
Prevent puppet from creating local user when they are defined in LDAP
Open, High, Public

Description

We had a few LDAP rolling upgrades over the past few days. When puppet realizes a User type, it apparently detects a provider for the user. When LDAP works, it does not create the user, but whenever LDAP does not, puppet falls back to adduser and creates a local user.

An example is the beta cluster which recently had a local 'mwdeploy' user being created by puppet on deployment-rsync01 and deployment-bastion. The process we run (such as scap) ends up altering / creating files with the local UID and whenever LDAP comes back we have a few permissions errors all over the place.

Puppet User supports a 'provider' attribute which can be set to 'ldap'. Bryan suggested to use hiera to set that on labs.

Ref:
https://docs.puppetlabs.com/references/latest/type.html#user-attribute-provider


Version: unspecified
Severity: normal

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 3:51 AM
bzimport added a project: Cloud-VPS.
bzimport set Reference to bz71480.
bzimport added a subscriber: Unknown Object (MLST).

A second thought, maybe the l10nupdate and mwdeploy User definitions in puppet should be given UID/GID that matches the one from LDAP.

(In reply to Antoine "hashar" Musso from comment #1)

A second thought, maybe the l10nupdate and mwdeploy User definitions in
puppet should be given UID/GID that matches the one from LDAP.

Renumbering is going to be a pain, but it would be less painful to ensure that the gid/uid pairs used in LDAP match the gid/uid pairs found in the production cluster. It's interesting to me that the mwdeploy user and group do not have explicit uid/gid in puppet. I wonder how that actually works in practice across production.

chasemp added a subscriber: chasemp.

Same happens with groups as @thcipriani found out on the beta cluster. A project-deployment-prep local user group ended up shadowing the LDAP one...

Mentioned in SAL (#wikimedia-releng) [2019-12-13T11:08:27Z] <hashar> deployment-mediawiki07 : removing faulty entry mwdeploy:x:497:498::/var/lib/mwdeploy:/bin/bash in /etc/passwd # T73480
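The failure described in the task (a local account created by puppet while LDAP was down, later shadowing the directory entry with a different uid/gid) can be spotted by comparing /etc/passwd against the directory's view of the same accounts. The script below is an added example, not part of this task or the operations/puppet repository; the passwd excerpt (reusing the faulty mwdeploy:x:497:498 line above) and the LDAP uid/gid numbers are constructed placeholders.

```python
"""Flag local /etc/passwd entries that shadow LDAP-defined accounts."""
from typing import Dict, List, Tuple

# Constructed /etc/passwd excerpt; the mwdeploy line mirrors the faulty
# entry quoted in the task (uid 497 / gid 498).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mwdeploy:x:497:498::/var/lib/mwdeploy:/bin/bash
l10nupdate:x:10002:10002::/home/l10nupdate:/bin/bash
"""

# Constructed LDAP view, name -> (uidNumber, gidNumber); placeholder numbers.
# On a live host build this from an ldapsearch export rather than getent,
# which returns the local (shadowing) entry first under 'files ldap' order.
LDAP_ACCOUNTS: Dict[str, Tuple[int, int]] = {
    "mwdeploy": (603, 603),
    "l10nupdate": (10002, 10002),
}


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {name: (uid, gid)} for each well-formed passwd line."""
    accounts = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 4 or not (f[2].isdigit() and f[3].isdigit()):
            continue  # blank, comment or malformed line
        accounts[f[0]] = (int(f[2]), int(f[3]))
    return accounts


def find_shadowed(local: Dict[str, Tuple[int, int]],
                  ldap: Dict[str, Tuple[int, int]]) -> List[str]:
    """Report LDAP accounts that also exist locally, noting uid/gid drift."""
    findings = []
    for name, (uid, gid) in sorted(local.items()):
        if name not in ldap:
            continue  # purely local account, nothing to shadow
        luid, lgid = ldap[name]
        if (uid, gid) == (luid, lgid):
            findings.append(f"{name}: local copy of LDAP account (uid {uid})")
        else:  # the case that leaves files owned by a number LDAP never issues
            findings.append(f"{name}: local uid/gid {uid}/{gid} shadows LDAP {luid}/{lgid}")
    return findings


if __name__ == "__main__":
    for finding in find_shadowed(parse_passwd(LOCAL_PASSWD), LDAP_ACCOUNTS):
        print(finding)
```

Any account reported with drifting uid/gid should be removed locally only after files owned by the stale number have been re-chowned to the LDAP uid, otherwise the permission errors mentioned in the description reappear.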

Bstorm added a subscriber: Bstorm.

This likely is really an upstream production puppet issue. That said, switching non-buster VMs to sssd might help.

Mentioned in SAL (#wikimedia-releng) [2021-06-11T14:14:31Z] <hashar> deployment-imagescaler03: delete local mwdeploy user with uid 497 # T73480

Change 699427 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] mwdeploy user is provided by LDAP on WMCS

https://gerrit.wikimedia.org/r/699427