users - These values could not be changed: {'gid': 'oracle', 'uid': 501}

[noelmcloughlin]

Description of Issue/Question

I have trouble with user.present and group.present. I want to ensure user/group is present, and create either locally if missing, but salt throws ERRORS. Issue affects group and user handling.

oracle_group:
  group.present:
    - name: oracle

  oracle:
    empty_password: True
    home: /home/oracle
    uid: 501
    shell: /bin/bash
    prime_group:
      name: oracle
   {% if not salt['cmd.run']('getent group oracle', output_loglevel='quiet') %}
      gid: 501
   {% endif %}
    optional_groups:
      - dba
      - oracle

[WARNING ] Group "oracle" specified in both groups and optional_groups for user oracle
[ERROR   ] Command '['usermod', '-g', 'oracle', 'oracle']' failed with return code: 6
[ERROR   ] output: usermod: user 'oracle' does not exist in /etc/passwd
[ERROR   ] Command '['usermod', '-u', '501', 'oracle']' failed with return code: 6
[ERROR   ] output: usermod: user 'oracle' does not exist in /etc/passwd
[ERROR   ] These values could not be changed: {'gid': 'oracle', 'uid': 501}

I suspect salt users function replies on POSIX Linux user tools, but authentication databases maybe aggregated from various services, so user management is not always controlled by Linux.

The NSS (name switch service) & PAM (pluggable authentication modules) provide abstractions. _

$ net ads testjoin
Join is OK
$ getent passwd oracle
oracle:*:16779755:16777216:oracle:/home/oracle:/bin/bash
$ getent group oracle
oracle:x:501: 

$ head /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind 
group:          compat winbind 

Setup

(Please provide relevant configs and/or SLS files (Be sure to remove sensitive info).)

Refer to https://github.com/saltstack-formulas/users-formula and pillar data above.

Steps to Reproduce Issue

(Include debug logs if possible and relevant.)

You need to setup minion so targeted user exists in remote name directory service.

I added minion to the AD domain (see kerberos-formula and samba-ad-formula README), for centralized user managment.

Versions Report

(Provided by running salt --versions-report. Please also mention any differences in master/minionversions.)

2017.07

[Ch3LL]

looks like you are only sharing your user.present state. can you also share the group.present state you are using?

[noelmcloughlin]

I have added group.present state. thx

[Ch3LL]

Can you try with this simplified state and see if you still see the same errors? I don't have an AD setup to attach my minions to so i cannot test currently with this scenario.

oracle_group:
  group.present:
    - name: oracle
    - gid: 501

oracle:
  user.present:
    - empty_password: True
    - home: /home/oracle
    - uid: 501
    - shell: /bin/bash
   {% if not salt['cmd.run']('getent group oracle', output_loglevel='quiet') %}
      gid: 501
   {% endif %}
    - optional_groups:
      - dba
      - oracle

Also i'm guessing this might be a related to https://github.com/saltstack/salt/issues/23947 but if i'm understanding correctly you are wanting to create a local user if it doesn't exist in AD already.

[noelmcloughlin]

Hi @Ch3LL apologies for slow response. I have tested your scenario below.

Perhaps allow usermod failures for optional_groups is best solution.

optional_groups A list of groups to assign the user to, pass a list object. If a group specified here does not exist on the minion, the state will silently ignore it.

Example 1 (no pillars)

[ERROR   ] Command '['usermod', '-u', '501', 'oracle']' failed with return code: 6
[ERROR   ] stdout: usermod: user 'oracle' does not exist in /etc/passwd
[ERROR   ] retcode: 6
[ERROR   ] {'groups': ['dba', 'domain users', 'oracle']}
local:
----------
          ID: oracle_group
    Function: group.present
        Name: oracle
      Result: True
     Comment: The following group attributes are set to be changed:
              gid: 501
     Started: 08:50:17.461439
    Duration: 83447.937 ms
     Changes:
              ----------
              Final:
                  All changes applied successfully
----------
          ID: oracle
    Function: user.present
      Result: False
     Comment: These values could not be changed: {'uid': 501}
     Started: 08:51:40.911086
    Duration: 9380.566 ms
     Changes:
              ----------
              groups:
                  - dba
                  - domain users
                  - oracle

Summary for local
------------
Succeeded: 1 (changed=2)
Failed:    1
------------
Total states run:     2
Total run time:  92.829 s

Example 2 (pillars)

Pillars

users:
  janedoe:
    sudouser: True
    shell: /bin/bash
    optional_groups:
      - adm
      - wheel
      - docker
    #needs sudo privledges
    sudo_rules:
      - 'ALL=(ALL) ALL'

State failures

ID: users_janedoe_user
    Function: group.present
        Name: janedoe
      Result: True
     Comment: New group janedoe created
     Started: 08:46:26.626575
    Duration: 1952.569 ms
     Changes:
              ----------
              gid:
                  1007
              members:
              name:
                  janedoe
              passwd:
                  x

 ID: users_janedoe_user
    Function: user.present
        Name: janedoe
      Result: False
     Comment: These values could not be changed: {'gid': 1007}
     Started: 08:46:28.580673
    Duration: 11219.981 ms
     Changes:
              ----------
              groups:
                  - adm
                  - docker
                  - domain users

[noelmcloughlin]

@Ch3LL any news on this.

[Ch3LL]

can you clarify this: "you are wanting to create a local user if it doesn't exist in AD already." is that correct?

[noelmcloughlin]

Yes, user.present should function as expected (AD/LDAP user management occurs elsewhere).

[Ch3LL]

thanks for clarifying that point.

ping @saltstack/team-core any ideas here?

[rootchord]

Really need the ability to force user.present to create/manage LOCAL accounts.

[rootchord]

to be more precise, i would like an option to create a local user REGARDLESS of whether it exists in AD/LDAP or not

[noelmcloughlin]

me too.

[noelmcloughlin]

Still happening with Salt 2019.2.0

https://github.com/saltstack-formulas/mongodb-formula/issues/65

   ID: mongodb server user and group present
    Function: user.present
        Name: mongodb
      Result: False
     Comment: These values could not be changed: {'groups': ['mongodb']}

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

[mitar]

Unstale.

[stale[bot]]

Thank you for updating this issue. It is no longer marked as stale.

[MalloZup]

hi guys any update on this? :sunflower:

[MaciejGGH]

I seem to have similar issue. I'm not able to user.present to create user with a specified uid, even when using allow_uid_change: True. I've shared the detailed description on Stackoverflow. TLDR: user gets created with generated uid. Applying same state again result:

---------
          ID: Add Student
    Function: user.present
        Name: Student
      Result: False
     Comment: These values could not be changed: {'uid': 3331}
     Started: 11:02:00.801698
    Duration: 7843.753 ms
     Changes: