Pass secondary groups when creating a user

[ianssoftcom]

Created users should be assigned to secondary groups; pass the groups parameter to the user resource.

Note: I had to set manage_groups: false so that the accounts module no longer creates the secondary groups, this was to prevent a dependency loop:

Error: Failed to apply catalog: Found 1 dependency cycle:
(Group[sudo] => User[ubuntu] => Accounts::Group[sudo] => Group[sudo])

[deric]

Hi, thanks for reading the code. It's not a bug, it's a feature. You can define group membership either at group level or at user's definition:

accounts::groups:
  www-data:
    gid: 33
    members: ['john']
accounts::users:
  john:
    groups: ["sudo", "users"]

The definition of group membership gets merged and applied (the relevant code). First we're creating user accounts, then groups so that the plan is executed in a single run.

Did you have a problem with secondary groups not being applied?

[ianssoftcom]

Creating secondary groups using accounts::groups works, but assigning members to secondary groups does not work. The provider for Linux is groupadd (https://docs.puppet.com/puppet/4.9/type.html#group-provider-groupadd) which does not support managing group members.

# puppet resource group testgroup ensure=present members=testuser --debug
...
Debug: /Group[testgroup]: Provider groupadd does not support features manages_members; not managing attribute members

Which is the reason I had to look at making 'acounts::users' to add to secondary groups work, but this created a dependency loop which CI detected.

[deric]

Not sure if I follow. Could you post your configuration?

[ianssoftcom]

Adding members to secondary groups does not work. The group is created, but members were not added.

accounts::groups:
  www-data:
    members: ['john']

When using the accounts::users, the groups array does not do anything (the user resource in the code does not pass the groups - that's what this PR was for).

accounts::users:
  john:
    groups: ["sudo", "users"]

      user { $username:
        ensure    => present,
        uid       => $uid,
        shell     => $shell,
        allowdupe => $allowdupe,
      }

[deric]

Have you installed deric-gpasswd module which is listed as dependency? If so, please send me full log.

[ianssoftcom]

Thanks - that's the piece I was missing (gpasswd provider). We have been using deric-accounts for years, so I never looked for dependencies. I will give that a test.

[deric]

It should be mentioned in the README, sorry about that. But the dependency will probably go away in next release, if I manage to find some time for refactoring. I'm closing this PR, in fact it's pretty much duplicate of #51.