Yes Walter, you are right. I am passing the root password ( *--ask-become-pass* ) as part of the ansible playbook execution cmd. Here my ssh user pwd and root pwd are the same.

*ansible-playbook -i hosts testroot.yaml -e "host=host.iil.corp.com" --ask-become-pass -k*
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature will be removed from ansible-core in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
*SSH password:*
*BECOME password[defaults to SSH password]:*

On Mon, Jan 23, 2023 at 6:52 PM 'Rowe, Walter P. (Fed)' via Ansible Project <[email protected]> wrote:

> Authenticate with *testuser's* password:
>
>
> THIS .. you had to authenticate .. the ansible playbook is also "waiting
> to authenticate" the sudo for testuser (become: true).
>
> That is timing out because it expects to have sudo rights without
> requiring a password.
>
> Walter
> --
> Walter Rowe, Division Chief
> Infrastructure Services, OISM
> Mobile: 202.355.4123
>
> On Jan 23, 2023, at 7:20 AM, saravanan jothilingam <
> [email protected]> wrote:
>
> Hi,
> I get this output when I run 'sudo -l'. I used ansible_user=testuser in
> the * host inventory file* to connect to the remote server.
>
> testhost> *sudo -l*
> Subject to Corporate's Global Employee and Global Contingent Worker
> Privacy Notices
> (see
> https://employeecontent.Corporate.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html
> )
> all system access and delegated/privileged activity on the Corporate
> network
> may be logged for auditing and security purposes, including your username
> and commands used. Log records may be retained for up to 1 year.
>
> We trust you have received the usual lecture from the local System
> Administrator. It usually boils down to these three things:
>
> #1) Respect the privacy of others.
> #2) Think before you type.
> #3) With great power comes great responsibility.
>
> Remember you may use 'sudo -l' to review a list of authorized commands.
>
> Authenticate with *testuser's* password:
> Matching Defaults entries for *testuser *on testhost:
> syslog=local3, !set_home, !targetpw, !insults, mailto=alert-sudo,
> !mail_always, ignore_dot, timestamp_timeout=5,
> listpw=always, !lecture_file, passprompt="Authenticate with %u's
> password: ", always_set_home, !env_reset,
> umask_override, !root_sudo, !tty_tickets, fqdn, listpw=always,
> env_delete+=USER_ITOOLS, env_delete+=PROJECT_ITOOLS,
> env_delete+=KRB5CCNAME, env_delete+=XAUTHORITY, lecture=always,
> lecture_file=/nfs/site/gen/adm/ec_global/sudo.lecture,
> passprompt="Authenticate with %u's password: ", always_set_home,
> !env_reset, umask_override, !root_sudo, !tty_tickets,
> fqdn, listpw=always, env_delete+=USER_ITOOLS,
> env_delete+=PROJECT_ITOOLS, env_delete+=KRB5CCNAME
>
> User *testuser *may run the following commands on testhost:
> (root) /usr/Corporate/bin/rootsh, /usr/Corporate/bin/rootsh2,
> /usr/Corporate/bin/rootsh1
> (root) NOPASSWD:
> /usr/Corporate/common/pkgs/vas-helper/1.0/exe/*/idchange
> (root) NOPASSWD:
> /usr/Corporate/common/pkgs/vas-helper/1.0/bin/krb-helper
> (root) /bin/cat /var/log/messages, /usr/bin/cat /var/log/messages,
> /bin/dmesg
> (kerberostest) NOPASSWD: /usr/bin/sudo /bin/date, /usr/bin/sudo -l,
> /usr/Corporate/bin/sudo /bin/date, /usr/Corporate/bin/sudo -l
> (root) NOPASSWD: /nfs/iil/gen/adm/netbatch/util/nbconfig/nbconfig
> (root) NOPASSWD: /nfs/iil/gen/adm/nbtools/bin/nblock.pl
> (root) NOPASSWD: /nfs/iil/local/common/bin/lsdir.amd
> (root) NOPASSWD: /usr/local/common/bin/lsdir.amd
> (profusr) NOPASSWD:
> /nfs/site/gen/itec/profiling/utils/profiler/profiler_post,
> /nfs/site/gen/itec/profiling/utils/profiler/benchmarking_post
> (root) NOPASSWD:
> /usr/Corporate/common/pkgs/acctusers/CURRENT/bin/acctusers
> (root) NOPASSWD: /usr/Corporate/common/pkgs/acctusers/1.1/bin/acctusers
> (root) /nfs/site/gen/adm/ec_global/customerSudo/SLES12SP2upgrader.sh
> (root) NOPASSWD:
> /nfs/site/gen/adm/emulation/Global/scripts/virt_modules/startVirt.sh,
> /p/emulation/virt_modules/startVirt.sh,
> /p/emulation/virt_modules/start_virt
> (root) NOPASSWD:
> /usr/Corporate/common/pkgs/vas-helper/1.0/bin/krb-helper
> (root) NOPASSWD:
> /usr/Corporate/common/pkgs/vas-helper/1.0/exe/*/idchange
> testhost>
>
> On Mon, Jan 23, 2023 at 5:25 PM Todd Lewis <[email protected]> wrote:
>
>> What's the output from
>>
>> sudo -l
>>
>> on that host (as per the task "Get current user on remote" message)?
>>
>> On 1/23/23 1:10 AM, saravanan jothilingam wrote:
>>
>> No luck :-(
>> I tried this use case with 2 attempts. For both the cases, the password
>> is not taken at the ansible playbook execution time. I get the below error
>> msg.
>> *Note *- In the ansible.cfg, I have set *timeout = 300. Are there any
>> extra parameters which I need to set here ?*
>>
>> *Attempt-1:*
>>
>> cat testroot.yaml
>> ---
>> - hosts: '{{ host }}'
>>   gather_facts: yes
>>   tasks:
>>     - name: Get current user on remote
>>       ansible.builtin.shell: |
>>         whoami
>>       become: true
>>       register: out
>>     - debug:
>>         msg: "{{ out }}"
>>
>>
>> vmansible01:/home/testuser/access_audit_automation_jan172023 #
>> ansible-playbook -i hosts testroot.yaml -e "host=hostname.corp.domain.com"
>> --ask-become-pass -k
>> [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the
>> controller starting with Ansible 2.12. Current
>> version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature will
>> be removed from ansible-core in version 2.12.
>> Deprecation warnings can be disabled by setting
>> deprecation_warnings=False in ansible.cfg.
>> SSH password:
>> BECOME password[defaults to SSH password]:
>>
>> PLAY [hostname.corp.domain.com]
>> ************************************************************************************************
>>
>> TASK [Gathering Facts]
>> ******************************************************************************************************
>> [WARNING]: Platform linux on host hostname.corp.domain.com
>> is using the discovered Python interpreter at /usr/bin/python, but
>> future installation of another Python interpreter could change the
>> meaning of that path. See
>> https://docs.ansible.com/ansible-core/2.11/reference_appendices/interpreter_discovery.html
>> for more information.
>> ok: [hostname.corp.domain.com]
>>
>> TASK [Get current user on remote]
>> *******************************************************************************************
>> fatal: [hostname.corp.domain.com]:
>> FAILED! => {"changed": false, "module_stderr": "Shared connection to
>> hostname.corp.domain.com
>> closed.\r\n", "module_stdout": "Subject to Corp's Global Employee and
>> Global Contingent Worker Privacy Notices\r\n(see
>> https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html
>> )\r\nall system access and delegated/privileged activity on the Corp
>> network\r\nmay be logged for auditing and security purposes, including your
>> username \r\nand commands used. Log records may be retained for up to 1
>> year.\r\n\r\nWe trust you have received the usual lecture from the local
>> System\r\nAdministrator. It usually boils down to these three
>> things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think
>> before you type.\r\n #3) With great power comes great
>> responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of
>> authorized commands.\r\n\r\n\r\n", "msg": "MODULE FAILURE\nSee
>> stdout/stderr for the exact error", "rc": 1}
>>
>> PLAY RECAP
>> ******************************************************************************************************************
>> hostname.corp.domain.com
>> : ok=1 changed=0 unreachable=0 failed=1 skipped=0
>> rescued=0 ignored=0
>>
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> *Attempt-2:*
>>
>> ---
>> - hosts: '{{ host }}'
>>   gather_facts: yes
>>   tasks:
>>     - name: Get current user on remote
>>       ansible.builtin.shell: |
>>         whoami
>>       become: true
>>       become_method: sudo
>>       become_exe: "sudo rootsh"
>>       become_flags: -i
>>       register: out
>>     - debug:
>>         msg: "{{ out }}"
>>
>>
>> ansible-playbook -i hosts testroot.yaml -e "host=hostname.corp.domain.com"
>> --ask-become-pass -k
>> [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the
>> controller starting with Ansible 2.12. Current
>> version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature will
>> be removed from ansible-core in version 2.12.
>> Deprecation warnings can be disabled by setting
>> deprecation_warnings=False in ansible.cfg.
>> SSH password:
>> BECOME password[defaults to SSH password]:
>>
>> PLAY [hostname.corp.domain.com]
>> ************************************************************************************************
>>
>> TASK [Get current user on remote]
>> *******************************************************************************************
>> fatal: [hostname.corp.domain.com]:
>> FAILED! => {"changed": false, "module_stderr": "Shared connection to
>> hostname.corp.domain.com
>> closed.\r\n", "module_stdout": "Subject to Corp's Global Employee and
>> Global Contingent Worker Privacy Notices\r\n(see
>> https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html
>> )\r\nall system access and delegated/privileged activity on the Corp
>> network\r\nmay be logged for auditing and security purposes, including your
>> username \r\nand commands used. Log records may be retained for up to 1
>> year.\r\n\r\nWe trust you have received the usual lecture from the local
>> System\r\nAdministrator. It usually boils down to these three
>> things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think
>> before you type.\r\n #3) With great power comes great
>> responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of
>> authorized commands.\r\n\r\nAuthenticate with testuser's password:
>> \r\nsudo: timed out reading password\r\n", "msg": "MODULE FAILURE\nSee
>> stdout/stderr for the exact error", "rc": 1}
>>
>> PLAY RECAP
>> ******************************************************************************************************************
>> hostname.corp.domain.com
>> : ok=0 changed=0 unreachable=0 failed=1 skipped=0
>> rescued=0 ignored=0
>>
>>
>> On Fri, Jan 20, 2023 at 7:17 PM 'Rowe, Walter P. (Fed)' via Ansible
>> Project <[email protected]> wrote:
>>
>>> Try leaving off become_exe. If you can run sudo rootsh then your task
>>> can use sudo. When you run sudo rootsh at a command prompt does it ask for
>>> your password? If so, the ansible task also will have to respond to a
>>> password prompt. That is causing your timeout.
>>>
>>> Walter
>>> --
>>> Walter Rowe, Division Chief
>>> Infrastructure Services, OISM
>>> Mobile: 202.355.4123
>>>
>>> On Jan 20, 2023, at 8:31 AM, saravanan jothilingam <
>>> [email protected]> wrote:
>>>
>>>
>>> Thanks for your input. In the remote machine, I don't have any permission
>>> to edit any files under /etc. In this case, how to achieve the remote node
>>> execution using 'sudo rootsh' cmd.
>>>
>>> On Fri, Jan 20, 2023 at 6:33 PM 'Rowe, Walter P. (Fed)' via Ansible
>>> Project <[email protected]> wrote:
>>>
>>>> In ansible if you have become: true on a task, that task will run with
>>>> elevated privileges. On Linux the default is to try sudo. You don't need to
>>>> specify become_exe. Any command given to your shell task will run in a root
>>>> privileged shell. The user ID you run the playbook as must have login
>>>> access to the remote system and sudo privilege on the remote system via
>>>> /etc/sudoers or a file in /etc/sudoers.d.
>>>>
>>>> In our environment we have some common files we populate in
>>>> /etc/sudoers.d based on server function. For example, all servers we manage
>>>> have a server mgmt id we use for remote mgmt and a special group for our
>>>> own user IDs when we remote into those machines. We place a file in
>>>> /etc/sudoers.d that grants our mgmt ID and mgmt group the rights we need.
>>>> For all database servers our DBA group requires some privileges so we add
>>>> an /etc/sudoers.d/dba file that controls their privileged access for
>>>> members of the DBA group members.
>>>>
>>>> In your testroot.yaml file you can remove the become_exe line.
>>>>
>>>> *testroot.yaml*
>>>> ---
>>>> - hosts: '{{ host }}'
>>>>   gather_facts: yes
>>>>   tasks:
>>>>     - name: Get current user on remote
>>>>       ansible.builtin.shell: |
>>>>         whoami
>>>>       become: true
>>>>       register: out
>>>>     - debug:
>>>>         msg: "{{ out }}"
>>>>
>>>> Next you need to make sure your user ID that makes the connection to
>>>> the remote machine has sudo access that does not require a password. I
>>>> imagine your sudo command was waiting on a response to a password prompt
>>>> that was never going to be answered.
>>>>
>>>> Walter
>>>> --
>>>> Walter Rowe, Division Chief
>>>> Infrastructure Services, OISM
>>>> Mobile: 202.355.4123
>>>>
>>>> On Jan 20, 2023, at 1:40 AM, saravanan jothilingam <
>>>> [email protected]> wrote:
>>>>
>>>> Any update on this?
>>>>
>>>> On Thu, Jan 19, 2023 at 8:05 PM saravanan jothilingam <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi,
>>>>> I am a novice to ansible and am practising to get more hands-on. I am
>>>>> trying one usecase where I need to connect to a remote SLES12 linux server
>>>>> using my id and then switch to root user and execute some tasks. While
>>>>> switching over to root user (*cmd: *sudo rootsh), it prompts for a
>>>>> root password. When I run this usecase using ansible playbook, it gives the
>>>>> below error.
>>>>>
>>>>> Could you please let me know what would be correct/valid directives
>>>>> (become_*) that I need to use to run the cmd using root user. Appreciate
>>>>> your help.
>>>>>
>>>>> I wrote this playbook
>>>>>
>>>>>
>>>>> *testroot.yaml*
>>>>> ---
>>>>> - hosts: '{{ host }}'
>>>>>   gather_facts: yes
>>>>>   tasks:
>>>>>     - name: Get current user on remote
>>>>>       ansible.builtin.shell: |
>>>>>         whoami
>>>>>       become: true
>>>>>       become_exe: "sudo rootsh"
>>>>>       register: out
>>>>>     - debug:
>>>>>         msg: "{{ out }}"
>>>>>
>>>>>
>>>>> *ansible-playbook -i hosts testroot.yaml -e "host=host.iil.corp.com"
>>>>> --ask-become-pass -k*
>>>>> [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the
>>>>> controller starting with Ansible 2.12. Current version: 3.6.15 (default,
>>>>> Sep 15 2021, 14:20:42) [GCC]. This feature will be removed
>>>>> from ansible-core in version 2.12. Deprecation warnings can be
>>>>> disabled by setting deprecation_warnings=False in ansible.cfg.
>>>>>
>>>>> *SSH password: BECOME password[defaults to SSH password]:*
>>>>>
>>>>> PLAY [host.iil.corp.com]
>>>>> ********************************************************************************************************************************************************************************
>>>>>
>>>>> TASK [Get current user on remote]
>>>>> ***************************************************************************************************************************************************************************
>>>>> fatal: [host.iil.corp.com]:
>>>>> FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt:
>>>>> Subject to Company's Global Employee and Global Contingent Worker Privacy
>>>>> Notices\r\n(see
>>>>> https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html
>>>>> )\r\nall system access and delegated/privileged activity on the corp
>>>>> network\r\nmay be logged for auditing and security purposes, including your
>>>>> username \r\nand commands used. Log records may be retained for up to 1
>>>>> year.\r\n\r\nWe trust you have received the usual lecture from the local
>>>>> System\r\nAdministrator. It usually boils down to these three
>>>>> things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think
>>>>> before you type.\r\n #3) With great power comes great
>>>>> responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of
>>>>> authorized commands.\r\n\r\n"}
>>>>>
>>>>> PLAY RECAP
>>>>> **************************************************************************************************************************************************************************************************
>>>>> host.iil.corp.com
>>>>> : ok=0 changed=0 unreachable=0 failed=1 skipped=0
>>>>> rescued=0 ignored=0
>>>>>
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Ansible Project" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/ansible-project/CAE7H9qq05ZQ1YcytQQSQmTo_fn0Wo8UAN97WL5iNKtfVSo-uuQ%40mail.gmail.com
>>>> .
>> --
>> Todd
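
The `sudo -l` listing quoted in this thread can be checked mechanically. The following is an added example, not code from the thread or from the Ansible project: it parses an abridged, re-wrapped copy of that listing (constructed sample input) and reports whether a command line is covered by a `NOPASSWD` rule, by a rule that asks for a password, or by no rule at all. The function names are hypothetical, and the `/bin/sh -c` command line stands in for how a `become: true` task is run, which is an assumption about Ansible's default sudo become.

```python
import fnmatch
import re

# Abridged from the `sudo -l` listing quoted in the thread and re-wrapped the
# way sudo prints long entries (constructed sample input).
SUDO_L = """\
Matching Defaults entries for testuser on testhost:
    syslog=local3, !targetpw, timestamp_timeout=5, listpw=always

User testuser may run the following commands on testhost:
    (root) /usr/Corporate/bin/rootsh, /usr/Corporate/bin/rootsh2,
        /usr/Corporate/bin/rootsh1
    (root) NOPASSWD:
        /usr/Corporate/common/pkgs/vas-helper/1.0/exe/*/idchange
    (root) /bin/cat /var/log/messages, /usr/bin/cat /var/log/messages,
        /bin/dmesg
    (kerberostest) NOPASSWD: /usr/bin/sudo /bin/date, /usr/bin/sudo -l
    (root) NOPASSWD: /nfs/iil/local/common/bin/lsdir.amd
"""

ENTRY = re.compile(r"^\(([^)]*)\)\s*(.*)$")   # "(runas) rest of entry"
TAG = re.compile(r"^([A-Z_]+):\s*")           # "NOPASSWD: ", "SETENV: ", ...


def parse_sudo_l(text):
    """Return rules as dicts {runas, nopasswd, path, args} in listing order."""
    entries, in_commands = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_commands = True
        elif in_commands and line.startswith("("):
            entries.append(line)
        elif in_commands and line and entries:
            entries[-1] += " " + line  # continuation of a wrapped entry
    rules = []
    for entry in entries:
        match = ENTRY.match(entry)
        if not match:
            continue
        runas_spec, rest = match.groups()
        runas = [u.strip() for u in runas_spec.split(":")[0].split(",")]
        nopasswd = False  # a tag carries over to later commands in the entry
        for spec in re.split(r"(?<!\\),\s*", rest):
            spec = spec.strip()
            tag = TAG.match(spec)
            while tag:
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                spec = spec[tag.end():]
                tag = TAG.match(spec)
            if spec:
                path, _, args = spec.partition(" ")
                rules.append({"runas": runas, "nopasswd": nopasswd,
                              "path": path, "args": args.strip()})
    return rules


def _path_matches(pattern, path):
    # Wildcards in a sudoers command path do not match "/", so compare the
    # path one component at a time.
    pat_parts, parts = pattern.split("/"), path.split("/")
    return len(pat_parts) == len(parts) and all(
        fnmatch.fnmatchcase(name, pat) for pat, name in zip(pat_parts, parts))


def _rule_matches(rule, runas, argv):
    if runas not in rule["runas"] and "ALL" not in rule["runas"]:
        return False
    if rule["path"] == "ALL":
        return True
    if not _path_matches(rule["path"], argv[0]):
        return False
    if rule["args"] == "":
        return True                # rule lists no arguments: any are allowed
    if rule["args"] == '""':
        return len(argv) == 1      # rule lists "": no arguments allowed
    return fnmatch.fnmatchcase(" ".join(argv[1:]), rule["args"])


def check(rules, runas, argv):
    """Classify argv as 'nopasswd', 'password' or 'not listed'."""
    verdict = "not listed"
    for rule in rules:             # sudoers semantics: the last match wins
        if _rule_matches(rule, runas, argv):
            verdict = "nopasswd" if rule["nopasswd"] else "password"
    return verdict


if __name__ == "__main__":
    rules = parse_sudo_l(SUDO_L)
    for runas, argv in [
        ("root", ["/bin/sh", "-c", "whoami"]),   # assumed shape of a become task
        ("root", ["/usr/Corporate/bin/rootsh"]),
        ("root", ["/bin/cat", "/var/log/messages"]),
        ("root", ["/nfs/iil/local/common/bin/lsdir.amd"]),
    ]:
        print(f"{runas:>6}  {' '.join(argv):<45} {check(rules, runas, argv)}")
```
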
