Bug #2944
closed
sshKeyDistribution technique does not work with network users
Added by Michael Gliwinski about 12 years ago.
Updated about 12 years ago.
Description
The sshKeyDistribution technique makes two assumptions that prevent it from working with network users (e.g. from LDAP, NIS, AD, etc.):
- assumes user info is in /etc/passwd
- assumes user's primary group is named after the username
The attached patch changes it to obtain user information from `getent passwd` and to use primary group GID when assigning ownership.
The patch is in format for `git am`, but if you prefer a plain diff let me know.
Files
- Assignee set to Nicolas PERRON
- Target version changed from 2.4.0~rc1 to 2.3.9
Great ! We will see to test and add it as soon as possible to Rudder !
You're right, the method used for this Technique only use /etc/passwd, then network users aren't take into account.
Thanks again for the patch, Michael. Your help is greatly appreciated :)
In the patch, you used parseintarray function but i'm not sure to understand. Why the regex contains "#" ?
Nicolas PERRON wrote:
In the patch, you used parseintarray function but i'm not sure to understand. Why the regex contains "#" ?
Hi, sorry for the delay and thanks for review!
Ah, yes, this is the comment regex parameter to parsestringarray. The output of getent does not contain any comments, but it was not clear to me from function description in CFE reference if this can be left blank, so I copied the regex used in examples. Now that I think about it, this probably isn't right because the gecos field could in fact contain a #.
Any ideas if comment regex param for parsestringarray can be blank? If not I'll try to come up with a regex that will never match and run some tests.
Nicolas CHARLES wrote:
From the reference manual, it can be left blank :
https://cfengine.com/manuals/cf3-Reference#Function-readstringarray
Another solution might be to anchor the regexp with a ^ (the regexp in parsestringarray is not anchored)
Indeed, should have checked documentation for readstringarray too :P
OK I will test this and re-submit the patch. Thanks!
Michael Gliwinski wrote:
OK I will test this and re-submit the patch. Thanks!
Sorry for delay, tested passing empty string as comment regex to parsestringarray and it works OK, attaching updated patch.
BTW, I've noticed you changed target version to 2.3.9, the patch is against 2.4 branch, should I re-send one against 2.3 branch?
Michael Gliwinski wrote:
Michael Gliwinski wrote:
OK I will test this and re-submit the patch. Thanks!
Sorry for delay, tested passing empty string as comment regex to parsestringarray and it works OK, attaching updated patch.
BTW, I've noticed you changed target version to 2.3.9, the patch is against 2.4 branch, should I re-send one against 2.3 branch?
Hi Michael,
Sorry for the dealy in the answer. Since the bug also exists in the 2.3 version, we have to correct this bug it in the 2.3 branch, hence the change of target version.
If you could do the patch for the 2.3, it would be awesome, but I understand that you probably have something else to do rather than patching older version of Rudder. So if you want to, yes, with pleasure, otherwise we can do it ourself (I think there mustn't be much difference between both versions)
- Status changed from New to Pending technical review
- % Done changed from 0 to 100
Applied in changeset commit:3ec03f6dd5e6a48ceab883ab2fbe3bf20a5c197e.
- Status changed from Pending technical review to Released
Michael, I applied your patch on the 2.3 branch, and I must admit I'm highly impressed by the quality of the patch !
Also available in: Atom
PDF
Updated by Nicolas PERRON 
Updated by 
Updated by