Tuesday, February 11, 2014


We would be learning about, how to set password in clients via puppet in this post. This seems to be easy task, but believe me its not.

Before, we start setting up password for user, lets checkout for some of the important files in /etc/puppet on master server, auth.conf, fileserver.conf, puppet.conf.

We would be discussing as to how to share/transfer a file to client via puppet.
We will be putting all the files to share in /etc/puppet/files directory, if directory is not existing, we need to create it, its not necessary that we need to have same name, but we stick to it.

Edit file /etc/puppet/fileserver.conf

Add mentioned lines at end, you can also search MOUNT POINTS section and uncomment it, but is is wise to have it done at end of file.

   path /etc/puppet/files
   allow *

Edit file /etc/puppet/auth.conf

Add mentioned lines below "path /file" section and not above it as it can implement extra security and would be hard for you to debug.

path ~ ^/file_(metadata|content)/files/
auth yes
allow /^(.+\.)?puppet.com$/

In our case is private range and puppet.com as domain, set according to your convenience.

Edit file /etc/puppet/puppet.conf

In [main] section add the mentioned parameter

pluginsync = true

After doing all necessary changes, restart service for puppet master.

On master server : CentOS

/etc/init.d/puppetmaster restart

Lets move onto setting up password in /etc/shadow file. We tried alot of methods to set password but eventually the method which worked is defined under.

First, we will create a sh file and place it in files folder in /etc/puppet.
This file basically, queries second field of /etc.shadow file and if returned with "!" it sets password, else does not executes change password command i.e chpasswd.

Create and edit file /etc/puppet/files/shadow.sh


rc=`/bin/grep $1 /etc/shadow | awk -F":" '($2 == "!")' | wc -l`

if [ $rc -eq 0 ]
    exit 1
    exit 0

Edit file /etc/puppet/modules/accounts/init.pp

In this file we will add file type and exec type under accounts class, file type will share/transfer file created in above step on the client and exec type will execute chpasswd on client along with username and password. To avoid password in shadow to overwritten again and again whenever the client is synchronized, an onlyif attribute is set, wherein with the help of above script file and the user name it will query the second field for "!" and if not returned with the same result, it will not execute chpasswd utility.

Also, to remember on the client there should be a directory templates, in our case Ubuntu is by default having it, so we transferred file onto that location, location can be anything according to your convenience, but be sure to point it to right location in file type and similarly using it in exec type.

class accounts {

  file { '/etc/puppet/templates/shadow.sh':
        ensure => file,
        recurse => true,
        mode => "0777",
        source => "puppet:///files/shadow.sh",

 @accounts::system { 'demo':
       comment      => 'demo users',
  exec { "demo":
          command => 'echo "demo:password@123" | chpasswd',
          provider => 'shell',
          onlyif => "/etc/puppet/templates/shadow.sh demo",

Edit file /etc/puppet/manifests/nodes/client2.pp

node 'client2.puppet.com' {
    include accounts
    realize (Accounts::System['demo'])

Apply changes on the master to take effect.

On master server : CentOS

Notice: Compiled catalog for server.puppet.com in environment production in 0.16 seconds
Notice: Finished catalog run in 0.11 seconds

Let move on to client to fetch changes.

On client server : Ubuntu

Info: Retrieving plugin
Info: Caching catalog for client2.puppet.com
Info: Applying configuration version '1392108081'
Notice: /Stage[main]/Accounts/Accounts::System[demo]/User[demo]/ensure: created
Notice: /Stage[main]/Accounts/Exec[demo]/returns: executed successfully
Notice: Finished catalog run in 3.05 seconds