Hi Michael, Sorry for the much-delayed response (again...)
This is kind of an edge-case, but for a NIS client (with 'compat' in the /etc/nsswitch.conf for passwd, which is at least the default in Ubuntu), you must add a special entry in to "pick up" the NIS users (again, see section 7.2 in http://www.linux-nis.org/nis-howto/HOWTO/settingup_client.html for the different options.) I believe the 'user' module has the paradigm of adding actual users to the system, and can not just add needed entries to /etc/passwd (and /etc/shadow) to handle as case as the above... Or did I misread the docs on the user module? I found that one can "get around" the need for such an entry in /etc/passwd if you specify the following in nsswitch.conf: passwd: files nis i.e., try the local /etc/passwd first, then if not found, try NIS -- this is what we were doing, so we found the entry of '+::::::' was actually not necessary in /etc/passwd (and why the incorrect '::::::+' we had been putting in there didn't matter, and why NIS worked anyways) Best, Will On Thursday, August 14, 2014 7:50:44 AM UTC-4, Michael DeHaan wrote: > > Can you let us know why the user module won't work for you in this case? > It should not be needed to edit those files directly, and if there's a > missing feature I'd like to see it exposed in the user module. > > Thanks! > > > On Wed, Aug 13, 2014 at 5:28 PM, Willard Dennis <[email protected] > <javascript:>> wrote: > >> Sorry, other work took me away from pursuing this issue until now... >> Thanks for your attention, Michael & James! >> >> In any case, it seems the entry I need is actually "+::::::" in >> /etc/passwd, per this webpage: >> http://www.linux-nis.org/nis-howto/HOWTO/settingup_client.html (and not >> "::::::+" as I've been using, which is weird, because NIS logins are >> working with that... but I digress...) >> >> I can't really template the /etc/passwd and /etc/shadow files, as the >> users can install software that enters new users that my Ansible playbooks >> wouldn't know about... And I'm pretty sure I can't use the "user" module; I >> don't want to create an actual local user (and homedir etc.), just add the >> literal line "+::::::" at the bottom of /etc/passwd to create the needed >> entry to incorporate the NIS users... >> >> I also had an instance today where my playbook worked perfectly (i.e., >> lineinfile did NOT overwrite the then-last entry for the 'ntp' user...) so >> looks like it's also an intermittent problem. >> >> Just wanted to report a seeming problem, and see if there was a >> solution... >> >> Thanks, >> Will >> >> >> >> On Friday, August 8, 2014 7:59:20 PM UTC-4, James Cammarata wrote: >> >>> Also, is there any reason you're not using the user module to manage >>> entries in your passwd/shadow files? >>> >>> >>> On Fri, Aug 8, 2014 at 6:30 PM, Michael DeHaan <[email protected]> >>> wrote: >>> >>>> lineinfile is tricky and I don't have bandwidth to debug this one right >>>> now, but maybe some other folks would like to help? >>>> >>>> Most of the time, I *strongly* recommend just templating the file, that >>>> way you are centrally very sure of the state of everything that's in there. >>>> >>>> >>>> >>>> >>>> On Fri, Aug 8, 2014 at 2:22 PM, Willard Dennis <[email protected]> >>>> wrote: >>>> >>>>> Hi all, >>>>> >>>>> I have a playbook used for setting up new servers here, that among >>>>> other things, ensures both NTP and NIS (yes, we still use NIS here...) >>>>> are >>>>> installed and are running. The problem I am seeing is that when the >>>>> playbook executes the notify action for restarting the ntpd service, it >>>>> is >>>>> failing because the 'ntp' user is no longer in /etc/passwd. I believe the >>>>> problem is occurring when I run tasks in the playbook that call the >>>>> 'lineinfile' module to ensure I have a certain entry needed for NIS >>>>> logins >>>>> at the bottom of /etc/passwd, which seems to be overwriting the >>>>> then-last-line which is the 'ntp' user one. >>>>> >>>>> Here is the tasks that make sure NTPD is installed and running... >>>>> >>>>> [...] >>>>> >>>>> - name: DEBFAM | Ensure NTP package is installed >>>>> apt: pkg=ntp state=present >>>>> tags: ntp >>>>> >>>>> - name: DEBFAM | Ensure NTP configured correctly >>>>> template: src=ntp.conf.j2 dest=/etc/ntp.conf >>>>> notify: >>>>> - restart deb-ntpd >>>>> tags: ntp >>>>> >>>>> - name: DEBFAM | Ensure NTP is running and enabled >>>>> service: name=ntp state=running enabled=yes >>>>> tags: ntp >>>>> >>>>> [...] >>>>> >>>>> Right after these steps are run, I can cat /etc/password and notice >>>>> that the 'ntp' user entry is there, and happens to be the last entry... >>>>> >>>>> [...] >>>>> rtkit:x:116:124:RealtimeKit,,,:/proc:/bin/false >>>>> saned:x:117:125::/home/saned:/bin/false >>>>> whoopsie:x:118:126::/nonexistent:/bin/false >>>>> speech-dispatcher:x:119:29:Speech Dispatcher,,,:/var/run/speech- >>>>> dispatcher:/bin/sh >>>>> hplip:x:120:7:HPLIP system user,,,:/var/run/hplip:/bin/false >>>>> ntp:x:121:127::/home/ntp:/bin/false >>>>> >>>>> Then the playbook runs the tasks I have set up to ensure NIS is >>>>> installed and running... >>>>> >>>>> [...] >>>>> >>>>> - name: DEBFAM | Ensure NIS package is installed >>>>> apt: pkg=nis >>>>> tags: nis >>>>> >>>>> - name: DEBFAM | Ensure /etc/yp.conf configured correctly for NIS >>>>> template: src=yp.conf.j2 dest=/etc/yp.conf >>>>> notify: >>>>> - restart nis >>>>> tags: nis >>>>> >>>>> - name: DEBFAM | Ensure /etc/defaultdomain configured correctly for NIS >>>>> template: src=etc-defaultdomain.j2 dest=/etc/defaultdomain >>>>> notify: >>>>> - restart nis >>>>> tags: nis >>>>> >>>>> - name: DEBFAM | Ensure /etc/nsswitch.conf configured correctly for NIS >>>>> template: src=nsswitch.conf.j2 dest=/etc/nsswitch.conf >>>>> tags: nis >>>>> >>>>> - name: DEBFAM | Erase old /etc/passwd entry for NIS users >>>>> lineinfile: dest=/etc/passwd >>>>> regexp='::::::+' >>>>> state=absent >>>>> tags: nis >>>>> >>>>> - name: DEBFAM | Erase old /etc/shadow entry for NIS users >>>>> lineinfile: dest=/etc/shadow >>>>> regexp='::::::::+' >>>>> state=absent >>>>> tags: nis >>>>> >>>>> - name: DEBFAM | Ensure NIS is running and enabled >>>>> service: name=ypbind state=restarted enabled=yes >>>>> notify: >>>>> - restart autofs >>>>> tags: nis >>>>> >>>>> - name: DEBFAM | Ensure /etc/passwd has correct entry for NIS users >>>>> lineinfile: dest=/etc/passwd >>>>> regexp='' >>>>> insertafter=EOF >>>>> line='::::::+' >>>>> notify: >>>>> - restart nis >>>>> tags: nis >>>>> >>>>> - name: DEBFAM | Ensure /etc/shadow has correct entry for NIS users >>>>> lineinfile: dest=/etc/shadow >>>>> regexp='' >>>>> insertafter=EOF >>>>> line='::::::::+' >>>>> notify: >>>>> - restart nis >>>>> tags: nis >>>>> >>>>> [...] >>>>> >>>>> (I'm running the lineinfile module once on /etc/passwd and /etc/shadow >>>>> to remove any old existing entries for the '+::::...' patterns, and then >>>>> running them again on those files to ensure they are present and at the >>>>> end >>>>> of those respective files.) >>>>> >>>>> However, when the playbook is ending and running the accumulated >>>>> notifies, when it hits the 'restart deb-ntpd' action, this fails, >>>>> complaining that the 'ntp' user is not there -- >>>>> >>>>> NOTIFIED: [common | restart deb-ntpd] >>>>> ***************************************** >>>>> >>>>> failed: [dhcp-207-150] => {"failed": true} >>>>> msg: * Stopping NTP server ntpd >>>>> ...done. >>>>> * Starting NTP server ntpd >>>>> * user "ntp" does not exist >>>>> >>>>> >>>>> FATAL: all hosts have already failed -- aborting >>>>> >>>>> If I then cat /etc/passwd, I notice that the entry for the 'ntp' user >>>>> is gone, and seemingly overwritten by the NIS entry: >>>>> >>>>> [...] >>>>> rtkit:x:116:124:RealtimeKit,,,:/proc:/bin/false >>>>> saned:x:117:125::/home/saned:/bin/false >>>>> whoopsie:x:118:126::/nonexistent:/bin/false >>>>> speech-dispatcher:x:119:29:Speech Dispatcher,,,:/var/run/speech- >>>>> dispatcher:/bin/sh >>>>> hplip:x:120:7:HPLIP system user,,,:/var/run/hplip:/bin/false >>>>> ::::::+ >>>>> >>>>> This has happened a number of times to me, enough that I believe I'm >>>>> hitting a bug (or am using the 'lineinfile' module incorrectly somehow??) >>>>> so I thought I'd post it to this list and ask for help with debugging >>>>> this.... >>>>> >>>>> Thanks, >>>>> Will >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "Ansible Project" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> To post to this group, send email to [email protected]. >>>>> >>>>> To view this discussion on the web visit https://groups.google.com/d/ >>>>> msgid/ansible-project/e5eada51-a098-4e46-b277- >>>>> c1144ce74829%40googlegroups.com >>>>> <https://groups.google.com/d/msgid/ansible-project/e5eada51-a098-4e46-b277-c1144ce74829%40googlegroups.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> For more options, visit https://groups.google.com/d/optout. >>>>> >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Ansible Project" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To post to this group, send email to [email protected]. >>>> To view this discussion on the web visit https://groups.google.com/d/ >>>> msgid/ansible-project/CA%2BnsWgx6zEP42Cw00k%2BwTQ2% >>>> 2BNCBfi_q%3DaVa3Asi2sK1w-svwKA%40mail.gmail.com >>>> <https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgx6zEP42Cw00k%2BwTQ2%2BNCBfi_q%3DaVa3Asi2sK1w-svwKA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>> >>> -- >> You received this message because you are subscribed to the Google Groups >> "Ansible Project" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected] <javascript:>. >> To post to this group, send email to [email protected] >> <javascript:>. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/ansible-project/77a14bc6-6509-4e40-9e52-724ed6a706ae%40googlegroups.com >> >> <https://groups.google.com/d/msgid/ansible-project/77a14bc6-6509-4e40-9e52-724ed6a706ae%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> >> For more options, visit https://groups.google.com/d/optout. >> > > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/e8931be7-b6c7-45aa-943b-0fa8a0b80808%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
