| Line 1: | Line 1: | ||
This module handles login accounts on the system. It has two classes that can be included. These are generally included high in the [[ReleaseEngineering/Puppet/Modules/toplevel|toplevel]] hierarchy. | This module handles login accounts on the system. It has two classes that can be included. These are generally included high in the [[ReleaseEngineering/Puppet/Modules/toplevel|toplevel]] hierarchy. | ||
= users::global = | = Classes = | ||
== users::global == | |||
This sets up some global (/etc) defaults for user configuration, e.g. PATH. | This sets up some global (/etc) defaults for user configuration, e.g. PATH. | ||
= users::root = | == users::root == | ||
This sets up the root user (or, on Windows, Administrator). This provides the following easy-to-use variables, per {{bug|776641}}: | This sets up the root user (or, on Windows, Administrator). This provides the following easy-to-use variables, per {{bug|776641}}: | ||
* $users::root::username | * $users::root::username | ||
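Review bot: The intro sentence at the top of this hunk still says the module "has two classes that can be included", but with the new Classes heading the page documents users::global, users::root, users::builder and users::builder::autologin. Update the count or drop it, so the sentence matches the sections now grouped under it.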
| Line 10: | Line 11: | ||
* $users::root::home | * $users::root::home | ||
= users::builder = | == users::builder == | ||
Installs the builder user (cltbld for releng, although this can be adjusted in <tt>manifests/settings.pp</tt>). This provides the following easy-to-use variables, per {{bug|776641}}: | Installs the builder user (cltbld for releng, although this can be adjusted in <tt>manifests/settings.pp</tt>). This provides the following easy-to-use variables, per {{bug|776641}}: | ||
* $users::root::username | * $users::root::username | ||
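Review bot: Under the users::builder heading, the first variable listed is $users::root::username, which looks copied from the users::root section. It is unchanged context in this edit, but since the headings are being reorganized anyway, confirm whether the list should name the users::builder variables instead.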
| Line 17: | Line 18: | ||
This class also sets up the builder user's dotfiles appropriately, including SSH configuration, and performs some basic cleanup. | This class also sets up the builder user's dotfiles appropriately, including SSH configuration, and performs some basic cleanup. | ||
== users::builder::autologin == | |||
If included, this class will arrange for the builder user to automatically login to a GUI sesssion at boot. | |||
= Implementation = | |||
== Linux == | |||
Puppet supports user management on Linux with no difficulty, via the ''user'' provider. | |||
Automatic login is not currently supported on Linux. | |||
== Darwin == | |||
On Mac OS X, user management is much more complex, and works differently on different versions. | |||
=== 10.8 (Mountain Lion) === | |||
:'''NOTE:''' no released version of Puppet currently supports setting passwords on Mountain Lion. PuppetAgain includes a ''darwinuser'' type and a ''CustomDirectoryService'' provider for that type, both based on the work of Gary Larizza in [http://projects.puppetlabs.com/issues/12833 #12833]. What is eventually available in Puppet proper should closely resemble this implementation. | |||
Authentication on Mountain Lion takes place based on three pieces of information: iterations, salt, and password (called 'entropy' by OS X). You can get this information for an existing user with ''setup/mtnlion-user-info.rb'': | |||
ruby mtnlion-user-info.rb cltbld | |||
and then add it to the ''secrets.csv'' for your installation. | |||
=== Automatic Login === | |||
Automatic login on OS X is controlled in two places: | |||
* ''/Library/Preferences/com.apple.loginwindow'' key ''autoLoginUser'' sets the username to be used to log in | |||
* ''/etc/kcpassword'' contains a lightly obfuscated cleartext password for that user. | |||
There's a handy implementation of the obfuscation algorithm at http://www.brock-family.org/gavin/perl/kcpassword.html, but the easier solution is just to set up automatic login through the GUI, and then copy the file. | |||
Note that kcpassword is binary data. It is given in binhex in secrets.csv. The easiest way to get its contents is: | |||
talos-mtnlion-r5-082:~ root# base64 < /etc/kcpassword | |||
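Review bot: In the new Automatic Login section, the text says kcpassword "is given in binhex in secrets.csv", but the command shown to obtain it is "base64 < /etc/kcpassword". Name one encoding, so readers know which form secrets.csv expects. The same section describes the file as "a lightly obfuscated cleartext password", so it is also worth stating that the encoded value stored in secrets.csv is equivalent to the builder user's password, and that any host including users::builder::autologin keeps that password recoverable from /etc/kcpassword. Minor: "sesssion" in the users::builder::autologin paragraph has an extra "s".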