I think I've figured out what is causing the issue. I don't know what to do
to solve the issue. Sudosh has been configured to only allow certain commands
via remote shell. On a test system running more or less the same setup I
can configure sudosh (/etc/sudosh.conf) to allow all commands. I don't want
to do that on this machine as it would undermine security. I'd rather
figure out what Ansible needs and request that. Any ideas what commands
would need to be allowed to let Ansible do its thing?

Cyclists of the World unite - you have nothing to lose but your chains!

On 12 July 2017 at 20:41, Rod Oliver <[email protected]> wrote:

> Hi Brian,
>
> The command and output is below.
>
> The thing that I find odd is that, to the best of my knowledge, ansible
> uses the ssh client config of user by default. The same user that runs
> ansible (root in this case) gets the correct username (not root) and SSH
> key from ~/.ssh/config and is able to log in to the host against which the ad
> hoc play is run. I'm wondering if there's something funny about this host.
>
> root@WDFN34201151A:/mnt/c/Users/user/Documents/Projects/Ansible_Playbooks/Automation#
> ansible -vvv -m ping control
> Using /mnt/c/Users/D069683/Documents/Projects/Ansible_
> Playbooks/Automation/ansible.cfg as config file
> META: ran handlers
> Using module file /root/.local/lib/python2.7/
> site-packages/ansible/modules/system/ping.py
> <clts.rot.od.sap.biz> ESTABLISH SSH CONNECTION FOR USER: user
> <clts.rot.od.sap.biz> SSH: EXEC ssh -C -o ControlMaster=auto -o
> ControlPersist=60s -o StrictHostKeyChecking=no -o
> KbdInteractiveAuthentication=no -o PreferredAuthentications=
> gssapi-with-mic,gssapi-keyex,hostbased,publickey -o
> PasswordAuthentication=no -o User=user -o ConnectTimeout=10 -o
> ControlPath=/root/.ansible/cp/7dd2444b86 clts '/bin/sh -c '"'"'echo ~ &&
> sleep 0'"'"''
> <clts> (1, '', n\n"/bin/sh" isn\'t allowed to be executed.\n')
> <clts> ESTABLISH SSH CONNECTION FOR USER: user
> <clts> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o
> StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o
> PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
> -o PasswordAuthentication=no -o User=user -o ConnectTimeout=10 -o
> ControlPath=/root/.ansible/cp/7dd2444b86 clts.rot.od.sap.biz '/bin/sh -c
> '"'"'( umask 77 && mkdir -p "` echo 
> ~/.ansible/tmp/ansible-tmp-1499884456.62-175962548351199
> `" && echo ansible-tmp-1499884456.62-175962548351199="` echo
> ~/.ansible/tmp/ansible-tmp-1499884456.62-175962548351199 `" ) && sleep
> 0'"'"''
> <clts> (1, '', '"/bin/sh" isn\'t allowed to be executed.\n')
> clts | UNREACHABLE! => {
>     "changed": false,
>     "msg": "Authentication or permission failure. In some cases, you may
> have been able to authenticate and did not have permissions on the remote
> directory. Consider changing the remote temp path in ansible.cfg to a path
> rooted in \"/tmp\". Failed command was: ( umask 77 && mkdir -p \"` echo
> ~/.ansible/tmp/ansible-tmp-1499884456.62-175962548351199 `\" && echo
> ansible-tmp-1499884456.62-175962548351199=\"` echo
> ~/.ansible/tmp/ansible-tmp-1499884456.62-175962548351199 `\" ), exited
> with result 1",
>     "unreachable": true
> }
> root@WDFN34201151A:/mnt/c/Users/user/Documents/Projects/
> Ansible_Playbooks/Automation#
>
> Best regards
>
> Rod
>
> Cyclists of the World unite - you have nothing to lose but your chains!
>
> On 12 July 2017 at 18:20, Brian Coca <[email protected]> wrote:
>
>> It would help if you show the commands attempted and the full error,
>> even using -vvv to make the output verbose.
>>
>>
>> ---------
>> Brian Coca
>>
>
>
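
An added example, not part of the original thread or of Ansible's own code: the -vvv output quoted above shows each remote command wrapped in `/bin/sh -c '...'` and the restricted shell rejecting `/bin/sh` itself. This Python sketch pairs every `SSH: EXEC` line with the denial that follows it, so the rejected executable and the script it was wrapping can be listed; the sample lines are reassembled from the quoted output with the ssh options shortened and a placeholder temp directory, and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample: lines reassembled from the wrapped -vvv output quoted
# above, with the ssh option list shortened and a placeholder temp directory.
SAMPLE = r"""
<clts> SSH: EXEC ssh -C -o User=user clts '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<clts> (1, '', '"/bin/sh" isn\'t allowed to be executed.\n')
<clts> SSH: EXEC ssh -C -o User=user clts '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo ~/.ansible/tmp/example `" ) && sleep 0'"'"''
<clts> (1, '', '"/bin/sh" isn\'t allowed to be executed.\n')
"""

EXEC_RE = re.compile(r"^<[^>]+> SSH: EXEC (.+)$")
# The denial text appears inside a Python repr, so the apostrophe may be escaped.
DENY_RE = re.compile(r'''"([^"]+)" isn\\?'t allowed to be executed''')


def parse_exec(line):
    """Return (executable, wrapped_script) for one 'SSH: EXEC' line, else None."""
    m = EXEC_RE.match(line)
    if not m:
        return None
    try:
        remote = shlex.split(m.group(1))[-1]  # last ssh argument = remote command
        argv = shlex.split(remote)            # words the remote login shell receives
        executable = argv[0]
    except (ValueError, IndexError):          # unbalanced quotes (wrapped line) or empty
        return None
    script = argv[2] if len(argv) > 2 and argv[1] == "-c" else ""
    return executable, script


def audit(text):
    """Pair each remote command with the denial (if any) reported right after it."""
    findings, pending = [], None
    for line in text.splitlines():
        parsed = parse_exec(line.strip())
        if parsed:
            pending = parsed
            continue
        denied = DENY_RE.search(line)
        if denied and pending:
            findings.append({"executable": pending[0], "script": pending[1],
                             "denied": denied.group(1)})
            pending = None
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"denied {f['denied']!r} while running: {f['script']}")
```

The mail client's line wrapping has to be undone before real output is fed in, since a wrapped `SSH: EXEC` line has unbalanced quotes and is skipped.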
