The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Feature #8081

Need user provider to work with NIS

Added by Andreas Kuntzagk about 4 years ago. Updated almost 3 years ago.

Status: Needs More Information
Start date: 06/24/2011
Priority: Normal
Due date:
Assignee: Andreas Kuntzagk
% Done: 0%
Category: -
Target version: -
Affected Puppet version: 2.6.8
Branch:
Keywords:



Description

I have this resource definition:

ssh_authorized_key { "nagios@login2":
  key     => [REDACTED],
  user    => "nagios",
  type    => "ssh-dss",
  require => Service['nis'],
}

This nagios user comes from NIS; yp.conf and nsswitch.conf are handled by puppet and configured before the key. I still get a “User does not exist”.

daemon.log:
...
Jun 17 14:00:57 node016 puppet-agent[1109]: (/Stage[main]/All/File[/localhome/nagios/]/ensure) created
Jun 17 14:12:53 node016 puppet-agent[1109]: (/Stage[main]//Ssh_authorized_key[root@node002]/ensure) created
Jun 17 14:15:14 node016 puppet-agent[1109]: (/Stage[main]//File[/etc/idmapd.conf]/content) content changed '{md5}3e94f238294cc61b047e7ae50115dffc' to '{md5}6d9c69f38eca81ab0f879c2771d5d543'
Jun 17 14:15:14 node016 puppet-agent[1109]: (/Stage[main]//Service[idmapd]/ensure) ensure changed 'stopped' to 'running'
Jun 17 14:15:14 node016 puppet-agent[1109]: (/Stage[main]//Service[idmapd]) Triggered 'refresh' from 1 events
Jun 17 14:15:41 node016 puppet-agent[1109]: (/Stage[main]/All/File[/etc/yp.conf]/ensure) defined content as '{md5}9c23d37f431c0788c212d3c0ab8a48af'
Jun 17 14:15:58 node016 puppet-agent[1109]: (/Stage[main]/All/All::Append_if_no_such_line[sudoers_nagios_smartctl]/Exec[/bin/echo 'nagios ALL=(root) NOPASSWD: /usr/sbin/smartctl' >> '/etc/sudoers']/returns) executed successfully
Jun 17 14:17:03 node016 puppet-agent[1109]: (/Stage[main]//Package[nis]/ensure) ensure changed 'purged' to 'latest'
Jun 17 14:17:39 node016 puppet-agent[1109]: (/Stage[main]/All/File[/etc/nsswitch.conf]/content) content changed '{md5}295c15c4bdac80e50b37689ef08f359c' to '{md5}250a1851aec43bcc5f73e8a01b2141bd'
Jun 17 14:17:43 node016 puppet-agent[1109]: (/Stage[main]/All/Service[nis]) Triggered 'refresh' from 4 events
Jun 17 14:17:50 node016 puppet-agent[1109]: (/Stage[main]//Ssh_authorized_key[nagios@login2]/ensure) created
Jun 17 14:17:50 node016 puppet-agent[1109]: (/Stage[main]//Ssh_authorized_key[nagios@login2]) Could not evaluate: User 'nagios' does not exist
Jun 17 14:18:06 node016 puppet-agent[1109]: (/Whit[last]) Dependency Ssh_authorized_key[nagios@login2] has failures: true
... 

This is the info I got on ML:

It’s just using the Ruby Etc library to do the lookup according to puppet/util/posix.rb, which won’t match NIS accounts.

History

#1 Updated by Andreas Kuntzagk about 4 years ago

  • Affected Puppet version set to 2.6.8

#2 Updated by James Turnbull about 4 years ago

  • Status changed from Unreviewed to Needs Decision
  • Assignee set to Nigel Kersten

#3 Updated by Nigel Kersten about 3 years ago

  • Assignee changed from Nigel Kersten to eric sorenson

#4 Updated by eric sorenson almost 3 years ago

  • Status changed from Needs Decision to Needs More Information
  • Assignee changed from eric sorenson to Andreas Kuntzagk

I don’t think this requires code changes in Puppet. I’ve certainly used puppet to configure user-owned home directories and dot-files when the users were not in /etc/passwd, though I used LDAP rather than NIS. The thing I found, though, was that changing nsswitch.conf and restarting nscd introduced a race in puppet, where the init.d restarts would return back to puppet before the service was actually working, causing exactly this error.

If this is still an issue for you, can you see if something like this is going on with NIS by adding a restart => /usr/local/bin/myrestartscript attribute on the Service[nis] resource which calls out to the real restart script and does a little sleep/retry loop on id nagios?
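One way to write the restart wrapper suggested in comment #4, as an added example that is not part of the ticket or of Puppet's code. It is meant to be installed as /usr/local/bin/myrestartscript and returns only once `id nagios` resolves or the retries run out. The default restart command and the RESTART_CMD, PROBE_USER, MAX_TRIES and DELAY variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the ticket): restart NIS, then block until the
# NIS-provided user resolves through NSS, so dependent resources such as
# Ssh_authorized_key are not evaluated against a half-started service.
# Assumed knobs (hypothetical names, override via the environment):
RESTART_CMD=${RESTART_CMD:-"/etc/init.d/nis restart"}  # assumed real restart script
PROBE_USER=${PROBE_USER:-nagios}                       # user from the ticket
MAX_TRIES=${MAX_TRIES:-30}
DELAY=${DELAY:-2}

# user_resolves USER: true when NSS (files, NIS, LDAP, ...) can resolve USER.
user_resolves() {
    id "$1" >/dev/null 2>&1
}

# wait_for_user USER TRIES DELAY [PROBE]: poll PROBE until it succeeds.
# Returns 0 as soon as the user resolves, 1 if it never does.
wait_for_user() {
    _user=$1 _tries=$2 _delay=$3 _probe=${4:-user_resolves}
    _n=1
    while [ "$_n" -le "$_tries" ]; do
        if "$_probe" "$_user"; then
            return 0
        fi
        if [ "$_n" -lt "$_tries" ]; then
            sleep "$_delay"
        fi
        _n=$((_n + 1))
    done
    return 1
}

# restart_and_wait: exit status 2 = restart itself failed,
# 1 = restart returned but the user never became resolvable, 0 = ready.
restart_and_wait() {
    $RESTART_CMD || return 2
    wait_for_user "$PROBE_USER" "$MAX_TRIES" "$DELAY" || {
        echo "user '$PROBE_USER' still not resolvable after restart" >&2
        return 1
    }
}

# Run only when invoked under the script name used in the comment above.
case "$0" in
    *myrestartscript) restart_and_wait; exit $? ;;
esac
```

A non-zero exit makes the failure show up on Service[nis] itself instead of surfacing later as "User 'nagios' does not exist" on the key resource.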
