Check if the output of your script actually matches *exactly* the hash that gets written into the user. Whitespace, even a new line at the end, might confuse puppet here. If that's the problem, use https://forge.puppet.com/puppetlabs/stdlib#strip to fix that.
Cheers, DavidS

On Thu, Oct 18, 2018 at 7:23 PM James Perry <[email protected]> wrote:
> I have been asked to set the password for a user so it is unique on every
> single host we support. I have a script that generates the password and I
> had pulled it in via a generate call. The script takes in two facter
> values to be used to aid in generating the password.
>
> $myvar = generate("/bin/sh","myscript.sh","value1","value2")
> user { 'bob':
>   password => "${myvar}",
> }
>
> This value is coming in as expected. When I pass it to the password => block
> it gets set as expected. Cool, but then it isn't.
>
> Each time puppet runs for the host, it keeps changing the user's password
> hash even though the hash from the script is the same as that on the host.
> Even that could be acceptable, except that these hosts are audited for password
> changes. Root being shown as updated every puppet run fails the audit.
>
> When I define it as a static hash aka '$1$salt$ab12k3oa01ksf01810' it
> doesn't keep resetting the password.
>
> Notice: Local environment: 'production' doesn't match server specified
> node environment 'passfix', switching agent to 'passfix'.
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Loading facts
> Info: Caching catalog for tlistmrrh511.myhost.net
> Info: Applying configuration version '1539886469'
> Notice: /Stage[main]/Users::mypassword/User[bob]/password: created password
> Notice: Applied catalog in 4.52 seconds
> [root@tlistmrrh511 ~]#
> [root@tlistmrrh511 ~]# puppet agent -tv
> Notice: Local environment: 'production' doesn't match server specified
> node environment 'passfix', switching agent to 'passfix'.
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Loading facts
> Info: Caching catalog for tlistmrrh511.myhost.net
> Info: Applying configuration version '1539886484'
> Notice: /Stage[main]/Users::myassword/User[bob]/password: created password
> Notice: Applied catalog in 4.36 seconds
>
> I have tried a number of ways to get this to work inside puppet without using
> exec. Searching on this came up with creating custom facts to get the hash
> or hiera, which we don't use, to do this step. Having user hashes
> available as a fact won't pass an audit either. Basically this all needs to
> happen on the Puppet master and be pushed to all clients.
>
> It seems that Puppet has a way to compare the old hash with the new one
> when the hash is put between ' ', but I'm passing in a var.
>
> I don't see any indication of why it is failing the comparison. I have
> even set passwd => generate(... and it behaves the same way.
>
> What am I doing wrong here? It is quite frustrating.
>
> Thanks
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/4bc322cd-c3bc-44fa-9c6a-1ccd6a778b81%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Cheers, David
https://twitter.com/dev_el_ops
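The check DavidS suggests, written out as an added shell example (it is not part of the thread and not Puppet or stdlib code): the hash string is a constructed placeholder and the function names are made up for illustration. It reproduces the mismatch (a generator that uses `echo` emits the hash plus a trailing newline, and Puppet's `generate()` hands that raw stdout to the `password` parameter, so the catalog value never equals the bare hash stored on the host), shows a byte-exact comparison of the script's raw output, and includes a strip equivalent for comparison with stdlib `strip()`.

```sh
#!/bin/sh
# Added example, not from the thread. HASH is a constructed placeholder,
# not a real password hash for any host.
HASH='$6$constructedsalt$placeholderhashvalue'

# A typical generator script: echo appends "\n", so Puppet's generate()
# receives "<hash>\n" and compares that against the hash already on the host.
generate_with_echo() { echo "$HASH"; }

# The fixed generator: printf '%s' emits exactly the hash bytes, nothing more.
generate_with_printf() { printf '%s' "$HASH"; }

# Count the bytes of a generator's raw stdout. Command substitution would
# silently drop trailing newlines (hiding the bug), so go through a file.
raw_byte_count() {
  f=$(mktemp)
  "$1" > "$f"
  n=$(wc -c < "$f" | tr -d ' ')
  rm -f "$f"
  echo "$n"
}

# Byte-exact comparison of raw stdout against the expected hash:
# succeeds (returns 0) only when the output equals the hash with no extra bytes.
output_matches_hash() {
  f=$(mktemp); g=$(mktemp)
  "$1" > "$f"
  printf '%s' "$HASH" > "$g"
  if cmp -s "$f" "$g"; then rc=0; else rc=1; fi
  rm -f "$f" "$g"
  return $rc
}

# Shell equivalent of stdlib strip(): remove leading/trailing whitespace
# and newlines from a generator's output.
strip_output() {
  "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | tr -d '\n'
}

# Stand-alone run: show the difference the way you would on a host.
for gen in generate_with_echo generate_with_printf; do
  if output_matches_hash "$gen"; then
    echo "$gen: $(raw_byte_count "$gen") bytes, matches the stored hash exactly"
  else
    echo "$gen: $(raw_byte_count "$gen") bytes, does NOT match (trailing bytes present)"
  fi
done
```

On the host the same thing is visible with `./myscript.sh value1 value2 | od -c`, which prints the trailing `\n` that a plain `echo` or `cat` hides. On the Puppet side the fix is either to make the script emit the hash with `printf '%s'`, or to wrap the call as `password => strip(generate(...))` with puppetlabs-stdlib so the stored and generated strings are compared byte for byte.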
