On Apr 23, 2010, at 7:15 AM, CraftyTech wrote: > On Apr 23, 7:24 am, Daniel Pittman <dan...@rimspace.net> wrote: >> CraftyTech <hmmed...@gmail.com> writes: >>> I'm new to puppet, and I'd like to know: Is there a formal best practices >>> guide for syncing { /etc/passwd, shadow, group, hosts} across clients from >>> the master? >> >> You will probably find the most common "best practice" answer to this is >> "don't do it that way": the risks probably outweigh the cost, and using a >> proper system like LDAP, NIS, or puppet user bits is probably less painful. >> >>> For instance; is it a better practice to make a hard link to these files and >>> share the link, as opposed to just sharing the files directly via a target >>> in fileserver.conf? >> >> I would, simply because you reduce the list of exposed files that way. >> >> Daniel >> >> By "would" I mean "would deploy LDAP, but if you insist", of course. >> -- >> ✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 >> 707 >> ♽ made with 100 percent post-consumer electrons >> > Thanks for the quick reply. I should have been more specific in my > question: We do use ldap/DNS in our environment; I wanted to use > puppet for syncing the { /etc/passwd, shadow, group, hosts} for the > purposes of service accounts only, and not users in general. Also the > host file would be helpful in case there are hosts names that need to > be hard coded. I suppose I can create a class that creates the users > for the service accounts and propagate it that way... My thought > process was that if I have a hand-full of service accounts that need > to be present in all hosts, and certain hosts that need to be hard- > coded in the hosts file, that I would just share the previously > mentioned files via hard link on fileserver.conf. There appear to be > some security holes with this approach, so I have to re-think my > deployment strategy.. All suggestions are welcome :-))
If you only have a few service accounts, it's probably easiest to just manage them using the user resource. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.