Issue #7442 has been updated by derek olsen.
As a side note, this is not specific to 2.7.X, as the same behavior is seen in
2.6.8.
The problem stems from the fact that if password aging is disabled for a user
on Solaris, there is no artifact in the shadow file that indicates that. The
lack of any number in the fifth field of the shadow line means password aging
is disabled. It would seem that for Solaris, when the provider parses the
shadow entry and compares the fields to what's requested in the manifest, the
handling for password aging should have an additional bit of logic. If the
5th field in the shadow entry is empty/null and the manifest requests
password_max_age => "-1", then nothing should be done.
This manifest will get applied during every puppet run.
<pre>
user { "filbert":
  password_max_age => "-1",
}
</pre>
First I verify that password aging is currently not set for the user. This can
be done with the passwd command or by looking at the shadow file.
<pre>
passwd -s filbert
filbert LK
grep filber /etc/shadow
filbert:*LK*:::::::
</pre>
Then apply the manifest which shouldn't do anything as password aging is
already disabled.
<pre>
puppet apply pastest.pp
notice: /Stage[main]//User[filbert]/password_max_age: password_max_age changed
'' to '-1'
notice: Finished catalog run in 0.16 seconds
puppet apply pastest.pp
notice: /Stage[main]//User[filbert]/password_max_age: password_max_age changed
'' to '-1'
notice: Finished catalog run in 0.16 seconds
</pre>
I'd be happy to provide any further info/clarifications if required.
Thanks. Derek.
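
The comparison described in the comment above, as an added example (not Puppet's provider code and not written by the commenter): an empty fifth shadow field and a requested max age of -1 are treated as the same state, so no change is reported. The helper names are hypothetical, and the second sample shadow line in the test cases is constructed.

```ruby
# Added illustration; helper names are hypothetical, not Puppet's API.

# Field order of an /etc/shadow line; max_age is the fifth field.
SHADOW_FIELDS = %i[name password last_change min_age max_age
                   warn inactive expire flag].freeze

# Split a shadow line into a hash. Empty fields become nil.
def parse_shadow_line(line)
  parts = line.chomp.split(':', -1) # -1 keeps trailing empty fields
  if parts.length < SHADOW_FIELDS.length
    raise ArgumentError, "malformed shadow line: #{line.inspect}"
  end
  SHADOW_FIELDS.zip(parts).to_h.transform_values { |v| v.empty? ? nil : v }
end

# Map both "no value in the shadow file" and "-1" to the same integer,
# so that "aging disabled" compares equal however it is expressed.
def normalize_age(value)
  return -1 if value.nil? || value.to_s.strip.empty?
  Integer(value.to_s, 10)
end

# True when the on-disk max age already matches the requested value,
# i.e. when a provider would have nothing to change.
def max_age_in_sync?(shadow_line, requested)
  current = parse_shadow_line(shadow_line)[:max_age]
  normalize_age(current) == normalize_age(requested)
end

if __FILE__ == $PROGRAM_NAME
  disabled = "filbert:*LK*:::::::"            # line from the post
  aged     = "filbert:*LK*:15000:0:90:7:::"   # constructed sample
  puts max_age_in_sync?(disabled, "-1")  # aging already disabled
  puts max_age_in_sync?(aged, "-1")      # aging set, change needed
end
```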
----------------------------------------
Bug #7442: User provided password age bug on Solaris with 2.7.0.rc2
https://projects.puppetlabs.com/issues/7442
Author: Gary Law
Status: Accepted
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version:
Keywords:
Branch:
Hi
Applying the following:-
<pre>
user { 'puppet':
  ensure => 'present',
  comment => 'Puppet',
  gid => '52',
  home => '/var/lib/puppet',
  password => '!!',
  password_max_age => '-1',
  password_min_age => '-1',
  shell => '/bin/true',
  uid => '52',
}
</pre>
(known good on Darwin and CentOS) fails on Solaris:
<pre>
$ sudo puppet apply /etc/puppet/manifests/site.pp
glaw@sv01:~ $ sudo puppet apply /etc/puppet/manifests/site.pp
prtconf: devinfo facility not available
err: /Stage[main]/Puppet/User[puppet]/password_min_age: change from to -1
failed: Could not set password_min_age on user[puppet]: Execution of
'/usr/bin/passwd -n -1 puppet' returned 6: passwd: Invalid argument to option -n
Invalid argument to option
notice: /Stage[main]/Puppet/User[puppet]/password_max_age: password_max_age
changed '' to '-1'
notice: Class[Puppet]: Dependency User[puppet] has failures: true
warning: Class[Puppet]: Skipping because of failed dependencies
notice: Stage[main]: Dependency User[puppet] has failures: true
warning: Stage[main]: Skipping because of failed dependencies
notice: Finished catalog run in 0.13 seconds
glaw@sv01:~ $
</pre>
I *think* that the correct command for passwd in this case would be
/usr/bin/passwd -x -1 puppet
But in any event the provider doesn't seem to report on it, so even setting
this correctly by hand doesn't cause puppet to apply the config without error:
<pre>
$ sudo puppet resource user puppet
prtconf: devinfo facility not available
user { 'puppet':
ensure => 'present',
comment => 'Puppet',
gid => '52',
home => '/var/lib/puppet',
password => '!!',
shell => '/bin/true',
uid => '52',
}
</pre>
Gary