inconsistent behaviour with user module

bretgi...@gmail.com

Apr 11, 2014, 8:33:06 AM
to ansible...@googlegroups.com
I am trying to use a simple ansible playbook to automate changing the root password. However, on 4 of my hosts, the password is changed each time I run the playbook. So, with the simple playbook password.yml consisting of

---
- hosts: all
  vars:

  tasks:
    - name: Change root password
      user: name=root password='$6$salt$etcetc.'

Running this on selected hosts gives

# ansible-playbook password.yml -l host1,host2

PLAY [all] ********************************************************************

GATHERING FACTS ***************************************************************
ok: [host1]
ok: [host2]

TASK: [Change root password] **************************************************
ok: [host1]
changed: [host2]

PLAY RECAP ********************************************************************
host1                    : ok=2    changed=0    unreachable=0    failed=0
host2                    : ok=2    changed=1    unreachable=0    failed=0

No matter how many times I run this, host2 is always changed - despite the new encrypted password already being in the shadow file on host2 as it actually worked the first time I ran the playbook.

All 4 problem hosts are Debian squeeze, but I have plenty of other Debian squeeze hosts that are working just fine - e.g. host1.

Anyone have any insight into what might be wrong?

Thanks,

Bret

Bret Giddings

Apr 14, 2014, 10:20:12 AM
to ansible...@googlegroups.com
SOLVED.

I'm not sure that it will help anyone else, but I found the cause of the problem. The 4 problem hosts had both passwd and shadow files and for some historical reason had a password hash in both files. As Ansible was using getpwnam to look up the user details, it was getting the password hash from /etc/passwd. I'm guessing that getpwnam doesn't look in /etc/shadow if the password field isn't 'x'. However, Ansible uses usermod to change the password. This must just detect that there is an /etc/shadow file and update the password field in this. The result was that it was always different and needed updating.

Setting /etc/passwd to use 'x' (as it should) cures the problem.
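
A check for the condition described in the post above (a password hash left in /etc/passwd on a host that also has /etc/shadow), as an added example that is not part of the original thread. The function names and the sample entries are constructed for illustration.

```python
# Added example: flag accounts whose /etc/passwd password field is not a placeholder.
import sys
from pathlib import Path

# Values that defer to /etc/shadow ('x') or mark no usable password ('*', '!').
PLACEHOLDERS = {"x", "*", "!"}

def second_fields(text):
    """Return {login: password_field} from passwd- or shadow-format text."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and parts[0] and not parts[0].startswith("#"):
            entries[parts[0]] = parts[1]
    return entries

def find_passwd_hashes(passwd_text, shadow_text):
    """List (login, problem) pairs for passwd entries that bypass /etc/shadow."""
    shadow = second_fields(shadow_text)
    findings = []
    for login, field in second_fields(passwd_text).items():
        if field in PLACEHOLDERS:
            continue
        if field == "":
            findings.append((login, "empty password field in passwd"))
        elif login not in shadow:
            findings.append((login, "hash in passwd, no shadow entry"))
        elif shadow[login] != field:
            findings.append((login, "hash in passwd differs from shadow"))
        else:
            findings.append((login, "hash duplicated in passwd and shadow"))
    return findings

# Constructed sample data (not real hashes), mirroring host2 in the thread.
SAMPLE_PASSWD = """\
root:$6$oldsalt$OLDHASH:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$salt$NEWHASH:16171:0:99999:7:::
daemon:*:16000:0:99999:7:::
"""

if __name__ == "__main__":
    # With two arguments, read those files (shadow needs root); else use the sample.
    paths = sys.argv[1:3]
    texts = [Path(p).read_text() for p in paths] if len(paths) == 2 else [SAMPLE_PASSWD, SAMPLE_SHADOW]
    for login, problem in find_passwd_hashes(*texts):
        print(f"{login}: {problem}")
```

Any finding also means a password hash sits in the world-readable /etc/passwd, so it is worth fixing independently of the playbook symptom.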

