On Thursday, November 29, 2012 11:14:57 PM UTC-6, O wrote:
>
> Hi, I am new to this and I discovered a manifest in an old post that
> should change passwords. It runs fine, but the password does not change. I
> am wondering how this would work since it would need to change the shadow.
>

The Puppet agent needs to run as a privileged user (typically root) in order to do a lot of the things it does, including managing system users. Yes, on systems that use shadow passwords, Puppet needs to modify /etc/shadow to manage passwords. So?

As to the details, the Puppet agent adapts to the system on which it is running, and uses the appropriate system tools for most of the tasks it wants to perform. For example, to manage users on RedHat-family systems it uses useradd, userdel, usermod, and/or chage, as appropriate.

For users in particular there is a wide variety of management toolsets in use on different OS flavors. Not all of them provide the same features, and in particular, not all of them support managing user passwords. Therefore, whether Puppet can manage passwords on a particular client depends on the client. Most of this is documented in the Puppet type reference: http://docs.puppetlabs.com/references/3.0.latest/type.html#user.

> Thanks
>
> define change_passwd($user,$passwd) {
>   exec { "/usr/bin/puppet apply -v -e \'user { \"${user}\": password => \"${passwd}\" }\'":
>     onlyif => "/bin/grep -c ^${user}: /etc/shadow"
>   }
> }
>

That's awfully convoluted. Why are you using an Exec to run "puppet apply" from within a Puppet run, instead of just declaring the wanted resource directly?

That's not to say that the code is wrong or inappropriate. I think I can infer the purpose, but if *you* don't understand what it declares and why, then you cannot be sure whether it is appropriate or not. And that's before we even get to the structure of the wrapper definition.

Pete is right that the User type's 'password' parameter requires a hash instead of a plaintext password. Except for Windows clients. And be aware that it requires the hash to be the correct type for the target system, which may be SHA1, SHA512, MD5, or possibly even something else.
If your machines are homogeneous then that's not too big a problem, but if not then you may have a trickier problem.

John
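
The point in the reply above about hash type can be checked before a value ever reaches the user resource's password parameter. The following is an added example, not code from the thread or from Puppet: it classifies a candidate value by its crypt(3) "$id$" prefix and compares it with the schemes already present in a host's /etc/shadow. The function names, the scheme table (Linux modular crypt formats only) and the sample shadow text are assumptions made for illustration.

```python
import re

# crypt(3) modular-format ids as they appear in /etc/shadow ($id$...).
SCHEMES = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
MCF = re.compile(r"^\$([0-9a-z]+)\$[./0-9A-Za-z$=,]+$")

def classify(field):
    """Name the scheme of a shadow password field, or say why it is not a hash."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    m = MCF.match(field)
    if m and m.group(1) in SCHEMES:
        return SCHEMES[m.group(1)]
    return "not-a-crypt-hash"  # plaintext, or a format this example does not know

def shadow_schemes(shadow_text):
    """Map user -> scheme for every entry in the text of an /etc/shadow file."""
    out = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0]:
            out[parts[0]] = classify(parts[1])
    return out

def check_password_value(value, shadow_text):
    """Return (ok, reason) for a value destined for the password parameter."""
    scheme = classify(value)
    if scheme not in SCHEMES.values():
        return False, f"value is {scheme}; the password parameter expects a hash"
    in_use = {s for s in shadow_schemes(shadow_text).values()
              if s in SCHEMES.values()}
    if in_use and scheme not in in_use:
        return False, f"{scheme} hash, but this host uses {sorted(in_use)}"
    return True, f"{scheme} hash matches the host"

# Constructed sample data: salts and digests are placeholders, not real hashes.
SHADOW = """root:$6$saltsalt$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$pepperpp$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:19000:0:99999:7:::"""

if __name__ == "__main__":
    for v in ("hunter2", "$1$saltsalt$CCCCCCCCCCCCCCCCCCCCCC",
              "$6$newsalt1$DDDDDDDDDDDDDDDDDDDDDD"):
        print(v[:12], check_password_value(v, SHADOW))
```

On a mixed fleet, run the check against shadow text collected from each target class, since a hash that matches one host's scheme may not match another's.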
