Open noelmcloughlin opened 6 years ago
looks like you are only sharing your user.present state. can you also share the group.present state you are using?
I have added group.present state. thx
Can you try with this simplified state and see if you still see the same errors? I don't have an AD setup to attach my minions to so i cannot test currently with this scenario.
```
oracle_group:
  group.present:
    - name: oracle
    - gid: 501

oracle:
  user.present:
    - empty_password: True
    - home: /home/oracle
    - uid: 501
    - shell: /bin/bash
    {% if not salt['cmd.run']('getent group oracle', output_loglevel='quiet') %}
    - gid: 501
    {% endif %}
    - optional_groups:
      - dba
      - oracle
```
Also i'm guessing this might be a related to https://github.com/saltstack/salt/issues/23947 but if i'm understanding correctly you are wanting to create a local user if it doesn't exist in AD already.
Hi @Ch3LL apologies for slow response. I have tested your scenario below.
Perhaps allow `usermod` failures for `optional_groups` is best solution.
optional_groups A list of groups to assign the user to, pass a list object. If a group specified here does not exist on the minion, the state will silently ignore it.
Example 1 (no pillars)
```
[ERROR ] Command '['usermod', '-u', '501', 'oracle']' failed with return code: 6
[ERROR ] stdout: usermod: user 'oracle' does not exist in /etc/passwd
[ERROR ] retcode: 6
[ERROR ] {'groups': ['dba', 'domain users', 'oracle']}
local:
----------
          ID: oracle_group
    Function: group.present
        Name: oracle
      Result: True
     Comment: The following group attributes are set to be changed:
              gid: 501
     Started: 08:50:17.461439
    Duration: 83447.937 ms
     Changes:
              ----------
              Final:
                  All changes applied successfully
----------
          ID: oracle
    Function: user.present
      Result: False
     Comment: These values could not be changed: {'uid': 501}
     Started: 08:51:40.911086
    Duration: 9380.566 ms
     Changes:
              ----------
              groups:
                  - dba
                  - domain users
                  - oracle

Summary for local
------------
Succeeded: 1 (changed=2)
Failed:    1
------------
Total states run:     2
Total run time:  92.829 s
```
Example 2 (pillars)
Pillars
```
users:
  janedoe:
    sudouser: True
    shell: /bin/bash
    optional_groups:
      - adm
      - wheel
      - docker
    # needs sudo privileges
    sudo_rules:
      - 'ALL=(ALL) ALL'
```
State failures
```
          ID: users_janedoe_user
    Function: group.present
        Name: janedoe
      Result: True
     Comment: New group janedoe created
     Started: 08:46:26.626575
    Duration: 1952.569 ms
     Changes:
              ----------
              gid:
                  1007
              members:
              name:
                  janedoe
              passwd:
                  x
          ID: users_janedoe_user
    Function: user.present
        Name: janedoe
      Result: False
     Comment: These values could not be changed: {'gid': 1007}
     Started: 08:46:28.580673
    Duration: 11219.981 ms
     Changes:
              ----------
              groups:
                  - adm
                  - docker
                  - domain users
```
@Ch3LL any news on this.
can you clarify this: "you are wanting to create a local user if it doesn't exist in AD already." is that correct?
Yes, `user.present` should function as expected (AD/LDAP user management occurs elsewhere).
thanks for clarifying that point.
ping @saltstack/team-core any ideas here?
Really need the ability to force user.present to create/manage LOCAL accounts.
to be more precise, i would like an option to create a local user REGARDLESS of whether it exists in AD/LDAP or not
me too.
Still happening with Salt 2019.2.0
https://github.com/saltstack-formulas/mongodb-formula/issues/65
```
          ID: mongodb server user and group present
    Function: user.present
        Name: mongodb
      Result: False
     Comment: These values could not be changed: {'groups': ['mongodb']}
```
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
Unstale.
Thank you for updating this issue. It is no longer marked as stale.
hi guys any update on this? :sunflower:
I seem to have similar issue. I'm not able to `user.present` to create user with a specified `uid`, even when using `allow_uid_change: True`. I've shared the detailed description on Stackoverflow.
TLDR: user gets created with generated `uid`. Applying same state again result:
```
---------
          ID: Add Student
    Function: user.present
        Name: Student
      Result: False
     Comment: These values could not be changed: {'uid': 3331}
     Started: 11:02:00.801698
    Duration: 7843.753 ms
     Changes:
```
Description of Issue/Question
I have trouble with `user.present` and `group.present`. I want to ensure user/group is present, and create either locally if missing, but salt throws ERRORS. Issue affects group and user handling. I suspect salt users function relies on POSIX Linux user tools, but authentication databases may be aggregated from various services, so user management is not always controlled by Linux.
The NSS (name switch service) & PAM (pluggable authentication modules) provide abstractions.
Setup
(Please provide relevant configs and/or SLS files (Be sure to remove sensitive info).)
Refer to https://github.com/saltstack-formulas/users-formula and pillar data above.
Steps to Reproduce Issue
(Include debug logs if possible and relevant.)
You need to setup minion so targeted user exists in remote name directory service.
I added minion to the AD domain (see `kerberos-formula` and `samba-ad-formula` README), for centralized user management.
Versions Report
(Provided by running `salt --versions-report`. Please also mention any differences in master/minion versions.)
2017.07
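
The mismatch described in this issue, as an added example (not Salt's code and not from any participant in the thread): an account can resolve through NSS, as `getent passwd` shows, while being absent from `/etc/passwd`, which is the file `usermod` edits. The function names, the sample passwd text and the directory uid below are constructed for illustration.

```python
import pwd

# Constructed sample of a minion's /etc/passwd (not taken from the issue).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
janedoe:x:1007:1007::/home/janedoe:/bin/bash
+::::::
"""

def parse_passwd(text):
    """Parse passwd(5) text into {name: uid}; skip comments and NIS +/- lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            entries[fields[0]] = int(fields[2])
    return entries

def nss_uid(name):
    """Resolve via NSS (files, sss, winbind, ...), as `getent passwd` does."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None

def plan_local_user(name, want_uid, local, resolver=nss_uid):
    """Decide which shadow-utils action can succeed for this account."""
    if name in local:
        return "noop" if local[name] == want_uid else "usermod"
    if resolver(name) is not None:
        # Visible through NSS only: usermod edits /etc/passwd and exits 6.
        return "directory-only"
    return "useradd"

if __name__ == "__main__":
    local = parse_passwd(LOCAL_PASSWD)
    # Constructed stand-in for an AD/LDAP source answering NSS lookups.
    fake_directory = {"oracle": 1104601}.get
    for user, uid in (("oracle", 501), ("janedoe", 1007), ("mongodb", 3331)):
        print(user, plan_local_user(user, uid, local, fake_directory))
```

On a real minion, pass `parse_passwd(open("/etc/passwd").read())` and leave `resolver` at its default to compare the local file against the live NSS view.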