Ansible 2.1.0: "Interactive authentication required." when operating with sudo ?

[TJG]

Hi all;

Just looking for a little help to spot what I might be missing. Against a Centos 7 box, using Ansible 2.1.0, this task:

 - name: restart httpd
      service:
        name: httpd
        state: restarted

is giving me an "Interactive authentication required." error when run under Ansible 2.1.0 via:

ansible-playbook -i inventory test.yml --sudo --ask-sudo-pass --ask-become-pass --sudo -vvvv

My playbook is set with:

  # The user that logs into the machine
  remote_user: apps

  # Indicates that we also want to be become the user we log in as, for running tasks
  # (otherwise the user defaults to root)
  become: yes
  become_user: apps

and on the Centos 7 box, my "apps" user is in the "wheel" group, and the wheel group is covered with sudoer permissions as follows:

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
%wheel  ALL=(ALL)       NOPASSWD: ALL

I understood that with my playbook set to use "become", and "become_user", that this task would run as sudo? 

So, why the "Interactive authentication required" error? 

Of course, I can resort to:

    - name: Restart apache
      shell: sudo systemctl restart httpd

which doesn't prompt me, but I'd like to understand why the advocated method isn't observing that I'm running under sudo? 

Many thanks,

Tim

[John Favorite]

comment out

#%wheel ALL=(ALL) ALL

## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL

> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-proje...@googlegroups.com.
> To post to this group, send email to ansible...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/3946a8b4-7869-499f-b139-d33c8478ca30%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[TJG]

Hi John;

Thanks for the suggestion, but nope: with that line commented out in sudoers (so that only the one with NOPASSWD is in effect", the error is the same. 

"Failed to stop httpd.service: Interactive authentication required."

Besides, I'd have thought that the latter statement would have overridden the former statement anyways, in a top-to-bottom processing. 

So, still scratching my head...

Tim

[John Favorite]

What happens when you run the command as that user? If it still asks for a password either your sudoers file is an issue or user/group might be.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/fe9501e5-8c46-41b9-a9c2-ab961430d8de%40googlegroups.com.

[Tim Griffin]

Hi John,

I very much appreciate your attention.

When I run "sudo systemctl restart httpd" directly, when logged in as my 'apps' user, I am not prompted for a password.

Bizarre, eh?

My guess is my httpd configuration... perhaps how Ansible is telling it to restart or how it's choosing to restart. I'll play with its service config and report back.

Tim

You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/NHM3zEiRWxU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.

To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAKsMCESoL%2B-qTtMiAbAS8itAQHuW7Ak0vp8CYDa3m7UfYb715A%40mail.gmail.com.

[Uditha Desilva]

Try adding 

Defaults:username !requiretty

to /etc/sudoers.

[Deepak Raj]

Hi Tim,

I am a newbee to Ansible and I am facing the same problem. Did you resolve this?

Regards

Deepak

To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscribe@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/fe9501e5-8c46-41b9-a9c2-ab961430d8de%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/NHM3zEiRWxU/unsubscribe.

To unsubscribe from this group and all its topics, send an email to ansible-project+unsubscribe@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.

[Tim Griffin]

No, Sorry Deepak; I was also working on RHEL SELinux and that environment, I'm sure was complicating things. I had to abandon my efforts with Ansible. 

T

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/db8a02b7-9a66-49ff-8c6a-98412f81e9b1%40googlegroups.com.

[Kavita Goel]

Deepak, its already been a year. But I ran into this issue. Adding the following lines resoved:

FAILED:

      - name: PostgreSQL service stop

        service:

         name: postgresql-9.5

         state: stopped

RESOLVED:

      - name: PostgreSQL service stop

        sudo: yes

        sudo_user: root

        service:

         name: postgresql-9.5

         state: stopped

To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.

To post to this group, send email to ansible...@googlegroups.com.

[middlewareinventory]

adding a become and become_user in the playbook has resolved our issue.

handlers:
    - name: restart apache
      become: yes
      become_user: root
      service: name=httpd state=restarted