Sudo auth fails in the middle of playbook

738 views
Skip to first unread message

marko

unread,
Nov 24, 2016, 12:50:56 PM11/24/16
to Ansible Project
Hi,

I'm having weird problems where sudo authentication seems to fail in the middle of a playbook.

The playbook is run like this:

ansible-playbook ... -b --ask-become-pass ... myplaybook.yml

The playbook includes this bit that I'm using to reproduce an actual problem:

- name: test123
  command: touch /tmp/test/{{item.key}}
  with_dict: "{{users | combine(ext_users | default({})) }}"

When I run the playbook I get this error:

TASK [playbook1 : test123] ***********************************************
fatal: [foo.bar.baz]: FAILED! => {"failed": true, "msg": "ERROR! Incorrect sudo password"}

The strange part is that only some of the expected files get created (and owned by root), but the task appears to fail in the middle of iterating dictionary keys.
Since some files get created I assume 1) sudo password is correctly entered and 2) the task is run as root.

Any ideas why this happens?

marko

marko

unread,
Nov 25, 2016, 3:08:17 AM11/25/16
to Ansible Project
This seems to be related with our use of the pam_tally2 module.
I've the fillowing configuration:

auth  required  pam_tally2.so  file=/var/log/tallylog deny=5 even_deny_root unlock_time=1200

When I disable this the playbook gets executed without errors.

After running the playbook tally2 counts 14 failed logins for my account, though the sudo password should've
been correctly entered (since some files do get created as root).

Paul Tötterman

unread,
Nov 25, 2016, 4:24:28 AM11/25/16
to Ansible Project
After running the playbook tally2 counts 14 failed logins for my account, though the sudo password should've
been correctly entered (since some files do get created as root).

Do you have more that one auth backend in PAM? like pam_unix + pam_ldap? Do those have different passwords? A fail in one doesn't necessarily mean that login fails.

Cheers,
Paul 

marko

unread,
Nov 25, 2016, 4:51:26 AM11/25/16
to Ansible Project

On Friday, November 25, 2016 at 11:24:28 AM UTC+2, Paul Tötterman wrote:
Do you have more that one auth backend in PAM? like pam_unix + pam_ldap? Do those have different passwords? A fail in one doesn't necessarily mean that login fails.

I'm only using the pam_unix authentication method.
Apart from pam_tally2 my pam config is just the default Ubuntu 16.04 config.

thanks,

marko

marko

unread,
Dec 1, 2016, 3:31:16 AM12/1/16
to Ansible Project
The explanation seems to be that pam_tally2 records a failed login when login command is started, even before a password is entered. Normally, the failed logins counter is reset when the user enters the correct password.

For login this works correctly when the following line is added in pam config (common-auth):

auth  required  pam_tally2.so  file=/var/log/tallylog deny=5 even_deny_root unlock_time=1200 serialize

However, when using sudo, the counter only gets reset when the following line is added to pam configuration (common-account):

account        required        pam_tally2.so

So, the workaround is to add the above line in pam config.
Reply all
Reply to author
Forward
0 new messages