Yeah, it's nasty. Running the puppet commands you listed doesn't show any problems. The logs show the password being set correctly, but it isn't really. Once I manually change the password, then puppet can make those password changes again. It looks like the problem may be limited to my clients which are running different (older) versions of puppet than the server is running. I am updating all of my out of date clients, manually forcing password changes and I'll have to watch it to see what happens.
Thanks for your help. I'll let you know if I find anything out. On Jun 15, 6:29 pm, Todd Zullinger <t...@pobox.com> wrote: > Gus F. wrote: > > I am using puppet (version 0.25.5-1.e15 for redhat) for password > > management for non-system users. This morning, users on some of my > > puppet clients had their encrypted password strings in /etc/shadow > > replaced with the following string: > > > YAML::syck::BadAlias > > Eeeww. That's no damn good. > > > That has effectively broken the users' ability to login to those > > servers. Puppet will not overwrite that string with the correct > > encrypted string, and I can't even change the password manually > > using 'passwd', because I get an 'Authentication token manipulation > > error'. The only way I can fix this is by manually editing > > /etc/shadow, replaced that YAML string with something valid (I've > > been using an '*'), and then changing the password manually or > > letting puppet overwrite it with the correct password. > > > What could have caused this? > > If you run puppet again, does it attempt to change the entries back? > You could run it with --noop to test quickly without risking a change. > Though depending on the cause, it might not show up unless you run it > without --noop. If no one else chimes in with better ideas, you might > want to run "puppetd --test --trace --debug" (after backing up > /etc/shadow). Maybe that would help determine the source of the > problem. > > -- > Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL:www.pobox.com/~tmz/pgp > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > I do not believe in the collective wisdom of individual ignorance. > -- Thomas Carlyle > > application_pgp-signature_part > < 1KViewDownload -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
