Hi Tony Here my investigations for another user:
For our storage user the following happens with puppet: notice: //Node[default]/netbackup/netbackup::general/users::storage/ User[storage]/groups: groups changed 'log,log' to 'log' The user storage is not in ldap, but the group log. On ldap I have: log:*:126:user1,user2,user3,storage,user4 Local I have: log:x:126:storage To get the information i always deleted the ldap or files entry in / etc/nsswitch.conf. I also have: only ldap in nsswitch.conf: # id storage uid=902(storage) gid=902(storage) groups=126(log),902(storage) only files in nsswitch.conf: id storage uid=902(storage) gid=902(storage) groups=126(log),902(storage) Do you have any other ideas? Do you think the problem could arise from that the user storage is not in ldap? On Mar 2, 7:50 pm, "Tony G." <tony...@gmail.com> wrote: > Hi Rene, > > I tried to replicate the behavior without luck. > > Reading again your email I noticed that you used getent passwd to pull the > LDAP data, but that does not guarantee you are pulling from LDAP as it > depends on the order in your nsswitch.conf file. > > Here nsswitch.conf has files before ldap(I created locally auser and agroup > as you) > $ id auser > uid=999(auser) gid=999(auser) groups=999(auser),666(agroup) > $ getent passwd auser > auser:*:999:999:Some user:/home/auser:/bin/bash > > Here ldap is before nsswitch.conf (I created in ldap auser and agroup) > $ id auser > uid=999(auser) gid=*888*(auser) groups=*888*(auser),666(agroup) > $ getent passwd auser > auser:*:999:*888*:auser test:/home/auser:/bin/bash > > So the change you see *changed 'agroup,agroup' to 'agroup' *sounds like > auser has two agroup groups(with diff gid) and changing to have only one > agroup. I might be wrong with this, but the issue should be around there. > > I've tried to avoid having same groups/users in ldap and locally to avoid > similar issues. > > Hope that helps. > > > > On Tue, Mar 2, 2010 at 10:13 AM, Rene <rene.zbin...@gmail.com> wrote: > > Hi Tony > > > Thanks for the quick answer. > > > Yes the group is defined in the LDAP too with the same GID. And here > > the definition: > > �...@user { auser: > > comment => 'Some user', > > ensure => present, > > gid => somegid, > > uid => 300, > > groups => 'agroup', > > home => '/application/home/auser', > > shell => '/bin/bash', > > require => [ Group['auser'], Group['agroup'] ], > > } > > > I have no idea what is going wrong..... > > > On Mar 2, 4:53 pm, "Tony G." <tony...@gmail.com> wrote: > > > Hi Rene, > > > > Couple of things you might check: > > > > Do you have the agroup defined in LDAP too? If so that ldap group might > > > have a differente gid as the local one. > > > > How looks the definition of the user in users::db? > > > > On Tue, Mar 2, 2010 at 8:44 AM, Rene <rene.zbin...@gmail.com> wrote: > > > > On the System we have defined the user auser as: > > > > /etc/passwd: > > > > auser:x:300:300:auser User:/application/home/auser:/bin/bash > > > > /etc/group: > > > > agroup:x:126:auser > > > > > So id auser gives: > > > > uid=300(auser) gid=300(auser) groups=126(agroup),300(auser) > > > > > In the LDAP we have: > > > > #getent passwd auser > > > > auser:x:300:300:auser User:/application/home/auser:/bin/bash > > > > and > > > > #getent group agroup > > > > agroup:x:126:auser > > > > > Basically the same definition. > > > > > Now everytime I run puppet I get: > > > > notice: //Node[default]/oracle/users::db/User[auser]/groups: groups > > > > changed 'agroup,agroup' to 'agroup' > > > > This is really strange..... > > > > > Does anybody know what the problem is here. Does Puppet Merge the > > > > groups from local and ldap? > > > > > Any hint is appreciated. > > > > > BR, Rene > > > > > -- > > > > You received this message because you are subscribed to the Google > > Groups > > > > "Puppet Users" group. > > > > To post to this group, send email to puppet-us...@googlegroups.com. > > > > To unsubscribe from this group, send email to > > > > puppet-users+unsubscr...@googlegroups.com<puppet-users%2bunsubscr...@googlegroups.com> > > <puppet-users%2bunsubscr...@googlegroups.com<puppet-users%252bunsubscr...@googlegroups.com> > > > > > . > > > > For more options, visit this group at > > > >http://groups.google.com/group/puppet-users?hl=en. > > > > -- > > > Tony > > > -- > > You received this message because you are subscribed to the Google Groups > > "Puppet Users" group. > > To post to this group, send email to puppet-us...@googlegroups.com. > > To unsubscribe from this group, send email to > > puppet-users+unsubscr...@googlegroups.com<puppet-users%2bunsubscr...@googlegroups.com> > > . > > For more options, visit this group at > >http://groups.google.com/group/puppet-users?hl=en. > > -- > Tony -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.