I have trouble with user.present and group.present. I want to ensure user/group is present, and create either locally if missing, but salt throws ERRORS. Issue affects group and user handling.
```yaml
oracle_group:
  group.present:
    - name: oracle

oracle:
  empty_password: True
  home: /home/oracle
  uid: 501
  shell: /bin/bash
  prime_group:
    name: oracle
    {% if not salt['cmd.run']('getent group oracle', output_loglevel='quiet') %}
    gid: 501
    {% endif %}
  optional_groups:
    - dba
    - oracle
```
```
[WARNING ] Group "oracle" specified in both groups and optional_groups for user oracle
[ERROR ] Command '['usermod', '-g', 'oracle', 'oracle']' failed with return code: 6
[ERROR ] output: usermod: user 'oracle' does not exist in /etc/passwd
[ERROR ] Command '['usermod', '-u', '501', 'oracle']' failed with return code: 6
[ERROR ] output: usermod: user 'oracle' does not exist in /etc/passwd
[ERROR ] These values could not be changed: {'gid': 'oracle', 'uid': 501}
```
I suspect the salt users function relies on POSIX Linux user tools, but authentication databases may be aggregated from various services, so user management is not always controlled by Linux.
The NSS (name switch service) & PAM (pluggable authentication modules) provide abstractions.
```
$ net ads testjoin
Join is OK
$ getent passwd oracle
oracle:*:16779755:16777216:oracle:/home/oracle:/bin/bash
$ getent group oracle
oracle:x:501:
$ head /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         compat winbind
group:          compat winbind
```
Refer to https://github.com/saltstack-formulas/users-formula and pillar data above.
You need to set up the minion so the targeted user exists in the remote name directory service.
I added the minion to the AD domain (see the kerberos-formula and samba-ad-formula READMEs) for centralized user management.
Versions report (salt --versions-report): 2017.07
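An added example (not code from this thread or from Salt) that models the mismatch the report describes: `getent` answers from every source in nsswitch.conf (`passwd: compat winbind` above), while `usermod` only edits /etc/passwd, so a name that winbind resolves but that is absent from the local file cannot be changed locally. The passwd data is constructed from the getent output and pillar names shown in the thread.

```python
"""Classify where an account resolves from and which desired values a
local-only tool such as usermod could not apply. Added example, not from
the issue thread or from Salt; sample data below is constructed."""
from typing import Dict

# Constructed: contents of the local file vs. what `getent passwd` returns
# once winbind is consulted (oracle exists only in the domain).
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
janedoe:x:1007:1007::/home/janedoe:/bin/bash
"""
NSS_PASSWD = """root:x:0:0:root:/root:/bin/bash
janedoe:x:1007:1007::/home/janedoe:/bin/bash
oracle:*:16779755:16777216:oracle:/home/oracle:/bin/bash
"""


def parse_passwd(text: str) -> Dict[str, dict]:
    """Parse passwd-format lines (file or getent output) into a dict by name."""
    entries: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        entries[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return entries


def account_source(name: str, local_text: str, nss_text: str) -> str:
    """'local' if present in /etc/passwd, 'remote' if only another NSS source
    (here winbind) knows it, 'absent' otherwise. NSS returns the first source
    that answers, so a local entry would take precedence over the remote one;
    only 'local' accounts can be edited by usermod."""
    if name in parse_passwd(local_text):
        return "local"
    if name in parse_passwd(nss_text):
        return "remote"
    return "absent"


def unchangeable_values(name: str, desired: dict, local_text: str, nss_text: str) -> dict:
    """Values in `desired` that differ from what NSS reports but cannot be
    applied because the account is not local (the state's
    "These values could not be changed" case). Empty dict means no conflict."""
    if account_source(name, local_text, nss_text) != "remote":
        return {}
    current = parse_passwd(nss_text)[name]
    return {key: value for key, value in desired.items() if current.get(key) != value}
```

For the oracle case above, `unchangeable_values("oracle", {"uid": 501, "home": "/home/oracle", "shell": "/bin/bash"}, LOCAL_PASSWD, NSS_PASSWD)` reports only the uid, matching the state's error.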
Looks like you are only sharing your user.present state. Can you also share the group.present state you are using?
I have added the group.present state. Thanks.
Can you try with this simplified state and see if you still see the same errors? I don't have an AD setup to attach my minions to, so I cannot currently test this scenario.
```yaml
oracle_group:
  group.present:
    - name: oracle
    - gid: 501

oracle:
  user.present:
    - empty_password: True
    - home: /home/oracle
    - uid: 501
    - shell: /bin/bash
    {% if not salt['cmd.run']('getent group oracle', output_loglevel='quiet') %}
    - gid: 501
    {% endif %}
    - optional_groups:
      - dba
      - oracle
```
Also, I'm guessing this might be related to https://github.com/saltstack/salt/issues/23947, but if I'm understanding correctly you are wanting to create a local user if it doesn't exist in AD already.
Hi @Ch3LL apologies for slow response. I have tested your scenario below.
Perhaps allowing usermod failures for optional_groups is the best solution.
optional_groups: A list of groups to assign the user to, pass a list object. If a group specified here does not exist on the minion, the state will silently ignore it.
Example 1 (no pillars)
```
[ERROR ] Command '['usermod', '-u', '501', 'oracle']' failed with return code: 6
[ERROR ] stdout: usermod: user 'oracle' does not exist in /etc/passwd
[ERROR ] retcode: 6
[ERROR ] {'groups': ['dba', 'domain users', 'oracle']}
local:
----------
          ID: oracle_group
    Function: group.present
        Name: oracle
      Result: True
     Comment: The following group attributes are set to be changed:
              gid: 501
     Started: 08:50:17.461439
    Duration: 83447.937 ms
     Changes:
              ----------
              Final:
                  All changes applied successfully
----------
          ID: oracle
    Function: user.present
      Result: False
     Comment: These values could not be changed: {'uid': 501}
     Started: 08:51:40.911086
    Duration: 9380.566 ms
     Changes:
              ----------
              groups:
                  - dba
                  - domain users
                  - oracle

Summary for local
------------
Succeeded: 1 (changed=2)
Failed:    1
------------
Total states run:     2
Total run time:  92.829 s
```
Example 2 (pillars)
_Pillars_
```yaml
users:
  janedoe:
    sudouser: True
    shell: /bin/bash
    optional_groups:
      - adm
      - wheel
      - docker
    # needs sudo privileges
    sudo_rules:
      - 'ALL=(ALL) ALL'
```
_State failures_
```
          ID: users_janedoe_user
    Function: group.present
        Name: janedoe
      Result: True
     Comment: New group janedoe created
     Started: 08:46:26.626575
    Duration: 1952.569 ms
     Changes:
              ----------
              gid:
                  1007
              members:
              name:
                  janedoe
              passwd:
                  x
----------
          ID: users_janedoe_user
    Function: user.present
        Name: janedoe
      Result: False
     Comment: These values could not be changed: {'gid': 1007}
     Started: 08:46:28.580673
    Duration: 11219.981 ms
     Changes:
              ----------
              groups:
                  - adm
                  - docker
                  - domain users
```
@Ch3LL any news on this?
can you clarify this: "you are wanting to create a local user if it doesn't exist in AD already." is that correct?
Yes, user.present should function as expected (AD/LDAP user management occurs elsewhere).
thanks for clarifying that point.
ping @saltstack/team-core any ideas here?
Really need the ability to force user.present to create/manage LOCAL accounts.
to be more precise, i would like an option to create a local user REGARDLESS of whether it exists in AD/LDAP or not
me too.
Still happening with Salt 2019.2.0
https://github.com/saltstack-formulas/mongodb-formula/issues/65
```
          ID: mongodb server user and group present
    Function: user.present
        Name: mongodb
      Result: False
     Comment: These values could not be changed: {'groups': ['mongodb']}
```
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.
Unstale.
Thank you for updating this issue. It is no longer marked as stale.
hi guys any update on this? :sunflower: