Hi,
This is what I'm getting:-
Working without sudo. But not with sudo option.
ansibledir$ ansible all -m command -a 'whoami'
<hostname> | SUCCESS | rc=0 >>
pranjan
ansibledir$ ansible all -m command -a 'whoami' --sudo -K
SUDO password:
<hostname> | FAILED! => {
"changed": false,
"failed": true,
"module_stderr": "Shared connection to dc1-io-new closed.\r\n",
"module_stdout": "\r\nSorry, user pranjan is not allowed to execute
'/bin/sh -c echo BECOME-SUCCESS-bgclrmmybsvnbasemntshqvjavcnqvjf;
/usr/bin/python
/home/pranjan/.ansible/tmp/ansible-tmp-1504636239.12-238251240956861/command.py;
rm -rf
\"/home/pranjan/.ansible/tmp/ansible-tmp-1504636239.12-238251240956861/\" >
/dev/null 2>&1' as root on <hostname>\r\n",
"msg": "MODULE FAILURE",
"rc": 1
}
Please help on this.
Thanks
Prakash
On Wednesday, January 21, 2015 at 8:51:46 AM UTC-8, tkuratomi wrote:
>
> On Wed, Jan 21, 2015 at 8:05 AM, Stuart Budd <[email protected]> wrote:
> > I still do not understand this.
> >
> >
> > Example 1:
> >
> > Ansible Local Server        Remote server
> > local-01                    remote-01
> > -------------------         --------------------
> > Local user foo --> ssh -->  Remote user foo
> >
> >
> > I do not understand how Ansible knows what user account to use on the local
> > and remote servers for the purposes of the SSH connection if no user account
> > is specified within the command line ( ansible_ssh_user=foo ) or
> > /etc/ansible/hosts file.
> >
>
> Ansible (and the ssh commandline) defaults to using the same username
> on the remote server as you are logged into on the local server.
>
> So if nothing is specified, if you invoke ansible from the local user
> foo account, ansible will attempt to connect to a remote user foo
> account.
>
> > I will ask a new separate question.
> >
> >
> > Example 2:
> >
> > Ansible Local Server        Remote server
> > local-01                    remote-01
> > -------------------         --------------------
> > Local user foo --> ssh -->  Remote user foo
> >                             bar
> > (foo user uses sudo to run command as bar)
> >
> > I still can not get this to work. The SSH connection is working fine for
> > user foo and if the foo user uses sudo to run a command as user bar on the
> > remote server it works fine but I still can not get Ansible to glue it
> > together.
> >
> This should work. Try something like this:
>
> $ ansible rhel7-test --sudo -K -a 'whoami'
> sudo password:
> rhel7-test | success | rc=0 >>
> root
>
> $ sudo vim /etc/ansible/ansible.cfg
> $ # Edit the sudo_user config so that: sudo_user = ansibletest1
> $ ansible rhel7-test --sudo -K -a 'whoami'
> sudo password:
> rhel7-test | success | rc=0 >>
> ansibletest1
>
> > I will ask a separate question about this.
> > This was my main question really. I have one non-root user that allows SSH,
> > but can not use sudo for root access.
> > So I can not use the same example as above.
> >
> This sounds slightly problematic
> * To be able to administrate this box at all you'll need a chain of
> accounts from the account you ssh in as to an account that has all of
> the privileges that you need (usually the root account so that you can
> do anything you need).
> * To be able to run ansible efficiently you should have an account
> that can ssh in and either has the privileges you need or be one sudo
> or su login away from the account that has all the privileges you
> need.
>
> However all is not lost because:
> * You can be more than one sudo login away (as bcoca's explanation was
> showing) but that is harder to achieve, has many caveats, and is much
> harder to explain clearly :-)
> * If you have an account that can sudo to root you should be able to
> either add the account you can ssh in as to /etc/sudoers or add SSH
> keys to the account that you can sudo to root from so that you can SSH
> into the box as the account that's only one sudo step away from root.
>
> -Toshio
>
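Added example, not part of the original thread: a small Python triage helper that reads a failed Ansible result like the one at the top of this message and reports why sudo refused. The function name, the sample values (alice, host1, the shortened tmp path) and the patterns for sudo messages other than the "not allowed to execute" one shown in the post are assumptions.

```python
import re

# sudo's denial messages, matched against Ansible's module_stdout/stderr.
# Only the first wording appears in the thread; the other two are assumed
# from sudo's usual output.
DENIED = re.compile(
    r"Sorry, user (?P<user>\S+) is not allowed to execute '(?P<cmd>.*)' "
    r"as (?P<runas>\S+) on (?P<host>\S+)")
NOT_IN_SUDOERS = re.compile(r"(?P<user>\S+) is not in the sudoers file")
BAD_PASSWORD = re.compile(r"Sorry, try again\.|incorrect password attempt")


def classify_become_failure(result):
    """Return (reason, details) for a failed Ansible result dict."""
    # Ansible keeps the terminal's \r\n and line wraps; flatten them first.
    raw = result.get("module_stdout", "") + " " + result.get("module_stderr", "")
    text = " ".join(raw.split())
    m = DENIED.search(text)
    if m:
        details = m.groupdict()
        # As the failure in the post shows, sudo is asked to authorise the
        # /bin/sh wrapper, not the final command (whoami), so the sudoers
        # rule for this user has to cover that wrapper as the become user.
        details["wrapper"] = details.pop("cmd").split()[0]
        return "sudoers_denies_command", details
    m = NOT_IN_SUDOERS.search(text)
    if m:
        return "user_not_in_sudoers", m.groupdict()
    if BAD_PASSWORD.search(text):
        return "wrong_sudo_password", {}
    return "unknown", {}


# Constructed sample, modelled on the failure quoted in the post.
SAMPLE = {
    "changed": False,
    "failed": True,
    "module_stderr": "Shared connection to host1 closed.\r\n",
    "module_stdout": "\r\nSorry, user alice is not allowed to execute "
                     "'/bin/sh -c echo BECOME-SUCCESS-xyz; /usr/bin/python\r\n"
                     "/home/alice/.ansible/tmp/command.py' as root on host1\r\n",
    "msg": "MODULE FAILURE",
    "rc": 1,
}

if __name__ == "__main__":
    print(classify_become_failure(SAMPLE))
```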