SOLVED. I'm not sure that it will help anyone else, but I found the cause of the problem. The 4 problem hosts had both passwd and shadow files and for some historical reason had a password hash in both files. As ansible was using getpwnam to lookup the user details, it was getting the password hash from /etc/passwd. I'm guessing that getpwnam doesn't look in /etc/shadow if the password field isn't 'x'. However, ansible uses usermod to change the password. This must just detect that there is an /etc/shadow file and updates the password field in this. The result was that it was always different and needed updating.
Setting /etc/passwd to use 'x' (as it should) cures the problem. On 11 April 2014 13:33, <[email protected]> wrote: > I am trying to use a simple ansible playbook to automate changing the root > password. However, on 4 of my hosts, the password is changed each time I > run the playbook. So, with the simple playbook password.yml consisting of > > --- > - hosts: all > vars: > > tasks: > - name: Change root password > user: name=root password='$6$salt$etcetc.' > > Running this on selected hosts gives > > # ansible-playbook password.yml -l host1,host2 > > PLAY [all] > ******************************************************************** > > GATHERING FACTS > *************************************************************** > ok: [host1] > ok: [host2] > > TASK: [Change root password] > ************************************************** > ok: [host1] > changed: [host2] > > PLAY RECAP > ******************************************************************** > host1 : ok=2 changed=0 unreachable=0 failed=0 > host2 : ok=2 changed=1 unreachable=0 failed=0 > > No matter how many times I run this, host2 is always changed - despite the > new encrypted password already being in the shadow file on host2 as it > actually worked the first time I ran the playbook. > > All 4 problems hosts are debian squeeze, but I have plenty of other debian > squeeze hosts that are working just fine - e.g. host1. > > Anyone have any insight into what might be wrong? > > Thanks, > > Bret > > -- > You received this message because you are subscribed to the Google Groups > "Ansible Project" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ansible-project/336cc0f4-699c-430d-babc-2056e3d72124%40googlegroups.com<https://groups.google.com/d/msgid/ansible-project/336cc0f4-699c-430d-babc-2056e3d72124%40googlegroups.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAG5Xc1K4sDXvU%3Dd1tQWCWhhdWPNVXYvWJaVrHRaha%3DVt-6E9Hg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
