Even I have issues running ansible with powerbroker.
Can you please advise?
The output from ansible server is
************TRUNCATED**********************
<bonnie.corp.toronto.ca> ESTABLISH SSH CONNECTION FOR USER: ithakur
<bonnie.corp.toronto.ca> SSH: EXEC sshpass -d14 ssh -C -o
ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o
User=ithakur -o ConnectTimeout=10 -o
ControlPath=/home/ithakur/.ansible/cp/f7a7b94991 bonnie.corp.toronto.ca
'/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853 `" &&
echo ansible-tmp-1544716066.76-279050599284853="` echo
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853 `" )
&& sleep 0'"'"''
<bonnie.corp.toronto.ca> (0,
'ansible-tmp-1544716066.76-279050599284853=/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853\n',
'')
Using module file
/usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<bonnie.corp.toronto.ca> PUT
/home/ithakur/.ansible/tmp/ansible-local-99556TgIARg/tmpq1ZjQE TO
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853/command.py
<bonnie.corp.toronto.ca> SSH: EXEC sshpass -d14 sftp -o BatchMode=no -b -
-C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
-o User=ithakur -o ConnectTimeout=10 -o
ControlPath=/home/ithakur/.ansible/cp/f7a7b94991 '[bonnie.corp.toronto.ca]'
<bonnie.corp.toronto.ca> (0, 'sftp> put
/home/ithakur/.ansible/tmp/ansible-local-99556TgIARg/tmpq1ZjQE
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853/command.py\n',
'')
<bonnie.corp.toronto.ca> ESTABLISH SSH CONNECTION FOR USER: ithakur
<bonnie.corp.toronto.ca> SSH: EXEC sshpass -d14 ssh -C -o
ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o
User=ithakur -o ConnectTimeout=10 -o
ControlPath=/home/ithakur/.ansible/cp/f7a7b94991 bonnie.corp.toronto.ca
'/bin/sh -c '"'"'chmod u+x
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853/
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853/command.py
&& sleep 0'"'"''
<bonnie.corp.toronto.ca> (0, '', '')
<bonnie.corp.toronto.ca> ESTABLISH SSH CONNECTION FOR USER: ithakur
<bonnie.corp.toronto.ca> SSH: EXEC sshpass -d14 ssh -C -o
ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o
User=ithakur -o ConnectTimeout=10 -o
ControlPath=/home/ithakur/.ansible/cp/f7a7b94991 -tt bonnie.corp.toronto.ca
'/bin/sh -c '"'"'pbrun -u root '"'"'"'"'"'"'"'"'echo
BECOME-SUCCESS-mqwghadmolrcjovmnwvtcsmcbeorgfzs; /usr/bin/python
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853/command.py'"'"'"'"'"'"'"'"'
&& sleep 0'"'"''
<bonnie.corp.toronto.ca> (127, 'Command rejected !\r\n\r\nYou can run the
following commands on bonnie.corp.toronto.ca :\r\npbrun su -\r\npbrun
gentok username token YYYY/MM/DD YYYY/MM/DD server1 server2
...\r\n\r\npbrun9.4.3-18[119443]: If you need further help, please contact
SysAdmin!\r\n', 'Shared connection to bonnie.corp.toronto.ca closed.\r\n')
<bonnie.corp.toronto.ca> ESTABLISH SSH CONNECTION FOR USER: ithakur
<bonnie.corp.toronto.ca> SSH: EXEC sshpass -d14 ssh -C -o
ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o
User=ithakur -o ConnectTimeout=10 -o
ControlPath=/home/ithakur/.ansible/cp/f7a7b94991 bonnie.corp.toronto.ca
'/bin/sh -c '"'"'rm -f -r
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853/ >
/dev/null 2>&1 && sleep 0'"'"''
<bonnie.corp.toronto.ca> (0, '', '')
fatal: [bonnie.corp.toronto.ca]: FAILED! => {
"changed": false,
"module_stderr": "Shared connection to bonnie.corp.toronto.ca
closed.\r\n",
#####################################
The Power Broker conf file is
AnsibleUsers = {"ansible", "ithakur"};
AnsibleCommands = {"/bin/sh", "/usr/bin/python"};
if ( user in AnsibleUsers && command in AnsibleCommands ) {
    if ( ( runargv[1] == "-c" && runargv[2] == "echo" )
         || ( glob("~/.ansible/tmp/ansible-tmp-*/command.py", runargv[1]) == 0 ) ) {
        runuser = "root";
        rungroup = "!g!";
        rungroups = {"!G!"};
        runcommand = command;
        # runcommand = basename(command);
        # setenv("PATH", "/sbin:/bin:/usr/bin:/usr/local/bin:/usr/sbin");
        # iolog = logmktemp("/tmp/" + user + "/pb." + user + "." + command + "."+ strftime("%m-%d-%y.%H-%M-%S")+ ".XXXXXX");
        # print("This request will be logged in:", iolog);
        accept;
    }
}
Can you advise why it fails?
There is a global policy where I have pbrun su -
On Friday, April 1, 2016 at 7:18:16 PM UTC-4, [email protected] wrote:
>
> I'm relatively experienced with Ansible 1.3, but just now trying to bring
> Ansible 2.0 for the first time in a new project (and hoping to displace
> chef). I have around 1k servers to manage that use pbrun, but others
> installed and control pbrun.
> I have traditional sudo in a few of these hosts as well, but pbrun is the
> preferred privilege elevation method.
>
> I use all ssh-config auth in the following example.
>
> HELP - I really need to figure this out, as ansible will be mostly useless
> to me unless I can reliably use it with pbrun
>
> $ ansible all -i myhosts -o -m shell -a 'uptime' -b --become-method pbrun
> c00413.mydom.com | FAILED! => {"changed": false, "failed": true,
> "module_stderr": "", "module_stdout": "/bin/bash: pbrun: command not
> found\r\n", "msg": "MODULE FAILURE", "parsed": false}
> c00414.mydom.com | FAILED! => {"changed": false, "failed": true,
> "module_stderr": "", "module_stdout": "/bin/bash: pbrun: command not
> found\r\n", "msg": "MODULE FAILURE", "parsed": false}
> c00415.mydom.com | FAILED! => {"changed": false, "failed": true,
> "module_stderr": "", "module_stdout": "/bin/bash: pbrun: command not
> found\r\n", "msg": "MODULE FAILURE", "parsed": false}
> c00416.mydom.com | FAILED! => {"changed": false, "failed": true,
> "module_stderr": "", "module_stdout": "/bin/bash: pbrun: command not
> found\r\n", "msg": "MODULE FAILURE", "parsed": false}
> c00417.mydom.com | FAILED! => {"changed": false, "failed": true,
> "module_stderr": "", "module_stdout": "/bin/bash: pbrun: command not
> found\r\n", "msg": "MODULE FAILURE", "parsed": false}
> c00418.mydom.com | FAILED! => {"changed": false, "failed": true,
> "module_stderr": "", "module_stdout": "/bin/bash: pbrun: command not
> found\r\n", "msg": "MODULE FAILURE", "parsed": false}
>
>
> $ ansible all -i myhosts -o -m shell -a 'uptime' -b --become-method
> '/opt/pb/bin/pbrun'
> c00413.mydom.com | FAILED! => {"failed": true, "msg": "Privilege
> escalation method not found: /opt/pb/bin/pbrun"}
> c00414.mydom.com | FAILED! => {"failed": true, "msg": "Privilege
> escalation method not found: /opt/pb/bin/pbrun"}
> c00415.mydom.com | FAILED! => {"failed": true, "msg": "Privilege
> escalation method not found: /opt/pb/bin/pbrun"}
> c00416.mydom.com | FAILED! => {"failed": true, "msg": "Privilege
> escalation method not found: /opt/pb/bin/pbrun"}
> c00417.mydom.com | FAILED! => {"failed": true, "msg": "Privilege
> escalation method not found: /opt/pb/bin/pbrun"}
> c00418.mydom.com | FAILED! => {"failed": true, "msg": "Privilege
> escalation method not found: /opt/pb/bin/pbrun"}
>
> *Here is my cfg file ... I did make a few changes trying to troubleshoot
> this*
>
> [defaults]
>
> # some basic default values...
>
> hostfile = ./hosts
> inventory = ./hosts
> library = /usr/share/ansible
> remote_tmp = $HOME/.ansible/tmp
> pattern = *
> forks = 20
> poll_interval = 10
> sudo_user = root
> transport = ssh
> remote_port = 22
> module_lang = C
>
> gathering = implicit
>
> # change this for alternative sudo implementations
> #sudo_exe = sudo <<changed this
> #module_name = shell <<changed this
> #ask_sudo_pass= true <<changed this
>
> executable = /bin/bash <<added this
> # the message changed when I made that change
> #FAILED! => {"changed": false, "failed": true, "module_stderr": "",
> "module_stdout": "/bin/sh: pbrun: command not found\r\n", "msg": "MODULE
> FAILURE", "parsed": false}
>
> # SSH timeout
> timeout = 3
>
> [ssh_connection]
>
> # ssh arguments to use
> # Leaving off ControlPersist will result in poor performance, so use
> # paramiko on older platforms rather than removing it
> ssh_args = -o ControlMaster=auto -o ControlPersist=1800s
> #1800 seconds is 30min
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/cd189d54-265a-43c8-8224-cccbb3154adc%40googlegroups.com.
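
Added example (not part of the original thread, and not Ansible or PowerBroker code): a Python sketch that peels the three quoting layers off the final "SSH: EXEC" command in the log above to show the argv pbrun is actually started with, next to the AnsibleCommands list from the posted policy. Treating the words after "pbrun -u root" as what the policy's command and runargv are evaluated against is an assumption, and the helper names are hypothetical.

```python
import shlex

# Constructed from the last "SSH: EXEC" line of the log above, with the
# e-mail line wraps rejoined. Q1 is a single quote escaped once for a
# single-quoted shell string; Q2 is Q1 escaped a second time.
Q1 = "'\"'\"'"
Q2 = Q1.replace("'", Q1)
TMP = "/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853"
KEY = "BECOME-SUCCESS-mqwghadmolrcjovmnwvtcsmcbeorgfzs"
LOGGED = ("'/bin/sh -c " + Q1 + "pbrun -u root " + Q2 + "echo " + KEY
          + "; /usr/bin/python " + TMP + "/command.py" + Q2
          + " && sleep 0" + Q1 + "'")

# AnsibleCommands from the posted policy.
ALLOWED = {"/bin/sh", "/usr/bin/python"}


def pbrun_argv(logged):
    """Peel the three quoting layers; return the argv pbrun is started with."""
    (ssh_arg,) = shlex.split(logged)        # 1: the ssh argument as logged
    _sh, _c, script = shlex.split(ssh_arg)  # 2: remote shell sees /bin/sh -c <script>
    words = shlex.split(script)             # 3: /bin/sh parses the script
    return words[:words.index("&&")]        # drop the trailing "&& sleep 0"


def requested_command(argv):
    """Words after 'pbrun -u <user>' (assumed to be what the policy evaluates)."""
    rest = argv[1:]
    if rest[:1] == ["-u"]:
        rest = rest[2:]
    return rest


def check(logged):
    """Summarise the request against the policy's allowed command list."""
    req = requested_command(pbrun_argv(logged))
    return {
        "requested": req,
        "word_count": len(req),
        "first_word_allowed": req[0] in ALLOWED,
        "contains_shell_syntax": any(c in req[0] for c in ";|&"),
    }


if __name__ == "__main__":
    for key, value in check(LOGGED).items():
        print(key, "=", value)
```

The request reaches pbrun as one word, "echo BECOME-SUCCESS-...; /usr/bin/python .../command.py", so under the stated assumption it equals neither "/bin/sh" nor "/usr/bin/python" and there is no second word for the runargv tests to look at.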