You are right. I found a simpler way of doing it using Puppet's built-in "user" reference with shadow-lib installed. The only thing is, Puppet doesn't seem to be able to create an md5 hash for you, so you need to create a test user with the same password and use that value for password => 'hashgoeshere'.

On Friday, November 30, 2012 9:32:06 AM UTC-5, jcbollinger wrote:
>
> On Thursday, November 29, 2012 11:14:57 PM UTC-6, O wrote:
>>
>> Hi, I am new to this and I discovered a manifest in an old post that
>> should change passwords. It runs fine, but the password does not change. I
>> am wondering how this would work since it would need to change the shadow.
>>
>
> The Puppet agent needs to run as a privileged user (typically root) in
> order to do a lot of the things it does, including managing system users.
> Yes, on systems that use shadow passwords, Puppet needs to modify
> /etc/shadow to manage passwords. So?
>
> As to the details, the Puppet agent adapts to the system on which it is
> running, and uses the appropriate system tools for most of the tasks it
> wants to perform. For example, to manage users on RedHat-family systems it
> uses useradd, userdel, usermod, and/or chage, as appropriate.
>
> For users in particular there is a wide variety of management toolsets in
> use on different OS flavors. Not all of them provide the same features,
> and in particular, not all of them support managing user passwords.
> Therefore, whether Puppet can manage passwords on a particular client
> depends on the client.
>
> Most of this is documented in the Puppet type reference:
> http://docs.puppetlabs.com/references/3.0.latest/type.html#user.
>
>> Thanks
>>
>> define change_passwd($user,$passwd) {
>>   exec { "/usr/bin/puppet apply -v -e \'user { \"${user}\": password => \"${passwd}\" }\'":
>>     onlyif => "/bin/grep -c ^${user}: /etc/shadow"
>>   }
>> }
>>
>
> That's awfully convoluted. Why are you using an Exec to run "puppet
> apply" from within a Puppet run, instead of just declaring the wanted
> resource directly? That's not to say that the code is wrong or
> inappropriate. I think I can infer the purpose, but if *you* don't
> understand what it declares and why, then you cannot be sure whether it is
> appropriate or not. And that's before we even get to the structure of the
> wrapper definition.
>
> Pete is right that the User type's 'password' parameter requires a hash
> instead of a plaintext password. Except for Windows clients. And be aware
> that it requires the hash to be the correct type for the target system,
> which may be SHA1, SHA512, MD5, or possibly even something else. If your
> machines are homogeneous then that's not too big a problem, but if not then
> you may have a trickier problem.
>
>
> John
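
Added example, not part of the original thread: the caveat above that the hash must be the correct type for the target system can be checked before a value is pasted into `password =>`. This Python sketch classifies shadow password fields by their crypt(3) `$id$` prefix and flags weak schemes; the function names and the sample shadow lines are constructed for illustration.

```python
import re

# crypt(3) modular-format identifiers mapped to scheme names.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"md5crypt", "descrypt"}

def classify(field):
    """Name the scheme of one shadow password field."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        # Locked account; the original hash may follow the lock marker.
        rest = field.lstrip("!*")
        return "locked:" + classify(rest) if rest else "locked"
    m = re.match(r"\$([A-Za-z0-9]+)\$", field)
    if m:
        return SCHEMES.get(m.group(1), "unknown")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"  # traditional DES crypt has no $id$ prefix
    return "unknown"

def audit(shadow_text):
    """Map user -> scheme for each line of shadow-format text."""
    result = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and not line.startswith("#"):
            result[parts[0]] = classify(parts[1])
    return result

def weak_users(shadow_text):
    """Users whose stored hash uses a scheme listed in WEAK."""
    return [u for u, s in audit(shadow_text).items() if s.split(":")[-1] in WEAK]

def matches_target(candidate_hash, shadow_text):
    """True if the candidate uses a hash scheme already present on the target."""
    in_use = {s.split(":")[-1] for s in audit(shadow_text).values()}
    return classify(candidate_hash) in in_use - {"empty", "locked", "unknown"}

# Constructed sample: the hash bodies are filler characters, not real hashes.
SAMPLE_SHADOW = "\n".join([
    "root:$6$saltsalt$" + "A" * 86 + ":15674:0:99999:7:::",
    "legacy:$1$saltsalt$" + "B" * 22 + ":15674:0:99999:7:::",
    "svc:!!:15674::::::",
    "olduser:!$6$saltsalt$" + "C" * 86 + ":15674:0:99999:7:::",
])

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE_SHADOW).items():
        print(f"{user:8} {scheme}")
    print("weak:", weak_users(SAMPLE_SHADOW))
```

Run against a copy of the target's shadow file, `matches_target` tells you whether the hash taken from a test user on another machine uses a scheme the target already stores.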
