At my work, we use AD for access across all our Windows and Linux servers. Then we use puppet to manage consistent permissions on the /etc/sudoers file, auto_home, and ssh access. This combination works great!!! On Nov 9, 2011 4:24 PM, "Dan Dubovik" wrote: > We currently use puppet. We have used it for quite some time, and just > revisited our configuration management system, to see if it was still the > right way to go. > > In looking at Chef, CFEngine and Puppet, we decided to stick with Puppet. > The cost of changing over a number of extremely complex systems to a new > management service was simply too high, for minimal (if any) gain. > > On the topic of user management, while a shell script may be easier / > faster in the short term, over time (and once an environment is > sufficiently large) it can result in an inconsistent environment. Servers > can be down, unresponsive, have some random failure, and if not immediately > and manually remediated, you end up with users on servers that shouldn't > be, missing users on others, and old passwords on yet others. > > Using Puppet, you can either maintain /etc/{passwd|group|shadow} (wouldn't > personally do this, but it is an option, so included here in the interest > of being complete), or you can use the 'user' and 'group' resource type ( > http://docs.puppetlabs.com/references/stable/type.html#user) to maintain > users across the environment. This is if you need / want to continue using > local users. Personally, I'm with Bryan, and prefer a central > authentication method, as it resolves many of the problems you would have > with local users, and provides for an easier method of auditing user > accounts. > > -- Dan. > > On Tue, Nov 8, 2011 at 7:43 PM, Lisa Kachold wrote: > >> Thanks to all who responded. >> I believe this is an excellent subject for a blog after about 10,000 lab >> testing package comparison hours! >> Laugh! >> >> On Tue, Nov 8, 2011 at 9:34 AM, Bryan O'Neal < >> Bryan.ONeal@theonealandassociates.com> wrote: >> >>> Personal opinion - for large scale use with many people maintaining >>> different sections puppet is one of the best - however it is really >>> only good for file management. Since nearly everything on a linux >>> system is a file, this should not be a problem. As for user management >>> - I am still under the opinion on that (unless you are a pure Linux >>> environment) this should be solved by using Active Directory for >>> authentication and pam for access mismanagement. (if you don't want to >>> integrate your services with pam they probably have a simple >>> configuration file that controls access management that could be >>> handled by puppet just as easily) >>> Chef is more extensible with access to a full ruby stack - however >>> unless you have a very small group of well coordinated developers who >>> insist on adhering to standards you will rapidly find your >>> provisioning code will become unwieldy and almost useless as you >>> inheritances start overriding key portions without notice as to why or >>> what section did what. In the rite hands the flexibly is an asset that >>> may help solve key problems. In the wrong hands it will propagate >>> problems whose effect compound over time until the entire system is >>> scraped. >>> >>> Disclaimer - I know very little regarding this compared to others. I >>> use puppet, write manifests, build systems, etc. I am not responsible >>> for the engineering. >>> >>> On Sun, Nov 6, 2011 at 3:56 PM, Ed wrote: >>> > On Sat, Nov 5, 2011 at 4:59 PM, James Mcphee wrote: >>> >> I am also looking at implementing one of these at some point in the >>> near >>> >> future. The standard scripts over ssh is simple and relatively well >>> >> controlled, but teaching new people how to use them and maintaining >>> them in >>> >> a sane fashion is troublesome. I've used a few HP, Dell, Sun, and IBM >>> >> config products in the past and they were all bad enough I went back >>> to >>> >> scripts in no time. >>> >> >>> >> On Nov 5, 2011 11:33 AM, "Lisa Kachold" >>> wrote: >>> >>> >>> >>> Can anyone chime in on using enterprise mass systems configuration >>> and >>> >>> management tools? >>> >>> >>> >>> What are you using? Chef, Puppet or CFEngine and why? >>> >>> >>> > >>> > I like CFengine - the task based focus is on "promises" and the >>> > install is painless. The only ruff spot I could point to is with >>> > application updates - the interface to yum is less polished than some >>> > - updates work if you work on them as groups vs particular apps. There >>> > are many promises online and in the maillists for particular tasks. I >>> > think there is even a starter pack on github somewhere. CFengine fits >>> > well into ITIL and managing IT - lots of IT - and it has it's own >>> > directory in /var too! ;) >>> > >>> > The RH world has worked with Cobbler plus Puppet - this is getting >>> > tighter with Puppet plus TheForman and Pulp - if I remember the >>> > roadmap. >>> > --------------------------------------------------- >>> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us >>> > To subscribe, unsubscribe, or to change your mail settings: >>> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss >>> --------------------------------------------------- >>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us >>> To subscribe, unsubscribe, or to change your mail settings: >>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss >>> >> >> >> >> -- >> (602) 791-8002 Android >> (623) 239-3392 Skype >> (623) 688-3392 Google Voice >> ** >> HomeSmartInternational.com >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> --------------------------------------------------- >> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us >> To subscribe, unsubscribe, or to change your mail settings: >> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss >> > > > --------------------------------------------------- > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us > To subscribe, unsubscribe, or to change your mail settings: > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss >