Ohai Chefs,
I have Windows 2008 R2 client with chef 11.4.4 installed through msi
available on Opscode web site (http://www.opscode.com/chef/install.msi)
I would create users using shadow password, but for this I need the
ruby-shadow gem, which seems not to be shipped with the installer
I tried to install using DevKit but without luck
Can anyone point me to some docs on how to install it?
Thanks
On Friday, June 7, 2013 at 11:47 PM, Andrea Cappelli wrote:
Ohai Chefs,
I have Windows 2008 R2 client with chef 11.4.4 installed through msi
available on Opscode web site (http://www.opscode.com/chef/install.msi)I would create users using shadow password, but for this I need the
ruby-shadow gem, which seems not to be shipped with the installerI tried to install using DevKit but without luck
Can anyone point me to some docs on how to install it?
Thanks
The ruby-shadow gem is for managing the /etc/shadow file on Unix machines. Chef should not be hitting the code path that requires ruby-shadow on Windows. Can you post the error message you get, an example of cookbook code that causes this, and the output ofohai platform?
--
Daniel DeLeo
Il 10/06/2013 18:04, Daniel DeLeo ha scritto:
The ruby-shadow gem is for managing the /etc/shadow file on Unix
machines.
Uhm, ok, so i misunderstood the documentation.
So the right question is: how can i set a password for a windws user
knowing only the hash?
If i do
user "test"
password "$1$wCpUAC5P$NiLw8nU0NjBahe0UPOSo5/"
end
on a linux box the user test gets the password "test", in windows it
gets the password $1$wCpUAC5P$NiLw8nU0NjBahe0UPOSo5/
I (wrongly) supposed that with ruby-shadow gem I would obtain the same
result in both environment
Chef should not be hitting the code path that requires ruby-shadow on
Windows. Can you post the error message you get, an example of
cookbook code that causes this, and the output ofohai platform?
I have no error message, ohai platform returns
[
'windows'
]
Thanks
Simple answer: you can't.
More complicated answer: Windows and Linux use completely different, and incompatible, hashing algorithms. Windows simply doesn't understand Linux hashes (and vice versa). That's hardly surprising because these are really vendor-specific decisions. The Samba project had to actually create its own separate password database for Windows compatibility (Google for smbpasswd if you want to learn the details).
Even within Linux, assuming that your hash will work is somewhat iffy. For starters, not all distros support the same hashing algorithms. Fortunately, at least the format tends to be consistent, and the algorithm identified with the $1$ (MD5), as in your sample, is probably the most common one, although it may be the least secure.
If you really want to set the user to a specific fixed password, maybe you can use Active Directory to accomplish that for both Windows and Linux (via Samba) in a very secure way.
-----Original message-----
From:Andrea Cappelli <a.cappelli@gmail.com mailto:a.cappelli@gmail.com >
Sent: Monday 10th June 2013 9:30
To: chef@lists.opscode.com mailto:chef@lists.opscode.com
Subject: [chef] Re: Re: Using shadow password on WindowsIl 10/06/2013 18:04, Daniel DeLeo ha scritto:
The ruby-shadow gem is for managing the /etc/shadow file on Unix
machines.Uhm, ok, so i misunderstood the documentation.
So the right question is: how can i set a password for a windws user
knowing only the hash?If i do
user "test"
password "$1$wCpUAC5P$NiLw8nU0NjBahe0UPOSo5/"
endon a linux box the user test gets the password "test", in windows it
gets the password $1$wCpUAC5P$NiLw8nU0NjBahe0UPOSo5/I (wrongly) supposed that with ruby-shadow gem I would obtain the same
result in both environmentChef should not be hitting the code path that requires ruby-shadow on
Windows. Can you post the error message you get, an example of
cookbook code that causes this, and the output ofohai platform?I have no error message, ohai platform returns
[
'windows'
]Thanks
Il 11/06/2013 08:52, Kevin Keane Subscription ha scritto:
RE: [chef] Re: Re: Using shadow password on Windows
Simple answer: you can't.
Thanks 
Fortunately, at least the format tends to be consistent, and the algorithm identified with the $1$ (MD5), as in your sample, is probably the most common one, although it may be the least secure.
For Linux distro I use $6$, I hoped that $1$ was working also on Windows
(as you stated is the most common), but I made a wrong assumption
If you really want to set the user to a specific fixed password,
I have to, I need user to be in sync on more than one server. But
probably the use of Active Directory as you suggested is a more suitable way
Thank you
Le 2013-06-11 09:15, Andrea Cappelli a écrit :
Il 11/06/2013
08:52, Kevin Keane Subscription ha scritto:Simple answer: you
can't.Thanks
Fortunately, at least the format tends to be
consistent, and the algorithm identified with the $1$ (MD5), as in your
sample, is probably the most common one, although it may be the least
secure.For Linux distro I use $6$, I hoped that $1$ was working
also on Windows (as you stated is the most common), but I made a wrong
assumptionIf you really want to set th> re than one server. But
probably the use of Active Directory as you suggested is a more suitable
wayThank you
In this case have a look here:
http://community.opscode.com/cookbooks/ad-likewise
http://community.opscode.com/cookbooks/ad-auth
In brief, likewise do
a hash of user and groups SID to create the uid/gid and so an active
directory user keep having the same uid on every linux box (and
obviously the same password).
I think it is your need when you say "I
need user to be in sync".
Regards
Il 11/06/2013 09:40, Tensibai ha scritto:
In this case have a look here:
Thank you Tensibai for pointing me to these cookbooks
Have a nice day