Ansible: user escalation failure

EDIT: This ansible_become_pass: "{{ scrappy.pass }}" #scrappy's password is the source of the problem. Should be password for ubuntu user

I am having a hard time understanding how to set privileges per task in ansible.

So given the playbook scrappy, I want to log in as the admin user (ubuntu) but do something as the user scrappy.

Note that:

- both scrappy and ubuntu are in the sudoers file
- both also have the same set of permissions name ALL=(ALL) ALL
- but ubuntu is the only user allowed to log into the host

Playbook scrappy.yml:

---
- hosts: fig
  name: LogInAsUbuntuButDoSomethingAsScrappy
  gather_facts: false
  remote_user: ubuntu
  vars:
    ansible_become_pass: "{{ scrappy.pass }}"
    ansible_ssh_private_key_file: "{{ ubuntu_key_path }}"
  roles:
    - examplerole

and the task is:

- name: ScrappyDoesSomething
  become_user: scrappy
  become: true
  apt:
    name: python3-pip
    state: present

Yet, running the above playbook results in:

TASK [fig : Run some command as docker user] *********************************************************************
task path: /Users/pnotes/Code/Ansible/example/roles/fig/tasks/main.yml:35
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 xx.xxx.xx.xxx '/bin/sh -c '"'"'echo ~ubuntu && sleep 0'"'"''
<xx.xxx.xx.xxx> (0, b'/home/ubuntu\n', b'')
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 xx.xxx.xx.xxx '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /var/tmp/ansible-tmp-1540132846.970539-145559158546185 `" && echo ansible-tmp-1540132846.970539-145559158546185="` echo /var/tmp/ansible-tmp-1540132846.970539-145559158546185 `" ) && sleep 0'"'"''
<xx.xxx.xx.xxx> (0, b'ansible-tmp-1540132846.970539-145559158546185=/var/tmp/ansible-tmp-1540132846.970539-145559158546185\n', b'')
Using module file /Users/pnotes/.pyenv/versions/3.6.4/lib/python3.6/site-packages/ansible/modules/packaging/os/apt.py
<xx.xxx.xx.xxx> PUT /Users/pnotes/.ansible/tmp/ansible-local-33576100fmfnk/tmpp4r90jce TO /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py
<xx.xxx.xx.xxx> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 '[xx.xxx.xx.xxx]'
<xx.xxx.xx.xxx> (0, b'sftp> put /Users/pnotes/.ansible/tmp/ansible-local-33576100fmfnk/tmpp4r90jce /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py\n', b'')
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 xx.xxx.xx.xxx '/bin/sh -c '"'"'setfacl -m u:rekc:r-x /var/tmp/ansible-tmp-1540132846.970539-145559158546185/ /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py && sleep 0'"'"''
<xx.xxx.xx.xxx> (0, b'', b'')
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 -tt xx.xxx.xx.xxx '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=hegelcumrkxfphxoykzfggauamdrklck] password: " -u rekc /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-hegelcumrkxfphxoykzfggauamdrklck; /usr/bin/env python3.6 /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation failed
fatal: [xx.xxx.xx.xxx]: FAILED! => {
    "msg": "Incorrect sudo password"
}

Can someone please explain what I am missing here? Thank you.

ansible ansible-playbook
edited May 5 at 2:51
asked Oct 21 '18 at 15:23
P Notes

Using sudo from one user to another user requires the originating user's password.
– Michael Hampton♦
Oct 21 '18 at 16:31

Just realized that I never responded to this. Looking at this now, I am like "Dude, what were you thinking?" I clearly needed sleep/break
– P Notes
May 5 at 2:47

2 Answers

An option would be to allow admin to sudo without password

ubuntu ALL=(ALL) NOPASSWD: ALL

edited Oct 22 '18 at 8:34
answered Oct 22 '18 at 8:28
Vladimir Botka

If the task needs to be run by root, it should not have become_user - this is running the task as that user, which does not have the rights to do so.

- name: ScrappyDoesSomething
  become: true
  apt:
    name: python3-pip
    state: present

In this case it will be ubuntu who requests escalation, since they are set as remote_user. If you need scrappy to be the one who requests escalation, then remote_user should be set to scrappy for the task, but become_user should still be root. Since the remote user is set for a play, you need to have a new play if you want to change users.

answered Oct 22 '18 at 9:30
Bruce Becker
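
The comment and the second answer combined into one play, as an added example that is not part of any post on this page: the become password is the one for the SSH login user (ubuntu), the package install escalates to root, and become_user: scrappy is kept only for a command that should really run as scrappy. The variable ubuntu.pass is a hypothetical name mirroring the question's scrappy.pass, and the task names are made up for illustration.

```yaml
---
- hosts: fig
  name: LogInAsUbuntuAndEscalateWithUbuntusPassword
  gather_facts: false
  remote_user: ubuntu
  vars:
    # sudo authenticates the user who invokes it, i.e. the SSH login user,
    # whatever the target of "-u" is. So this must be ubuntu's password.
    # ubuntu.pass is a hypothetical variable; keep it in an ansible-vault file.
    ansible_become_pass: "{{ ubuntu.pass }}"
    ansible_ssh_private_key_file: "{{ ubuntu_key_path }}"
  tasks:
    # apt needs root, so no become_user here: it defaults to root.
    - name: InstallPipAsRoot
      become: true
      apt:
        name: python3-pip
        state: present

    # become_user only for work that should run with scrappy's rights.
    # The password sudo asks for is still ubuntu's.
    - name: ScrappyDoesSomething
      become: true
      become_user: scrappy
      command: id -un
      register: whoami
      changed_when: false

    # Fail the run if the previous task did not execute as scrappy.
    - name: ConfirmTaskRanAsScrappy
      assert:
        that:
          - whoami.stdout == "scrappy"
```

With -vvv, the sudo line for the second task shows "-o User=ubuntu" on the SSH side and "-u scrappy" on the sudo side, which is the pairing to check when "Incorrect sudo password" appears.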