Open kyrias opened 6 years ago
I tried this today and I failed. I have the feeling that the module isn't working and that it is not my fault, but I'm not sure of course. Here is my code:
```sls
{% if grains['os_family'] in ('RedHat', 'Suse', 'Debian') %}
include:
  - samba.client
{% endif %}

{% for login,user in salt['pillar.get']('samba:users', {}).items() %}
{{ login }}:
  user.present:
    - name: {{ login }}
    - fullname: {{ login }}
    - password: {{ user.password }}
  pdbedit.managed:
    - login: {{ login }}
    - password: {{ user.password }}
    - password_hashed: False
{% endfor %}
```
This is the error I get:
```
----------
          ID: agent
    Function: pdbedit.managed
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/usr/lib/python3/dist-packages/salt/state.py", line 1919, in call
                  **cdata['kwargs'])
                File "/usr/lib/python3/dist-packages/salt/loader.py", line 1918, in wrapper
                  return f(*args, **kwargs)
                File "/usr/lib/python3/dist-packages/salt/states/pdbedit.py", line 132, in managed
                  res = __salt__['pdbedit.modify'](**kwargs)
                File "/usr/lib/python3/dist-packages/salt/modules/pdbedit.py", line 325, in modify
                  ret = create(login, password, password_hashed)[login]
                File "/usr/lib/python3/dist-packages/salt/modules/pdbedit.py", line 218, in create
                  nthash=_quote_args(password_hash)
                File "/usr/lib/python3.5/shlex.py", line 282, in quote
                  if _find_unsafe(s) is None:
              TypeError: cannot use a string pattern on a bytes-like object
     Started: 19:10:47.391963
    Duration: 87.277 ms
     Changes:
```
Can somebody help me decide if it's my fault, or if I have to raise a bug in the saltstack project? ping @noelmcloughlin
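An added example (not part of the original thread, and not Salt's own code) that reproduces the `TypeError` from the traceback above and shows one way to normalize the hash before quoting. It assumes the NT hash reaches `shlex.quote()` as bytes, which is what `binascii.hexlify()` returns on Python 3; the function names are hypothetical and the hash value is the one from the pillar posted later in this thread.

```python
import binascii
import re
import shlex

# NT hash value taken from the pillar posted in this thread.
PAGE_NT_HASH = "7B592E4F8178B4C75788531B2E747687"

# An NT hash is a 16-byte digest rendered as 32 hexadecimal characters.
_NT_HASH_RE = re.compile(r"[0-9A-Fa-f]{32}")


def hexlified_digest(hex_text):
    """Return the hash the way binascii.hexlify() yields it on Python 3: bytes.

    Assumption: this mirrors how the hash is produced before it is quoted.
    """
    return binascii.hexlify(bytes.fromhex(hex_text)).upper()


def quote_fails_on_bytes(value):
    """True if shlex.quote() rejects the value with the TypeError from the traceback."""
    try:
        shlex.quote(value)
    except TypeError as exc:
        return "bytes-like object" in str(exc)
    return False


def safe_quote_nt_hash(value):
    """Normalize an NT hash to str, validate its shape, then shell-quote it."""
    if isinstance(value, (bytes, bytearray)):
        value = bytes(value).decode("ascii")
    # fullmatch() rejects trailing newlines and anything that is not pure hex,
    # so nothing but the 32 hex characters can end up on the command line.
    if not _NT_HASH_RE.fullmatch(value):
        raise ValueError("NT hash must be exactly 32 hexadecimal characters")
    return shlex.quote(value.upper())


if __name__ == "__main__":
    as_bytes = hexlified_digest(PAGE_NT_HASH)
    print(type(as_bytes).__name__, "rejected by shlex.quote:", quote_fails_on_bytes(as_bytes))
    print("normalized and quoted:", safe_quote_nt_hash(as_bytes))
```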
That's annoying.
Could this be jinja encoding/decoding issue?
https://stackoverflow.com/questions/39047657/base64-decode-string-in-jinja
I'm honestly not sure and a bit too busy to look at this.
I wonder if there is an open or closed issue for this error at the https://github.com/saltstack/salt repo?
Update:
I can get it to work if I set `- password_hashed: True` and change the Pillar to an NT hash. But that would need two pillar values, as `user.present` and `pdbedit.managed` use different password hashes.
Even if I try it via the pdbedit module I get the error when I use plaintext passwords:
```
root@salt:/srv# salt 'HOST' pdbedit.modify agent password='abc'
HOST:
    Passed invalid arguments to pdbedit.modify: cannot use a string pattern on a bytes-like object
```
This seems to work if I write it like this, but this would require defining two hashes in the pillar:
```sls
{% if grains['os_family'] in ('RedHat', 'Suse', 'Debian') %}
include:
  - samba.client
{% endif %}

{% for login,user in salt['pillar.get']('samba:users', {}).items() %}
{{ login }}:
  user.present:
    - name: {{ login }}
    - fullname: {{ login }}
    - password: {{ user.passwordPASSWD }}
  pdbedit.managed:
    - login: {{ login }}
    - password: {{ user.passwordNT }}
    - password_hashed: True
{% endfor %}
```
You could update pillar.example with what worked, if no code change is necessary.
This would help stop other people getting tripped up.
Does your solution scale? How many users would be managed using smbpasswd? I'm typically using Active Directory (winbind) and/or users-formula for user management and never used the `samba.users` state to be honest.
I had a look at the python module, it's a basic implementation: https://github.com/saltstack/salt/blob/b44f0f1d0fd564690c6e45c6dd061c0e84d76def/salt/states/pdbedit.py#L78
Only Bool is supported for password. So if False should work then raise an issue at https://github.com/saltstack/salt so someone might improve this.
Regarding your different questions: Here is the pillar I had to use. This works with the init.sls state I wrote in https://github.com/saltstack-formulas/samba-formula/issues/35#issuecomment-525858674
```yaml
# user.present needs hash -> openssl passwd -1
# pdbedit.managed needs hash -> salt '*' pdbedit.generate_nt_hash PASSWORD
samba:
  users:
    agent:
      passwordPASSWD: $1$EN0z3WOT$/1Y.PghPl0C1t.b9Q4w4F1
      passwordNT: 7B592E4F8178B4C75788531B2E747687
```
Or maybe it would be nicer to write? I have no idea, I just started using Salt to solve my problems, not salt's problems xD
```yaml
samba:
  users:
    agent:
      password:
        PASSWD: $1$EN0z3WOT$/1Y.PghPl0C1t.b9Q4w4F1
        NT: 7B592E4F8178B4C75788531B2E747687
```
> Does your solution scale?
I have no idea. I just need one user for one special use case. It's not about samba for me, it's about Zabbix. On each Zabbix Proxy I need a single smb share with a single user to make the Zabbix agent available to the Windows Server OS.
> So if False should work then raise an issue at...
I guess I have to do that.
But anyway we would have to decide if the pillar for this state has to be plaintext or hash. I guess it can't be both? Or can it? `user.present` can handle both. And the True or False Bool for `pdbedit.managed` could be set via pillar? But that would get rather complicated for a simple to use formula.
Cool - great work! I'd suggest you raise a PR to incorporate https://github.com/saltstack-formulas/samba-formula/issues/35#issuecomment-525858674 and update pillar.example with what worked (you can add more than one example if you want). Whatever solves your problem is the correct contribution.
The only minor suggestion is to keep keys lowercase: `password_nt` and `password_passwd`. YAML supports "any case" but the current style in pillar.example is lowercase and underscores.
Nice work anyway - it will be a great contribution to have `samba.users` work out of the box - i.e. paste the example from pillar.example into their environment and run the state with no failures or unwanted behaviour.
And since the use case is one user (i.e. not 1 million users) the solution scales. I guess the most common use case is one or two users.
I guess this can be closed after #70?
It would be nice if the `samba.users` state file would use the `pdbedit` state module to create samba users instead of always piping the password to `smbpasswd` on every run. Additionally it would allow us to only store a password hash in the pillar rather than the raw password.