sudo not working when using ansible_ssh_user and ansible_become_user

nrser

Sep 24, 2015, 11:58:36 AM
to Ansible Project
hey, i'm having issues with privilege escalation on OSX (all machines at version 10.10 with ansible ):

we are using ansible to help manage our workstations, and when i execute playbooks locally using ansible_connection=local on the target as the user (josh in this case), tasks with sudo: true work fine

when executing from my machine any sudo tasks fail with permissions errors.

i'm using an inventory line like

josh ansible_ssh_host=Joshs-MacBook-Pro.local ansible_ssh_user=sysadmin ansible_become_user=josh

Josh's machine has a sysadmin user that i can log into using my ssh key that is part of the admin group and has 

sysadmin ALL=(ALL) NOPASSWD:ALL

in the /etc/sudoers file. the josh user is also in admin and has "no password" setup in sudoers.

when executing from my machine, i get errors like

failed: [josh] => {"failed": true, "parsed": false}
BECOME-SUCCESS-bcpvkbjdbokqphwizmnpqwllqehnwiyh
Traceback (most recent call last):
  File "/tmp/ansible-tmp-1443108894.49-142723340060191/lineinfile", line 2217, in <module>
    main()
  File "/tmp/ansible-tmp-1443108894.49-142723340060191/lineinfile", line 394, in main
    ins_aft, ins_bef, create, backup, backrefs)
  File "/tmp/ansible-tmp-1443108894.49-142723340060191/lineinfile", line 201, in present
    f = open(dest, 'rb')
IOError: [Errno 13] Permission denied: '/etc/sudoers'
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/nrser/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: auto-mux: Trying existing master
debug1: mux_client_request_session: master session id: 2
Shared connection to Joshs-MacBook-Pro.local closed.


FATAL: all hosts have already failed -- aborting

i also get errors when trying anything with sudo or become_user, not just touching /etc/sudoers.

all the users involved have no-password sudo permissions... i don't understand why they can't escalate.

anyone have any info / ideas / suggestions?

thanks, Neil.

Joanna Delaporte

Sep 24, 2015, 1:28:46 PM
to Ansible Project
Hi Neil,

From the debug output, it's trying to connect as nrser:
debug1: Reading configuration data /Users/nrser/.ssh/config

Do you know where you have specified that ansible should connect as nrser?

Joanna

nr...@ztkae.com

Sep 24, 2015, 1:35:13 PM
to ansible...@googlegroups.com
nrser is the user on my machine. i understood ansible_ssh_user=sysadmin to mean it would connect as sysadmin.
 
this works fine from my machine to the target:
 
ssh sysa...@Joshs-MacBook-Pro.local
 
i'm able to execute non-sudo tasks just fine, and nrser doesn't exist as a user on the target machine, so it can't be connecting as nrser... i'm pretty sure it's connecting as sysadmin

nr...@ztkae.com

Sep 24, 2015, 1:40:23 PM
to ansible...@googlegroups.com
i believe the reason we're seeing /Users/nrser/.ssh is because that's the user i'm logged in as on the master and where the id_rsa key that it's using to connect is.