Ansible Playbook to create Users and Groups in Linux

When does Ansible help me?

Why do we use an Ansible playbook? We have hundreds of Linux servers, and a request arrives by email saying "Babin, create the users below on all Linux servers, referring to the attachment for the approved privileges." Oh no, that takes time.

In fact, creating user accounts manually across a number of servers takes time. So we decided to write an Ansible playbook that automates the task on the remote servers with specific UIDs, GIDs, GECOS information, shells and user passwords. This is how we managed to create the groups and users on remote servers using Ansible. Let's see how to achieve this.


To read about more topics on Ansible, refer to the links below.

  1. Install and configure Ansible Automation IT Tool
  2. Install Ansible using Python installation manager pip
  3. How to create a host’s Inventory using Ansible
  4. Managing Groups and User creation using Ansible
  5. Creating a Logical volume-based file system using Ansible
  6. Ansible tasks for Sysadmins with examples

Requirement:

  • Create three groups: “nixadmins” with GID 2010, “office” with GID 2011 and “warehouse” with GID 2012. Each group should have its own specific GID.
  • Create five users. User “sysadmin” should be the privileged account with UID “2001”; he is allowed to participate in all the groups, with “nixadmins” as his primary group. He should have a bash shell and his SSH key should be in place.
  • User “bobin” should be the unprivileged account with UID “2002”; he is allowed to participate only in the “office” group. All other settings are the same as for user “sysadmin”.
  • User “lonston” should have UID “2003”; for all other settings refer to user “bobin”.
  • Create a user “rajesh” with UID “2004”. He is a Unix admin and should have all the privileges. He will participate in the “office” and “warehouse” groups, and his primary group should be “nixadmins”. The remaining settings are the same as for user “sysadmin”.
  • Create a temporary account “guest001” with UID “2004”, without privileges; he will be a collaborator in the “warehouse” group. His home directory should not be created, and his account should expire on 1st May 2018.
  • Finally, remove the unwanted system account “games” from all the servers.

Here we use an empty password for the user “guest001” and force him to set his own password at first login.

If we need to set a password in an Ansible playbook, we should stick to an encrypted password hash generated with Python or with the mkpasswd command.

[ansible@ansible ~]$ python -c 'import crypt; print(crypt.crypt("redhat@1234567", "$1$SomeSalt$"))'
$1$SomeSalt$ZpW3Lbd6PK5Sj1rF279et0

All of the above tasks can be done with an Ansible playbook. I run this playbook using the following command.

[ansible@ansible ~]$ ansible-playbook add_user_in_remote_servers.yml -i hosts

Playbooks for creating Users & Groups

The full playbook is as follows.

---
- hosts: linuxsysadmins
  remote_user: ansible
  become: yes
  become_method: sudo
  gather_facts: no
  connection: ssh
  tasks:
   - name: Add group "nixadmins" to remote server
     group:
       name: nixadmins
       gid: 2010
       state: present

   - name: Add group "Office" to remote server
     group:
       name: office
       gid: 2011
       state: present

   - name: Add group "Warehouse" to remote server
     group:
       name: warehouse
       gid: 2012
       state: present

   - name: Add user "sysadmin" to remote server
     user:
       name: sysadmin
       comment: "Privileged User"
       uid: 2001
       group: nixadmins
       groups: office,warehouse
       append: yes
       shell: /bin/bash
       generate_ssh_key: yes
       ssh_key_bits: 2048
       ssh_key_file: .ssh/id_rsa

   - name: Add user "Bobin" to remote server
     user:
       name: bobin
       comment: "Accountant UnPrivileged User"
       uid: 2002
       group: office
       shell: /bin/bash
       generate_ssh_key: yes
       ssh_key_bits: 2048
       ssh_key_file: .ssh/id_rsa

   - name: Add user "Lonston" to remote server
     user:
       name: lonston
       comment: "Content creator UnPrivileged User"
       uid: 2003
       group: office
       shell: /bin/bash
       generate_ssh_key: yes
       ssh_key_bits: 2048
       ssh_key_file: .ssh/id_rsa

   - name: Add user "Rajesh" to remote server
     user:
       name: rajesh
       comment: "Unix Admin Privileged User"
       uid: 2004
       group: nixadmins
       groups: office,warehouse
       append: yes
       shell: /bin/sh
       generate_ssh_key: yes
       ssh_key_bits: 2048
       ssh_key_file: .ssh/id_rsa

   - name: Add user "Guest001" to remote server
     user:
       name: guest001
       comment: "Temp account"
       uid: 2005
       group: warehouse
       shell: /bin/bash
       createhome: no
       password: ''
       expires: 1525198731

   - name: Force user "Guest001" to change the password
     command: chage -d 0 guest001

   - name: Remove user "Games" from remote server
     user:
       name: games
       state: absent
       remove: yes
...

That’s it. We are now good to go for any number of servers: by replacing the host group name “linuxsysadmins”, we can meet our user creation requirements in a few seconds.
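As an added example that is not part of the original post, the following Python script audits a host's passwd, group and shadow entries against the requirements above (UID, primary group, supplementary groups, and removal of the “games” account) and flags the empty password field that `password: ''` leaves for guest001; the account database lines are constructed sample data, not output from a real server.

```python
# Added example (not from the original post): audit a host's account database against
# the requirements above; the passwd/group/shadow lines are constructed sample data.
PASSWD = """\
sysadmin:x:2001:2010:Privileged User:/home/sysadmin:/bin/bash
bobin:x:2002:2011:Accountant UnPrivileged User:/home/bobin:/bin/bash
guest001:x:2005:2012:Temp account:/home/guest001:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
"""
GROUP = """\
nixadmins:x:2010:
office:x:2011:sysadmin
warehouse:x:2012:sysadmin
"""
# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire (days since 1970-01-01)
SHADOW = """\
sysadmin:$6$constructed$notarealhash:17600:0:99999:7:::
bobin:!!:17600:0:99999:7:::
guest001::0:0:99999:7::17652:
"""
SPEC = {  # name -> (uid, primary group, supplementary groups), per the requirements
    "sysadmin": (2001, "nixadmins", {"office", "warehouse"}),
    "bobin": (2002, "office", set()),
    "guest001": (2005, "warehouse", set()),
}
REMOVED = {"games"}  # accounts the playbook must have deleted

def parse(text, fields):
    return {l.split(":")[0]: dict(zip(fields, l.split(":"))) for l in text.splitlines() if l}

def audit(passwd_text, group_text, shadow_text, spec=SPEC, removed=REMOVED):
    # Returns a list of deviations from the spec; an empty list means the host conforms.
    passwd = parse(passwd_text, ["name", "pw", "uid", "gid", "gecos", "home", "shell"])
    groups = parse(group_text, ["name", "pw", "gid", "members"])
    shadow = parse(shadow_text, ["name", "hash", "lastchg"])  # empty hash = passwordless login
    gid_name = {g["gid"]: g["name"] for g in groups.values()}
    findings = []
    for name, (uid, primary, extra) in spec.items():
        e = passwd.get(name)
        if e is None:
            findings.append(f"{name}: account missing")
            continue
        member_of = {g for g, v in groups.items() if name in v["members"].split(",")}
        checks = [
            (int(e["uid"]) == uid, f"{name}: uid {e['uid']} != {uid}"),
            (gid_name.get(e["gid"]) == primary, f"{name}: primary group != {primary}"),
            (member_of == extra, f"{name}: groups {sorted(member_of)} != {sorted(extra)}"),
            (shadow.get(name, {}).get("hash", "x") != "", f"{name}: empty password in shadow"),
        ]
        findings += [msg for ok, msg in checks if not ok]
    findings += [f"{n}: system account still present" for n in sorted(removed) if n in passwd]
    return findings
```

On a real host, feed it the contents of /etc/passwd, /etc/group and /etc/shadow (the last one needs root) and treat any non-empty result as a drift from the playbook's intent.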

Conclusion:

We have managed to create a number of users and groups across remote servers; it is much easier to do this with a playbook for our daily tasks. Hope this helps you. Provide your feedback and improvement suggestions in the comment section below.

5 thoughts on “Ansible Playbook to create Users and Groups in Linux”

  1. can any one explain?
    password: ''
    expires: 1525198731

    - name: Force user "Guest001" to change the password
    command:
    chage -d 0 guest001

    1. Dear Harindra,

      Answer for expires: 1525198731 is

      An expiry time for the user in epoch time format. It will be ignored on platforms that do not support this.
      Currently supported on GNU/Linux, FreeBSD, and DragonFlyBSD.
      Since Ansible 2.6 you can remove the expiry time by specifying a negative value. Currently supported on GNU/Linux and FreeBSD.

      Install this package on your ansible host

      # yum install ansible-doc

      Then run the below command to read more about the user module.

      # ansible-doc -s user

      To read more about the chage command and options better run the command # man chage

      -d, --lastday LAST_DAY
      Set the number of days since January 1st, 1970 when the password was last
      changed. The date may also be expressed in the format YYYY-MM-DD (or the
      format more commonly used in your area). If the LAST_DAY is set to 0 the user
      is forced to change his password on the next log on.

      Thanks & Regards,
      Babin Lonston

  2. can any one explain?
    password: ''
    expires: 1525198731

    - name: Force user "Guest001" to change the password
    command:
    chage -d 0 guest001

    1. Dear Anonymous,

      An expiry time for the user in epoch time format. It will be ignored on platforms that do not support this.
      Currently supported on GNU/Linux, FreeBSD, and DragonFlyBSD.
      Since Ansible 2.6 you can remove the expiry time by specifying a negative value. Currently supported on GNU/Linux and FreeBSD.

      Thanks & Regards,
      Babin Lonston
