On Sep 1, 8:03 am, jcbollinger <john.bollin...@stjude.org> wrote:
> On Aug 31, 8:09 pm, treydock <treyd...@gmail.com> wrote:
>
> > I have a file resource defined to be owned by a group that is
> > accessible via samba/winbind (AD based group), but every time Puppet
> > runs automatically (every 30 min) the run fails with this error,
> > (sensitive information removed)
>
> > (/Stage[main]//Node[node1.tld]/Apache::Vhost[vhost1]/File[/var/www/
> > vhost1/html]) Could not evaluate: Could not find group org-www at /etc/
> > puppet/modules/apache/manifests/definitions/vhost.pp:52
>
> > When I manually run "puppetd --test --debug -v" there is no failure.
> > Also the group is visible on the system and all works just fine.  It
> > only fails during the automatic Puppet runs.  I also have another
> > host, with an almost identical setup, assigning AD based groups to
> > file resources, and it doesn't have this problem.  Using Puppet 2.6.9,
> > on CentOS 6.
>
> It looks like the Puppet agent is unable to connect to the domain to
> retrieve group information.  In all likelihood this is an issue with
> the environment in which the agent runs or the user (root) as whom it
> runs, perhaps in conjunction with winbind configuration specifics.
> You could try to duplicate it from the command line by doing something
> like 'env -i PATH="/bin:/sbin:/usr/bin:/usr/sbin" puppetd --test --debug -v'
> to ensure that it runs with a minimal environment.
>
> Not being familiar with the details of using samba/winbind as a user
> and group resolution service, I'm not sure what specifically to
> recommend you check in that area.  Duplicating the problem from the
> command line should give you a leg up, though.
>
> John

Thanks for the suggestion.  I run puppet manually as you suggested,
and still no errors.  Even stranger is sometime last night the errors
stopped occurring.  From the time I activated the samba module, till
last night it failed like clockwork, every 30 minutes.  Now the
automatic puppet runs seem to be working just fine.

My understanding of the internals of how Winbind/Samba store and cache
AD account information is a bit lacking, but could this be that it
just took time for the groups/users to get cached?  Authentication and
all other functions relying on these groups worked just fine from the
beginning.

Here are some of the relevant lines from my smb.conf...


        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nested groups = Yes
        winbind expand groups = 3
        winbind separator = +

Thanks
- Trey
