On Wed, Nov 26, 2008 at 12:37 PM, benjamin <[EMAIL PROTECTED]> wrote:
>
>> Why are you doing this? This kind of situation usually indicates a
>> need to adjust one's mindset in order to work within the Puppet model
>> rather than fighting against it.
>
> you caught me. i'm writing .ssh directory and authorized_keys files
> for a few users to multiple servers. i guess i would use the
> ssh_authorized_key type if i were drinking the puppet Kool-Aid. (trying
> to!). but i'm hesitant to do this because all user access is auth
> against AD via pam and krb5. hence user home folders will only be
> present on the servers the user accesses. since a user directory is
> either present or not present without puppet server involvement there
> isn't anything to tie to.

Oh! This is a fun one! Do the home directories get created when the
user first logs in, then?

That's actually how we do it. We then use pam to run a script at logon
that populates their authorized_keys file from LDAP. This works
reasonably well.

Here are a couple other approaches:

* If you are tolerant of seeing "errors" in your Puppet logs, you could
  go ahead and define the keys; Puppet won't put them in place if the
  directories aren't there. I don't advocate this approach, but it is
  one I've seen used.

* If the users are *allowed* to log in to the servers in question, and
  the directory would be created on first login, go ahead and
  pre-populate it with Puppet instead. It doesn't cause any harm and
  saves you some headaches since you won't be fighting your tools.
  Seriously, what are you trying to save here?

* This is only a vaguely formed idea, but you could populate a set of
  <username>_homedir_exists custom facts that basically check if the
  home directory exists. Then you could declare all of these
  ssh_authorized_key resources dependent on those facts... I haven't
  totally thought that through, but it could work.

--Paul
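
The <username>_homedir_exists custom-fact idea from the last bullet, sketched as an added example (not code from this thread or from the Puppet project). MANAGED_USERS, the helper names and the username pattern are hypothetical; the fact reports a home as present only when its final path component is a real directory, not a symlink.

```ruby
# Added example: Facter custom facts reporting which managed users already
# have a home directory on this node.
require 'etc'

MANAGED_USERS = %w[alice bob].freeze # constructed sample account names

# Resolve a user's home from the system account database (this also covers
# AD/LDAP users visible through nsswitch). Returns nil for unknown users.
def lookup_home(user)
  Etc.getpwnam(user).dir
rescue ArgumentError
  nil
end

# True only when the path exists and is itself a directory. lstat does not
# follow a symlink in the final component, so a symlinked home counts as
# absent and no key resource gets enabled for it.
def homedir_exists?(home)
  return false if home.nil? || home.empty?
  File.lstat(home).directory?
rescue SystemCallError
  false
end

# Build { "alice_homedir_exists" => true, ... } for the given users.
def homedir_facts(users, resolver = method(:lookup_home))
  users.each_with_object({}) do |user, facts|
    # Assumption: usernames are simple identifiers; anything else is
    # skipped rather than turned into an odd fact name.
    next unless user =~ /\A[a-z_][a-z0-9_]*\z/
    facts["#{user}_homedir_exists"] = homedir_exists?(resolver.call(user))
  end
end

# Register the facts only when Facter has loaded this file.
if defined?(Facter)
  homedir_facts(MANAGED_USERS).each do |name, value|
    Facter.add(name) { setcode { value.to_s } }
  end
end
```

A manifest can then declare each user's ssh_authorized_key resource only when the matching fact is "true", which avoids the logged errors from the first approach.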
