Creating/Managing Unix user accounts using Puppet user resource

Puppet comes with a built-in user resource which creates and manages unix user accounts. More about this resource is available at
https://docs.puppetlabs.com/puppet/latest/reference/types/user.html

A user resource, with some of its attributes, looks like this:


user { 'resource title':
  name                 => # (namevar) The user name. While naming limitations vary by...
  ensure               => # The basic state that the object should be in....
  comment              => # A description of the user.  Generally the user's 
  expiry               => # The expiry date for this user. Must be provided...
  gid                  => # The user's primary group.  Can be specified...
  groups               => # The groups to which the user belongs.  The...
  home                 => # The home directory of the user.  The directory...
  managehome           => # Whether to manage the home directory when...
  password             => # The user's password, in whatever encrypted...
  password_max_age     => # The maximum number of days a password may be...
  password_min_age     => # The minimum number of days a password must be...
  profile_membership   => # Whether specified roles should be treated as the 
  shell                => # The user's login shell.  The shell must exist...
  system               => # Whether the user is a system user, according to...
  uid                  => # The user ID; must be specified numerically. If...
  # ...plus any applicable metaparameters.
}


A few examples of using the user resource follow:


Example 1:

           user { 'zaman':
             ensure  => 'present',
             comment => 'Zaman Home',   # GECOS field shown in /etc/passwd
             home    => '/home/zaman',
             shell   => '/bin/bash',
           }
  

This creates a unix account 'zaman' as follows:

         # grep zaman /etc/passwd
         zaman:x:502:502:Zaman Home:/home/zaman:/bin/bash
         # id zaman
         uid=502(zaman) gid=502(zaman) groups=502(zaman)
 


Example 2:

        node 'node2.example.com', 'node3.example.com' {
          user { 'askar':
            ensure           => 'present',
            managehome       => true,
            comment          => 'Zaman Home',
            home             => '/home/askar',
            shell            => '/bin/bash',
            expiry           => '2016-03-22',
            password         => '$1$cs1j/t.D$4qjZLwFQ2Ocr0pulyNTUx/',
            password_min_age => '0',
            password_max_age => '60',
          }

          # Run chage only when the user resource changes (i.e. on creation);
          # without refreshonly every Puppet run would expire the password again.
          exec { 'chage':
            path        => '/usr/bin/',
            command     => 'chage -d 0 askar',
            refreshonly => true,
            subscribe   => User['askar'],
          }
        }
  

This creates a unix account 'askar' as follows. It also applies additional settings, such as password expiration policies.
The password parameter sets the user's initial password.

To generate the encrypted password for the user, we can use the following command:
   
             openssl passwd -1 redhat123

This generates the encrypted form of redhat123, which is then set as the value of the password parameter in the user resource.
  
The user is created with the following information:

   # grep askar /etc/passwd
   askar:x:506:506:Zaman Home:/home/askar:/bin/bash


   # grep askar /etc/shadow
   askar:$1$cs1j/t.D$4qjZLwFQ2Ocr0pulyNTUx/:0:0:60:7::16882:
 
 

We need to install the ruby-shadow package on all client hosts where the user accounts need to be created, so that Puppet can update the /etc/shadow file. ruby-shadow is available for download from the following location:

       https://yum.puppetlabs.com/el/6/dependencies/x86_64/ 
  
In the second example, I also used the exec resource. This exec resource runs the chage command, which forces the user to change his password after the first login. chage shows the following information after the manifest is applied:

# chage -l askar
Last password change                                    : password must be changed
Password expires                                        : password must be changed
Password inactive                                       : password must be changed
Account expires                                         : Mar 22, 2016
Minimum number of days between password change          : 0
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 7
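The chage output above is derived from the aging fields of the shadow entry shown earlier. The following script, added here as an example and not part of the original post, parses that entry, reproduces the aging information chage reports, and flags the hash algorithm: the $1$ prefix produced by openssl passwd -1 is MD5-crypt, whereas $6$ (openssl passwd -6 on OpenSSL 1.1.1 and later) is SHA-512-crypt. The sample shadow lines are constructed from the post's output; the second one with a $6$ hash is made up for illustration.

```python
"""Decode /etc/shadow aging fields the way `chage -l` reports them."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# crypt(3) hash prefixes; $1$ is what `openssl passwd -1` emits.
HASH_ALGOS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
WEAK_ALGOS = {"md5crypt"}

# Constructed from the /etc/shadow line quoted in the post.
SAMPLE_SHADOW = "askar:$1$cs1j/t.D$4qjZLwFQ2Ocr0pulyNTUx/:0:0:60:7::16882:"


def _days_to_date(field):
    """Convert a days-since-epoch field to a date, or None if empty."""
    return EPOCH + timedelta(days=int(field)) if field else None


def hash_algo(hashed):
    """Name the hash algorithm, or 'locked' for a disabled password."""
    if hashed == "" or hashed.startswith(("!", "*")):
        return "locked"
    return HASH_ALGOS.get(hashed[:3], "unknown")


def parse_shadow_line(line):
    """Split one shadow entry into a dict of its nine fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))
    name, hashed, lastchg, minage, maxage, warn, inact, expire, _ = fields
    algo = hash_algo(hashed)
    return {
        "name": name,
        "hash_algo": algo,
        "weak_hash": algo in WEAK_ALGOS,
        "last_change": _days_to_date(lastchg),  # 0 -> change forced at login
        "must_change": lastchg == "0",
        "min_days": int(minage) if minage else None,
        "max_days": int(maxage) if maxage else None,
        "warn_days": int(warn) if warn else None,
        "account_expires": _days_to_date(expire),
    }


def password_expires(entry):
    """Date the password expires; None when chage prints 'never' or
    'password must be changed' (lastchg == 0) instead of a date."""
    if entry["must_change"] or entry["max_days"] is None or entry["last_change"] is None:
        return None
    return entry["last_change"] + timedelta(days=entry["max_days"])
```

Run against SAMPLE_SHADOW it reports must_change=True, a weak md5crypt hash, and an account expiry of 2016-03-22, matching the chage output above.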
 

 

   

Comments

Ajay said…
Hi, how will the new user know what his password is?

As we have given the password in encrypted form.
