Monkeys Typing
2011-Feb-11 19:52 UTC
[Puppet Users] Active Directory join, stages, and AD accounts issues
I have a mostly working set of modules to replace our kickstart and about a dozen scripts.

I am having issues with attempting to populate my AD account-owned user folders in the initial puppet run. The machines I am testing with are all CentOS 5.5 so far.

I have defined 3 additional stages, Stage[init] -> Stage[pre] -> Stage[main] -> Stage[post], to attempt to fix this, to no avail. I have my Samba class defined in pre, with my "make ad prod user folders" class defined in post. I am also managing my ldap.conf, system-auth-ac, nsswitch.conf all in the initial stages.

I have an exec in my samba module to join the new servers to the domain, a simple "net ads join -U adminaccount".

I see during --test runs that the joindomain exec is scheduled to run after the smb and krb5 files are puppettized. Then way at the end of my run I see puppet attempting to create my user folders, but it is giving errors stating that the users do not exist. However, as soon as the catalog run finishes, the AD users are indeed recognized by id <username>.

A second run of puppet completes with no issues.

What am I missing to make sure that the AD user folders class is not attempted before the join has happened?

Thanks,

Jim Goddard

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nigel Kersten
2011-Feb-11 20:01 UTC
Re: [Puppet Users] Active Directory join, stages, and AD accounts issues
On Fri, Feb 11, 2011 at 11:52 AM, Monkeys Typing <monkeys.typing@gmail.com> wrote:
> I have a mostly working set of modules to replace our kickstart and
> about a dozen scripts.
>
> I am having issues with attempting to populate my AD account-owned
> user folders in the initial puppet run. The machines i am testing
> with are all CentOS 5.5 so far.
>
> I have defined 3 additional stages,
> Stage [init] -> Stage [pre] -> Stage [main] -> Stage [post]
> to attempt to fix this to no avail. I have my Samba class defined in
> pre, with my "make ad prod user folders" class defined in post. I am
> also managing my ldap.conf, system-auth-ac, nsswitch.conf all in the
> initial stages.
>
> I have an exec in my samba module to join the new servers to the
> domain, a simple "net ads join -U adminaccount".
>
> I see during --test runs, that the joindomain exec is scheduled to run
> after the smb and krb5 files are puppettized. Then way at the end of
> my run I see puppet attempting to create my user folders, but it is
> giving errors stating that the users do not exist. However, as soon
> as the catalog run finishes, the AD users are indeed recognized by id
> <username>.
>
> A second run of puppet completes with no issues.
>
> What am I missing to make sure that the AD user folders class is not
> attempted before the join has happened?

One thing that wasn't quite clear was whether in the logs you've verified that the exec is actually run after the user folders class, i.e. whether this is a puppet ordering problem, or a lag on the node between joining and the users being accessible.

> Thanks,
>
> Jim Goddard
Daniel Pittman
2011-Feb-13 06:16 UTC
Re: [Puppet Users] Active Directory join, stages, and AD accounts issues
On Fri, Feb 11, 2011 at 12:01, Nigel Kersten <nigel@puppetlabs.com> wrote:
> On Fri, Feb 11, 2011 at 11:52 AM, Monkeys Typing
> <monkeys.typing@gmail.com> wrote:
[…]
>> I have an exec in my samba module to join the new servers to the
>> domain, a simple "net ads join -U adminaccount".
>>
>> I see during --test runs, that the joindomain exec is scheduled to run
>> after the smb and krb5 files are puppettized. Then way at the end of
>> my run I see puppet attempting to create my user folders, but it is
>> giving errors stating that the users do not exist. However, as soon
>> as the catalog run finishes, the AD users are indeed recognized by id
>> <username>.
>>
>> A second run of puppet completes with no issues.
>>
>> What am I missing to make sure that the AD user folders class is not
>> attempted before the join has happened?
>
> One thing that wasn't quite clear was whether in the logs you've
> verified that the exec is actually run after the user folders class.
> ie whether this is a puppet ordering problem, or a lag on the node
> between joining and the users being accessible.

...or the puppet agent failing because it cached the user list, and didn't recheck, which bit me years back but may still be lurking. Can we see the error messages from puppet and, ideally, the bits of the manifest in question?

Regards,
    daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <daniel@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons
Monkeys Typing
2011-Feb-15 18:17 UTC
[Puppet Users] Re: Active Directory join, stages, and AD accounts issues
On Feb 12, 10:16 pm, Daniel Pittman <dan...@puppetlabs.com> wrote:
> On Fri, Feb 11, 2011 at 12:01, Nigel Kersten <ni...@puppetlabs.com> wrote:
> > On Fri, Feb 11, 2011 at 11:52 AM, Monkeys Typing
> > <monkeys.typ...@gmail.com> wrote:
> >> I have an exec in my samba module to join the new servers to the
> >> domain, a simple "net ads join -U adminaccount".
> >>
> >> I see during --test runs, that the joindomain exec is scheduled to run
> >> after the smb and krb5 files are puppettized. Then way at the end of
> >> my run I see puppet attempting to create my user folders, but it is
> >> giving errors stating that the users do not exist. However, as soon
> >> as the catalog run finishes, the AD users are indeed recognized by id
> >> <username>.
> >>
> >> A second run of puppet completes with no issues.
> >>
> >> What am I missing to make sure that the AD user folders class is not
> >> attempted before the join has happened?
> >
> > One thing that wasn't quite clear was whether in the logs you've
> > verified that the exec is actually run after the user folders class.
> > ie whether this is a puppet ordering problem, or a lag on the node
> > between joining and the users being accessible.
>
> ...or the puppet agent failing because it cached the user list, and
> didn't recheck, which bit me years back but may still be lurking. Can
> we see the error messages from puppet and, ideally, the bits of the
> manifest in question?
>
> Regards,
> daniel
> --
> ⎋ Puppet Labs Developer – http://puppetlabs.com
> ✉ Daniel Pittman <dan...@puppetlabs.com>
> ✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
> ♲ Made with 100 percent post-consumer electrons

Thanks for the suggestions. Here are the logs and relevant portions of the manifests. I have the ldap.conf file set in an even earlier stage, so that doesn't seem to be the problem.
Feb 14 18:40:32 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/Package[samba]/ensure) created
Feb 14 18:40:32 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/Package[samba]) Scheduling refresh of Exec[joindomain]
Feb 14 18:40:32 puppettest02 puppet-agent[2884]: FileBucket adding /etc/krb5.conf as {md5}94be488988fe3690414d521eeb3d07cb
Feb 14 18:40:32 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/File[/etc/krb5.conf]) Filebucketed /etc/krb5.conf to main with sum 94be488988fe3690414d521eeb3d07cb
Feb 14 18:40:32 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/File[/etc/krb5.conf]/content) content changed '{md5}94be488988fe3690414d521eeb3d07cb' to '{md5}0673a8a7c9d801b1ee465654f0fb47b8'
Feb 14 18:40:32 puppettest02 puppet-agent[2884]: FileBucket adding /etc/samba/smb.conf as {md5}eb2bea901479ef4f6bd200e86a037e3b
Feb 14 18:40:32 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/File[/etc/samba/smb.conf]) Filebucketed /etc/samba/smb.conf to main with sum eb2bea901479ef4f6bd200e86a037e3b
Feb 14 18:40:33 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/File[/etc/samba/smb.conf]/content) content changed '{md5}eb2bea901479ef4f6bd200e86a037e3b' to '{md5}3df3f064d8d1c9bfa5950552b43c2ff0'
Feb 14 18:40:33 puppettest02 puppet-agent[2884]: FileBucket adding /etc/nsswitch.conf as {md5}c2bd306b205ad9e81fb02ce6b225d384
Feb 14 18:40:33 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/File[/etc/nsswitch.conf]) Filebucketed /etc/nsswitch.conf to main with sum c2bd306b205ad9e81fb02ce6b225d384
Feb 14 18:40:33 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/File[/etc/nsswitch.conf]/content) content changed '{md5}c2bd306b205ad9e81fb02ce6b225d384' to '{md5}d214e24671ee6aede2adb4b651892dfe'
Feb 14 18:40:33 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/Exec[joindomain]/returns) executed successfully
Feb 14 18:40:33 puppettest02 puppet-agent[2884]: (/Stage[pre]/Samba/Exec[joindomain]) Triggered 'refresh' from 1 events
…
Feb 14 18:50:15 puppettest02 puppet-agent[2884]: (/Stage[post]/Makeadprod/File[/home/CORP]/ensure) created
Feb 14 18:50:15 puppettest02 puppet-agent[2884]: (/Stage[post]/Makeadprod/File[/home/CORP/abba]/ensure) change from absent to directory failed: Could not set 'directory on ensure: Could not find user abba at /etc/puppet/modules/makeadprod/manifests/init.pp:344

# /etc/puppet/modules/samba/manifests/init.pp
class samba {
  include "ntp"

  package { samba:
    ensure => latest,
    notify => Exec["joindomain"],
    # require => Class["localusers"],
  }

  file { "/etc/samba/smb.conf":
    owner   => "root",
    group   => "root",
    mode    => 644,
    source  => "puppet:///modules/samba/smb.conf",
    require => Package["samba"],
  }

  file { "/etc/krb5.conf":
    owner   => "root",
    group   => "root",
    mode    => 644,
    source  => "puppet:///modules/samba/krb5.conf.$dc_location",
    require => Package["samba"],
  }

  file { "/etc/nsswitch.conf":
    owner   => "root",
    group   => "root",
    mode    => 644,
    source  => "puppet:///modules/samba/nsswitch.conf",
    require => [ Package["samba"], Class["ldapconf"] ],
  }

  exec { "joindomain":
    path    => "/usr/bin:/usr/sbin",
    command => $ad_joined ? {
      "true"  => "/bin/true",
      "false" => "net ads join -U <domainaccount%password>",
    },
    require => [ Package["samba"], Class["ntp"], File["/etc/krb5.conf"],
                 File["/etc/samba/smb.conf"], File["/etc/nsswitch.conf"] ],
  }
}

# /etc/puppet/modules/makeadprod/manifests/init.pp
class makeadprod {
  include "samba"
  include "localusers"

  file { "/home/CORP":
    owner  => "root",
    group  => "root",
    mode   => 644,
    ensure => directory,
  }

  file { "/home/CORP/abba":
    owner   => "abba",
    group   => "Ops",
    mode    => 640,
    ensure  => directory,
    recurse => true,
    purge   => false,
    source  => "puppet:///modules/makeadprod/abba",
    require => [ Class["samba"], Exec["joindomain"], File["/home/CORP"] ],
    #require => [ Class["samba"], File["/home/CORP"] ],
  }
  ...

The rest of the manifest just creates the user directories, installs their keys, etc.
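Two things in the log and manifest above are worth acting on. The following is an added example, not the poster's code and not from anyone in the thread. First, Exec["joindomain"] is applied in the normal pass and then refreshed again by the notify from Package[samba]; with neither unless nor refreshonly it re-runs net ads join on every run in which the $ad_joined fact is false, and the "-U account%password" form puts the password on a command line that any local user can read from ps while net is running. net ads testjoin (exit status 0 when the machine account and trust are valid) makes the exec idempotent, and a root-only keytab with net ads join -k keeps the credential off the command line. Second, "Could not find user abba" is not an ordering problem inside the catalog: Puppet resolves owner => "abba" through getpwnam() in the running agent process, and glibc on CentOS 5 reads /etc/nsswitch.conf once per process, so the ldap entry that File["/etc/nsswitch.conf"] wrote earlier in the same run is never consulted by that process, while any new process (id, or the next agent run) picks it up. Creating the directory from an exec, which is a fresh child process, sidesteps that. The keytab path, the join principal, the Ops group, and the Class["ntp"] and File["/home/CORP"] references follow the poster's layout and are assumptions; the syntax is the Puppet 2.6-era style used in the thread.

```puppet
# Added example, not the poster's manifest. Assumptions: a keytab for the AD
# join account exists at /etc/samba/join.keytab for the principal below, and
# the krb5.conf / smb.conf / nsswitch.conf File resources and Class["ntp"]
# are declared as in the poster's samba class.
class samba::join {
  $join_principal = "joinsvc@CORP.EXAMPLE.COM"   # assumption
  $join_keytab    = "/etc/samba/join.keytab"     # assumption

  # Root-only keytab: the join credential never appears on a command line.
  file { $join_keytab:
    owner  => "root",
    group  => "root",
    mode   => 600,
    source => "puppet:///modules/samba/join.keytab",
  }

  # Get a ticket for the join account only while the host is not joined.
  # `net ads testjoin` exits 0 once the join is valid, so both execs are
  # no-ops on every later run instead of re-joining each time.
  exec { "join-ticket":
    path    => "/usr/bin:/usr/sbin:/bin",
    command => "kinit -k -t ${join_keytab} ${join_principal}",
    unless  => "net ads testjoin",
    require => [ File[$join_keytab], File["/etc/krb5.conf"], Class["ntp"] ],
  }

  exec { "joindomain":
    path    => "/usr/bin:/usr/sbin:/bin",
    command => "net ads join -k",       # -k: use the ticket from kinit above
    unless  => "net ads testjoin",
    require => [ Exec["join-ticket"], File["/etc/samba/smb.conf"],
                 File["/etc/nsswitch.conf"] ],
    notify  => Exec["join-kdestroy"],
  }

  # Drop root's ticket cache once the join has actually run.
  exec { "join-kdestroy":
    path        => "/usr/bin:/bin",
    command     => "kdestroy",
    refreshonly => true,
  }
}

# The owner lookup is done by a child process here, not by the agent, so it
# sees the nsswitch.conf written earlier in the same run. `install -d` creates
# the directory with owner, group and mode in one step; `creates` keeps it
# idempotent and `onlyif` skips it (rather than failing) while the user does
# not yet resolve. The group default is an assumption taken from the post.
define makeadprod::homedir($group = "Ops") {
  $dir = "/home/CORP/${name}"

  exec { "mkhome-${name}":
    path    => "/usr/bin:/bin",
    command => "install -d -o ${name} -g ${group} -m 750 ${dir}",
    creates => $dir,
    onlyif  => "getent passwd ${name}",
    require => [ Exec["joindomain"], File["/home/CORP"] ],
  }
}

makeadprod::homedir { "abba": }
```

Keys and other content under the home directory can still be managed with a file resource that omits owner and group and requires Exec["mkhome-abba"], followed by a refreshonly chown -R exec subscribed to it. If a loud failure is preferable to a silent skip, drop the onlyif so that install fails with an unknown-user error. The alternative that keeps the poster's recursive file resource unchanged is to wrap the makeadprod include in `if $ad_joined == "true"`: the home directories then appear on the next agent run, whose process starts with the new nsswitch.conf already in place.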