
Fix LDAP config on codfw1dev instances
Closed, Resolved. Public

Description

The proxyagent password in this region was the usual one (https://phabricator.wikimedia.org/diffusion/LPRI/browse/master/hieradata/common.yaml$125) prefixed with lt- for reasons I'm forgetting. This was done in https://gerrit.wikimedia.org/r/c/labs/private/+/288615 but the file is no longer in use.
It might be easiest just to update the password in codfw1dev's LDAP to remove the prefix.
This password goes into /etc/ldap.yaml etc. on the instances and is used by e.g. /usr/sbin/ssh-key-ldap-lookup. It also shows up in ldap_default_authtok in /etc/sssd/sssd.conf.
In addition, I've found /etc/ldap.conf (note: distinct from /etc/ldap.yaml and /etc/ldap/ldap.conf) with a reference to ldap://ldap-ro.eqiad.wikimedia.org:389.
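As an added example (not part of this task or of Wikimedia's Puppet code), a small Python check that spots the two inconsistencies the description reports on an instance: the secret in /etc/ldap.yaml disagreeing with ldap_default_authtok in /etc/sssd/sssd.conf, and a stray config file pointing at another region's LDAP server. The ldap.yaml key name, the codfw1dev hostname and the sample file contents are assumptions; the passwords are placeholders.

```python
import configparser
import re
# Constructed sample contents standing in for the three files on one instance.
# The 'password' key in ldap.yaml and the codfw1dev hostname are assumptions;
# the passwords are placeholders, not real credentials.
LDAP_YAML = "servers:\n  - ldap-ro.codfw1dev.example\npassword: lt-PLACEHOLDER\n"
SSSD_CONF = ("[domain/example]\n"
             "ldap_uri = ldap://ldap-ro.codfw1dev.example:389\n"
             "ldap_default_authtok = PLACEHOLDER\n")
LDAP_CONF = "URI ldap://ldap-ro.eqiad.wikimedia.org:389\nBASE dc=wikimedia,dc=org\n"
URI_RE = re.compile(r"ldaps?://([^:/\s]+)")

def yaml_scalar(text, key):
    """Read one top-level 'key: value' scalar without needing PyYAML."""
    m = re.search(rf"^{key}:\s*(\S.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def ldap_conf_value(text, key):
    """Read an OpenLDAP-style 'KEY value' line (keys are case-insensitive)."""
    for line in text.splitlines():
        k, _, v = line.split("#", 1)[0].strip().partition(" ")
        if k.lower() == key.lower():
            return v.strip()
    return None

def sssd_option(text, option):
    """Return the first occurrence of an option in any sssd.conf section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    for section in cp.sections():
        if cp.has_option(section, option):
            return cp.get(section, option)
    return None

def check_ldap_configs(ldap_yaml, sssd_conf, ldap_conf, region):
    """List inconsistencies: disagreeing secrets and URIs pointing outside `region`."""
    findings = []
    if yaml_scalar(ldap_yaml, "password") != sssd_option(sssd_conf, "ldap_default_authtok"):
        findings.append("ldap.yaml password and sssd.conf ldap_default_authtok differ")
    for fname, uri in (("/etc/sssd/sssd.conf", sssd_option(sssd_conf, "ldap_uri")),
                       ("/etc/ldap.conf", ldap_conf_value(ldap_conf, "URI"))):
        for host in URI_RE.findall(uri or ""):
            if region not in host:
                findings.append(f"{fname} points at {host}, outside {region}")
    return findings

if __name__ == "__main__":
    for f in check_ldap_configs(LDAP_YAML, SSSD_CONF, LDAP_CONF, "codfw1dev"):
        print("MISMATCH:", f)
```

On a real instance the three constants would be replaced by reading the files; the check reports the mismatches without printing either secret.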

Event Timeline

After updating ldap_default_authtok in /etc/sssd/sssd.conf and password in /etc/ldap.yaml to include the prefix, and restarting sssd, my instance works a little more normally:

alex@alex-laptop:~$ ssh puppetmaster-codfw1dev-01.cloudinfra-codfw1dev.codfw1dev.cloud
Creating directory '/home/labtestkrenair'.
Linux puppetmaster-codfw1dev-01 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
Debian GNU/Linux 10 (buster)
The last Puppet run was at Tue Jan 14 00:57:51 UTC 2020 (11 minutes ago). Puppet is disabled. https://phabricator.wikimedia.org/T242697
Last puppet commit: (a83f55682f) Daniel Zahn - codesearch: fix parameters of apt::package_from:component
labtestkrenair@puppetmaster-codfw1dev-01:~$
Krenair assigned this task to Andrew.

https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/566351/
https://gerrit.wikimedia.org/r/566353 (not sure this is actually in use but anyway)
and the LDAP password change done by Andrew. Thanks.