6

How to efficiently manage user accounts in Ansible? I want to keep user accounts and certificates in a list.

When running the playbook I would like to create every account from the list (that's easy). I also want to remove accounts existing on the host but not present in the list.

For now, I figured out how to list existing accounts: awk -F: '($3 >= 1000) {printf "%s\n",$1}' /etc/passwd

and compare it with my list, removing unwanted accounts.

Is there an easier way, a module that does that out-of-the-box?

Bartosz Bilicki
  • 12,599
  • 13
  • 71
  • 113
  • I have one thought: use your snippet in a local fact (http://docs.ansible.com/ansible/playbooks_variables.html#local-facts-facts-d) so that the users on each server can be accessed as an array from the playbook. – Matthew Schuchard May 25 '16 at 16:07

3 Answers

8

Search for user-id > 1000 when parsing /etc/passwd and add nobody to the list of valid users. This way you're not removing any system users.

vars:
  myusers: ['nobody', 'obama', 'trump', 'clinton', 'you', 'me']

tasks:
# List accounts with UID above 1000; getent also covers users from LDAP/NSS, not only /etc/passwd.
- shell: "getent passwd | awk -F: '$3 > 1000 {print $1}'"
  register: users
  changed_when: false   # listing users never modifies the host, so don't report "changed"

# Remove every listed account that is not in myusers (remove=yes also deletes the home directory).
# default([]) keeps the loop from failing when the shell task returned no lines.
- user:
    name: "{{ item }}"
    state: absent
    remove: yes
  loop: "{{ users.stdout_lines | default([]) }}"
  when: item not in myusers

Remember to add nobody to your list of valid users.

Dennis Winter
  • 2,027
  • 4
  • 32
  • 45

4

WARNING: Do it only if you are absolutely sure about the users to be removed. This may make your system useless if you remove system users like root.

A few lines of Ansible can do what you are asking for. Leverage the user module.

  vars:
    myusers: ['root', 'bin', 'mail', 'obama', 'trump', 'clinton', 'you', 'me']

  tasks:
  # Every account name in /etc/passwd, system users included (hence the warning above).
  - shell: 'cut -d: -f1 /etc/passwd'
    register: users
    changed_when: false   # a read-only listing should never be reported as "changed"

  # Remove each account that is not in myusers; default([]) avoids the
  # "'dict object' has no attribute 'stdout_lines'" error when nothing was listed.
  - user:
      name: "{{ item }}"
      state: absent
      remove: yes
    loop: "{{ users.stdout_lines | default([]) }}"
    when: item not in myusers

helloV
  • 50,176
  • 7
  • 137
  • 145
  • 2
    You need to be really careful about doing things this way. You would need to specify all of the system users or it will remove them. – MillerGeek May 25 '16 at 19:31
  • @smiller171 you are correct. If not used correctly, it will render the machine useless. – helloV May 25 '16 at 20:51
  • The solution I use has you specify users to remove, rather than deleting everything not in a list. – MillerGeek May 25 '16 at 20:53
  • Also just suggested an edit so that your example doesn't mark anything as changed unless it has changed something. – MillerGeek May 25 '16 at 20:54
  • With more recent versions of Ansible you'd use `loop`. Having said that, this code will fail with `'dict object' has no attribute 'stdout_lines'` if no items exist (e.g. if you try extending this code to groups). – Snowcrash Jan 07 '20 at 08:58
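Both answers above do the same two things: list the accounts present on the host and delete the ones not in a desired list, the difference being only how aggressively they filter. The following is an added example (not code from either answer or from Ansible itself) that puts the filtering and the comparison into a small Python script suitable for Ansible's facts.d mechanism, as suggested in the comment on the question. It keeps the question's UID threshold (>= 1000) and also applies an upper bound, so that nobody (UID 65534 on most distributions) is excluded by UID rather than by remembering to whitelist it, and it never returns protected names such as root. The passwd content is constructed sample data; the fact file name users.fact and the resulting variable ansible_local.users.regular are assumptions for this example.

```python
"""Decide which accounts a playbook may remove, from passwd data and a desired-user list.

Installed executable as /etc/ansible/facts.d/users.fact (assumed name), it prints JSON that
Ansible exposes as ansible_local.users.regular; the playbook then loops over that list.
"""
import json
import sys

# Constructed sample passwd content; not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-backup:x:1002:1002::/var/lib/backup:/usr/sbin/nologin
this line is malformed
"""

# Names that are never returned for removal, whatever the desired list says.
PROTECTED = frozenset({"root", "nobody"})


def parse_passwd(text):
    """Yield (name, uid) for every well-formed passwd line; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        try:
            yield fields[0], int(fields[2])
        except ValueError:
            continue


def regular_users(text, uid_min=1000, uid_max=60000):
    """Account names whose UID lies in the regular-user range.

    The defaults mirror the usual UID_MIN/UID_MAX from /etc/login.defs, so system
    accounts below 1000 and nobody at 65534 are excluded without a name-based whitelist.
    """
    return sorted(name for name, uid in parse_passwd(text) if uid_min <= uid <= uid_max)


def accounts_to_remove(existing, wanted, protected=PROTECTED):
    """Accounts present on the host but absent from the desired list, minus protected names."""
    return sorted(set(existing) - set(wanted) - set(protected))


def local_fact(text):
    """JSON document for the facts.d script: {"regular": [...]}."""
    return json.dumps({"regular": regular_users(text)})


if __name__ == "__main__":
    # Read the real file when a path is given (e.g. /etc/passwd), else use the sample data.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_PASSWD
    print(local_fact(source))
```

In a playbook the fact is consumed with a loop such as `loop: "{{ ansible_local.users.regular | default([]) }}"` and `when: item not in myusers`; running the script on the sample data shows that alice, bob and svc-backup are reported while root, daemon and nobody are not, and accounts_to_remove is the dry-run check to print before letting the user module delete anything.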
0

Try using this Ansible role I wrote: https://galaxy.ansible.com/smiller171/manage_users

MillerGeek
  • 3,057
  • 20
  • 23