Odd "Authentication or permission failure" error with initial Ansible play

[David Reagan]

I'm still new to Ansible, but over the past couple days I've been trying to use it to setup a couple new vm's. I start by cloning a vmware VM that has a basic sudo user, and configuring it's networking/dns/firewall. Once all that was set up, I tried running my playbook. Ended up with this: 

/path/to/ansible/stuff/$ ansible-playbook --check --ask-sudo-pass --ask-pass --sudo -i prod firstrun.yml
SSH password: 
sudo password [defaults to SSH password]: 
PLAY [hostname.edu] ***************************************** 
GATHERING FACTS *************************************************************** 
fatal: [hostname.edu] => Authentication or permission failure.  In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in "/tmp". Failed command was: mkdir -p $HOME/.ansible/tmp/ansible-1382136077.67-208472098868660 && chmod a+rx $HOME/.ansible/tmp/ansible-1382136077.67-208472098868660 && echo $HOME/.ansible/tmp/ansible-1382136077.67-208472098868660, exited with result 6
TASK: [update apt cache] ****************************************************** 
FATAL: no hosts matched or all hosts have already failed -- aborting

PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/home/username/firstrun.retry
hostname.edu : ok=0    changed=0    unreachable=1    failed=0  

Yesterday I ran into the same thing with another server, but it randomly started working. I don't remember doing anything different.

My user works fine. I can ssh in and run sudo commands as normal.

Running:

mkdir -p $HOME/.ansible/tmp/ansible-1382136077.67-208472098868660 && chmod a+rx $HOME/.ansible/tmp/ansible-1382136077.67-208472098868660 && echo $HOME/.ansible/tmp/ansible-1382136077.67-208472098868660

Works fine if I do it manually.

I checked the auth.log on the new server and found this appearing when I try to run ansible:

Oct 18 15:41:11 ws-prod-pathways-01 sshd[10314]: Connection closed by mydesktopstaticip [preauth]

I'd think something was bad on my local desktop. But I can run ansible playbooks just find on several other vm's that have ssh key authentication set up. It's just this initial run with the password auth that fails. 

I guess I'll try changing the ansible.cfg file like the error message suggests, but it still seems weird that my user can't seem to auth.

Any suggestions?

[David Reagan]

Set

remote_tmp     = /tmp

in ansible.cfg, and it still failed.

[Richard Clayton]

I once encountered a similar issue and it had to do with connecting with a machine for the first time and having to accept the SSH signature.  I wonder if this is the same issue?

On Friday, October 18, 2013 4:01:31 PM UTC-7, David Reagan wrote:

[David Reagan]

Hmm.. I've already ssh'd into it several times. So it's definitely in the known_hosts file. I can't think of another place that Ansible would look for the signature. I guess I could try that no host key checking flag, once I remember what it was... We'll see if that works Monday. :) Yay for the weekend!

--David Reagan

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/oj6hr5YY5hE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Michael DeHaan]

"I once encountered a similar issue and it had to do with connecting with a machine for the first time and having to accept the SSH signature.  I wonder if this is the same issue"

Ansible will present prompts in those cases so you can add them.

If you are using the SSH connection type, 1.4 allows you to get low level debugging from openssh with the "-vvvv" flag (yes, 4 v's)

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.

For more options, visit https://groups.google.com/groups/opt_out.

--

Michael DeHaan <mic...@ansibleworks.com>
CTO, AnsibleWorks, Inc.
http://www.ansibleworks.com/

[David Birdsong]

I recently ran into this and found simply ssh-ing into the box to not help to indicate anything.

Turns out I'd let / fill and no new files could be written.

..rule it out at least.

On Friday, October 18, 2013 4:01:31 PM UTC-7, David Reagan wrote:

[David Reagan]

Ok, So I uncommented 

> # host_key_checking = False

And it got past the previous error. And it still gets past that error after I commented the line out again. So Ansible definitely started to accept the host key...

Ansible checks the users known_hosts file, right? So why would host_key_checking even matter when I've already accepted the host key for this server? Or does that flag do more?

--David Reagan

[David Reagan]

Ok, I've tracked down what was going on.

I was initially signing in with the ip address of the server and accepting the ECDSA key for the ip address, instead of the fqdn. Since my ansible hosts file used the fqdn, ssh didn't know I accepted the ECDSA key.

What I'm confused on, is that ansible doesn't ask me to accept the ECDSA keys. Isn't it supposed to? Or do I have to manually ssh into every server first?

--David Reagan

[David Reagan]

Ran into this again. Ansible 1.3.3 does NOT prompt me for the ECDSA key, it just errors. The confirmed work around is to just ssh into the box with the correct hostname/ipaddress/whatever and accept the key that way.

Hopefully newer versions have this fixed. I guess I'll find out once the http://ppa.launchpad.net/rquillo/ansible/ubuntu updates to the newest Ansible...

--David Reagan

[Michael DeHaan]

1.3.4 is current and only contains two small fixes.

I'd suggest you play with the devel branch, there's really nothing preventing experimentation because it requires no installation and definitely nothing to install on the remote nodes either.

I should point out that "it just errors" is not helpful to the mailing list as we can't see what error you are seeing.

--

You received this message because you are subscribed to the Google Groups "Ansible Project" group.

To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.

For more options, visit https://groups.google.com/groups/opt_out.

[David Reagan]

Ah, replace "it just errors" with "it just throws the same error as in the OP". 

Trying the devel branch is on my todo list, but I haven't had time yet. 

--David Reagan

[Anthony Green]

GATHERING FACTS *************************************************************** 
fatal: [hostname.edu] => Authentication or permission failure.  In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in "/tmp". Failed command was: mkdir -p $HOME/.ansible/tmp/ansible-1382136077.67-208472098868660 && chmod a+rx $HOME/.ansible/tmp/ansible-1382136077.67-208472098868660 && echo $HOME/.ansible/tmp/ansible-1382136077.67-208472098868660, exited with result 6
TASK: [update apt cache] ****************************************************** 
FATAL: no hosts matched or all hosts have already failed -- aborting

I'm seeing this error after a previous ansible-playbook to install a docker container failed

[David Reagan]

I don't remember exactly what the issue was, but are you trying to use --ask-pass (or ansible_ssh_pass) when you have ssh-key auth set up? I do that every once in a while, and Ansible tries to force password authentication, rather than try ssh-key, then drop to password auth. When that happens, a similar error pops up for me. Or at least it used to. Been a while...

--David Reagan

--

You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/oj6hr5YY5hE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.

To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/891f9494-7527-4535-a86b-73ba1bb278b3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.