We have hundreds of Linux servers, and a requirement came in by email stating: “Babin, create the below users on all Linux servers by referring to the attachment, with the approved privileges.” Oh no, that takes time.
In fact, creating user accounts manually across a number of servers takes a lot of time. So we decided to create an Ansible playbook to automate the task on remote servers, with specific UID, GID, “Gecos” information, shell and user passwords. This is how we managed to create the groups and users on remote servers using Ansible. Let's see how we can achieve this.
Requirement:
- Create three groups: “nixadmins” with GID (2010), “office” with GID (2011), and “warehouse” with GID (2012). Each group should have its specific GID.
- Create five users. User “sysadmin” should be the privileged account with UID “2001”, and he is allowed to participate in all the groups, with “nixadmins” as his primary group. He should have a bash shell, and his SSH key should be in place.
- User “bobin” should be an unprivileged account with UID “2002”, and he is allowed to participate only in the “office” group. All other settings are the same as for the “sysadmin” user.
- User “lonston” should have UID “2003”; for all other settings, refer to user “bobin”.
- Create a user “rajesh” with GID “2004”. He is a Unix admin and should have all the privileges. He will participate in the “office” and “warehouse” groups, and his primary group should be “nixadmins”. The remaining settings are the same as for user “sysadmin”.
- Create a temporary user account “guest001” with UID “2004”, without privileges; he will be a collaborator under the “warehouse” group. His home directory should not be created, and his account should expire on 1st May 2018.
- Finally, remove the unwanted system account “games” from all the servers.
Here we are using an empty password for the user “guest001” and forcing him to set his own password at first login.
If we need to set a password in an Ansible playbook, it is better to stick with hashed passwords generated using Python or the mkpasswd command.
```
[ansible@ansible ~]$ python -c 'import crypt; print(crypt.crypt("redhat@1234567", "$1$SomeSalt$"))'
$1$SomeSalt$ZpW3Lbd6PK5Sj1rF279et0
```
All of the above tasks can be done with an Ansible playbook. I run the playbook with the following command:
```
[ansible@ansible ~]$ ansible-playbook add_user_in_remote_servers.yml -i hosts
```
The full playbook follows.
```yaml
---
- hosts: oel7_prod
  gather_facts: no
  connection: ssh

  tasks:
    # Groups are created first so the user tasks can reference them.
    - name: Add group "nixadmins" to remote server
      remote_user: ansible
      become: yes
      become_method: sudo
      group:
        name: nixadmins
        gid: 2010
        state: present

    - name: Add group "Office" to the remote server
      remote_user: ansible
      become: yes
      become_method: sudo
      group:
        name: office
        gid: 2011
        state: present

    - name: Add group "Warehouse" to the remote server
      remote_user: ansible
      become: yes
      become_method: sudo
      group:
        name: warehouse
        gid: 2012
        state: present

    # "group" is the primary group; "groups" with "append: yes" adds
    # supplementary groups without removing existing memberships.
    - name: Add user "sysadmin" to the remote server
      remote_user: ansible
      become: yes
      become_method: sudo
      user:
        name: sysadmin
        comment: "Privileged User"
        uid: 2001
        group: nixadmins
        groups: office,warehouse
        append: yes
        shell: /bin/bash
        generate_ssh_key: yes
        ssh_key_bits: 2048
        ssh_key_file: .ssh/id_rsa

    - name: Add user "Bobin" to the remote server
      remote_user: ansible
      become: yes
      become_method: sudo
      user:
        name: bobin
        comment: "Accountant UnPrivileged User"
        uid: 2002
        group: office
        shell: /bin/bash
        generate_ssh_key: yes
        ssh_key_bits: 2048
        ssh_key_file: .ssh/id_rsa

    - name: Add user "Lonston" to the remote server
      remote_user: ansible
      become: yes
      become_method: sudo
      user:
        name: lonston
        comment: "Content creator UnPrivileged User"
        uid: 2003
        group: office
        shell: /bin/bash
        generate_ssh_key: yes
        ssh_key_bits: 2048
        ssh_key_file: .ssh/id_rsa

    - name: Add user "Rajesh" to the remote server
      remote_user: ansible
      become: yes
      become_method: sudo
      user:
        name: rajesh
        comment: "Unix Admin Privileged User"
        uid: 2004
        group: nixadmins
        groups: office,warehouse
        append: yes
        shell: /bin/bash
        generate_ssh_key: yes
        ssh_key_bits: 2048
        ssh_key_file: .ssh/id_rsa

    # "expires" is an epoch timestamp: 1525198731 falls on 1 May 2018 (UTC).
    - name: Add user "Guest001" to the remote server
      remote_user: ansible
      become: yes
      become_method: sudo
      user:
        name: guest001
        comment: "Temp account"
        uid: 2005
        group: warehouse
        shell: /bin/bash
        createhome: no
        password: ''
        expires: 1525198731

    # chage -d 0 marks the password as expired, forcing a change at next login.
    - name: Force user "Guest001" to change the password
      remote_user: ansible
      become: yes
      become_method: sudo
      command: chage -d 0 guest001

    # "remove: yes" also deletes the account's home directory and mail spool.
    - name: Remove user "Games" from remote server
      remote_user: ansible
      become: yes
      become_method: sudo
      user:
        name: games
        state: absent
        remove: yes
```
That’s it. We are now good to go for any number of servers: by replacing the host group name “oel7_prod”, we can meet our user creation requirements in a few seconds.
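The guest001 tasks reworked so the account never has a blank shadow password field (which `password: ''` produces until the first login, and which permits a login with no password on hosts whose PAM configuration accepts null passwords) and so the hash uses SHA-512 crypt rather than the MD5-crypt `$1$` scheme shown earlier. This is an added example, not the author's playbook; the controller-side path `credentials/guest001.txt` is an assumption.

```yaml
---
- hosts: oel7_prod
  gather_facts: no
  remote_user: ansible
  become: yes
  become_method: sudo

  vars:
    # Hypothetical path on the Ansible controller. The password lookup
    # generates a random value on the first run and re-reads it afterwards.
    guest_otp: "{{ lookup('password', 'credentials/guest001.txt length=20 chars=ascii_letters,digits') }}"

  tasks:
    - name: Add user "guest001" with a random one-time password
      user:
        name: guest001
        comment: "Temp account"
        uid: 2005
        group: warehouse
        shell: /bin/bash
        create_home: no
        # SHA-512 crypt ($6$) with a random salt instead of '' or $1$.
        password: "{{ guest_otp | password_hash('sha512') }}"
        # The salt changes on every run, so only set the hash at creation.
        update_password: on_create
        expires: 1525198731
      register: guest_account
      no_log: true

    - name: Force "guest001" to change the password at first login
      command: chage -d 0 guest001
      when: guest_account is changed

    - name: Read the shadow entry for "guest001"
      command: getent shadow guest001
      register: shadow_entry
      changed_when: false
      no_log: true

    # Also catches an account left over from an earlier run with password ''.
    - name: Fail if the password field is blank or not SHA-512 crypt
      assert:
        that:
          - shadow_entry.stdout.split(':')[1].startswith('$6$')
        fail_msg: "guest001 has a blank or non-SHA-512 password field"
```

The one-time password in `credentials/guest001.txt` still has to reach the user over a separate channel, and the file should be deleted from the controller once it has.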
Conclusion:
We have managed to create a number of users and groups across remote servers. It is much easier to handle daily tasks like this with a playbook. Hope this helps you. Provide your feedback and suggestions for improvement in the comment section below.