Ansible Sudo Issue-Solaris


Bairava Surya

Oct 20, 2018, 3:47:41 AM
to Ansible Project
hi all,


I want to run a basic command on Solaris OS, i.e. whoami, using the become command. I am able to sudo to a different user using PuTTY successfully, but I am facing issues via Ansible.

OS:solaris
Sudo user:mygroup
sudo implementation: /usr/local/bin/sudo su - mygroup
Authentication:QAS(VAS)

Error:
fatal: [mahcine]: FAILED! => {"changed": false, "module_stderr": "Shared connection to machineclosed.\r\n", "module_stdout": "/bin/sh: sudo: not found\r\n", "msg": "MODULE FAILURE", "rc": 1}


Can anyone guide me on what changes I need to make in order to get output as mygroup?

Dick Visser

Oct 20, 2018, 2:07:17 PM
to ansible...@googlegroups.com
Hi
In order to help we need the actual playbook or task that generates this (erroneous) output. So please provide that.

Also, your mentioning of ‘basic command whoami using become command’ indicates that you might be using a wrong approach.
So also tell us what you’re actually trying to achieve on the target system.

Dick

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/9f15238e-91ac-4106-985a-beddc098979a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Sent from a mobile device - please excuse the brevity, spelling and punctuation.

Bairava Surya

Oct 25, 2018, 9:36:33 AM
to Ansible Project
Hi Visser,

Please find the playbook below and let me know of any changes to be made.

---
- name: Weblogic Server control
  hosts: "server IP"
  become: yes
  become_user: sudo user
  become_method: sudo
  tasks:
    - name: demo
      command: /usr/ucb/whoami
      register: cmdoutput
    - debug: msg="{{ cmdoutput.stdout }}"

Dick Visser

Oct 28, 2018, 5:16:44 PM
to ansible...@googlegroups.com
Hi Bairava

If this playbook would work, it would basically become a user, run
whoami, and the output would be the same as you told it to become.
Which is why I asked, please tell *what you are trying to achieve* on
the target system.
And by that I mean the real *end goal* - not the fact that you are
trying to figure out what user a null playbook is running at.
FYI, you're supposed to supply this information to ansible - not ask for it.
Despite the playbook not being very useful, one issue can be spotted, and
that is that you configure the become_method as 'sudo' (which is the
default btw), but the error you got indicates that there is no sudo
command on the target system. So it looks like the concept of
privilege escalation is not totally clear, you might find it helpful
to read https://docs.ansible.com/ansible/latest/user_guide/become.html.

Dick
--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT

Bairava Surya

Oct 29, 2018, 10:09:18 AM
to Ansible Project
Hi Visser

I just configured sudo_exe=/usr/local/bin/sudo su - sudousername in ansible.cfg; now I am getting a timeout error as it expects the AD account password.

The Solaris machine, which is my target machine, uses the QAS authentication service, so when we log in to the machine using PuTTY we log in in two steps, i.e. the first step is to SSH into Solaris with our username and password, and the second step is to sudo to the other user by entering the password. So in the end we enter the password twice, which is what we are trying to do in Ansible.

My end goal is to sudo to target machine.

Dick Visser

Oct 29, 2018, 11:59:12 AM
to ansible...@googlegroups.com
On Mon, 29 Oct 2018 at 15:09, Bairava Surya <surya...@gmail.com> wrote:
>
> Hi Visser
>
> I just configured sudo_exe=/usr/local/bin/sudo su - sudousername in ansible.cfg; now I am getting a timeout error as it expects the AD account password.
>
> The Solaris machine, which is my target machine, uses the QAS authentication service, so when we log in to the machine using PuTTY we log in in two steps, i.e. the first step is to SSH into Solaris with our username and password, and the second step is to sudo to the other user by entering the password. So in the end we enter the password twice, which is what we are trying to do in Ansible.
>
> My end goal is to sudo to target machine.

You keep mixing up things here.
By "end goal" I meant really a target situation, whereby something is
changed/configured.
Just "sudo to target machine" doesn't make sense.

You SSH *to* a machine. And then you run a command, or a series of
commands, etc.
This is what ansible can automate for you.
Since most commands require elevated privileges, some ways to do that
are available when you're on the machine.
For instance sudo. Which optionally requires a username to sudo to
(default root). And optionally a password.

But all of this is done to run some useful task/program.
This is what you still have not told yet.
The new thread you started has yet again a confusing and insecure
playbook to find out what username you are using.

So can you please share what you are trying to achieve?
Since this appears to not be clear, here are some examples of what
Ansible is usually used for:

* Make sure a package is installed
* Make sure a configuration file is available
* Make sure a directory/file structure exists

Thanks!


Dick

Bairava Surya

Oct 30, 2018, 4:49:23 AM
to Ansible Project
Hi Visser,

Let me explain each and every step.

With our Solaris box, we generally log in as our user by entering username and password, and then we run the sudo command to the other user by entering the password.
So here sudo expects the password at an interactive prompt; how can we achieve this using Ansible?

Bairava Surya

Oct 30, 2018, 1:15:14 PM
to Ansible Project
Adding more logs to understand the issue.

<server> ESTABLISH SSH CONNECTION FOR USER: xxxx
<server> SSH: EXEC sshpass -d12 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=xxxx -o ConnectTimeout=10 -o ControlPath=/home/vagrant/.ansible/cp/305901ab16 nj12mhf5685 '/bin/sh -c '"'"'chmod a+rx /var/tmp/ansible-tmp-1540918785.12-245644937797326/ /var/tmp/ansible-tmp-1540918785.12-245644937797326/setup.py && sleep 0'"'"''
<server> (0, '', '')
<server> ESTABLISH SSH CONNECTION FOR USER:xxxx
<server> SSH: EXEC sshpass -d12 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=surya_subramanian -o ConnectTimeout=10 -o ControlPath=/home/vagrant/.ansible/cp/305901ab16 -tt nj12mhf5685 '/bin/sh -c '"'"'/usr/local/bin/sudo su  -p "[sudo via ansible, key=mkqlqucvkvgamlynmqitnoknuevmiges] password: " -u wlsrghf /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-mkqlqucvkvgamlynmqitnoknuevmiges; /usr/bin/python /var/tmp/ansible-tmp-1540918785.12-245644937797326/setup.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
fatal: [server]: FAILED! => {
    "msg": "Timeout (12s) waiting for privilege escalation prompt: "
}
        to retry, use: --limit @/home/vagrant/ansible-mysudo-imple/ansible-Sudo/rg_repo/server_control.retry

PLAY RECAP *************************************************************************************************************


I am facing the above issue when executing using the become module. Can anyone help me with it, as I have tried multiple approaches to fix it?




Brian Coca

Oct 30, 2018, 2:05:55 PM
to ansible...@googlegroups.com
This is a problem `'/usr/local/bin/sudo su -p ` as 'su' does not take a
-p parameter for prompting, it's for 'preserve environment'. You are
mixing privilege escalation tools and that is something that is not
supported by Ansible itself.
https://docs.ansible.com/ansible/latest/user_guide/become.html




--
----------
Brian Coca
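
Added example, not part of the thread and not Ansible project code: a playbook that uses sudo as the single become method, instead of chaining `sudo su` in the become executable as described in the reply above. It assumes the host's sudoers policy lets the login user run commands as wlsrghf directly with sudo; the inventory group solaris_hosts is hypothetical.

```yaml
---
# Added example. Assumptions: sudoers on the Solaris host allows the login
# user to run commands as wlsrghf via sudo itself, and "solaris_hosts" is a
# hypothetical inventory group.
#
# What the thread shows going wrong: with the become executable set to
# "/usr/local/bin/sudo su - <user>", Ansible still appends sudo's own
# arguments, so the remote command becomes
#   /usr/local/bin/sudo su -p "[sudo via ansible, key=...] password: " -u wlsrghf ...
# su does not treat -p as a prompt option, the prompt Ansible waits for never
# appears, and the task ends in "Timeout (12s) waiting for privilege
# escalation prompt".
- name: Run a command as another user with sudo only
  hosts: solaris_hosts
  become: yes
  become_method: sudo          # one escalation tool, nothing chained after it
  become_user: wlsrghf         # handed to sudo as "-u wlsrghf"
  vars:
    # Full path to the binary only. This addresses the first error in the
    # thread ("/bin/sh: sudo: not found"), where sudo was not on the PATH
    # of the remote /bin/sh.
    ansible_become_exe: /usr/local/bin/sudo
  tasks:
    - name: Show the effective user after escalation
      command: /usr/ucb/whoami
      register: cmdoutput
      changed_when: false      # read-only check, never reports a change

    - name: Print the user name
      debug:
        msg: "{{ cmdoutput.stdout }}"
```

Running it with `ansible-playbook --ask-pass --ask-become-pass` makes Ansible prompt for the SSH and sudo passwords at run time, so neither has to be stored in the playbook or in ansible.cfg.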

cyril thankappan

Oct 30, 2018, 2:52:42 PM
to ansible...@googlegroups.com
Hi All

I am also facing similar issues with pbrun 

Trying to find more details on the workaround in 

Thanks

Cyril
