I am using the following user resource to create a unix user and then set an initial password for the user. I then performed an exec with the chage command to force the user to change his password after his first login. The manifest is as follows:

node 'node2.example.com', 'node3.example.com' {
  user { 'askar':
    ensure           => 'present',
    managehome       => 'true',
    comment          => 'Laskar Home',
    home             => '/home/askar',
    shell            => '/bin/bash',
    expiry           => '2016-04-22',
    password         => '$1$T7iMiuVY$bVjrtyWV4diXBKlCgcDKT0',
    password_min_age => '20',
    password_max_age => '60',
  }
  exec { 'chage':
    path    => '/usr/bin/',
    command => 'chage -d 0 askar',
  }
}

The issue with the above manifest is that every time the agent pulls the manifest the password is again set to the default password and then the user is forced to change his password.

So, in order to avoid this I am adding the refreshonly parameter as follows:

  exec { 'chage':
    path        => '/usr/bin/',
    command     => 'chage -d 0 askar',
    subscribe   => File['askar'],
    refreshonly => true,
  }
}

I then verified that after applying the refreshonly parameter, the password is not getting changed to the default password and also chage in the exec is not getting executed. But I had a few doubts regarding how the refreshonly parameter works and I am not sure whether it is working fine for me.

1) Since refreshonly is an exec parameter, using it inside the exec will not cause chage -d 0 askar to execute unless there is a change in the user resource manifest. Am I correct here? Does this also mean that the user resource will also not be executed along with the exec because of the refreshonly parameter, which means the user password will not be set to the default which was defined in the user resource?

2) I tried to change password_min_age => '20' to password_min_age => '30'. Now, since this is a change in the user manifest, I am expecting that the exec resource will get executed with the chage command and the user will be forced to change his password. But I am not seeing this change. Is my understanding wrong here?

3) Or is the way I am defining the refreshonly parameter itself wrong? Should the syntax have been subscribe => User['askar'] instead of subscribe => File['askar']?

Zama Ques

2 Answers

@Zama Ques: Considering your problem, I faced exactly the same issue which you asked in your point no. 3, that on changing any attributes in the user resource, the exec resource is not getting executed, which it should according to our thought. But the problem is you and I did the wrong thing in putting the "notify/subscribe" key in the exec resource. Think like this: if any attributes get changed in the user resource then it should "notify" the exec resource to get executed, isn't it? Not the other way round. Look at my manifest below:

user { 'john':
  ensure     => 'present',
  uid        => '502',
  password   => '$1$3uCLHGag$TVHLvE9T14XVSYoKA4YlH1',
  managehome => true,
  # Resource references use the capitalised type name: Exec[...], not EXEC[...]
  notify     => Exec['password change'],
}

exec { 'password change':
  command     => 'chage -d 0 john',
  path        => '/usr/bin',
  # only runs when User['john'] reports a change and notifies this exec
  refreshonly => true,
}

When I am changing the password to "$1$QmJsatk6$4B.7Ksj5D608SHb/qVscM0", then it notifies the exec resource to execute.

If we put "notify" in the exec resource, whatever you change in the user resource, the exec resource will not execute. It all depends on where you specify the "notify". Tip: the resource you expect to be changed, apply notify there itself. Hope this makes the concept clear.

To your 3rd question : look at my manifest.

chicks

Passing the password attribute to a user resource isn't required. If you don't provide a password, I believe Puppet leaves it disabled, but you would need to test. I know that if you don't provide a password, then Puppet doesn't change the password of an existing account.

I don't have an environment to test, but I believe you could have your user resource create the account without a password, then have a notify that notifies an exec that does something like usermod -p '$1$T7iMiuVY$bVjrtyWV4diXBKlCgcDKT0' or something.

Zoredache
  • Will be great if you tell me the exact syntax of using refreshonly. Can it only be used with file and exec resources, as I am asking in point 3)? – Zama Ques Mar 29 '16 at 23:38
  • https://docs.puppetlabs.com/puppet/latest/reference/type.html#exec-attribute-refreshonly The command should only be run as a refresh mechanism for when a dependent object is changed. **Changed** means the state of the system was different than the state described in the manifests, so Puppet applied a change for an object. So if the password for the user on the system is not exactly '$1$T7iMiuVY$bVjrtyWV4diXBKlCgcDKT0' during any Puppet run, then the user is changed to have that password, and that will trigger the exec refresh. – Zoredache Mar 30 '16 at 07:02
  • Basically if you define a password in the user object, then that password will not be changeable. Messing around with refreshonly on an exec resource will not have any effect. – Zoredache Mar 30 '16 at 07:04
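Putting the two answers together (notify placed on the user resource, and the password left unmanaged on the user resource so a changed password does not count as drift), here is an added example manifest that is not from the question or either answer; the exec title, the path list and the use of the shell provider are my own choices, and the hash is the one quoted in the question:

```puppet
# Added example, not from the question or the answers.
# The user resource manages no password, so after the account exists the only
# things Puppet compares each run are ensure/home/shell/comment. A password the
# user has since changed is therefore not reset on every agent run.
user { 'askar':
  ensure     => present,
  managehome => true,
  comment    => 'Laskar Home',
  home       => '/home/askar',
  shell      => '/bin/bash',
  # notify lives on the resource whose change should trigger the exec
  notify     => Exec['askar initial password'],
}

# Refreshed only when User['askar'] reports a change, i.e. when the account is
# created (or if a managed attribute such as shell drifts and is corrected).
# Sets the initial hash from the question, then expires it so the first login
# forces a password change. Single quotes keep the '$' characters literal.
exec { 'askar initial password':
  command     => 'usermod -p \'$1$T7iMiuVY$bVjrtyWV4diXBKlCgcDKT0\' askar && chage -d 0 askar',
  path        => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
  provider    => shell,
  refreshonly => true,
}
```

On the first run the account is created, User['askar'] reports a change and the exec runs once; on later runs no managed attribute differs, so the exec is skipped and the user's own password is left alone.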