Reputation: 1023
Error:
Chef::Exceptions::UserIDNotFound
--------------------------------
cannot determine user id for 'builduser', does the user exist on this system?
Here is my (trimmed) chef recipe:
if node['platform'] == 'centos'
  package 'yum-utils'
  execute 'yum-config-manager --enable cr'
end

include_recipe "python::source"
...
## Setup key for jenkins... https://supermarket.chef.io/cookbooks/ssh_authorized_keys
ssh_authorize_key '[email protected]' do
  key 'AAAAB3Nz...hiOQ=='
  user 'builduser'
  group 'builduser'
end
This user is not created by this recipe; it already exists in the Active Directory that this CentOS VM is connected to.
Does anyone know how to tell Chef to read this from Active Directory?
Thanks in advance.
Upvotes: 2
Views: 792
Reputation: 479
--- /etc/ssh/sshd_config
+++ /etc/ssh/sshd_config
@@ -41,1 +41,1 @@
-AuthorizedKeysFile .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/keys/keys-%u
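Review bot: the second path added on the `+` line puts `/etc/ssh/keys/keys-%u` under sshd's StrictModes checks, so that file and the `/etc/ssh/keys` directory must be owned by root or the user and must not be group- or world-writable, otherwise sshd refuses to use the file; the `root:root`, mode 400 convention given below satisfies this. The change is additive: `.ssh/authorized_keys` in the home directory is still consulted, so existing per-user keys keep working. Worth confirming what `%u` expands to for the AD accounts on this box (it is the login name sshd was given, which with sssd or winbind can carry a domain qualifier depending on their configuration), so that the file name the recipe writes actually matches.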
Coding it like this, in an attributes file:
# bad pseudocoding; at own risk!
include_attribute 'openssh::default'
# sshd consults every path listed: keep the per-user file and add the central one
default['openssh']['server']['authorized_keys_file'] = '.ssh/authorized_keys /etc/ssh/keys/keys-%u'
Chown them root:root and mode 400, since only sshd needs to read them; manage them with Chef anyway:
# bad pseudocoding; at own risk!
# assumed attribute shape: node['ssh_keys'] = { 'builduser' => ['ssh-rsa AAAA... jenkins'] }
keys = node['ssh_keys'] || {}

directory '/etc/ssh/keys' do
  owner 'root'
  group 'root'
  mode '0755' # StrictModes rejects a group/world-writable directory on the path
end

keys.each do |user, strarrkeys|
  file "/etc/ssh/keys/keys-#{user}" do # make this DRYer for added credit
    content strarrkeys.join("\n") + "\n"
    owner 'root' # root-owned, so Chef never has to resolve the AD user
    group 'root'
    mode '0400' # sshd reads the file as root before dropping privileges
    action strarrkeys.empty? ? :delete : :create
  end
end
Upvotes: 0
Reputation: 1023
My workaround / solution was to create file resources owned by root, and then chown them to the user. Somehow... chown doesn't seem to have a problem with AD.
file '/home/orgz_test/builduser/.ssh/authorized_keys' do
  content 'ssh-rsa AAAAB3Nz...hiOQ== [email protected]'
  mode '0600' # same mode the chmod below sets, so the mode is not flipped on every run
end

# user and group setting in 'file' or 'directory' does not work... so, do it manually
bash "Change ownership" do
  user "root"
  group "root"
  code <<-EOC
    chown builduser /home/orgz_test/builduser/.ssh/authorized_keys
    chgrp builduser_g /home/orgz_test/builduser/.ssh/authorized_keys
    chmod 600 /home/orgz_test/builduser/.ssh/authorized_keys
  EOC
  # only run while ownership is still wrong, so the run stays idempotent
  not_if "stat -c '%U:%G' /home/orgz_test/builduser/.ssh/authorized_keys | grep -qx 'builduser:builduser_g'"
end
Not the prettiest solution, but it works.
Upvotes: 1
Reputation: 54221
You might be running into the dreaded "nsswitch.conf reload" issue. Does it work the second time or does it always fail? If it works the second time, it might be because /etc/nsswitch.conf was only updated earlier in that Chef run, and those changes won't be visible until the Chef process restarts due to how libc caches the nsswitch database config. If it always fails, check that the machine does have the correct nsswitch config to make AD users visible. Linking to AD on PAM alone wouldn't be enough for the user entries to work.
Upvotes: 1
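The two cases in the answer above (nsswitch.conf missing an AD source versus the account simply not being visible yet in the current process) can be told apart with a small check run from the same Ruby process. This is an added example, not code from the answerer or from the question; it uses `Etc.getpwnam`, which is the same libc lookup Chef's file resources use when they turn `owner` into a uid (that failing lookup is what surfaces as `Chef::Exceptions::UserIDNotFound`). The attribute-free function names, the sample nsswitch.conf text and the list of NSS modules treated as AD-capable are my assumptions.

```ruby
require 'etc'

# Added example (not from the original answer): check whether an AD-backed
# account is actually visible through NSS before a Chef resource needs it.

# NSS modules commonly used to expose AD/LDAP accounts (assumption; extend as needed)
AD_NSS_SOURCES = %w[sss winbind ldap].freeze

# Return the NSS sources on the `passwd:` line of an nsswitch.conf text,
# e.g. "passwd: files sss" -> ["files", "sss"]. Comments and action tokens
# such as "[NOTFOUND=return]" are ignored.
def passwd_sources(nsswitch_text)
  nsswitch_text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next unless line =~ /\Apasswd:\s*(.*)\z/
    return Regexp.last_match(1).split.reject { |tok| tok.start_with?('[') }
  end
  []
end

# True when at least one AD/LDAP-capable source is listed for passwd.
def ad_passwd_source?(nsswitch_text)
  (passwd_sources(nsswitch_text) & AD_NSS_SOURCES).any?
end

# Resolve a user through the libc NSS path. Returns the uid, or nil when
# getpwnam() cannot find the account (Etc raises ArgumentError in that case).
def resolve_uid(username)
  Etc.getpwnam(username).uid
rescue ArgumentError
  nil
end

# Classify the failure the way the answer suggests:
#   :resolved                  - the account is visible, nothing to do
#   :no_ad_source_in_nsswitch  - nsswitch.conf never consults an AD source
#   :not_visible_yet           - source is configured but this process still
#                                cannot see the account (e.g. nsswitch.conf was
#                                rewritten earlier in the same run)
def diagnose_user(username, nsswitch_text)
  return :resolved unless resolve_uid(username).nil?
  return :no_ad_source_in_nsswitch unless ad_passwd_source?(nsswitch_text)
  :not_visible_yet
end

if $PROGRAM_NAME == __FILE__
  # usage: ruby check_user.rb builduser
  puts diagnose_user(ARGV.fetch(0, 'builduser'), File.read('/etc/nsswitch.conf'))
end
```

Calling `diagnose_user` from a `ruby_block` (or at the top of the recipe) and raising on anything other than `:resolved` turns the opaque `UserIDNotFound` into a message that says which of the two situations you are in; a result of `:not_visible_yet` after nsswitch.conf was changed in the same run is the signal that a second run, or a Chef restart, is what is needed.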