treydock
2011-Sep-01 01:09 UTC
[Puppet Users] File resource "owner" not found, only during automatic puppet runs
I have a file resource defined to be owned by a group that is accessible via samba/winbind (AD based group), but every time Puppet runs automatically (every 30 min) the run fails with this error (sensitive information removed):

(/Stage[main]//Node[node1.tld]/Apache::Vhost[vhost1]/File[/var/www/vhost1/html]) Could not evaluate: Could not find group org-www at /etc/puppet/modules/apache/manifests/definitions/vhost.pp:52

When I manually run "puppetd --test --debug -v" there is no failure. Also the group is visible on the system and all works just fine. It only fails during the automatic Puppet runs. I also have another host, with an almost identical setup, assigning AD based groups to file resources, and it doesn't have this problem. Using Puppet 2.6.9, on CentOS 6.

Thanks
- Trey

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
jcbollinger
2011-Sep-01 13:03 UTC
[Puppet Users] Re: File resource "owner" not found, only during automatic puppet runs
On Aug 31, 8:09 pm, treydock <treyd...@gmail.com> wrote:
> I have a file resource defined to be owned by a group that is
> accessible via samba/winbind (AD based group), but every time Puppet
> runs automatically (every 30 min) the run fails with this error,
> (sensitive information removed)
>
> (/Stage[main]//Node[node1.tld]/Apache::Vhost[vhost1]/File[/var/www/
> vhost1/html]) Could not evaluate: Could not find group org-www at /etc/
> puppet/modules/apache/manifests/definitions/vhost.pp:52
>
> When I manually run "puppetd --test --debug -v" there is no failure.
> Also the group is visible on the system and all works just fine. It
> only fails during the automatic Puppet runs. I also have another
> host, with an almost identical setup, assigning AD based groups to
> file resources, and it doesn't have this problem. Using Puppet 2.6.9,
> on CentOS 6.

It looks like the Puppet agent is unable to connect to the domain to retrieve group information. In all likelihood this is an issue with the environment in which the agent runs or the user (root) as whom it runs, perhaps in conjunction with winbind configuration specifics. You could try to duplicate it from the command line by doing something like 'env -i PATH="/bin:/sbin:/usr/bin:/usr/sbin" puppetd --test --debug -v' to ensure that it runs with a minimal environment.

Not being familiar with the details of using samba/winbind as a user and group resolution service, I'm not sure what specifically to recommend you check in that area. Duplicating the problem from the command line should give you a leg up, though.

John
treydock
2011-Sep-01 14:30 UTC
[Puppet Users] Re: File resource "owner" not found, only during automatic puppet runs
On Sep 1, 8:03 am, jcbollinger <John.Bollin...@stJude.org> wrote:
> On Aug 31, 8:09 pm, treydock <treyd...@gmail.com> wrote:
>
> > I have a file resource defined to be owned by a group that is
> > accessible via samba/winbind (AD based group), but every time Puppet
> > runs automatically (every 30 min) the run fails with this error,
> > (sensitive information removed)
>
> > (/Stage[main]//Node[node1.tld]/Apache::Vhost[vhost1]/File[/var/www/
> > vhost1/html]) Could not evaluate: Could not find group org-www at /etc/
> > puppet/modules/apache/manifests/definitions/vhost.pp:52
>
> > When I manually run "puppetd --test --debug -v" there is no failure.
> > Also the group is visible on the system and all works just fine. It
> > only fails during the automatic Puppet runs. I also have another
> > host, with an almost identical setup, assigning AD based groups to
> > file resources, and it doesn't have this problem. Using Puppet 2.6.9,
> > on CentOS 6.
>
> It looks like the Puppet agent is unable to connect to the domain to
> retrieve group information. In all likelihood this is an issue with
> the environment in which the agent runs or the user (root) as whom it
> runs, perhaps in conjunction with winbind configuration specifics.
> You could try to duplicate it from the command line by doing something
> like 'env -i PATH="/bin:/sbin:/usr/bin:/usr/sbin" puppetd --test --
> debug -v' to ensure that it runs with a minimal environment.
>
> Not being familiar with the details of using samba/winbind as a user
> and group resolution service, I'm not sure what specifically to
> recommend you check in that area. Duplicating the problem from the
> command line should give you a leg up, though.
>
> John

Thanks for the suggestion. I run puppet manually as you suggested, and still no errors. Even stranger is sometime last night the errors stopped occurring. From the time I activated the samba module, till last night it failed like clockwork, every 30 minutes. Now the automatic puppet runs seem to be working just fine.

My understanding of the internals of how Winbind/Samba store and cache AD account information is a bit lacking, but could this be that it just took time for the groups/users to get cached? Authentication and all other functions relying on these groups worked just fine from the beginning.

Here are some of the relevant lines from my smb.conf...

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind expand groups = 3
winbind separator = +

Thanks
- Trey
Craig White
2011-Sep-01 15:23 UTC
Re: [Puppet Users] Re: File resource "owner" not found, only during automatic puppet runs
On Sep 1, 2011, at 7:30 AM, treydock wrote:
> My understanding of the internals of how Winbind/Samba store and cache
> AD account information is a bit lacking, but could this be that it
> just took time for the groups/users to get cached? Authentication and
> all other functions relying on these groups worked just fine from the
> beginning.

----
just a word of warning - nscd (name server caching daemon) is known to cause problems with winbindd and samba.org has long since strongly recommended not to run it if you are obtaining user/group/host info from winbindd.

You can probably see the contents at any given time by using tdbdump utility from samba packaging to dump winbind.tdb (should be in /var/cache/samba on your RH/CentOS) - I think... I am using Ubuntu which doesn't seem to automatically install tdb utilities and I don't use winbindd at all.

Craig
jcbollinger
2011-Sep-01 21:12 UTC
[Puppet Users] Re: File resource "owner" not found, only during automatic puppet runs
On Sep 1, 9:30 am, treydock <treyd...@gmail.com> wrote:
[...]
> Thanks for the suggestion. I run puppet manually as you suggested,
> and still no errors. Even stranger is sometime last night the errors
> stopped occurring. From the time I activated the samba module, till
> last night it failed like clockwork, every 30 minutes. Now the
> automatic puppet runs seem to be working just fine.

Yay?

> My understanding of the internals of how Winbind/Samba store and cache
> AD account information is a bit lacking, but could this be that it
> just took time for the groups/users to get cached? Authentication and
> all other functions relying on these groups worked just fine from the
> beginning.

Craig may be onto something with respect to nscd. The Samba team's opinion of it notwithstanding, you should be aware that by default it provides both a positive and a negative cache. That is, it remembers lookup *failures* so as to (attempt to) improve performance on failing lookups as well. There may also be specific unfortunate interactions with winbind, but I couldn't tell you what.

John
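
The two checks raised in this thread (resolving the group from a minimal environment, and nscd's positive/negative group cache), as an added example that was not posted by any participant. It assumes nscd.conf lines have the form `attribute service value`; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks for a group that resolves
# interactively but not for a daemon: NSS lookup from a minimal environment,
# and the nscd group-cache settings that decide how long a failure is kept.

# group_resolves NAME: exit 0 if NSS returns the group when asked from the
# same stripped environment suggested in the thread for the agent run.
group_resolves() {
    env -i PATH="/bin:/sbin:/usr/bin:/usr/sbin" getent group "$1" >/dev/null 2>&1
}

# nscd_group_cache [FILE]: summarise the "group" cache lines of an
# nscd.conf-style file (stdin if FILE is omitted). Assumed line format:
#   <attribute> <service> <value>
nscd_group_cache() {
    awk '
        BEGIN { enabled = pos = neg = "unset" }
        /^[[:space:]]*#/ || NF < 3 { next }      # skip comments and blanks
        $2 != "group" { next }                   # other services (passwd, hosts)
        $1 == "enable-cache"          { enabled = $3 }
        $1 == "positive-time-to-live" { pos = $3 }
        $1 == "negative-time-to-live" { neg = $3 }
        END { printf "enabled=%s positive=%s negative=%s\n", enabled, pos, neg }
    ' "${1:--}"
}

# Constructed sample configuration; the values are illustrative only.
sample_nscd_conf() {
    cat <<'EOF'
# constructed sample
enable-cache            passwd  yes
negative-time-to-live   passwd  20
enable-cache            group   yes
positive-time-to-live   group   3600
negative-time-to-live   group   60
EOF
}

# Demo on the constructed sample; on a real host pass /etc/nscd.conf instead.
sample_nscd_conf | nscd_group_cache
```

If `group_resolves org-www` fails only while nscd is running and the reported negative value is non-zero, the failure may be coming from nscd's cache rather than from winbind.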