The user module is used to create and manage user settings, users can be set as either absent or present
fred:
user.present:
- fullname: Fred Jones
- shell: /bin/zsh
- home: /home/fred
- uid: 4000
- gid: 4000
- groups:
- wheel
- storage
- games
testuser:
user.absent
Ensure that the named user is absent
The name of the user to remove
Set purge to True to delete all of the user's files as well as the user,
Default is False
.
If the user is logged in, the absent state will fail. Set the force
option to True to remove the user even if they are logged in. Not
supported in FreeBSD and Solaris, Default is False
.
Ensure that the named user is present with the specified properties
The name of the user to manage
The user id to assign. If not specified, and the user does not exist, then the next available uid will be assigned.
The id of the default group to assign to the user. Either a group name or gid can be used. If not specified, and the user does not exist, then the next available gid will be assigned.
Set to True
to allow the state to update the uid.
New in version 2018.3.1.
Set to True
to allow the state to update the gid.
New in version 2018.3.1.
If True, a group with the same name as the user will be created. If False, a group with the same name as the user will not be created. The default is distribution-specific. See the USERGROUPS_ENAB section of the login.defs(5) man page.
Note
Only supported on GNU/Linux distributions
New in version 3001.
A list of groups to assign the user to, pass a list object. If a group specified here does not exist on the minion, the state will fail. If set to the empty list, the user will be removed from all groups except the default group. If unset, salt will assume current groups are still wanted, and will make no changes to them.
A list of groups to assign the user to, pass a list object. If a group specified here does not exist on the minion, the state will silently ignore it.
NOTE: If the same group is specified in both "groups" and "optional_groups", then it will be assumed to be required and not optional.
Remove groups that the user is a member of that weren't specified in
the state, Default is True
.
The custom login directory of user. Uses default value of underlying system if not set. Notice that this directory does not have to exist. This also the location of the home directory to create if createhome is set to True.
If set to False
, the home directory will not be created if it
doesn't already exist.
Warning
Not supported on Windows or Mac OS.
Additionally, parent directories will not be created. The parent
directory for home
must already exist.
If set to True
, it will not add the user to lastlog and faillog
databases.
Note
Not supported on Windows.
A password hash to set for the user. This field is only supported on
Linux, FreeBSD, NetBSD, OpenBSD, and Solaris. If the empty_password
argument is set to True
then password
is ignored.
For Windows this is the plain text password.
For Linux, the hash can be generated with mkpasswd -m sha-256
.
Changed in version 0.16.0: BSD support added.
Set to True to hash the clear text password. Default is False
.
Set to False to keep the password from being changed if it has already
been set and the password hash differs from what is specified in the
"password" field. This option will be ignored if "password" is not
specified, Default is True
.
Set to True to enable password-less login for user, Default is False
.
Set to False
to unlock a user's password (or Windows account). On
non-Windows systems ONLY, this parameter can be set to True
to lock
a user's password. Default is None
, which does not take action on
the password (or Windows account).
New in version 3006.0.
The login shell, defaults to the system default shell
Require a unique UID, Default is True
.
Choose UID in the range of FIRST_SYSTEM_UID and LAST_SYSTEM_UID, Default is
False
.
The login class, defaults to empty (BSD only)
User comment field (GECOS) support (currently Linux, BSD, and MacOS only):
The below values should be specified as strings to avoid ambiguities when the values are loaded. (Especially the phone and room number fields which are likely to contain numeric data)
The user's full name
The user's room number (not supported in MacOS)
The user's work phone number (not supported in MacOS)
The user's home phone number (not supported in MacOS)
The user's other attribute (not supported in MacOS) If GECOS field contains more than 4 commas, this field will have the rest of 'em
Changed in version 2014.7.0: Shadow attribute support added.
Shadow attributes support (currently Linux only):
The below values should be specified as integers.
Date of last change of password, represented in days since epoch (January 1, 1970).
The minimum number of days between password changes.
The maximum number of days between password changes.
The number of days after a password expires before an account is locked.
Number of days prior to maxdays to warn users.
Date that account expires, represented in days since epoch (January 1, 1970).
The below parameters apply to windows only:
The drive letter to use for the home directory. If not specified the
home directory will be a unc path. Otherwise the home directory will be
mapped to the specified drive. Must be a letter followed by a colon.
Because of the colon, the value must be surrounded by single quotes. ie:
- win_homedrive: 'U:'
Changed in version 2015.8.0.
The custom profile directory of the user. Uses default value of underlying system if not set.
Changed in version 2015.8.0.
The full path to the logon script to run when the user logs in.
Changed in version 2015.8.0.
A brief description of the purpose of the users account.
Changed in version 2015.8.0.