How do I pass a password as an argument?


Gilberto Valentin

Feb 29, 2016, 10:43:08 PM
to Ansible Project
I have a playbook that installs the appropriate packages for Active Directory Authentication. When it gets to the "join" portion, Ansible just sits there because the join process is asking the user for the password of the account that has access to join the system to Active Directory. How can I pass my password from vars_prompt? I have highlighted where I call the variable but I know that is the wrong place since it's going to try to pass it to my "realm join" command, which isn't supported. I only added it there to show I want to call it after the "realm join" portion is called.

Here is my playbook:

---
## This playbook installs and configures AD authentication

- name: Install and configure AD authentication
  hosts: linux
  remote_user: root

  vars_prompt:
    - name: "ad_password"
      prompt: "Enter AD Domain User Password"
      private: yes

  tasks:
    - name: install ad_auth required tools
      yum: pkg={{ item }} state=installed
      with_items:
        - realmd
        - sssd
        - oddjob-mkhomedir
        - adcli
        - samba-common-tools

    - name: discover and join domain
      shell: realm discover AD.DOMAIN.TLD && realm join AD.DOMAIN.TLD
                --computer-ou=OU=LINUX,DC=DOMAIN,DC=TLD --user=user_name {{ ad_password }}

    - name: modify /etc/sssd/sssd.conf
      template: src=/home/user_name/git/system_configs/ansible/templates/sssd.j2 dest=/etc/sssd/sssd.conf
      notify:
        - restart sssd

  handlers:
    - name: restart sssd
      service: name=sssd state=restarted

This is the error I get after running it:

[user_name@server_name playbooks]$ ansible-playbook adAuth_asRoot.yaml --user=root --ask-pass
SSH password:
Enter AD Domain User Password:

PLAY [Install and configure AD authentication] ********************************

GATHERING FACTS ***************************************************************
ok: [ansible]

TASK: [install ad_auth required tools] ****************************************
ok: [ansible] => (item=realmd,sssd,oddjob-mkhomedir,adcli,samba-common-tools)

TASK: [discover and join domain] **********************************************
failed: [ansible] => {"changed": true, "cmd": "realm discover AD.DOMAIN.TLD && realm join AD.DOMAIN.TLD --computer-ou=OU=LINUX,DC=DOMAIN,DC=TLD --user=user_name ad_password", "delta": "0:00:00.053695", "end": "2016-02-29 20:39:40.764101", "rc": 2, "start": "2016-02-29 20:39:40.710406", "warnings": []}
stderr: realm: Specify one realm to join
stdout: domain.tld
  type: kerberos
  realm-name: DOMAIN.TLD
  domain-name: domain.tld
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/home/user_name/adAuth_asRoot.yaml.retry

ansible                    : ok=2    changed=0    unreachable=0    failed=1

Is there a better way to provide passwords when certain tasks call for it?

Gilberto Valentin

Mar 1, 2016, 11:29:46 AM
to Ansible Project
I changed this a bit by removing the vars_prompt and using expect. Here is what I did:

---
## This playbook installs and configures AD authentication

- name: Install and configure AD authentication
  hosts: linux
  remote_user: root

  vars_prompt:
    - name: "ad_password"
      prompt: "Enter AD Domain User Password"
      private: yes

  tasks:
    - name: install ad_auth required tools
      yum: pkg={{ item }} state=installed
      with_items:
        - realmd
        - sssd
        - oddjob-mkhomedir
        - adcli
        - samba-common-tools
        - pexpect

    - expect:
        command: /bin/bash -c "/usr/bin/realm discover ADS.DOMAIN.TLD && realm join ADS.DOMAIN.TLD --computer-ou=OU=LINUX,DC=domain,DC=tld --user=admin_user"
        responses:
          Password for admin_user: "password123"

    - name: modify /etc/sssd/sssd.conf
      template: src=/home/user_name/git/system_configs/ansible/templates/sssd.j2 dest=/etc/sssd/sssd.conf
      notify:
        - restart sssd

  handlers:
    - name: restart sssd
      service: name=sssd state=restarted

However, I now get the following error:
[user_name@server_name playbooks]$ ansible-playbook adAuth_asRoot.yaml --user=root --ask-pass
SSH password:

PLAY [Install and configure AD authentication] *********************************

TASK [setup] *******************************************************************
ok: [ansible]

TASK [install ad_auth required tools] ******************************************
changed: [ansible] => (item=[u'realmd', u'sssd', u'oddjob-mkhomedir', u'adcli', u'samba-common-tools', u'pexpect'])

TASK [expect] ******************************************************************
fatal: [ansible]: FAILED! => {"changed": false, "failed": true, "module_stderr": "", "module_stdout": "Traceback (most recent call last):\r\n  File \"/root/.ansible/tmp/ansible-tmp-1456847930.05-180606353311954/expect\", line 2136, in <module>\r\n    main()\r\n  File \"/root/.ansible/tmp/ansible-tmp-1456847930.05-180606353311954/expect\", line 154, in main\r\n    out, rc = pexpect.runu(args, timeout=timeout, withexitstatus=True,\r\nAttributeError: 'module' object has no attribute 'runu'\r\n", "msg": "MODULE FAILURE", "parsed": false}

NO MORE HOSTS LEFT *************************************************************
       to retry, use: --limit @adAuth_asRoot.retry

PLAY RECAP *********************************************************************
ansible                    : ok=2    changed=1    unreachable=0    failed=1


Gilberto Valentin

Mar 2, 2016, 9:02:53 AM
to Ansible Project
Ok, I figured this out. This is how I did it:

---
## This playbook installs and configures AD authentication

- name: Install and configure AD authentication
  hosts: linux
  remote_user: root

  tasks:
    - name: install ad_auth required tools
      yum: pkg={{ item }} state=installed
      with_items:
        - realmd
        - sssd
        - oddjob-mkhomedir
        - adcli
        - samba-common-tools
        - python-pip

    - name: install pexpect using pip
      shell: /bin/bash -c "pip install pexpect"

    - name: discover realm
      shell: /bin/bash -c "/usr/sbin/realm discover AD.DOMAIN.TLD"

    - name: join system to UNIX OU
      expect:
        command: /bin/bash -c "/usr/sbin/realm join AD.DOMAIN.TLD --computer-ou=OU=LINUX,DC=domain,DC=tld --user=admin_user"
        responses:
          Password for Administrator: "password123"

    - name: modify /etc/sssd/sssd.conf
      template: src=/home/user/git/system_configs/ansible/templates/sssd.j2 dest=/etc/sssd/sssd.conf
      notify:
        - restart sssd

  handlers:
    - name: restart sssd
      service: name=sssd state=restarted

Now I just have to figure out how to encrypt the password.


Chris Helming

Mar 12, 2016, 1:33:34 PM
to Ansible Project
Thanks, I was just looking for this tonight. Awesome timing!

For encrypting your password, use Ansible Vault. Here's a quick example:

I have a vars file called bind_creds.yml with bind_user and bind_password defined.

Gilberto Valentin

Mar 14, 2016, 4:22:48 PM
to Ansible Project
Glad this post helped you. Also, thank you very much for the Ansible Vault info!!

Cyriel R

Aug 5, 2016, 1:11:29 PM
to Ansible Project
Ohh thank you for these tips ;)

Jacob brown

Aug 30, 2016, 4:28:22 PM
to Ansible Project
Hi guys,

Do you do anything for "pre flight checks"? Or is this a one-off playbook you run on newly provisioned servers?

Wouldn't mind something that goes "am I joined? notify: join ad"

Cheers
Jacob

Chris Helming

Aug 31, 2016, 8:31:30 AM
to Ansible Project
- name: Check if machine is bound
  shell: /bin/bash -c "realm list | grep sssd"
  register: realmd_bound
  changed_when: false
  ignore_errors: true

- name: Join using realmd
  expect:
    command: "/bin/bash -c '/usr/sbin/realm join -U {{ bind_user }} {{ bind_domain }}'"
    responses:
      Password for.*: "{{ bind_password }}"
  when: realmd_bound|failed


I'm planning on getting away from realmd but that's one way to do it with realm.
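Folding together Chris's two replies (the vault-encrypted bind_creds.yml and the "am I joined?" pre-flight check), this added playbook is not from anyone in the thread; bind_creds.yml, its keys, the OU and the domain names are placeholders. It joins only when `realm list` shows no realm, and `no_log` keeps the password out of Ansible's output, which the first post shows echoing the whole command line on failure.

```yaml
---
# Added example, not from this thread. bind_creds.yml is created once with
#   ansible-vault create bind_creds.yml
# and holds placeholder keys bind_user, bind_password and bind_domain;
# run with: ansible-playbook ad_join.yml --ask-vault-pass

- name: Join Linux hosts to Active Directory (idempotent, vaulted creds)
  hosts: linux
  remote_user: root
  vars_files:
    - bind_creds.yml          # vault-encrypted; decrypted in memory at run time

  tasks:
    - name: install realmd tooling and pip
      yum: name={{ item }} state=present
      with_items:
        - realmd
        - sssd
        - oddjob-mkhomedir
        - adcli
        - samba-common-tools
        - python-pip

    - name: install pexpect >= 3.3 (the expect module needs pexpect.runu)
      pip: name=pexpect

    - name: pre-flight check - which realms is this host already joined to?
      command: realm list --name-only
      register: realm_list
      changed_when: false

    - name: join the domain only when no realm is listed yet
      expect:
        command: "realm join --computer-ou=OU=LINUX,DC=domain,DC=tld --user={{ bind_user }} {{ bind_domain }}"
        responses:
          "Password for .*:": "{{ bind_password }}"
      no_log: true              # keep the password out of task output and logs
      when: realm_list.stdout_lines | length == 0
      notify: restart sssd

  handlers:
    - name: restart sssd
      service: name=sssd state=restarted
```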

Jacob brown

Aug 31, 2016, 7:46:38 PM
to ansible...@googlegroups.com
That's awesome Chris, thank you very much!

I'm still learning Ansible so that's a huge help. Thanks again!
