Unable to add a windows user password - user state and windows useradd module (v2014.1.0-5)

[emmellee]

My environment consists of standalone-windows-minions.

c:\salt\salt-call --version
salt-call.exe 2014.1.0-5-g7400343

From the documentation, "password" does not appear to be supported for the user state on windows:

"password
A password hash to set for the user. This field is only supported on Linux, FreeBSD, NetBSD, OpenBSD, and Solaris."

Yet, documentation concerning win_useradd states this:

"salt.modules.win_useradd.setpassword(name, password)
Set a user's password"

And, in order to truly add a windows user, I need to be able to include a password along with the username. I've tried adding this parameter within the user.state like below, but am having no luck.

Is there a solution for adding users via the user state for windows like below?

JenkinsGroup:
  group:
   - present

sshGroup:
  group:
   - present

mletest:
  user:
    - present
    - fullname:  "mletest Account"
    - password: {{ pillar['Jauth'] }}
    - groups:
      - JenkinsGroup
      - Users
      - sshGroup

Thanks.

[basepi]

Are you trying to add a plaintext password or a hash? It's possible the hash requirements could be different on Windows.

@UtahDave ping

[emmellee]

I'm wondering if it's working either way in the user state for windows. It doesn't appear to be documented. Since there's a win_useradd module, I think user state could/should work. The module is plaintext. Is it plaintext or a hash for the user state? More importantly, can it use pillars?

[UtahDave]

The user module for Windows requires a plaintext password. The state should
pass that through just fine. You also should be able to use pillars for the
password as well.

On Wed, Mar 12, 2014 at 7:49 AM, emmellee notifications@github.com wrote:

I'm wondering if it's working either way in the user state for windows. It
doesn't appear to be documented. Since there's a win_useradd module, I
think user state could/should work. The module is plaintext. Is it
plaintext or a hash for the user state? More importantly, can it use
pillars?

Reply to this email directly or view it on GitHubhttps://github.com//issues/11093#issuecomment-37409678
.

Dave Boucha | Sr. Engineer

2825 E. Cottonwood Parkway, Suite 360 | Salt Lake City, UT 84121
office 801-305-3563
dave@saltstack.com | www.saltstack.com http://saltstack.com/

[emmellee]

When trying the above, I receive this error:

    Function: user.present
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call l
ast):
                File "salt/state.py", line 1371, in call
                File "salt/states/user.py", line 370, in present
                File "salt/modules/win_useradd.py", line 61, in add
                File "salt/modules/win_useradd.py", line 250, in chgroups
              TypeError: 'bool' object is not iterable
     Changes:

Summary
------------
Succeeded: 2
Failed:    1
------------
Total:     3

[emmellee]

Hmmm...this doesn't seem necessarily related to the password. I just can't seem to add a user on the windows platform. Perhaps the OS needs more info than the user state supplies? I'll see if I can debug in some way.

[emmellee]

When I create a user on our Windows 2008 servers interactively, there are two required fields: username and password. Additionally, the radio button "User must change password at next logon" is selected by default. For application ids, I sometimes chose the radio button "Password never expires" instead. These 3 things allow me to create a user interactively. I have been unsuccessful in creating a windows user via salt-call using the salt user state. Is this unique to me?

[emmellee]

Salt does not appear to be passing the net user command the password value.

More help is available by typing NET HELPMSG 2221.
2014-03-18 12:39:20,931 [salt.loaded.int.module.cmdmod][INFO ] Executing command 'net user mlemle /add' in directory 'C:\Users\snipped.snipped'
2014-03-18 12:39:21,087 [salt.loaded.int.module.cmdmod][ERROR ] Command 'net user mlemle /add' failed with return code: 2
2014-03-18 12:39:21,102 [salt.loaded.int.module.cmdmod][ERROR ] stderr: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.

[emmellee]

Above error resulted from these declarations:

In pillar :

mleauth: AZaz09@#BYby87&*AZaz09@#BYby87&*

In state file:

mlemle:
  user:
    - present
    - password: {{ pillar['mleauth'] }}

[UtahDave]

Try putting single quotes around your password or backslashing the hash or
pound signs in the password "#'

The hash is treated as a comment in yaml

On Tue, Mar 18, 2014 at 1:55 PM, emmellee notifications@github.com wrote:

Above error resulted from these declarations:

In pillar :
mleauth: AZaz09@#BYby87&AZaz09@#BYby87&

In state file:
mlemle:
user:

• present
• password: {{ pillar['mleauth'] }}

Reply to this email directly or view it on GitHubhttps://github.com//issues/11093#issuecomment-37979947
.

Dave Boucha | Sr. Engineer

2825 E. Cottonwood Parkway, Suite 360 | Salt Lake City, UT 84121
office 801-305-3563
dave@saltstack.com | www.saltstack.com http://saltstack.com/

[emmellee]

Okay, I've tried different strings. The first one just had an underscore in it - seemed harmless, but it didn't work either. I also tried double quotes, but I'll try single quotes. The one above in the example, I purposely made complicated just in case the windows server was choking on the password rules - even though I was testing earlier with a known good password that met the rules.

But just to confirm - this works for others?

[emmellee]

Removed the hash, added single quotes to pillar item. Log shows this rendering:

mlemle:
  user:
    - present
    - password: AZaz09@BYby87&*AZaz09@BYby87&*
2014-03-18 15:15:11,805 [salt.loaded.int.render.yaml][DEBUG   ] Results of YAML rendering: 
OrderedDict([('JenkinsGroup', OrderedDict([('group', ['present'])])), ('sshGroup', OrderedDict([('group', ['present'])])), ('mlemle', OrderedDict([('user', ['present', OrderedDict([('password', 'AZaz09@BYby87&*AZaz09@BYby87&*')])])]))])

But I do not see the password being passed to the net user command in the log:

2014-03-18 15:15:16,626 [salt.state       ][INFO    ] Executing state user.present for mlemle
2014-03-18 15:15:16,641 [salt.loaded.int.module.cmdmod][INFO    ] Executing command 'net user mlemle' in directory 'C:\\Users\\snipped.snipped'
2014-03-18 15:15:16,860 [salt.loaded.int.module.cmdmod][ERROR   ] Command 'net user mlemle' failed with return code: 2
2014-03-18 15:15:16,875 [salt.loaded.int.module.cmdmod][ERROR   ] output: The user name could not be found.

More help is available by typing NET HELPMSG 2221.
2014-03-18 15:15:16,891 [salt.loaded.int.module.cmdmod][INFO    ] Executing command 'net user mlemle /add' in directory 'C:\\Users\\snipped.snipped'
2014-03-18 15:15:17,156 [salt.loaded.int.module.cmdmod][ERROR   ] Command 'net user mlemle /add' failed with return code: 2
2014-03-18 15:15:17,187 [salt.loaded.int.module.cmdmod][ERROR   ] stderr: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.

More help is available by typing NET HELPMSG 2245.
2014-03-18 15:15:17,203 [salt.state       ][ERROR   ] Failed to create new user mlemle
2014-03-18 15:15:17,219 [salt.state       ][INFO    ] Completed state [mlemle] at time 

[UtahDave]

Does this user already exist?

On Tue, Mar 18, 2014 at 4:27 PM, emmellee notifications@github.com wrote:

Removed the hash, added single quotes to pillar item. Log shows this
rendering:

mlemle:
user:
- present
- password: AZaz09@BYby87&AZaz09@BYby87&
2014-03-18 15:15:11,805 [salt.loaded.int.render.yaml][DEBUG ] Results of YAML rendering:
OrderedDict([('JenkinsGroup', OrderedDict([('group', ['present'])])), ('sshGroup', OrderedDict([('group', ['present'])])), ('mlemle', OrderedDict([('user', ['present', OrderedDict([('password', 'AZaz09@BYby87&AZaz09@BYby87&')])])]))])

But I do not see the password being passed to the net user command in the
log:

2014-03-18 15:15:16,626 [salt.state ][INFO ] Executing state user.present for mlemle
2014-03-18 15:15:16,641 [salt.loaded.int.module.cmdmod][INFO ] Executing command 'net user mlemle' in directory 'C:\Users\snipped.snipped'
2014-03-18 15:15:16,860 [salt.loaded.int.module.cmdmod][ERROR ] Command 'net user mlemle' failed with return code: 2
2014-03-18 15:15:16,875 [salt.loaded.int.module.cmdmod][ERROR ] output: The user name could not be found.

More help is available by typing NET HELPMSG 2221.
2014-03-18 15:15:16,891 [salt.loaded.int.module.cmdmod][INFO ] Executing command 'net user mlemle /add' in directory 'C:\Users\snipped.snipped'
2014-03-18 15:15:17,156 [salt.loaded.int.module.cmdmod][ERROR ] Command 'net user mlemle /add' failed with return code: 2
2014-03-18 15:15:17,187 [salt.loaded.int.module.cmdmod][ERROR ] stderr: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.

More help is available by typing NET HELPMSG 2245.
2014-03-18 15:15:17,203 [salt.state ][ERROR ] Failed to create new user mlemle
2014-03-18 15:15:17,219 [salt.state ][INFO ] Completed state [mlemle] at time

Reply to this email directly or view it on GitHubhttps://github.com//issues/11093#issuecomment-37996757
.

Dave Boucha | Sr. Engineer

2825 E. Cottonwood Parkway, Suite 360 | Salt Lake City, UT 84121
office 801-305-3563
dave@saltstack.com | www.saltstack.com http://saltstack.com/

[emmellee]

No. I wish to add it. From the log, salt sees that the user is not present and then attempts to add it. However,also from the log, salt does not appear to be passing the password to the net user /add command.

Shouldn't I have seen this in the log:

Executing command 'net user mlemle AZaz09@BYby87&*AZaz09@BYby87&* /add'

instead of this:

Executing command 'net user mlemle /add'

[UtahDave]

@emmellee I've been testing this issue today with Salt 2014.1.1 on Windows Server 2008 R2

I've used your exact sls file above, even the same passwords with and without single quotes around it and it has created the user for me every time. I'll test now using pillar.

Is there anything else you can think of that would help me reproduce this issue?

(I did find an unrelated bug where reapplying the state gives an error about being able to manage the user's groups.)

[UtahDave]

Yeah, even with using the password from pillar I'm still successfully creating the groups and user.

[emmellee]

Wow. No, I can't think of anything. It sounds as if it's a problem local to
me, I guess. Especially, if you were able to do that using previous versions.
I could upgrade to v2014.1.1 just in case it could help - do you think that
might be the case?

[UtahDave]

Actually, I just noticed in your first report that you're using the stand-alone minion. I've been doing all the testing with a salt-master and salt-minion.

Let me test with a stand-alone minion.

[UtahDave]

Ok, I didn't bother to set up the pillar data, but running that sls in standalone mode created the groups and the user just fine.

Could you try upgrading to 2014.1.1 and see if that works?

[emmellee]

Will do.

[emmellee]

UtahDave, I upgraded and still had the problem.

Then I ran the net command manually and found it didn't like the ampersands. So I took those out, reran the net command and it came back with a prompt I always see when changing my password interactively:

net user mlemle AZaz09@BYby87*AZaz09@BYby87* /add
The password entered is longer than 14 characters.  Computers
with Windows prior to Windows 2000 will not be able to use
this account. Do you want to continue this operation? (Y/N) [Y]:

The password policy is something I don't have control over. One of the rules is that it be at least 15 chars. Of course satisfying that requirement, means I'm going to run into that windows prompt.

This is a problem, no?

[emmellee]

Is there a force option I can use in the state file?

[emmellee]

I somehow need to be able to pass /y to the net user command, it seems...

[UtahDave]

@emmellee do you think we should always pass in /y ?

[emmellee]

I'm sorry, I don't know enough about Windows to say. I work in the environment under duress...

[emmellee]

I've been using the 32 bit version of salt on these windows 2008 servers having this issue. I recently ran into a webadministration module problem using powershell v3 and 32-bit salt on a windows 2012 server. When I replaced the 32 bit version of salt with the 64 bit version, it fixed my webadministration problem and I ALSO found I did not have this pw issue using the 2012/64bit-salt configuration. I'm afraid I did not test the pw issue prior to replacing the 32 bit version on the 2012; but I will replace the 32 bit version on the 2008 servers and test. I'm sorry it didn't occur to me before.

[emmellee]

I replaced the 32 bit version on the 2008 servers with the 62 bit version - but it did not fix the issue:

\salt\salt-call --versions-report
           Salt: 2014.1.1
         Python: 2.7.5 (default, May 15 2013, 22:44:16) [MSC v.1500 64 bit (AMD6
4)]
         Jinja2: 2.7.1
       M2Crypto: 0.21.1
 msgpack-python: 0.4.2
   msgpack-pure: Not Installed
       pycrypto: 2.6
         PyYAML: 3.10
          PyZMQ: 14.1.1
            ZMQ: 4.0.4

Perhaps I need to upgrade if you've introduced a patch for this?