
Prevent puppet from creating local user when they are defined in LDAP
Open, High, Public

Description

We had a few LDAP rolling upgrades over the past few days. When puppet realizes a User type, it apparently detects a provider for the user. When LDAP works, it does not create the user, but whenever LDAP does not, puppet falls back to adduser and creates a local user.

An example is the beta cluster which recently had a local 'mwdeploy' user being created by puppet on deployment-rsync01 and deployment-bastion. The process we run (such as scap) ends up altering / creating files with the local UID and whenever LDAP comes back we have a few permissions errors all over the place.

Puppet User supports a 'provider' attribute which can be set to 'ldap'. Bryan suggested using hiera to set that on labs.

Ref:
https://docs.puppetlabs.com/references/latest/type.html#user-attribute-provider


Version: unspecified
Severity: normal

Details

Reference
bz71480

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:51 AM
bzimport added a project: Cloud-VPS.
bzimport set Reference to bz71480.
bzimport added a subscriber: Unknown Object (MLST).
hashar created this task.Sep 30 2014, 9:14 PM
hashar added a comment.Oct 1 2014, 1:43 PM

A second thought, maybe the l10nupdate and mwdeploy User definitions in puppet should be given UID/GID that matches the one from LDAP.

bd808 added a comment.Oct 1 2014, 3:33 PM

(In reply to Antoine "hashar" Musso from comment #1)

A second thought, maybe the l10nupdate and mwdeploy User definitions in
puppet should be given UID/GID that matches the one from LDAP.

Renumbering is going to be a pain, but it would be less painful to ensure that the gid/uid pairs used in LDAP match the gid/uid pairs found in the production cluster. It's interesting to me that the mwdeploy user and group do not have explicit uid/gid in puppet. I wonder how that actually works in practice across production.
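As an added example for this task (it is not code from the Wikimedia operations/puppet repository), the manifest below combines the two ideas raised so far: the description's suggestion to select the 'ldap' provider through hiera on labs, and the point in this comment that the uid/gid pairs should be explicit and equal to what LDAP holds. The class name `scap::users`, the hiera keys, the `accounts_in_ldap` switch and the home/shell of l10nupdate are assumptions made for illustration; the uid/gid numbers are placeholders, not the directory's real values.

```puppet
# Added example written for this task; it is NOT code from the Wikimedia
# operations/puppet repository. The class name, the hiera keys and the
# uid/gid placeholders in the trailing comment are assumptions.
#
# Idea: where accounts come from LDAP (labs), declare the User/Group
# resources with the 'ldap' provider so Puppet never materialises a
# missing account with useradd/groupadd while the directory is down.
# Everywhere else keep the default local provider, but pin uid/gid to the
# numbers the directory uses, so files written by scap keep a consistent
# owner whichever NSS source answers the lookup.

class scap::users (
  # true on labs (set in hiera), false in production
  Boolean $accounts_in_ldap = lookup('scap::users::accounts_in_ldap', { 'default_value' => false }),
  # no default on purpose: a missing hiera value fails the catalog
  # instead of silently creating an account with an arbitrary uid
  Integer $mwdeploy_uid   = lookup('scap::users::mwdeploy_uid'),
  Integer $mwdeploy_gid   = lookup('scap::users::mwdeploy_gid'),
  Integer $l10nupdate_uid = lookup('scap::users::l10nupdate_uid'),
  Integer $l10nupdate_gid = lookup('scap::users::l10nupdate_gid'),
) {
  # undef lets Puppet pick the platform default (useradd / groupadd);
  # 'ldap' targets the directory entry instead of /etc/passwd and /etc/group
  $user_provider  = $accounts_in_ldap ? { true => 'ldap', default => undef }
  $group_provider = $accounts_in_ldap ? { true => 'ldap', default => undef }

  group { 'mwdeploy':
    ensure   => present,
    gid      => $mwdeploy_gid,
    provider => $group_provider,
  }

  user { 'mwdeploy':
    ensure   => present,
    uid      => $mwdeploy_uid,
    gid      => $mwdeploy_gid,
    home     => '/var/lib/mwdeploy',   # as in the /etc/passwd line quoted later in the task
    shell    => '/bin/bash',
    provider => $user_provider,
    require  => Group['mwdeploy'],
  }

  group { 'l10nupdate':
    ensure   => present,
    gid      => $l10nupdate_gid,
    provider => $group_provider,
  }

  user { 'l10nupdate':
    ensure   => present,
    uid      => $l10nupdate_uid,
    gid      => $l10nupdate_gid,
    home     => '/home/l10nupdate',    # assumed, not taken from the task
    shell    => '/bin/bash',           # assumed, not taken from the task
    provider => $user_provider,
    require  => Group['l10nupdate'],
  }
}

# Hiera data that would accompany the class (assumed file layout). The
# numbers are placeholders and must be replaced by the uidNumber /
# gidNumber the directory actually holds:
#
#   # labs.yaml
#   scap::users::accounts_in_ldap: true
#
#   # common.yaml
#   scap::users::mwdeploy_uid:   <LDAP uidNumber of mwdeploy>
#   scap::users::mwdeploy_gid:   <LDAP gidNumber of mwdeploy>
#   scap::users::l10nupdate_uid: <LDAP uidNumber of l10nupdate>
#   scap::users::l10nupdate_gid: <LDAP gidNumber of l10nupdate>
```

Two caveats when using this. First, the ldap provider manages the directory entry itself, so it needs Puppet's own LDAP connection settings (ldapserver/ldapbase in puppet.conf); without write credentials, a missing account becomes a catalog failure rather than a local account, which is the failure mode this task wants, but any drift in uid, home or shell between the manifest and the directory would also turn into an attempted LDAP modify, so keep the declared attributes identical to what LDAP holds. Second, pinning uid/gid only helps if the chosen numbers are free on every host: before rolling it out, compare `getent passwd mwdeploy` (whatever NSS source answers first) with `grep '^mwdeploy:' /etc/passwd` on a few production and labs hosts to confirm nothing local already squats on that uid.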

Restricted Application added subscribers: StudiesWorld, Aklapper. Nov 29 2015, 4:55 AM
chasemp triaged this task as High priority.Nov 30 2015, 5:08 PM
chasemp added a subscriber: chasemp.

Same happens with groups as @thcipriani found out on the beta cluster. A project-deployment-prep local user group ended up shadowing the LDAP one...

Mentioned in SAL (#wikimedia-releng) [2019-12-13T11:08:27Z] <hashar> deployment-mediawiki07 : removing faulty entry mwdeploy:x:497:498::/var/lib/mwdeploy:/bin/bash in /etc/passwd # T73480

Bstorm added a subscriber: Bstorm.

This likely is really an upstream production puppet issue. That said, switching non-buster VMs to sssd might help.