puppet nis user management

Question

I started using puppet for managing our RHEL servers. At this point I try to setup the user management. We are running a NIS environment on our campus, so until now I added the line +testuser::::: to the /etc/passwd file which then received the user information over NIS. What I want to achieve is that I have a set of admin users (admin1, admin2 and admin3) which can log in to every machine and a set of users (user1, user2 and user3) which are different on every machines. At the end of the passwd file I need an entry line +::::::/sbin/nologin to have all users information available but grant no access to them.

So /etc/passwd on one machine would look like

+admin1::::::
+admin2::::::
+admin3::::::
+user1::::::
+user2::::::
+::::::/sbin/nologin

and on an other machine

+admin1::::::
+admin2::::::
+admin3::::::
+user1::::::
+user3::::::
+::::::/sbin/nologin

Because the admin users are rather static but the normal users vary from system to system, I thought to declare the admin users in a module and the normal users on a per node basis.

My first problem is, how to edit the /etc/passwd file to add the lines. Furthermore it's important that the sorting is correct, so that the nologin line is at the end. Do you have any idea how to achieve this in a flexible manner?

Thanks and regards

Answer 1

There is a function in the latest version of stdlib - (https://forge.puppetlabs.com/puppetlabs/stdlib) - called 'file_line', which may help you achieve what you are aiming to do:

I've not tested this, but the resource would likely look something like this:

file_line { 'nis_admin_users':
  path  => '/etc/passwd',
  line  => '+::::::/sbin/nologin',
}

However, I'm not sure how to ensure that the line is placed right at the bottom, since you mention that the ordering does matter. Is it likely that the original file would contain a similar line already? If so, you could use the additional optional parameter to file_line called 'match', and craft a regex to match on.

Alternately, look at using augues rather -> http://projects.puppetlabs.com/projects/1/wiki/puppet_augeas#Using+Puppet+with+Augeas

Answer 2

Puppet will edit /etc/passwd on its own accord, when you add user resources to your manifest, such as

user {
    'admin1':
        ensure => present,
        uid => 1003,
        password => '$6$...',
}

Ordering of existing lines will be tricky at best. Puppet natively does not support anything like that. My advice would be to use an exec resource like this:

exec {
    '/path/to/script-that-moves-nologin-line-to-the-end':
        unless => '/script/that/returns-true-if-nologins-line-is-currently-at-the-end'
}

You would want Puppet to perform that after syncing all user resources to your system. There are different ways to go about that, all with their pros and cons.

Assuming your manifests are not too complex, you can likely get away with global defaults for the user type.

User { before => Exec['/path/to/script-that-moves-nologin-line-to-the-end'] }

Just be careful that no user resources overwrites this with a different before value.

Other alternatives include

• overriding the the before value of all existing user resources with a resource collector
• run stages
• gathering your user resources in few classes and just add require => Class[...] to the exec

Among others that are probably conceivable.