Hi Tony
Here my investigations for another user:
For our storage user the following happens with puppet:
notice: //Node[default]/netbackup/netbackup::general/users::storage/
User[storage]/groups: groups changed 'log,log' to 'log'
The user storage is not in ldap, but the group log. On ldap I have:
log:*:126:user1,user2,user3,storage,user4
Local I have:
log:x:126:storage
To get the information i always deleted the ldap or files entry in /
etc/nsswitch.conf.
I also have:
only ldap in nsswitch.conf:
# id storage
uid=902(storage) gid=902(storage) groups=126(log),902(storage)
only files in nsswitch.conf:
id storage
uid=902(storage) gid=902(storage) groups=126(log),902(storage)
Do you have any other ideas?
Do you think the problem could arise from that the user storage is not
in ldap?
On Mar 2, 7:50 pm, "Tony G." <tony...@gmail.com> wrote:
> Hi Rene,
>
> I tried to replicate the behavior without luck.
>
> Reading again your email I noticed that you used getent passwd to pull the
> LDAP data, but that does not guarantee you are pulling from LDAP as it
> depends on the order in your nsswitch.conf file.
>
> Here nsswitch.conf has files before ldap(I created locally auser and agroup
> as you)
> $ id auser
> uid=999(auser) gid=999(auser) groups=999(auser),666(agroup)
> $ getent passwd auser
> auser:*:999:999:Some user:/home/auser:/bin/bash
>
> Here ldap is before nsswitch.conf (I created in ldap auser and agroup)
> $ id auser
> uid=999(auser) gid=*888*(auser) groups=*888*(auser),666(agroup)
> $ getent passwd auser
> auser:*:999:*888*:auser test:/home/auser:/bin/bash
>
> So the change you see *changed 'agroup,agroup' to 'agroup' *sounds like
> auser has two agroup groups(with diff gid) and changing to have only one
> agroup. I might be wrong with this, but the issue should be around there.
>
> I've tried to avoid having same groups/users in ldap and locally to avoid
> similar issues.
>
> Hope that helps.
>
>
>
> On Tue, Mar 2, 2010 at 10:13 AM, Rene <rene.zbin...@gmail.com> wrote:
> > Hi Tony
>
> > Thanks for the quick answer.
>
> > Yes the group is defined in the LDAP too with the same GID. And here
> > the definition:
> > �...@user { auser:
> > comment => 'Some user',
> > ensure => present,
> > gid => somegid,
> > uid => 300,
> > groups => 'agroup',
> > home => '/application/home/auser',
> > shell => '/bin/bash',
> > require => [ Group['auser'], Group['agroup'] ],
> > }
>
> > I have no idea what is going wrong.....
>
> > On Mar 2, 4:53 pm, "Tony G." <tony...@gmail.com> wrote:
> > > Hi Rene,
>
> > > Couple of things you might check:
>
> > > Do you have the agroup defined in LDAP too? If so that ldap group might
> > > have a differente gid as the local one.
>
> > > How looks the definition of the user in users::db?
>
> > > On Tue, Mar 2, 2010 at 8:44 AM, Rene <rene.zbin...@gmail.com> wrote:
> > > > On the System we have defined the user auser as:
> > > > /etc/passwd:
> > > > auser:x:300:300:auser User:/application/home/auser:/bin/bash
> > > > /etc/group:
> > > > agroup:x:126:auser
>
> > > > So id auser gives:
> > > > uid=300(auser) gid=300(auser) groups=126(agroup),300(auser)
>
> > > > In the LDAP we have:
> > > > #getent passwd auser
> > > > auser:x:300:300:auser User:/application/home/auser:/bin/bash
> > > > and
> > > > #getent group agroup
> > > > agroup:x:126:auser
>
> > > > Basically the same definition.
>
> > > > Now everytime I run puppet I get:
> > > > notice: //Node[default]/oracle/users::db/User[auser]/groups: groups
> > > > changed 'agroup,agroup' to 'agroup'
> > > > This is really strange.....
>
> > > > Does anybody know what the problem is here. Does Puppet Merge the
> > > > groups from local and ldap?
>
> > > > Any hint is appreciated.
>
> > > > BR, Rene
>
> > > > --
> > > > You received this message because you are subscribed to the Google
> > Groups
> > > > "Puppet Users" group.
> > > > To post to this group, send email to puppet-us...@googlegroups.com.
> > > > To unsubscribe from this group, send email to
> > > > puppet-users+unsubscr...@googlegroups.com<puppet-users%2bunsubscr...@googlegroups.com>
> > <puppet-users%2bunsubscr...@googlegroups.com<puppet-users%252bunsubscr...@googlegroups.com>
>
> > > > .
> > > > For more options, visit this group at
> > > >http://groups.google.com/group/puppet-users?hl=en.
>
> > > --
> > > Tony
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Puppet Users" group.
> > To post to this group, send email to puppet-us...@googlegroups.com.
> > To unsubscribe from this group, send email to
> > puppet-users+unsubscr...@googlegroups.com<puppet-users%2bunsubscr...@googlegroups.com>
> > .
> > For more options, visit this group at
> >http://groups.google.com/group/puppet-users?hl=en.
>
> --
> Tony
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
