ansible - shell module using expect


Troy Cosson

Oct 7, 2019, 4:19:22 PM
to Ansible Project
I'm trying to get a Red Hat server (RHEL7) to join a Windows Active Directory domain and I can't seem to get the expect command to send a password.

The playbook asks for the username and password and should then put the username at the end of the adcli command
    adcli join example.com -U administratorName
This returns a prompt of  
    Password for administ...@EXAMPLE.COM
The expect portion 'should' see this and send the password.
The ansible example is here: https://docs.ansible.com/ansible/latest/modules/shell_module.html#shell-module (# You can use shell to run other executables to perform actions inline)

I've added -v to the adcli command to try and check what's happening, but it didn't really shed any light.
Neither did ansible-playbook -vvv filename.yml, but maybe I just can't read it well.
The example below has example.com instead of my actual domain but otherwise is identical.
Does anyone have any suggestions on why the expect/send portion isn't working?

---
 - hosts: 127.0.0.1
   vars_prompt:
     - name: username
       prompt: "What is your Active Directory administrator username?"
       private: no
      
     - name: password
       prompt: "What is your administrator password?"
       private: yes    
       
   tasks:
    - name: join the domain
      shell: | 
        set timeout 300
        spawn /usr/sbin/adcli -v join example.com -U {{username}}
        expect "Password for {{username}}@EXAMPLE.COM: "  
        send "{{password}}\r"
        interact
        exit 0
      args:
        executable: /usr/bin/expect
      delegate_to: localhost



James Cassell

Oct 7, 2019, 5:12:36 PM
to Ansible List
Try \n instead of \r. This is more a question about expect than ansible. You'll also have to worry about special chars in the password, as parsed by TCL. (Obviously you need the expect command available on the target system.)

A better approach might be to pass the password in args: stdin and use --stdin-password

V/r,
James Cassell

Troy Cosson

Oct 8, 2019, 8:58:31 AM
to Ansible Project
I skimmed right over the --stdin-password from the man page.
That's way simpler.
- Thanks

---
 - hosts: 127.0.0.1
   vars_prompt:
     - name: username
       prompt: "What is your Active Directory administrator username?"
       private: no

     - name: password
       prompt: "What is your administrator password?"
       private: yes

   tasks:
    - name: join the domain
      shell: echo -n "{{password}}" | adcli join --stdin-password example.com.com -U {{username}}
>  expect "Password for {{usern...@EXAMPLE.COM: "

James Cassell

Oct 8, 2019, 9:24:56 AM
to Ansible List
On Tue, Oct 8, 2019, at 8:58 AM, Troy Cosson wrote:
[re-ordered]
Better to avoid the password being (briefly) accessible to all on the system, and to skip escaping worries:
    command: adcli join --stdin-password example.com.com -U {{username}}
    args:
      stdin: "{{password}}"
      stdin_add_newline: no


V/r,
James Cassell
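
The difference between the two forms in this thread, shown as an added example that is not part of the original posts: it runs the same secret through a shell pipeline and through plain stdin, then reports whether the secret sits in the process arguments and whether it arrives unchanged. Assumptions: `cat` stands in for `adcli --stdin-password`, `printf %s` stands in for `echo -n`, and the password is a constructed sample.

```python
import subprocess

# Constructed sample value; "$$" is expanded by the shell to its own PID.
SAMPLE_PASSWORD = "Pa$$w0rd"


def join_via_shell(password):
    """Mirror `shell: echo -n "{{password}}" | adcli ...`.

    The templated value is pasted into the string that /bin/sh parses, so it
    is interpreted by the shell and is part of the process arguments.
    """
    argv = ["/bin/sh", "-c", 'printf %s "' + password + '" | cat']
    received = subprocess.run(argv, capture_output=True, text=True).stdout
    return argv, received


def join_via_stdin(password):
    """Mirror `command: adcli ...` with `args: stdin:` (no shell involved)."""
    argv = ["cat"]
    received = subprocess.run(
        argv, input=password, capture_output=True, text=True
    ).stdout
    return argv, received


def in_arguments(argv, password):
    """True if the secret appears in any argument (what ps and procfs show)."""
    return any(password in arg for arg in argv)


if __name__ == "__main__":
    for name, fn in (("shell", join_via_shell), ("stdin", join_via_stdin)):
        argv, received = fn(SAMPLE_PASSWORD)
        print(
            name,
            "| secret in argv:", in_arguments(argv, SAMPLE_PASSWORD),
            "| arrives intact:", received == SAMPLE_PASSWORD,
        )
```

In the playbook itself, adding `no_log: true` to the task also keeps the prompted value out of Ansible's own task output and logs.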