Understanding Salt Stack user and group management – Russell Ballestrini

Stephen-Wood-rb 12y, 148d ago

Worked like a charm. Thanks for sharing this state recipe.

remark

luupux-rb 11y, 146d ago

Many tHanks This is Very Good example for novice user

remark

LerpDurp-rb 10y, 68d ago

What should the name of the file be and what pathname should it have? I know these could be almost anything, but a hint would help the novice.

remark

russell 8y, 62d ago

I setup my directory structure with a:

state file /srv/salt/users/init.sls
pillar file /srv/pillar/users/init.sls

In both my state and pillar top.sls files I reference - users for '*': so that my users get installed on all minions.

remark

Highloop-rb 9y, 324d ago

Just curious about the - crypt: argument; looking on the doc, I can't find it. The most similar one is - password... Is that yet right for 2015.8.8 ?

remark

russell 8y, 62d ago

Yeah, seems like it was switched to password and crypt was removed. I updated the example in the post.

remark

s23UIQKS 8y, 236d ago [edited]

We have 4 users in a single group. The group is for sysadmins. How to add the group in sudoers via saltstack?

remark

russell 8y, 236d ago

You have a number of options.

The path of least resistance is to simply use an existing group like sudo or admin which is typically already granted elevated privileges in the sudoers config file.

Alternatively you may use salt to manage either:

the sudoers config file (typically /etc/sudoers)
a file dropped into the sudoers drop directory (typically /etc/sudoers.d)

remark

4H9X7aSM 8y, 63d ago

I can't seem to get this to work on Ubuntu 16.04 hosts.

There seems to be an issue from the past that was similar: https://github.com/saltstack/salt/issues/7690

Any pointers? Cheers, Leo

Function: user.present
  Result: False
 Comment: The following requisites were not found:
                             require:
                                 group: sudo

remark

russell 8y, 62d ago [edited]

Hey Leo — I have a groups/init.sls state file that I run on all my minions to make sure the sudo group exists. I wonder if Ubuntu 16.04 doesn't ship this with group anymore.

group-sudo:
  group.present:
    - name: sudo

remark

4H9X7aSM 8y, 62d ago

Hi Russell, Thanks for the reply! The strange thing with this error is that 'sudo' is a default group on Ubuntu (as a Debian derivative).

remark

russell 8y, 62d ago [edited]

Yeah, I would try adding a state to make sure the sudo group exists.

SaltStack builds a sort of graph of state dependencies. This error appears to relate not to the actual sudo group but to the fact that the sudo group isn't listed in SaltStack's dependency tree.

It's harmless to add a state to ensure the sudo group exists. SaltStack will do nothing if it exists.

remark

unverified 7y, 283d ago

If you manually add user to group seems that salt doesn't remove it on apply. Do you know if there's any documentation for that?

remark

unverified 7y, 283d ago

From documentation it says (https://docs.saltstack.com/en/2017.7/ref/states/all/salt.states.user.html#salt.states.user.present):

remove_groups
Remove groups that the user is a member of that weren't specified in the state, Default is True.

But that doesn't work for me.

remark

russell 7y, 283d ago

That sounds like a defect to me!

Please create an issue report.

remark

Comments