
sync_groups not working : User is not provisioned or not managed by keymaker, skipping #26

Open
guru-sd opened this issue Sep 22, 2017 · 6 comments

Comments

@guru-sd

guru-sd commented Sep 22, 2017

These are the steps I performed to get to the current point:

  1. Created 3 EC2 instances with the instance role with the right policy.
  2. Created 3 IAM users (ec2-user-1, 2 and 3) in a security group called keymaker_sd_dev_users
  3. Logged in to the EC2 instances as ec2-user and installed keymaker using sudo (as the default ec2-user didn't have permissions to fully run install)
  4. From EC2 instance added ssh keys to the 3 IAM users using upload_key and *rsa.pub files
  5. Tried to run keymaker sync_groups and got this:

INFO:keymaker:Syncing IAM group keymaker_ec2_strikedeck_developers
WARNING:keymaker:User ec2-user-1 is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User ec2-user-2 is not provisioned or not managed by keymaker, skipping
WARNING:keymaker:User ec2-user-3 is not provisioned or not managed by keymaker, skipping

@saltyfireball

saltyfireball commented Oct 23, 2017

I am getting the same errors. I did a test to see whether, if I manually passed a user into the bash script, that user was created and the SSH key grabbed and added to authorized_keys.

Here is my modified version of keymaker-create-account-for-iam-user (just to pass params). This was copied and moved to a different location to test. I left the original version intact.

#!/bin/bash -e

# Exit codes the PAM stack understands (from sysexits.h).
EX_TEMPFAIL=75
EX_NOPERM=77
SUPATH='/sbin'
# Take the username from the first argument instead of PAM's environment.
USER=$1

if [ -z "$USER" ]; then
    echo "usage: $0 <iam-username>" >&2
    exit $EX_NOPERM
fi

if getent passwd "$USER" >/dev/null 2>&1; then
    # Terminate the PAM authentication stack. The SSH client will fail since the user didn't supply a valid public key.
    exit $EX_NOPERM
else
    # Create the user, then terminate the PAM authentication stack. The SSH client will fail, and the user will need to try again.
    # TODO: figure out how to display info banner
    # Verify that the IAM user exists (keymaker exits non-zero if it does not, and -e then aborts the script).
    keymaker get_authorized_keys "$USER"
    NEW_UID=$(keymaker get_uid "$USER")
    # Prefer useradd where it exists, otherwise fall back to Debian-style adduser.
    # The original test, ! [ $(command -v useradd > /dev/null) ], was always true
    # because the redirected command substitution expands to an empty string.
    if command -v useradd >/dev/null 2>&1; then
        # --create-home: Debian/Ubuntu useradd does not create the home directory by default.
        ${SUPATH}/useradd "$USER" --create-home --comment "$USER" --uid "$NEW_UID"
    else
        ${SUPATH}/adduser "$USER" --disabled-password --gecos "$USER" --uid "$NEW_UID"
    fi
    for group in $(keymaker get_groups "$USER"); do
        ${SUPATH}/usermod --append --groups "$group" "$USER" || echo "$0: Error while adding user to group"
    done
    mkdir -p /home/"$USER"/.ssh/
    keymaker get_authorized_keys "$USER" > /home/"$USER"/.ssh/authorized_keys
    # The files above were written as root; hand them to the new user with the
    # restrictive modes sshd's StrictModes expects.
    chown -R "$USER": /home/"$USER"/.ssh
    chmod 700 /home/"$USER"/.ssh
    chmod 600 /home/"$USER"/.ssh/authorized_keys

    echo "Keymaker: Your user account has been replicated onto this host, but SSH will not recognize it until you reconnect."
    echo "Keymaker: Connect again to log in to your account."
    exit $EX_TEMPFAIL
fi

All of the below are true for me.

  • So when sync_groups is run, I get the same error listed above.
  • When I try to log in as a user, I noticed some errors in /var/log/secure (these were due to the location of the scripts). I then corrected this by creating a symbolic link (ln -s /bin/keymaker-create-account-for-iam-user /usr/local/bin/keymaker-create-account-for-iam-user), and those errors went away.
  • Now when I try to log in as a user, it prompts me for a password and no user is created (therefore no authorized_keys exists either).

Any additional help or guidance would be great :)

@ChrisMKinsella

Hi,
I hit and corrected the same problems as above, but now seem to have got the process to work on CentOS 7 by temporarily disabling SELinux.
Hopefully an SELinux policy can be created to allow this?

@kislyuk
Owner

kislyuk commented Feb 8, 2018

Sorry about the late response to this. The error ("User ... is not provisioned or not managed by keymaker, skipping") is raised when the user's uid is less than 2000 or an error is encountered when querying the user's information. Can you check that the users' UIDs are over 2000? If they are, then the user running the cron job may be denied access to run pwd.getpwnam(unix_username).pw_uid - any ideas why? I don't routinely test on CentOS so haven't been able to reproduce this yet.

@amitgera

Same exception on both Amazon Linux and Ubuntu.
While executing keymaker sync_groups, I received the warning below:
WARNING:keymaker:User xyz.abc is not provisioned or not managed by keymaker, skipping

After debugging, I found the relevant functions in the code: sync_groups is at line 407 of https://github.com/kislyuk/keymaker/blob/master/keymaker/__init__.py

if not is_managed(user):
    logger.warn("User %s is not provisioned or not managed by keymaker, skipping", user)
    continue

I found that the above is due to a False return by the function below (line 359):

import pwd

def is_managed(unix_username):
    # Any failure (no such user, uid below 2000, or a failed lookup) yields False.
    try:
        uid = pwd.getpwnam(unix_username).pw_uid
        if uid < 2000:
            raise ValueError(uid)
    except Exception as e:
        return False
    return True

It was because the user does not exist.

How do all IAM users of the IAM groups (which get synced on the node) also get created and synced to the node?
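The UID-floor check kislyuk describes above and the is_managed() function amitgera quotes collapse three different situations into one False return: the Unix account was never created (the PAM account-creation script has not run for that user yet), the account exists but its UID is below 2000, or the getpwnam lookup itself failed. The diagnostic below is an added example, not code from keymaker or from anyone in this thread. It keeps keymaker's verdict but reports which case applies. The names diagnose, sync_report, fake_getpwnam and failing_lookup, the fake passwd table, and the separate handling of a denied lookup are constructed for this example; the 2000 floor is copied from the quoted code.

```python
"""Diagnose why `keymaker sync_groups` reports a user as "not provisioned or not managed".

Added example (not part of keymaker). keymaker's is_managed() returns False for all of:
  * the Unix account does not exist yet   (pwd.getpwnam raises KeyError)
  * the account exists with uid < 2000     (treated as a system account)
  * the lookup itself failed               (NSS/SELinux/permission problem)
This script tells those cases apart.
"""
import pwd
from collections import namedtuple

MIN_MANAGED_UID = 2000  # floor used by keymaker's is_managed(); system accounts live below it

# Minimal stand-in for the struct returned by pwd.getpwnam (constructed for the example).
PasswdEntry = namedtuple("PasswdEntry", "pw_name pw_uid")


def diagnose(unix_username, lookup=pwd.getpwnam, min_uid=MIN_MANAGED_UID):
    """Return 'managed', 'missing', 'system_uid' or 'lookup_error' for a username.

    `lookup` defaults to the real pwd.getpwnam; the sample below injects a fake table.
    """
    try:
        entry = lookup(unix_username)
    except KeyError:
        return "missing"        # no local account: the PAM account-creation step has not run
    except Exception:
        return "lookup_error"   # NSS/SELinux/permission failure while querying the account
    if entry.pw_uid < min_uid:
        return "system_uid"     # account exists but sits below keymaker's UID floor
    return "managed"


def is_managed(unix_username, lookup=pwd.getpwnam):
    """The same verdict keymaker's is_managed() gives, derived from the diagnosis."""
    return diagnose(unix_username, lookup) == "managed"


def sync_report(group_members, lookup=pwd.getpwnam):
    """Map each IAM group member to its diagnosis, in the order sync_groups would visit them."""
    return {user: diagnose(user, lookup) for user in group_members}


# ---- constructed sample data: a fake passwd table standing in for this host's NSS ----
FAKE_PASSWD = {
    "root": PasswdEntry("root", 0),
    "ec2-user": PasswdEntry("ec2-user", 1000),      # default AMI user, below the floor
    "ec2-user-1": PasswdEntry("ec2-user-1", 2001),  # account keymaker provisioned
}


def fake_getpwnam(name):
    """Stand-in for pwd.getpwnam over the constructed table (hypothetical helper)."""
    try:
        return FAKE_PASSWD[name]
    except KeyError:
        raise KeyError("getpwnam(): name not found: %r" % name)


def failing_lookup(name):
    """Stand-in for a lookup blocked by policy, to exercise the 'lookup_error' outcome."""
    raise PermissionError("getpwnam(%r) denied" % name)


def main():
    # ec2-user-2 has no local account: the case the reporters in this thread hit.
    report = sync_report(["ec2-user", "ec2-user-1", "ec2-user-2"], fake_getpwnam)
    report["ec2-user-3"] = diagnose("ec2-user-3", failing_lookup)
    for user in sorted(report):
        print("%-12s %-13s is_managed=%s" % (user, report[user], report[user] == "managed"))


if __name__ == "__main__":
    main()
```

Run it against the real host by calling sync_report with the default lookup and the member list from `keymaker` for the group in question; a 'missing' result means the account has to be created first (a login attempt through the PAM script), while 'system_uid' means the UID floor, not provisioning, excluded the user.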

@amitgera

@kislyuk Please help

@amitgera

@kislyuk Please confirm ^
