4

I'm attempting to develop an Ansible playbook that uses the getent module to help manage various user accounts. I would like to be able to access the various values like UID, GID, password, etc. (what I think is a Python dictionary -- but am not sure that is accurate).

How do I read/access if a password is locked (e.g. ! or !!)?
How do I read/access the UID or GID for say this account: ntp:x:38:38::/etc/ntp:/sbin/nologin into a variable to be used for the next task?

Here is my current playbook task so far. Can this be done in a playbook?

- name: "getent variables"
  getent:
    database: passwd
    key: ntp #root  #uid
    split: ':'
    #fail_key:
    # register: getent_passwd
- debug:
    var: getent_passwd
Bryan

2 Answers

4

Getent results will normally be added as facts to the host's facts.

Keep in mind that the information about gid/uid/etc. is in a separate database from information about passwords.

# ansible localhost -m getent -a 'database=passwd key=root'
localhost | SUCCESS => {
    "ansible_facts": {
        "getent_passwd": {
            "root": [
                "x", 
                "0", 
                "0", 
                "root", 
                "/root", 
                "/bin/bash"
            ]
        }
    }, 
    "changed": false
}

# ansible localhost -m getent -a 'database=shadow key=root' 
localhost | SUCCESS => {
    "ansible_facts": {
        "getent_shadow": {
            "root": [
                "*", 
                "17939", 
                "0", 
                "99999", 
                "7", 
                "", 
                "", 
                ""
            ]
        }
    }, 
    "changed": false
}

How do I read/access the UID or GID for say this account: ntp:x:38:38::/etc/ntp:/sbin/nologin into a variable to be used for the next task?

It isn't that easy.

- name: "getent variables"
  getent:
    database: passwd
    key: ntp

- name: show the UID
  debug:
    var: getent_passwd['ntp'][1]

- name: show the GID
  debug:
    var: getent_passwd['ntp'][2]

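- name: "getent variables"
  # the password field lives in the shadow database, not passwd
  getent:
    database: shadow
    key: ntp
  become: true  # shadow is readable only by root

- name: show the password hash
  debug:
    var: getent_shadow['ntp'][0]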
Zoredache
0

tl;dr - sample solutions to the problem with getent module (tricky) or user module (easier but more limited info)

You can get the most info by using the getent module, but it's tricky to pick out the items you want (use debug to show you the whole structure so you can work out how to specify the fields that you want).

To fetch some common fields with getent for example,

 - ansible.builtin.set_fact:
     username: ntp
 - ansible.builtin.getent:
     database: passwd
     key: "{{ username }}"
 - ansible.builtin.set_fact:
     uid: "{{ getent_passwd[username][1] }}"
     gid: "{{ getent_passwd[username][2] }}"
     home: "{{ getent_passwd[username][4] }}"
     shell: "{{ getent_passwd[username][5] }}"
 - ansible.builtin.debug:
     msg: "UID: {{ uid }}, GID: {{ gid }}, home: {{ home }}, shell: {{ shell }}"

To reiterate Zoredache's comment, the getent module will create host facts of the form getent_databasename where databasename will correspond with the database: specified to getent, thus getent_passwd above.

If it's only those particular fields you want, you could instead use the easier to understand user module with check_mode (without check_mode: true the user concerned will be created or modified so take care!). The corresponding lines would be,

- ansible.builtin.user:
    name: ntp
  check_mode: true
  register: res 
- ansible.builtin.set_fact:
    uid: "{{ res.uid }}"
    gid: "{{ res.group }}"
    home: "{{ res.home }}"
    shell: "{{ res.shell }}"
- ansible.builtin.debug:
    msg: "UID: {{ uid }}, GID: {{ gid }}, home: {{ home }}, shell: {{ shell }}"
Andrew Richards
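An added example, not part of the question or either answer: one way to handle the question's locked-password part with the shadow database shown in the first answer, reporting only a state and never the hash. It assumes a Linux-style shadow file where a leading `!` marks a locked password, and root access through `become`; the `pw_state` fact and its four values are hypothetical names chosen for illustration.

```yaml
# Added example (not the answerers' code). Assumes Linux shadow semantics:
#   field starts with "!" (covers "!!")  -> password locked
#   field is exactly "*"                 -> no password can ever match
#   field is empty                       -> no password required
#   anything else                        -> a password hash is set
- hosts: all
  become: true                      # the shadow database is readable only by root
  vars:
    username: ntp                   # account from the question
  tasks:
    - name: Read the shadow entry
      ansible.builtin.getent:
        database: shadow
        key: "{{ username }}"
      no_log: true                  # keep the hash out of logs and stdout

    - name: Classify the password field without exposing it
      ansible.builtin.set_fact:
        # pw_state is a hypothetical fact name; index 0 is the password field
        pw_state: >-
          {%- set pw = getent_shadow[username][0] | default('', true) -%}
          {%- if pw.startswith('!') -%}locked
          {%- elif pw == '*' -%}no_password_login
          {%- elif pw == '' -%}empty
          {%- else -%}hash_set{%- endif -%}
      no_log: true

    - name: Report only the state
      ansible.builtin.debug:
        msg: "{{ username }}: password field is {{ pw_state }}"

    - name: Stop if the account can log in with no password at all
      ansible.builtin.assert:
        that:
          - pw_state != 'empty'
        fail_msg: "{{ username }} has an empty password field"

    - name: Example follow-up task that runs only for locked accounts
      ansible.builtin.debug:
        msg: "{{ username }} is locked"
      when: pw_state == 'locked'
```

A locked password does not by itself block other login methods such as SSH keys, so treat `pw_state` as a statement about the password field only.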