On the System we have defined the user auser as: /etc/passwd: auser:x:300:300:auser User:/application/home/auser:/bin/bash /etc/group: agroup:x:126:auser So id auser gives: uid=300(auser) gid=300(auser) groups=126(agroup),300(auser) In the LDAP we have: #getent passwd auser auser:x:300:300:auser User:/application/home/auser:/bin/bash and #getent group agroup agroup:x:126:auser Basically the same definition. Now everytime I run puppet I get: notice: //Node[default]/oracle/users::db/User[auser]/groups: groups changed ''agroup,agroup'' to ''agroup'' This is really strange..... Does anybody know what the problem is here. Does Puppet Merge the groups from local and ldap? Any hint is appreciated. BR, Rene -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Hi Rene, Couple of things you might check: Do you have the agroup defined in LDAP too? If so that ldap group might have a differente gid as the local one. How looks the definition of the user in users::db? On Tue, Mar 2, 2010 at 8:44 AM, Rene <rene.zbinden@gmail.com> wrote:> On the System we have defined the user auser as: > /etc/passwd: > auser:x:300:300:auser User:/application/home/auser:/bin/bash > /etc/group: > agroup:x:126:auser > > So id auser gives: > uid=300(auser) gid=300(auser) groups=126(agroup),300(auser) > > In the LDAP we have: > #getent passwd auser > auser:x:300:300:auser User:/application/home/auser:/bin/bash > and > #getent group agroup > agroup:x:126:auser > > Basically the same definition. > > Now everytime I run puppet I get: > notice: //Node[default]/oracle/users::db/User[auser]/groups: groups > changed ''agroup,agroup'' to ''agroup'' > This is really strange..... > > Does anybody know what the problem is here. Does Puppet Merge the > groups from local and ldap? > > Any hint is appreciated. > > BR, Rene > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com> > . > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > >-- Tony -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Hi Tony
Thanks for the quick answer.
Yes the group is defined in the LDAP too with the same GID. And here
the definition:
@user { auser:
comment => ''Some user'',
ensure => present,
gid => somegid,
uid => 300,
groups => ''agroup'',
home => ''/application/home/auser'',
shell => ''/bin/bash'',
require => [ Group[''auser''],
Group[''agroup''] ],
}
I have no idea what is going wrong.....
On Mar 2, 4:53 pm, "Tony G." <tony...@gmail.com>
wrote:> Hi Rene,
>
> Couple of things you might check:
>
> Do you have the agroup defined in LDAP too? If so that ldap group might
> have a differente gid as the local one.
>
> How looks the definition of the user in users::db?
>
>
>
> On Tue, Mar 2, 2010 at 8:44 AM, Rene <rene.zbin...@gmail.com> wrote:
> > On the System we have defined the user auser as:
> > /etc/passwd:
> > auser:x:300:300:auser User:/application/home/auser:/bin/bash
> > /etc/group:
> > agroup:x:126:auser
>
> > So id auser gives:
> > uid=300(auser) gid=300(auser) groups=126(agroup),300(auser)
>
> > In the LDAP we have:
> > #getent passwd auser
> > auser:x:300:300:auser User:/application/home/auser:/bin/bash
> > and
> > #getent group agroup
> > agroup:x:126:auser
>
> > Basically the same definition.
>
> > Now everytime I run puppet I get:
> > notice: //Node[default]/oracle/users::db/User[auser]/groups: groups
> > changed ''agroup,agroup'' to
''agroup''
> > This is really strange.....
>
> > Does anybody know what the problem is here. Does Puppet Merge the
> > groups from local and ldap?
>
> > Any hint is appreciated.
>
> > BR, Rene
>
> > --
> > You received this message because you are subscribed to the Google
Groups
> > "Puppet Users" group.
> > To post to this group, send email to puppet-users@googlegroups.com.
> > To unsubscribe from this group, send email to
> >
puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com>
> > .
> > For more options, visit this group at
> >http://groups.google.com/group/puppet-users?hl=en.
>
> --
> Tony
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Hi Rene, I tried to replicate the behavior without luck. Reading again your email I noticed that you used getent passwd to pull the LDAP data, but that does not guarantee you are pulling from LDAP as it depends on the order in your nsswitch.conf file. Here nsswitch.conf has files before ldap(I created locally auser and agroup as you) $ id auser uid=999(auser) gid=999(auser) groups=999(auser),666(agroup) $ getent passwd auser auser:*:999:999:Some user:/home/auser:/bin/bash Here ldap is before nsswitch.conf (I created in ldap auser and agroup) $ id auser uid=999(auser) gid=*888*(auser) groups=*888*(auser),666(agroup) $ getent passwd auser auser:*:999:*888*:auser test:/home/auser:/bin/bash So the change you see *changed ''agroup,agroup'' to ''agroup'' *sounds like auser has two agroup groups(with diff gid) and changing to have only one agroup. I might be wrong with this, but the issue should be around there. I''ve tried to avoid having same groups/users in ldap and locally to avoid similar issues. Hope that helps. On Tue, Mar 2, 2010 at 10:13 AM, Rene <rene.zbinden@gmail.com> wrote:> Hi Tony > > Thanks for the quick answer. > > Yes the group is defined in the LDAP too with the same GID. And here > the definition: > @user { auser: > comment => ''Some user'', > ensure => present, > gid => somegid, > uid => 300, > groups => ''agroup'', > home => ''/application/home/auser'', > shell => ''/bin/bash'', > require => [ Group[''auser''], Group[''agroup''] ], > } > > I have no idea what is going wrong..... > > > On Mar 2, 4:53 pm, "Tony G." <tony...@gmail.com> wrote: > > Hi Rene, > > > > Couple of things you might check: > > > > Do you have the agroup defined in LDAP too? If so that ldap group might > > have a differente gid as the local one. > > > > How looks the definition of the user in users::db? > > > > > > > > On Tue, Mar 2, 2010 at 8:44 AM, Rene <rene.zbin...@gmail.com> wrote: > > > On the System we have defined the user auser as: > > > /etc/passwd: > > > auser:x:300:300:auser User:/application/home/auser:/bin/bash > > > /etc/group: > > > agroup:x:126:auser > > > > > So id auser gives: > > > uid=300(auser) gid=300(auser) groups=126(agroup),300(auser) > > > > > In the LDAP we have: > > > #getent passwd auser > > > auser:x:300:300:auser User:/application/home/auser:/bin/bash > > > and > > > #getent group agroup > > > agroup:x:126:auser > > > > > Basically the same definition. > > > > > Now everytime I run puppet I get: > > > notice: //Node[default]/oracle/users::db/User[auser]/groups: groups > > > changed ''agroup,agroup'' to ''agroup'' > > > This is really strange..... > > > > > Does anybody know what the problem is here. Does Puppet Merge the > > > groups from local and ldap? > > > > > Any hint is appreciated. > > > > > BR, Rene > > > > > -- > > > You received this message because you are subscribed to the Google > Groups > > > "Puppet Users" group. > > > To post to this group, send email to puppet-users@googlegroups.com. > > > To unsubscribe from this group, send email to > > > puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com> > <puppet-users%2Bunsubscribe@googlegroups.com<puppet-users%252Bunsubscribe@googlegroups.com> > > > > > . > > > For more options, visit this group at > > >http://groups.google.com/group/puppet-users?hl=en. > > > > -- > > Tony > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com> > . > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > >-- Tony -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Hi Tony Here my investigations for another user: For our storage user the following happens with puppet: notice: //Node[default]/netbackup/netbackup::general/users::storage/ User[storage]/groups: groups changed ''log,log'' to ''log'' The user storage is not in ldap, but the group log. On ldap I have: log:*:126:user1,user2,user3,storage,user4 Local I have: log:x:126:storage To get the information i always deleted the ldap or files entry in / etc/nsswitch.conf. I also have: only ldap in nsswitch.conf: # id storage uid=902(storage) gid=902(storage) groups=126(log),902(storage) only files in nsswitch.conf: id storage uid=902(storage) gid=902(storage) groups=126(log),902(storage) Do you have any other ideas? Do you think the problem could arise from that the user storage is not in ldap? On Mar 2, 7:50 pm, "Tony G." <tony...@gmail.com> wrote:> Hi Rene, > > I tried to replicate the behavior without luck. > > Reading again your email I noticed that you used getent passwd to pull the > LDAP data, but that does not guarantee you are pulling from LDAP as it > depends on the order in your nsswitch.conf file. > > Here nsswitch.conf has files before ldap(I created locally auser and agroup > as you) > $ id auser > uid=999(auser) gid=999(auser) groups=999(auser),666(agroup) > $ getent passwd auser > auser:*:999:999:Some user:/home/auser:/bin/bash > > Here ldap is before nsswitch.conf (I created in ldap auser and agroup) > $ id auser > uid=999(auser) gid=*888*(auser) groups=*888*(auser),666(agroup) > $ getent passwd auser > auser:*:999:*888*:auser test:/home/auser:/bin/bash > > So the change you see *changed ''agroup,agroup'' to ''agroup'' *sounds like > auser has two agroup groups(with diff gid) and changing to have only one > agroup. I might be wrong with this, but the issue should be around there. > > I''ve tried to avoid having same groups/users in ldap and locally to avoid > similar issues. > > Hope that helps. > > > > On Tue, Mar 2, 2010 at 10:13 AM, Rene <rene.zbin...@gmail.com> wrote: > > Hi Tony > > > Thanks for the quick answer. > > > Yes the group is defined in the LDAP too with the same GID. And here > > the definition: > > @user { auser: > > comment => ''Some user'', > > ensure => present, > > gid => somegid, > > uid => 300, > > groups => ''agroup'', > > home => ''/application/home/auser'', > > shell => ''/bin/bash'', > > require => [ Group[''auser''], Group[''agroup''] ], > > } > > > I have no idea what is going wrong..... > > > On Mar 2, 4:53 pm, "Tony G." <tony...@gmail.com> wrote: > > > Hi Rene, > > > > Couple of things you might check: > > > > Do you have the agroup defined in LDAP too? If so that ldap group might > > > have a differente gid as the local one. > > > > How looks the definition of the user in users::db? > > > > On Tue, Mar 2, 2010 at 8:44 AM, Rene <rene.zbin...@gmail.com> wrote: > > > > On the System we have defined the user auser as: > > > > /etc/passwd: > > > > auser:x:300:300:auser User:/application/home/auser:/bin/bash > > > > /etc/group: > > > > agroup:x:126:auser > > > > > So id auser gives: > > > > uid=300(auser) gid=300(auser) groups=126(agroup),300(auser) > > > > > In the LDAP we have: > > > > #getent passwd auser > > > > auser:x:300:300:auser User:/application/home/auser:/bin/bash > > > > and > > > > #getent group agroup > > > > agroup:x:126:auser > > > > > Basically the same definition. > > > > > Now everytime I run puppet I get: > > > > notice: //Node[default]/oracle/users::db/User[auser]/groups: groups > > > > changed ''agroup,agroup'' to ''agroup'' > > > > This is really strange..... > > > > > Does anybody know what the problem is here. Does Puppet Merge the > > > > groups from local and ldap? > > > > > Any hint is appreciated. > > > > > BR, Rene > > > > > -- > > > > You received this message because you are subscribed to the Google > > Groups > > > > "Puppet Users" group. > > > > To post to this group, send email to puppet-users@googlegroups.com. > > > > To unsubscribe from this group, send email to > > > > puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com> > > <puppet-users%2Bunsubscribe@googlegroups.com<puppet-users%252Bunsubscribe@googlegroups.com> > > > > > . > > > > For more options, visit this group at > > > >http://groups.google.com/group/puppet-users?hl=en. > > > > -- > > > Tony > > > -- > > You received this message because you are subscribed to the Google Groups > > "Puppet Users" group. > > To post to this group, send email to puppet-users@googlegroups.com. > > To unsubscribe from this group, send email to > > puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com> > > . > > For more options, visit this group at > >http://groups.google.com/group/puppet-users?hl=en. > > -- > Tony-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Hi Rene, I don''t think there is a problem if the user is not in ldap. Run the puppetd with --debug so you can see what command is being issued before that notice is posted, that might give you a clue of what''s doing puppet. On Thu, Mar 4, 2010 at 1:15 AM, Rene <rene.zbinden@gmail.com> wrote:> Hi Tony > > Here my investigations for another user: > > For our storage user the following happens with puppet: > notice: //Node[default]/netbackup/netbackup::general/users::storage/ > User[storage]/groups: groups changed ''log,log'' to ''log'' > > The user storage is not in ldap, but the group log. On ldap I have: > log:*:126:user1,user2,user3,storage,user4 > > Local I have: > log:x:126:storage > > To get the information i always deleted the ldap or files entry in / > etc/nsswitch.conf. > > I also have: > only ldap in nsswitch.conf: > # id storage > uid=902(storage) gid=902(storage) groups=126(log),902(storage) > only files in nsswitch.conf: > id storage > uid=902(storage) gid=902(storage) groups=126(log),902(storage) > > Do you have any other ideas? > > Do you think the problem could arise from that the user storage is not > in ldap? > > On Mar 2, 7:50 pm, "Tony G." <tony...@gmail.com> wrote: > > Hi Rene, > > > > I tried to replicate the behavior without luck. > > > > Reading again your email I noticed that you used getent passwd to pull > the > > LDAP data, but that does not guarantee you are pulling from LDAP as it > > depends on the order in your nsswitch.conf file. > > > > Here nsswitch.conf has files before ldap(I created locally auser and > agroup > > as you) > > $ id auser > > uid=999(auser) gid=999(auser) groups=999(auser),666(agroup) > > $ getent passwd auser > > auser:*:999:999:Some user:/home/auser:/bin/bash > > > > Here ldap is before nsswitch.conf (I created in ldap auser and agroup) > > $ id auser > > uid=999(auser) gid=*888*(auser) groups=*888*(auser),666(agroup) > > $ getent passwd auser > > auser:*:999:*888*:auser test:/home/auser:/bin/bash > > > > So the change you see *changed ''agroup,agroup'' to ''agroup'' *sounds like > > auser has two agroup groups(with diff gid) and changing to have only one > > agroup. I might be wrong with this, but the issue should be around > there. > > > > I''ve tried to avoid having same groups/users in ldap and locally to avoid > > similar issues. > > > > Hope that helps. > > > > > > > > On Tue, Mar 2, 2010 at 10:13 AM, Rene <rene.zbin...@gmail.com> wrote: > > > Hi Tony > > > > > Thanks for the quick answer. > > > > > Yes the group is defined in the LDAP too with the same GID. And here > > > the definition: > > > @user { auser: > > > comment => ''Some user'', > > > ensure => present, > > > gid => somegid, > > > uid => 300, > > > groups => ''agroup'', > > > home => ''/application/home/auser'', > > > shell => ''/bin/bash'', > > > require => [ Group[''auser''], Group[''agroup''] ], > > > } > > > > > I have no idea what is going wrong..... > > > > > On Mar 2, 4:53 pm, "Tony G." <tony...@gmail.com> wrote: > > > > Hi Rene, > > > > > > Couple of things you might check: > > > > > > Do you have the agroup defined in LDAP too? If so that ldap group > might > > > > have a differente gid as the local one. > > > > > > How looks the definition of the user in users::db? > > > > > > On Tue, Mar 2, 2010 at 8:44 AM, Rene <rene.zbin...@gmail.com> wrote: > > > > > On the System we have defined the user auser as: > > > > > /etc/passwd: > > > > > auser:x:300:300:auser User:/application/home/auser:/bin/bash > > > > > /etc/group: > > > > > agroup:x:126:auser > > > > > > > So id auser gives: > > > > > uid=300(auser) gid=300(auser) groups=126(agroup),300(auser) > > > > > > > In the LDAP we have: > > > > > #getent passwd auser > > > > > auser:x:300:300:auser User:/application/home/auser:/bin/bash > > > > > and > > > > > #getent group agroup > > > > > agroup:x:126:auser > > > > > > > Basically the same definition. > > > > > > > Now everytime I run puppet I get: > > > > > notice: //Node[default]/oracle/users::db/User[auser]/groups: groups > > > > > changed ''agroup,agroup'' to ''agroup'' > > > > > This is really strange..... > > > > > > > Does anybody know what the problem is here. Does Puppet Merge the > > > > > groups from local and ldap? > > > > > > > Any hint is appreciated. > > > > > > > BR, Rene > > > > > > > -- > > > > > You received this message because you are subscribed to the Google > > > Groups > > > > > "Puppet Users" group. > > > > > To post to this group, send email to puppet-users@googlegroups.com > . > > > > > To unsubscribe from this group, send email to > > > > > puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com> > <puppet-users%2Bunsubscribe@googlegroups.com<puppet-users%252Bunsubscribe@googlegroups.com> > > > > > <puppet-users%2Bunsubscribe@googlegroups.com<puppet-users%252Bunsubscribe@googlegroups.com> > <puppet-users%252Bunsubscribe@googlegroups.com<puppet-users%25252Bunsubscribe@googlegroups.com> > > > > > > > > > . > > > > > For more options, visit this group at > > > > >http://groups.google.com/group/puppet-users?hl=en. > > > > > > -- > > > > Tony > > > > > -- > > > You received this message because you are subscribed to the Google > Groups > > > "Puppet Users" group. > > > To post to this group, send email to puppet-users@googlegroups.com. > > > To unsubscribe from this group, send email to > > > puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com> > <puppet-users%2Bunsubscribe@googlegroups.com<puppet-users%252Bunsubscribe@googlegroups.com> > > > > > . > > > For more options, visit this group at > > >http://groups.google.com/group/puppet-users?hl=en. > > > > -- > > Tony > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com> > . > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > >-- Tony -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.