Non interactive samba user creation via ansible

Tags: ansible, samba

Although the following command works when typed in a shell:

echo -ne "myser\nmypass\n" | smbpasswd -a -s myuser

The following task fails in ansible

  - name: add dms samba user
    command: echo -ne "myuser\nmypass\n" | smbpasswd -a -s myuser
    notify: restart samba

It does not produce any errors, but the user is not created.

Working with ansible 2.3.0.0 on Ubuntu 16.0.4.

pkaramol asked Jun 26 '17 14:06


4 Answers

As stated, pipes won't work with the command module. I've used something like this in the past to create Samba users:

- name: Configure Samba users.
  shell: >
    (pdbedit --user={{ item.username }} 2>&1 > /dev/null)
    || (echo '{{ item.password }}'; echo '{{ item.password }}')
    | smbpasswd -s -a {{ item.username }}
  register: smbpasswd
  changed_when: "'Added user' in smbpasswd.stdout"
  with_items: "{{ samba_users }}"
  loop_control:
    label: "{{ item.username }}"

The task will only run if the user does not exist yet. So changing passwords won't work with this example.

siwyd answered Nov 07 '22 00:11


Please try this approach with your Ansible Playbook:

- name: set Samba passwords for each user
  shell: "printf '{{ item.passwd }}\n{{ item.passwd }}\n' | smbpasswd -a {{ item.name }}"
  with_items:
  - "{{ users }}"
  tags: smbpasswd

Please note that you will need to map your variables file that includes users: with the format of:

users:
- name: userName
  passwd: myClearTextPassword

Please note that to support smbpasswd you will be passing this password as clear text. Additionally, note that this is only a single task that would need to be included in your playbook.

Steven K7FAQ answered Nov 07 '22 00:11


The answer by siwyd above is excellent. I was struggling to figure out how to solve this problem in an idempotent way until I saw this. For my use-case, I'd like to keep the passwords in sync, so I've added another play to do this. Might be useful for someone.

- name: shell - create samba users
  shell: >
    (pdbedit --user={{ item.username }} 2>&1 > /dev/null)
    || (echo '{{ item.password }}'; echo '{{ item.password }}')
    | smbpasswd -s -a {{ item.username }}
  register: create_samba_users
  changed_when: "'Added user' in create_samba_users.stdout"
  become: true
  with_items: "{{ samba_users }}"
  loop_control:
    label: "{{ item.username }}"

- name: shell - set samba passwords correctly
  shell: >
    (smbclient -U {{ item.username }}%{{ item.password }} -L 127.0.0.1 2>&1 > /dev/null)
    || (echo '{{ item.password }}'; echo '{{ item.password }}')
    | smbpasswd {{ item.username }}
  register: verify_samba_users
  changed_when: "'New SMB password' in verify_samba_users.stdout"
  become: true
  with_items: "{{ samba_users }}"
  loop_control:
    label: "{{ item.username }}"

Tormod Macleod answered Nov 07 '22 02:11


I improved the code from siwyd and Tormod Macleod slightly. Thanks to both of you!

- name: shell - create samba users
  shell: >
    set -e -o pipefail
    && (pdbedit --user={{ item.username }} 2>&1 > /dev/null)
    || (echo '{{ item.password }}'; echo '{{ item.password }}')
    | smbpasswd -s -a {{ item.username }}
  args:
    executable: /bin/bash
  register: samba_create_users
  changed_when: "'Added user' in samba_create_users.stdout"
  loop: "{{ samba_users }}"
  no_log: true

- name: shell - set samba passwords correctly
  shell: >
    set -e -o pipefail
    && (smbclient -U {{ item.username }}%{{ item.password }} -L 127.0.0.1 2>&1 > /dev/null)
    || (echo '{{ item.password }}'; echo '{{ item.password }}')
    | smbpasswd {{ item.username }}
  args:
    executable: /bin/bash
  register: samba_verify_users
  changed_when: "'New SMB password' in samba_verify_users.stdout"
  loop: "{{ samba_users }}"
  no_log: true

Changes:

  • Added pipefail to satisfy Ansible Lint (https://ansible-lint.readthedocs.io/en/latest/default_rules.html#risky-shell-pipe)
  • Changed executable to /bin/bash, because /bin/sh doesn't know pipefail
  • Added no_log to prevent password logging if the task fails
  • Removed loop_control label, since logging is disabled
  • Used loop instead of with_items

Etienne answered Nov 07 '22 02:11
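
An added example, not part of any answer above: the same create-if-missing logic written with the command module's argv and stdin parameters, so the password is never templated into a shell string (where a single quote in it would break the `echo '...'` quoting) and is not part of the command line. It assumes Ansible 2.8 or later and the samba_users list of username/password items used in the answers; the register name samba_existing is made up for this example.

```yaml
# Added example (not from the answers above).
# Assumes: Ansible >= 2.8, and samba_users = [{username: ..., password: ...}, ...]

- name: check which samba users already exist
  command:
    argv:
      - pdbedit
      - "--user={{ item.username }}"
  register: samba_existing        # hypothetical variable name
  changed_when: false             # read-only lookup, never reports a change
  failed_when: false              # non-zero rc only means "not in the passdb"
  loop: "{{ samba_users }}"
  loop_control:
    label: "{{ item.username }}"  # keep the password out of the loop output

- name: create missing samba users (password supplied on stdin only)
  command:
    argv:
      - smbpasswd
      - -s                        # read the password from stdin
      - -a                        # add the user
      - "{{ item.item.username }}"
    # smbpasswd -s expects the password twice; the module appends the
    # final newline itself (stdin_add_newline defaults to true).
    stdin: "{{ item.item.password }}\n{{ item.item.password }}"
  when: item.rc != 0              # only for users pdbedit did not find
  loop: "{{ samba_existing.results }}"
  loop_control:
    label: "{{ item.item.username }}"
  no_log: true                    # the loop item carries the clear-text password
```

Because no shell is involved, pipefail and the /bin/bash executable override are not needed, and the second task reports "changed" only for users that were actually added.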