salt: users - These values could not be changed: {'gid': 'oracle', 'uid': 501}
Description of Issue/Question
I have trouble with `user.present` and `group.present`. I want to ensure the user/group is present, and create either locally if missing, but salt throws ERRORS. The issue affects group and user handling.
```yaml
oracle_group:
  group.present:
    - name: oracle

oracle:
  empty_password: True
  home: /home/oracle
  uid: 501
  shell: /bin/bash
  prime_group:
    name: oracle
    {% if not salt['cmd.run']('getent group oracle', output_loglevel='quiet') %}
    gid: 501
    {% endif %}
  optional_groups:
    - dba
    - oracle
```
```
[WARNING ] Group "oracle" specified in both groups and optional_groups for user oracle
[ERROR   ] Command '['usermod', '-g', 'oracle', 'oracle']' failed with return code: 6
[ERROR   ] output: usermod: user 'oracle' does not exist in /etc/passwd
[ERROR   ] Command '['usermod', '-u', '501', 'oracle']' failed with return code: 6
[ERROR   ] output: usermod: user 'oracle' does not exist in /etc/passwd
[ERROR   ] These values could not be changed: {'gid': 'oracle', 'uid': 501}
```
I suspect the salt users function relies on POSIX Linux user tools, but authentication databases may be aggregated from various services, so user management is not always controlled by Linux.
The NSS (name switch service) & PAM (pluggable authentication modules) provide abstractions.
```
$ net ads testjoin
Join is OK
$ getent passwd oracle
oracle:*:16779755:16777216:oracle:/home/oracle:/bin/bash
$ getent group oracle
oracle:x:501:
$ head /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
```
Setup
Refer to https://github.com/saltstack-formulas/users-formula and pillar data above.
Steps to Reproduce Issue
You need to set up the minion so the targeted user exists in a remote name directory service.
I added the minion to the AD domain (see the kerberos-formula and samba-ad-formula READMEs) for centralized user management.
Versions Report
2017.07
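An added example (not from the issue, Salt, or users-formula) that reproduces the distinction behind the errors above: an account that resolves through NSS but has no `/etc/passwd` entry cannot be modified by `usermod`, so a state should check where the account is defined before trying. `SAMPLE_PASSWD` and the `fake_nss` lookup are constructed for the demo.

```python
import pwd
from typing import Callable, Optional

# Constructed /etc/passwd content for the demo: deliberately has no 'oracle' line,
# mirroring the minion where 'oracle' is served by winbind only.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postgres:x:115:123:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
"""

def local_uids(passwd_text: str) -> dict:
    """Map login name -> uid for entries that live in /etc/passwd itself."""
    uids = {}
    for line in passwd_text.splitlines():
        # Skip blanks, comments and the '+'/'-' compat-mode NIS markers.
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) == 7:
            uids[fields[0]] = int(fields[2])
    return uids

def nss_uid(name: str) -> Optional[int]:
    """Resolve a name through NSS (compat + winbind on the reporter's minion)."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None

def classify_account(name: str, passwd_text: str,
                     lookup: Callable[[str], Optional[int]] = nss_uid) -> str:
    """Return 'local', 'remote' or 'absent' for a login name.

    Only a 'local' account can be changed with usermod; a 'remote' one is
    visible to getent but not to usermod, which exits 6 as in the log above.
    """
    if name in local_uids(passwd_text):
        return "local"
    if lookup(name) is not None:
        return "remote"
    return "absent"

if __name__ == "__main__":
    # Constructed NSS view: 'oracle' resolves with an AD-mapped uid, as getent showed.
    fake_nss = {"oracle": 16779755, "root": 0}.get
    for user in ("root", "oracle", "nobody-here"):
        print(user, classify_account(user, SAMPLE_PASSWD, fake_nss))
```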
About this issue
- State: open
- Created 6 years ago
- Comments: 17 (12 by maintainers)
Really need the ability to force user.present to create/manage LOCAL accounts.
To be more precise, I would like an option to create a local user REGARDLESS of whether it exists in AD/LDAP or not.