pdbedit for creating samba users

[kyrias]

It would be nice if the samba.users state file would use the pdbedit state module to create samba users instead of always piping the password to smbpasswd on every run. Additionally it would allow us to only store a password hash in the pillar rather than the raw password.

[xenadmin]

I tried this today and I failed. I have the feeling, that the module isn't working and that it is not my fault, but I'm not sure of course. Here is my code:

{% if grains['os_family'] in ('RedHat', 'Suse', 'Debian') %}
include:
  - samba.client
{% endif %}

{% for login,user in salt['pillar.get']('samba:users', {}).items() %}
{{ login }}:
  user.present:
    - name: {{ login }}
    - fullname: {{ login }}
    - password: {{ user.password }}
  pdbedit.managed:
    - login: {{ login }}
    - password: {{ user.password }}
    - password_hashed: False
{% endfor %}

This is the error I get:

----------
          ID: agent
    Function: pdbedit.managed
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/usr/lib/python3/dist-packages/salt/state.py", line 1919, in call
                  **cdata['kwargs'])
                File "/usr/lib/python3/dist-packages/salt/loader.py", line 1918, in wrapper
                  return f(*args, **kwargs)
                File "/usr/lib/python3/dist-packages/salt/states/pdbedit.py", line 132, in managed
                  res = __salt__['pdbedit.modify'](**kwargs)
                File "/usr/lib/python3/dist-packages/salt/modules/pdbedit.py", line 325, in modify
                  ret = create(login, password, password_hashed)[login]
                File "/usr/lib/python3/dist-packages/salt/modules/pdbedit.py", line 218, in create
                  nthash=_quote_args(password_hash)
                File "/usr/lib/python3.5/shlex.py", line 282, in quote
                  if _find_unsafe(s) is None:
              TypeError: cannot use a string pattern on a bytes-like object
     Started: 19:10:47.391963
    Duration: 87.277 ms
     Changes:   

Can somebody help me decide if it's my fault, or if I have to raise a bug in the saltstack project? ping @noelmcloughlin

[noelmcloughlin]

That's annoying.
Could this be jinja encoding/decoding issue?
https://stackoverflow.com/questions/39047657/base64-decode-string-in-jinja
I'm honestly not sure and bit too busy to look at this.
I wonder if there is an open or closed issue for this error at https://github.com/saltstack/salt repo?

[xenadmin]

Update:
I can get it to work, if I set - password_hashed: True and change the Pillar to an NT hash. But that would need two pillar values, as user.present and pdbedit.managed use different password hashes.
Even if I try it via the pdbedit module I get the error, when I use Plaintext passwords:

root@salt:/srv# salt 'HOST' pdbedit.modify agent password='abc' 
HOST:
    Passed invalid arguments to pdbedit.modify: cannot use a string pattern on a bytes-like object

[xenadmin]

This seems to work, if I write it like this, but this would require the define two hashes in the pillar:

{% if grains['os_family'] in ('RedHat', 'Suse', 'Debian') %}
include:
  - samba.client
{% endif %}

{% for login,user in salt['pillar.get']('samba:users', {}).items() %}
{{ login }}:
  user.present:
    - name: {{ login }}
    - fullname: {{ login }}
    - password: {{ user.passwordPASSWD }}
  pdbedit.managed:
    - login: {{ login }}
    - password: {{ user.passwordNT }}
    - password_hashed: True

{% endfor %}

[noelmcloughlin]

You could update pillar.example with what worked, if no code change is necessary.
This would help stop other people getting tripped up.
Does your solution scale? How many users would be managed using smbpasswd. I'm typically using Active Directory (winbind) and/or users-formula for use management and never used samba.users state to be honest.

I had a look at the python module, it's a basic implementation:
https://github.com/saltstack/salt/blob/b44f0f1d0fd564690c6e45c6dd061c0e84d76def/salt/states/pdbedit.py#L78

Only Bool is supported for password. So if False should work then raise an issue at https://github.com/saltstack/salt so someone might improve this.

[xenadmin]

Regarding your different questions: Here is the pillar I had to use. This works with the init.sls state I wrote in #35 (comment)

# user.present needs hash -> openssl passwd -1
# pdbedit.managed needs hash -> salt '*' pdbedit.generate_nt_hash PASSWORD

samba:
  users:
    agent:
      passwordPASSWD: $1$EN0z3WOT$/1Y.PghPl0C1t.b9Q4w4F1
      passwordNT: 7B592E4F8178B4C75788531B2E747687

Or maybe it would be nicer to write? I have no idea, I just started using Salt to solve my problems, not salt's problems xD

samba:
  users:
    agent:
      password:
        PASSWD: $1$EN0z3WOT$/1Y.PghPl0C1t.b9Q4w4F1
        NT: 7B592E4F8178B4C75788531B2E747687

Does your solution scale?

I have no idea. I just need one user for one special use case. It's not about samba for me, it's about Zabbix. On each Zabbix Proxy I need a single smb share with a single user to make the Zabbix agent available to the Windows Server OS.

So if False should work then raise an issue at...

I guess I have to do that.
But anyway we would have to decide, if the pillar for this state has to to be plaintext or Hash. I guess it can't be both? Or can it? user.present can handle both. And the True or False Bool for pdbedit.managed could be set via pillar? But that would get rather complicated for a simple to use formula.

[noelmcloughlin]

Cool - great work! I'd suggest you raise PR to incorporate #35 (comment) and update pillar.example with what worked (you can add more than one example if you want). Whatever solves your problem is the correct contribution.

The only minor suggestion is to keep keys lowercase password_nt and password_passwd. YAML supports "any case" but the current style pillar.example is lowercase and underscores.

Nice work anyway - it will be great contribution to have samba.users work out of the box - i.e. paste example from pillar.example into their environment and run the state with no failures or unwanted behaviour.

[noelmcloughlin]

And since the user case is one user (i.e. not 1 million users) the solution scales. I guess the most common use case is one or two users.

[xenadmin]

I guess this can be closed after #70 ?