ReleaseEngineering/PuppetAgain/Modules/users
This module handles login accounts on the system. It has two classes that can be included. These are generally included high in the toplevel hierarchy.
Classes
users::global
This sets up some global (/etc) defaults for user configuration, e.g. PATH.
users::root
This sets up the root user (or, on Windows, Administrator). This provides the following easy-to-use variables, per bug 776641:
- $users::root::username
- $users::root::group
- $users::root::home
users::builder
Installs the builder user (cltbld for releng, although this can be adjusted in manifests/settings.pp). This provides the following easy-to-use variables, per bug 776641:
- $users::root::username
- $users::root::group
- $users::root::home
This class also sets up the builder user's dotfiles appropriately, including SSH configuration, and performs some basic cleanup.
users::builder::autologin
If included, this class will arrange for the builder user to automatically log in to a GUI session at boot.
Implementation
Linux
Puppet supports user management on Linux with no difficulty, via the user provider. Password hashes are most easily created by using 'passwd' on a temporary host, then copying the password hash from /etc/shadow.
Automatic login is not currently supported on Linux.
Darwin
On Mac OS X, user management is much more complex, and works differently on different versions.
10.8 (Mountain Lion)
- NOTE: no released version of Puppet currently supports setting passwords on Mountain Lion. PuppetAgain includes a darwinuser type and a CustomDirectoryService provider for that type, both based on the work of Gary Larizza in #12833. What is eventually available in Puppet proper should closely resemble this implementation.
Authentication on Mountain Lion takes place based on three pieces of information: iterations, salt, and password (called 'entropy' by OS X). You can get this information for an existing user with setup/mtnlion-user-info.rb:
ruby mtnlion-user-info.rb cltbld
and then add it to the secrets.csv for your installation.
Automatic Login
Automatic login on OS X is controlled in two places:
- /Library/Preferences/com.apple.loginwindow key autoLoginUser sets the username to be used to log in
- /etc/kcpassword contains a lightly obfuscated cleartext password for that user.
There's a handy implementation of the obfuscation algorithm at http://www.brock-family.org/gavin/perl/kcpassword.html, but the easier solution is just to set up automatic login through the GUI, and then copy the file.
Note that kcpassword is binary data. It is given in binhex in secrets.csv. The easiest way to get its contents is:
talos-mtnlion-r5-082:~ root# base64 < /etc/kcpassword
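The obfuscation described above is a repeating XOR with a fixed, publicly known 11-byte key, so a kcpassword value (in /etc or in secrets.csv) protects the password no better than cleartext. The following Ruby sketch is an added example, not code from PuppetAgain; the function names are hypothetical, and the NUL-terminate-then-pad-to-12-bytes rule is an assumption based on commonly published implementations.

```ruby
require 'base64'

# Fixed 11-byte XOR key used for /etc/kcpassword; it is the same on every Mac.
KC_KEY = [0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC, 0xDD, 0xEA, 0xA3, 0xB9, 0x1F].freeze

# XOR every byte with the repeating key. Applying it twice restores the
# input, which is why this is obfuscation and not encryption.
def kc_xor(bytes)
  bytes.each_with_index.map { |b, i| b ^ KC_KEY[i % KC_KEY.length] }
end

# Build the binary kcpassword contents for a password.
# Assumption: the password is NUL-terminated and zero-padded to a multiple
# of `block` bytes before the XOR is applied.
def kcpassword_bytes(password, block = 12)
  plain = password.bytes + [0]
  plain += [0] * ((-plain.length) % block)
  kc_xor(plain).pack('C*')
end

# Base64 text form of the binary blob, matching the output of
# `base64 < /etc/kcpassword`. The blob is round-tripped first so that a
# value that would not decode back to the password is never emitted.
def secrets_csv_value(password)
  blob = kcpassword_bytes(password)
  recovered = kc_xor(blob.bytes).take_while { |b| b != 0 }
  raise ArgumentError, 'round-trip check failed' unless recovered == password.bytes
  Base64.strict_encode64(blob)
end

# Constructed sample password, for illustration only.
puts secrets_csv_value('example-password') if __FILE__ == $PROGRAM_NAME
```

A password containing a NUL byte fails the round-trip check and raises instead of producing a truncated value.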