Something feels not quite right with that answer. You only got the "Timeout (12s) waiting for privilege escalation prompt" timeout when you used *become_exe: "sudo rootsh"*, which of course will never work because there is no executable named "*sudo rootsh*". The other times, you were just disconnected. I believe this wasn't because it expected no-password sudo to work, but rather because *testuser* has only a limited set of commands it's allowed to run under sudo. These were listed in the output of "*sudo -l*" previously.
One thing you might try is setting "*become_flags: rootsh*". I know it's not really a flag, but we're trying to get sudo to run rootsh — I'm guessing, based on what you showed us already. I don't really expect it to work, but its failure may provide more information. More generally, to do Ansible right, your connecting user needs sudo capability to run any command, regardless of whether a sudo password is required. There are four distinct issues that must be considered: connection, privilege escalation, authorization, and execution. Any of those *may* have distinct authentication components. It can be difficult to discern which one is thwarting success. On Monday, January 23, 2023 at 8:35:20 AM UTC-5 [email protected] wrote: > Yes Walter, you are right. I am passing the root password ( > *--ask-become-pass* ) as part of the ansible playbook execution cmd. > Here my ssh user pwd and root pwd are the same. > > *ansible-playbook -i hosts testroot.yaml -e "host=host.iil.corp.com > <http://host.iil.corp.com/>" --ask-become-pass -k* > [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the > controller starting with Ansible 2.12. Current version: 3.6.15 (default, > Sep 15 2021, 14:20:42) [GCC]. This feature will be removed > from ansible-core in version 2.12. Deprecation warnings can be disabled by > setting deprecation_warnings=False in ansible.cfg. > > *SSH password:BECOME password[defaults to SSH password]:* > On Mon, Jan 23, 2023 at 6:52 PM 'Rowe, Walter P. (Fed)' via Ansible > Project <[email protected]> wrote: > >> Authenticate with *testuser's* password: >> >> >> THIS .. you had to authenticate .. the ansible playbook is also "waiting >> to authenticate" the sudo for testuser (become: true). >> >> That is timing out because it expects to have sudo rights without >> requiring a password. >> >> Walter >> -- >> Walter Rowe, Division Chief >> Infrastructure Services, OISM >> Mobile: 202.355.4123 <(202)%20355-4123> >> >> On Jan 23, 2023, at 7:20 AM, saravanan jothilingam <[email protected]> >> wrote: >> >> Hi, >> I get this output when I run 'sudo -l'. I used ansible_user=testuser in >> the * host inventory file* to connect to the remote server. >> >> testhost> *sudo -l* >> Subject to Corporate's Global Employee and Global Contingent Worker >> Privacy Notices >> (see >> https://employeecontent.Corporate.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html >> >> <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Femployeecontent.corporate.com%2Fcontent%2Fcorp%2FGlobal_Employee_and_Global_Contingent_Worker_Privacy.html&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3%2Fgp3Q6JZXTeXFLr340VW9amNA71cez2wfsWn%2Bd94rQ%3D&reserved=0> >> >> ) >> all system access and delegated/privileged activity on the Corporate >> network >> may be logged for auditing and security purposes, including your username >> and commands used. Log records may be retained for up to 1 year. >> >> We trust you have received the usual lecture from the local System >> Administrator. It usually boils down to these three things: >> >> #1) Respect the privacy of others. >> #2) Think before you type. >> #3) With great power comes great responsibility. >> >> Remember you may use 'sudo -l' to review a list of authorized commands. >> >> Authenticate with *testuser's* password: >> Matching Defaults entries for *testuser *on testhost: >> syslog=local3, !set_home, !targetpw, !insults, mailto=alert-sudo, >> !mail_always, ignore_dot, timestamp_timeout=5, >> listpw=always, !lecture_file, passprompt="Authenticate with %u's >> password: ", always_set_home, !env_reset, >> umask_override, !root_sudo, !tty_tickets, fqdn, listpw=always, >> env_delete+=USER_ITOOLS, env_delete+=PROJECT_ITOOLS, >> env_delete+=KRB5CCNAME, env_delete+=XAUTHORITY, lecture=always, >> lecture_file=/nfs/site/gen/adm/ec_global/sudo.lecture, >> passprompt="Authenticate with %u's password: ", always_set_home, >> !env_reset, umask_override, !root_sudo, !tty_tickets, >> fqdn, listpw=always, env_delete+=USER_ITOOLS, >> env_delete+=PROJECT_ITOOLS, env_delete+=KRB5CCNAME >> >> User *testuser *may run the following commands on testhost: >> (root) /usr/Corporate/bin/rootsh, /usr/Corporate/bin/rootsh2, >> /usr/Corporate/bin/rootsh1 >> (root) NOPASSWD: >> /usr/Corporate/common/pkgs/vas-helper/1.0/exe/*/idchange >> (root) NOPASSWD: >> /usr/Corporate/common/pkgs/vas-helper/1.0/bin/krb-helper >> (root) /bin/cat /var/log/messages, /usr/bin/cat /var/log/messages, >> /bin/dmesg >> (kerberostest) NOPASSWD: /usr/bin/sudo /bin/date, /usr/bin/sudo -l, >> /usr/Corporate/bin/sudo /bin/date, /usr/Corporate/bin/sudo -l >> (root) NOPASSWD: /nfs/iil/gen/adm/netbatch/util/nbconfig/nbconfig >> (root) NOPASSWD: /nfs/iil/gen/adm/nbtools/bin/nblock.pl >> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fnblock.pl%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2B%2BkHUc82PzFnmGcYW1AWu4Ii6IRiVxdrHlG2yNoGg2A%3D&reserved=0> >> (root) NOPASSWD: /nfs/iil/local/common/bin/lsdir.amd >> (root) NOPASSWD: /usr/local/common/bin/lsdir.amd >> (profusr) NOPASSWD: >> /nfs/site/gen/itec/profiling/utils/profiler/profiler_post, >> /nfs/site/gen/itec/profiling/utils/profiler/benchmarking_post >> (root) NOPASSWD: >> /usr/Corporate/common/pkgs/acctusers/CURRENT/bin/acctusers >> (root) NOPASSWD: >> /usr/Corporate/common/pkgs/acctusers/1.1/bin/acctusers >> (root) /nfs/site/gen/adm/ec_global/customerSudo/SLES12SP2upgrader.sh >> (root) NOPASSWD: >> /nfs/site/gen/adm/emulation/Global/scripts/virt_modules/startVirt.sh, >> /p/emulation/virt_modules/startVirt.sh, >> /p/emulation/virt_modules/start_virt >> (root) NOPASSWD: >> /usr/Corporate/common/pkgs/vas-helper/1.0/bin/krb-helper >> (root) NOPASSWD: >> /usr/Corporate/common/pkgs/vas-helper/1.0/exe/*/idchange >> testhost> >> >> >> >> >> >> On Mon, Jan 23, 2023 at 5:25 PM Todd Lewis <[email protected]> wrote: >> >>> What's the output from >>> >>> sudo -l >>> >>> on that host (as per the task "Get current user on remote" message)? >>> >>> On 1/23/23 1:10 AM, saravanan jothilingam wrote: >>> >>> No luck :-( >>> I tried this use case with 2 attempts. For both the cases, the password >>> is not taken at the ansible playbook execution time. i get the below error >>> msg. >>> *Note *- In the ansible.cfg, i have set *timeout = 300. Are there any >>> extra parameters which I need to set here ?* >>> >>> *Attempt-1:* >>> >>> cat testroot.yaml >>> --- >>> - hosts: '{{ host }}' >>> gather_facts: yes >>> tasks: >>> - name: Get current user on remote >>> ansible.builtin.shell: | >>> whoami >>> become: true >>> register: out >>> - debug: >>> msg: "{{ out }}" >>> >>> >>> >>> vmansible01:/home/testuser/access_audit_automation_jan172023 # >>> ansible-playbook -i hosts testroot.yaml -e "host= >>> hostname.corp.domain.com >>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=k%2BsOegsjI%2FkXvTazFfnkUpn5paozekqipPjqcAaRB9Y%3D&reserved=0>" >>> >>> --ask-become-pass -k >>> [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the >>> controller starting with Ansible 2.12. Current >>> version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature >>> will be removed from ansible-core in version 2.12. >>> Deprecation warnings can be disabled by setting >>> deprecation_warnings=False in ansible.cfg. >>> SSH password: >>> BECOME password[defaults to SSH password]: >>> >>> PLAY [hostname.corp.domain.com >>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=k%2BsOegsjI%2FkXvTazFfnkUpn5paozekqipPjqcAaRB9Y%3D&reserved=0>] >>> >>> ************************************************************************************************ >>> >>> TASK [Gathering Facts] >>> ****************************************************************************************************** >>> [WARNING]: Platform linux on host hostname.corp.domain.com >>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=k%2BsOegsjI%2FkXvTazFfnkUpn5paozekqipPjqcAaRB9Y%3D&reserved=0> >>> >>> is using the discovered Python interpreter at /usr/bin/python, but >>> future installation of another Python interpreter could change the >>> meaning of that path. See >>> >>> https://docs.ansible.com/ansible-core/2.11/reference_appendices/interpreter_discovery.html >>> >>> <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.ansible.com%2Fansible-core%2F2.11%2Freference_appendices%2Finterpreter_discovery.html&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Vson5jDECDsxc4gh9q7GSl2LtEsgP02QoVmqpVhJOJU%3D&reserved=0> >>> >>> for more information. >>> ok: [hostname.corp.domain.com >>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=k%2BsOegsjI%2FkXvTazFfnkUpn5paozekqipPjqcAaRB9Y%3D&reserved=0> >>> ] >>> >>> TASK [Get current user on remote] >>> ******************************************************************************************* >>> fatal: [hostname.corp.domain.com >>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=k%2BsOegsjI%2FkXvTazFfnkUpn5paozekqipPjqcAaRB9Y%3D&reserved=0>]: >>> >>> FAILED! => {"changed": false, "module_stderr": "Shared connection to >>> hostname.corp.domain.com >>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=k%2BsOegsjI%2FkXvTazFfnkUpn5paozekqipPjqcAaRB9Y%3D&reserved=0> >>> >>> closed.\r\n", "module_stdout": "Subject to Corp's Global Employee and >>> Global Contingent Worker Privacy Notices\r\n(see >>> https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html >>> >>> <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Femployeecontent.corp.com%2Fcontent%2Fcorp%2FGlobal_Employee_and_Global_Contingent_Worker_Privacy.html&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=CgErwXeSjtdmv061qw32NZWg7DxZn9gQhoAbEqBaGos%3D&reserved=0> >>> >>> )\r\nall system access and delegated/privileged activity on the Corp >>> network\r\nmay be logged for auditing and security purposes, including your >>> username \r\nand commands used. Log records may be retained for up to 1 >>> year.\r\n\r\nWe trust you have received the usual lecture from the local >>> System\r\nAdministrator. It usually boils down to these three >>> things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think >>> before you type.\r\n #3) With great power comes great >>> responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of >>> authorized commands.\r\n\r\n\r\n", "msg": "MODULE FAILURE\nSee >>> stdout/stderr for the exact error", "rc": 1} >>> >>> PLAY RECAP >>> ****************************************************************************************************************** >>> hostname.corp.domain.com >>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=k%2BsOegsjI%2FkXvTazFfnkUpn5paozekqipPjqcAaRB9Y%3D&reserved=0> >>> >>> : ok=1 changed=0 unreachable=0 failed=1 skipped=0 >>> rescued=0 ignored=0 >>> >>> >>> >>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>> >>> *Attempt-2:* >>> >>> --- >>> - hosts: '{{ host }}' >>> gather_facts: yes >>> tasks: >>> - name: Get current user on remote >>> ansible.builtin.shell: | >>> whoami >>> become: true >>> become_method: sudo >>> become_exe: "sudo rootsh" >>> become_flags: -i >>> register: out >>> - debug: >>> msg: "{{ out }}" >>> >>> >>> ansible-playbook -i hosts testroot.yaml -e "host= >>> hostname.corp.domain.com >>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=k%2BsOegsjI%2FkXvTazFfnkUpn5paozekqipPjqcAaRB9Y%3D&reserved=0>" >>> >>> --ask-become-pass -k >>> [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the >>> controller starting with Ansible 2.12. Current >>> version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature >>> will be removed from ansible-core in version 2.12. >>> Deprecation warnings can be disabled by setting >>> deprecation_warnings=False in ansible.cfg. >>> SSH password: >>> BECOME password[defaults to SSH password]: >>> >>> PLAY [hostname.corp.domain.com >>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=k%2BsOegsjI%2FkXvTazFfnkUpn5paozekqipPjqcAaRB9Y%3D&reserved=0>] >>> >>> ************************************************************************************************ >>> >>> TASK [Get current user on remote] >>> ******************************************************************************************* >>> fatal: [hostname.corp.domain.com >>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=k%2BsOegsjI%2FkXvTazFfnkUpn5paozekqipPjqcAaRB9Y%3D&reserved=0>]: >>> >>> FAILED! => {"changed": false, "module_stderr": "Shared connection to >>> hostname.corp.domain.com >>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=k%2BsOegsjI%2FkXvTazFfnkUpn5paozekqipPjqcAaRB9Y%3D&reserved=0> >>> >>> closed.\r\n", "module_stdout": "Subject to Corp's Global Employee and >>> Global Contingent Worker Privacy Notices\r\n(see >>> https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html >>> >>> <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Femployeecontent.corp.com%2Fcontent%2Fcorp%2FGlobal_Employee_and_Global_Contingent_Worker_Privacy.html&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776461616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=CgErwXeSjtdmv061qw32NZWg7DxZn9gQhoAbEqBaGos%3D&reserved=0> >>> >>> )\r\nall system access and delegated/privileged activity on the Corp >>> network\r\nmay be logged for auditing and security purposes, including your >>> username \r\nand commands used. Log records may be retained for up to 1 >>> year.\r\n\r\nWe trust you have received the usual lecture from the local >>> System\r\nAdministrator. It usually boils down to these three >>> things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think >>> before you type.\r\n #3) With great power comes great >>> responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of >>> authorized commands.\r\n\r\nAuthenticate with testuser's password: >>> \r\nsudo: timed out reading password\r\n", "msg": "MODULE FAILURE\nSee >>> stdout/stderr for the exact error", "rc": 1} >>> >>> PLAY RECAP >>> ****************************************************************************************************************** >>> hostname.corp.domain.com >>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhostname.corp.domain.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776617783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=xUXxkclz%2Fdrr5Yizl%2FHreg3QDfU7l%2FdhRh0Pld8%2BClY%3D&reserved=0> >>> >>> : ok=0 changed=0 unreachable=0 failed=1 skipped=0 >>> rescued=0 ignored=0 >>> >>> >>> >>> On Fri, Jan 20, 2023 at 7:17 PM 'Rowe, Walter P. (Fed)' via Ansible >>> Project <[email protected]> wrote: >>> >>>> Try leaving off become_exe. If you can run sudo rootsh then your task >>>> can use sudo. When you run sudo rootsh at a command prompt does it ask for >>>> your password? If so, the ansible task also will have to respond to a >>>> password prompt. That is causing your timeout. >>>> >>>> Walter >>>> -- >>>> Walter Rowe, Division Chief >>>> Infrastructure Services, OISM >>>> Mobile: 202.355.4123 <(202)%20355-4123> >>>> >>>> On Jan 20, 2023, at 8:31 AM, saravanan jothilingam < >>>> [email protected]> wrote: >>>> >>>> >>>> Thanks for your input. In the remote machine, i dont have any >>>> permission to edit any files under /etc. In this case, how to achieve >>>> the remote node execution using 'sudo rootsh' cmd. >>>> >>>> On Fri, Jan 20, 2023 at 6:33 PM 'Rowe, Walter P. (Fed)' via Ansible >>>> Project <[email protected]> wrote: >>>> >>>>> In ansible if you have become: true on a task, that task will run with >>>>> elevated privileges. On Linux the default is to try sudo. You don't need >>>>> to >>>>> specify become_exe. Any command given to your shell task will run in a >>>>> root >>>>> privileged shell. The user ID you run the playbook as must have login >>>>> access to the remote system and sudo privilege on the remote system via >>>>> /etc/sudoers or a file in /etc/sudoers.d. >>>>> >>>>> In our environment we have some common files we populate in >>>>> /etc/sudoers.d based on server function. For example, all servers we >>>>> manage >>>>> have a server mgmt id we use for remote mgmt and a special group for our >>>>> own user IDs when we remote into those machines. We place a file in >>>>> /etc/sudoers.d that grants our mgmt ID and mgmt group the rights we need. >>>>> For all database servers our DBA group requires some privileges so we add >>>>> an /etc/sudoers.d/dba file that controls their privileged access for >>>>> members of the DBA group members. >>>>> >>>>> In your testroot.yaml file you can remove the become_exe line. >>>>> >>>>> *testroot.yaml* >>>>> --- >>>>> - hosts: '{{ host }}' >>>>> gather_facts: yes >>>>> tasks: >>>>> - name: Get current user on remote >>>>> ansible.builtin.shell: | >>>>> whoami >>>>> become: true >>>>> register: out >>>>> - debug: >>>>> msg: "{{ out }}" >>>>> >>>>> Next you need to make sure your user ID that makes the connection to >>>>> the remote machine has sudo access that does not require a password. I >>>>> imagine your sudo command was waiting on a response to a password prompt >>>>> that was never going to be answered. >>>>> >>>>> Walter >>>>> -- >>>>> Walter Rowe, Division Chief >>>>> Infrastructure Services, OISM >>>>> Mobile: 202.355.4123 <(202)%20355-4123> >>>>> >>>>> On Jan 20, 2023, at 1:40 AM, saravanan jothilingam < >>>>> [email protected]> wrote: >>>>> >>>>> Any update on this? >>>>> >>>>> On Thu, Jan 19, 2023 at 8:05 PM saravanan jothilingam < >>>>> [email protected]> wrote: >>>>> >>>>>> Hi, >>>>>> I am a novice to ansible and am practising to get more hands-on. I am >>>>>> trying one usecase where I need to connect to a remote SLES12 linux >>>>>> server >>>>>> using my id and then switch to root user and execute some tasks. While >>>>>> switching over to root user (*cmd: *sudo rootsh), it prompts for a >>>>>> root password. When I run this usecase using ansible playbook, it gives >>>>>> the >>>>>> below error. >>>>>> >>>>>> Could you please let me know what would be correct/valid directives >>>>>> (become_*) that I need to use to run the cmd using root user. Appreciate >>>>>> your help. >>>>>> >>>>>> I wrote this playboo >>>>>> >>>>>> >>>>>> *testroot.yaml* >>>>>> --- >>>>>> - hosts: '{{ host }}' >>>>>> gather_facts: yes >>>>>> tasks: >>>>>> - name: Get current user on remote >>>>>> ansible.builtin.shell: | >>>>>> whoami >>>>>> become: true >>>>>> become_exe: "sudo rootsh" >>>>>> register: out >>>>>> - debug: >>>>>> msg: "{{ out }}" >>>>>> >>>>>> >>>>>> *ansible-playbook -i hosts testroot.yaml -e "host=host.iil.corp.com >>>>>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhost.iil.corp.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776617783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=CSSrvENPJ9PkfbgDEMmtgygo1eKEeV9IG20kui8QcF4%3D&reserved=0>" >>>>>> >>>>>> --ask-become-pass -k* >>>>>> [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on >>>>>> the controller starting with Ansible 2.12. Current version: 3.6.15 >>>>>> (default, Sep 15 2021, 14:20:42) [GCC]. This feature will be removed >>>>>> from ansible-core in version 2.12. Deprecation warnings can be >>>>>> disabled by setting deprecation_warnings=False in ansible.cfg. >>>>>> >>>>>> *SSH password: BECOME password[defaults to SSH password]:* >>>>>> >>>>>> PLAY [host.iil.corp.com >>>>>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhost.iil.corp.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776617783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=CSSrvENPJ9PkfbgDEMmtgygo1eKEeV9IG20kui8QcF4%3D&reserved=0>] >>>>>> >>>>>> ******************************************************************************************************************************************************************************** >>>>>> >>>>>> TASK [Get current user on remote] >>>>>> *************************************************************************************************************************************************************************** >>>>>> fatal: [host.iil.corp.com >>>>>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhost.iil.corp.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776617783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=CSSrvENPJ9PkfbgDEMmtgygo1eKEeV9IG20kui8QcF4%3D&reserved=0>]: >>>>>> >>>>>> FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation >>>>>> prompt: >>>>>> Subject to Company's Global Employee and Global Contingent Worker >>>>>> Privacy >>>>>> Notices\r\n(see >>>>>> https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html >>>>>> >>>>>> <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Femployeecontent.corp.com%2Fcontent%2Fcorp%2FGlobal_Employee_and_Global_Contingent_Worker_Privacy.html&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776617783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2FwpoqDSnFcvPz3YGxU325XHCh10Jj%2FAw%2FVU8F3Z8xtg%3D&reserved=0> >>>>>> >>>>>> )\r\nall system access and delegated/privileged activity on the corp >>>>>> network\r\nmay be logged for auditing and security purposes, including >>>>>> your >>>>>> username \r\nand commands used. Log records may be retained for up to >>>>>> 1 >>>>>> year.\r\n\r\nWe trust you have received the usual lecture from the local >>>>>> System\r\nAdministrator. It usually boils down to these three >>>>>> things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think >>>>>> before you type.\r\n #3) With great power comes great >>>>>> responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list >>>>>> of >>>>>> authorized commands.\r\n\r\n"} >>>>>> >>>>>> PLAY RECAP >>>>>> ************************************************************************************************************************************************************************************************** >>>>>> host.iil.corp.com >>>>>> <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fhost.iil.corp.com%2F&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776617783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=CSSrvENPJ9PkfbgDEMmtgygo1eKEeV9IG20kui8QcF4%3D&reserved=0> >>>>>> >>>>>> : ok=0 changed=0 unreachable=0 failed=1 skipped=0 >>>>>> rescued=0 ignored=0 >>>>>> >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "Ansible Project" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/d/msgid/ansible-project/CAE7H9qq05ZQ1YcytQQSQmTo_fn0Wo8UAN97WL5iNKtfVSo-uuQ%40mail.gmail.com >>>>> >>>>> <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2FCAE7H9qq05ZQ1YcytQQSQmTo_fn0Wo8UAN97WL5iNKtfVSo-uuQ%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776617783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=SxoJ%2BRJMjZihfIKMXghBSJVJJB4DEqM7V%2FU%2BTHU9XZI%3D&reserved=0> >>>>> . >>>>> >>>>> >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "Ansible Project" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/d/msgid/ansible-project/2F9FE7FD-B3CD-4E16-8CCD-44A6298F5825%40nist.gov >>>>> >>>>> <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2F2F9FE7FD-B3CD-4E16-8CCD-44A6298F5825%2540nist.gov%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776617783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=F37EFp4WVYdcQEl1tEbuItgZsxLL0j88tUFC1PGzuLs%3D&reserved=0> >>>>> . >>>>> >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Ansible Project" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/d/msgid/ansible-project/CAE7H9qry8T6%2Bc3TE%3D8KiyU6E7Ooh1wAKgGzLztq3EGzsKijDKg%40mail.gmail.com >>>> >>>> <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2FCAE7H9qry8T6%252Bc3TE%253D8KiyU6E7Ooh1wAKgGzLztq3EGzsKijDKg%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776617783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2BZga7AUnfQAsxT0xKSwMGp5qC3KCv0wixMzp9o4FR1g%3D&reserved=0> >>>> . >>>> >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Ansible Project" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/d/msgid/ansible-project/B0AE6100-8F2D-43C7-A857-144EE740C535%40nist.gov >>>> >>>> <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2FB0AE6100-8F2D-43C7-A857-144EE740C535%2540nist.gov%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776617783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FJ46qEH0n4PIv9m7iSn7Jxv85khcc87jdM2TUP2pR8c%3D&reserved=0> >>>> . >>>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Ansible Project" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/ansible-project/CAE7H9qrQZGwNC1zEViaDkP5BX%3DcZRaZAoERTfUnyOuC3K6FJ5A%40mail.gmail.com >>> >>> <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2FCAE7H9qrQZGwNC1zEViaDkP5BX%253DcZRaZAoERTfUnyOuC3K6FJ5A%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776617783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=SsBJNpvG40Eh64b8suzXRwsQd1TmLeFX7VbzuQ%2Fzg2U%3D&reserved=0> >>> . >>> >>> >>> -- >>> Todd >>> >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Ansible Project" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/ansible-project/5dc01924-a818-f2cd-fee7-8f91c4350b37%40gmail.com >>> >>> <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2F5dc01924-a818-f2cd-fee7-8f91c4350b37%2540gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776617783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=7AYm9TAxtc5GggnLG%2B%2F6BwPb59%2FcWXJVNs%2B4sAhc1Hc%3D&reserved=0> >>> . >>> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Ansible Project" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/ansible-project/CAE7H9qqocg3-fz0t0KL6SUc%3Dgd4vhaxmTO%3DtkKLcUH9rjnrBkg%40mail.gmail.com >> >> <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2FCAE7H9qqocg3-fz0t0KL6SUc%253Dgd4vhaxmTO%253DtkKLcUH9rjnrBkg%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cwalter.rowe%40nist.gov%7C90ae18cfc9314b2d7d9208dafd3c5295%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638100732776617783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=MMVRKmrC%2B5KSR3rhRIvMPlfmayos2i3qwibyXZRy6%2FQ%3D&reserved=0> >> . >> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Ansible Project" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> > To view this discussion on the web visit >> https://groups.google.com/d/msgid/ansible-project/E252445D-0709-42AF-9E0F-4CF63959CE47%40nist.gov >> >> <https://groups.google.com/d/msgid/ansible-project/E252445D-0709-42AF-9E0F-4CF63959CE47%40nist.gov?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/7df25244-5b17-4fb4-a343-255a1c706dbbn%40googlegroups.com.
