On Monday, April 23, 2018 at 10:34:56 AM UTC-5, [email protected] wrote: > > hello John, thanks for the answer!!! > > This problem only happens in linux machines that are in the domain, > because I have not yet tested on windows. > > Linux machines names in the test: > > - mint-client.mycompany.intra > - ubuntu-client.mycompany.intra > > Use the 'certname' setting in your machines' Puppet configuration ([main] >> section) to assign a unique certname to each personality of each machine. >> Perhaps you could use a pattern similar to the one I suggested for unique >> hostnames. > > > So I would put an entry in puppet.conf, something like this? > > [main] > certname = mint-client.mycompany.intra > > [agent] > server = puppet.mycompany.intra > > If yes, yet not works. > > The user "xiru" is part of the domain. I logged on to the machine and > executed "puppet agent -t" command and the error of certificates not match > occurs. > > It creates the new certificate on the path: > "/home/xiru/.puppetlabs/etc/puppet/ssl" >
My apologies. It escaped my attention that you are running the agent as an unprivileged user instead of via a system account. This is unusual, because the capabilities of the agent are limited to those of the user running it, so running it as an unprivileged user means that many of the resources one might normally want the agent to manage cannot, in fact, be managed. It is more typical to run the agent as a system service, or to have the system's scheduler (e.g. cron) run it with privilege, so as to be able to manage everything. Nevertheless, the problem is along the same lines I already described. The system does not share its Puppet credentials with ordinary users, and they don't share theirs with each other. Each of them, on each machine, on each OS, needs to be identified by a distinct certname. If supporting multiple individual users running the agent as themselves is in fact what you want, then the solution is along the same lines as I already described. Ordinary users will use Puppet configuration recorded in their own space, under .puppetlabs/etc/puppet. You can form unique certnames by also adding the username, so, for example, */home/xiru/.puppetlabs/etc/puppet/puppet.conf*: [main] certname = lab1-machine1.mycompany.intra-linux-xiru [agent] server = puppet.mycompany.intra Note well that this configuration is under the control of your users, so you would be wise to exercise careful oversight and control of certificate signing. Again, however, this seems very unusual. Unprivileged end users more typically rely on 'puppet apply' to apply local manifests under their own control to manage resources within their own limited sphere of influence. This does not involve interacting with a master, and does not require cryptographic certificates at all. John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/9c0f8082-5f5b-4248-92a6-04d6b368c63c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
