as
> non-root, you'll get a user resource definition back, it just won't
> contain the password.

Ah, OK. Actually, I wanted to just use `ralsh user $USER` as an example since it would work as written, but I thankfully tested it first and ran into exactly what you're talking about on my desktop Mac. `ralsh` doesn't even run on my Linux puppetmaster as a non-root user, but do I really need it to? No.

--
Rob McBroom
<http://www.skurfer.com/>

On Wed, Apr 29, 2009 at 12:27 PM, Rob McBroom <mailinglist0@skurfer.com> wrote:
>
> On 2009-Apr-29, at 11:58 AM, Nigel Kersten wrote:
>
>> hah. I did actually read that, but I didn't express myself well.
>>
>> I meant to point out explicitly that on OS X say, if you run this as
>> non-root, you'll get a user resource definition back, it just won't
>> contain the password.
>
> Ah, OK. Actually, I wanted to just use `ralsh user $USER` as an
> example since it would work as written, but I thankfully tested it
> first and ran into exactly what you're talking about on my desktop
> Mac. `ralsh` doesn't even run on my Linux puppetmaster as a non-root
> user, but do I really need it to? No.

Yep. Luke expressed a desire to have as much of ralsh as possible work when not-root, so I decided to simply not return the password hash in that case in the Mac user provider.

> --
> Rob McBroom
> <http://www.skurfer.com/>

--
Nigel Kersten
nigelk@google.com
System Administrator
Google, Inc.

Thanks guys,

This is what I was after. This ralsh thing makes things a lot easier :)

Cheers.

On Apr 30, 5:45 am, Nigel Kersten <nig...@google.com> wrote:
> On Wed, Apr 29, 2009 at 12:27 PM, Rob McBroom <mailingli...@skurfer.com> wrote:
>
> > On 2009-Apr-29, at 11:58 AM, Nigel Kersten wrote:
>
> >> hah. I did actually read that, but I didn't express myself well.
>
> >> I meant to point out explicitly that on OS X say, if you run this as
> >> non-root, you'll get a user resource definition back, it just won't
> >> contain the password.
>
> > Ah, OK. Actually, I wanted to just use `ralsh user $USER` as an
> > example since it would work as written, but I thankfully tested it
> > first and ran into exactly what you're talking about on my desktop
> > Mac. `ralsh` doesn't even run on my Linux puppetmaster as a non-root
> > user, but do I really need it to? No.
>
> Yep. Luke expressed a desire to have as much of ralsh as possible work
> when not-root, so I decided to simply not return the password hash in
> that case in the Mac user provider.
>
> > --
> > Rob McBroom
> > <http://www.skurfer.com/>
>
> --
> Nigel Kersten
> nig...@google.com
> System Administrator
> Google, Inc.

Further to this...

If a user1 on server1 has uid 502 and in puppet I define user1 to have uid 500. When I add server1 to puppet, will puppet be able to change all the file permissions associated with user1? Or will it orphan all of user1's files?

Thanks again.

On Apr 30, 8:19 am, josbal <joshua.bald...@gmail.com> wrote:
> Thanks guys,
>
> This is what I was after. This ralsh thing makes things a lot easier :)
>
> Cheers.
>
> On Apr 30, 5:45 am, Nigel Kersten <nig...@google.com> wrote:
>
> > On Wed, Apr 29, 2009 at 12:27 PM, Rob McBroom <mailingli...@skurfer.com> wrote:
>
> > > On 2009-Apr-29, at 11:58 AM, Nigel Kersten wrote:
>
> > >> hah. I did actually read that, but I didn't express myself well.
>
> > >> I meant to point out explicitly that on OS X say, if you run this as
> > >> non-root, you'll get a user resource definition back, it just won't
> > >> contain the password.
>
> > > Ah, OK. Actually, I wanted to just use `ralsh user $USER` as an
> > > example since it would work as written, but I thankfully tested it
> > > first and ran into exactly what you're talking about on my desktop
> > > Mac. `ralsh` doesn't even run on my Linux puppetmaster as a non-root
> > > user, but do I really need it to? No.
>
> > Yep. Luke expressed a desire to have as much of ralsh as possible work
> > when not-root, so I decided to simply not return the password hash in
> > that case in the Mac user provider.
>
> > > --
> > > Rob McBroom
> > > <http://www.skurfer.com/>
>
> > --
> > Nigel Kersten
> > nig...@google.com
> > System Administrator
> > Google, Inc.

2009/4/29 josbal <joshua.baldock@gmail.com>:
>
> Further to this...
>
> If a user1 on server1 has uid 502 and in puppet I define user1 to have
> uid 500. When I add server1 to puppet, will puppet be able to change
> all the file permissions associated with user1? Or will it orphan all
> of user1's files?
>
> Thanks again.
>

Orphan any file owned by user1 that isn't managed by puppet, same goes for processes.

.r'

On Thursday 30 April 2009 00:24:41 Rob McBroom wrote:
> There's probably a way to generate the encrypted string without the
> account actually existing first, but I don't know it.

On Linux:

    mkpasswd -m md5

will do it for you.

--
Robin <robin@kallisti.net.nz> JabberID: <eythian@jabber.kallisti.net.nz>
http://www.kallisti.net.nz/blog ||| http://identi.ca/eythian
PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D

On 2009-Apr-29, at 6:22 PM, josbal wrote:
> If a user1 on server1 has uid 502 and in puppet I define user1 to have
> uid 500. When I add server1 to puppet, will puppet be able to change
> all the file permissions associated with user1? Or will it orphan all
> of user1's files?

On many systems, if you change the UID with usermod, it will go into the user's home directory and change ownership of all files there. It will not get all files on the system, but it's something. So, if your Puppet client is such a system, and if Puppet is using usermod as the back-end provider, it might cover the majority of files.

I imagine you could also come up with an Exec that runs `find` to look for the old UID under certain conditions, but it's probably better to do such things by hand since they shouldn't be common.

--
Rob McBroom
<http://www.skurfer.com/>

The magnitude of a problem does not affect its ownership.
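
An added example (not part of the original thread, and not Puppet or usermod code) of the by-hand `find` check for an old UID discussed above, using the 502 to 500 change from the question. The function names and search roots are hypothetical; the script lists what is still owned by the old UID, flags setuid/setgid files for review, and only changes ownership when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: audit ownership after a managed UID change (e.g. 502 -> 500).
# Function names and search roots are hypothetical, not Puppet or usermod code.

# Accept only non-empty, all-digit UIDs so nothing else reaches find/chown.
is_uid() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# Print every path under the given roots still owned by the numeric UID.
# -xdev stays on one filesystem; -user with a number matches by UID.
list_owned_by_uid() {
    is_uid "$1" || { echo "uid must be numeric" >&2; return 2; }
    owner=$1; shift
    find "$@" -xdev -user "$owner" -print
}

count_owned_by_uid() { list_owned_by_uid "$@" | wc -l | tr -d ' '; }

# Setuid/setgid files owned by the old UID need review before any chown:
# chown may clear those bits, and they must not pass unnoticed to a new owner.
list_privileged_by_uid() {
    is_uid "$1" || return 2
    owner=$1; shift
    find "$@" -xdev -user "$owner" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Move ownership from old UID to new UID. Dry run unless APPLY=1 is set.
# chown -h changes a symlink itself, never the file it points to.
reown_uid() {
    is_uid "$1" && is_uid "$2" || { echo "usage: reown_uid OLD NEW ROOT..." >&2; return 2; }
    old=$1; new=$2; shift 2
    if [ "${APPLY:-0}" = 1 ]; then
        find "$@" -xdev -user "$old" -exec chown -h "$new" {} +
    else
        find "$@" -xdev -user "$old" -exec echo chown -h "$new" {} \;
    fi
}

# Stand-alone use (dry run): sh reown.sh 502 500 /home /var/spool
if [ "$#" -ge 3 ]; then
    reown_uid "$@"
fi
```

Files left on the old UID become the property of whichever account is later assigned that number, which is why the listing is worth running before the UID is reused.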