ali haider

Reputation: 20182

password not being accepted for sudo user with ansible

I am running an ansible playbook as a sudo user (forcing the sudo password) - however, I am getting a response stating that the su password is incorrect even though I can do the following on the remote server (with the same password that I tried with ansible):

sudo su - root

error message

 fatal: [testserver]: FAILED! => {"failed": true, "msg": "Incorrect su password"}

hosts

[webservers]
testserver ansible_ssh_host=ec2-52-87-166-241.compute-1.amazonaws.com ansible_ssh_port=9876

ansible command

ansible-playbook test_playbook.yml -i hosts --ask-become-pass -vvv

test_playbook

---
- hosts: all
  gather_facts: no
  remote_user: testuser
  become: yes
  become_method: su
  become_user: root
  any_errors_fatal: true

  tasks:
  - group:
      name: devops
      state: present
  - name: create devops user with admin privileges
    user:
      name: devops
      comment: "Devops User"
      uid: 2001
      groups: devops

Any thoughts on what I might be doing wrong?

Upvotes: 11

Views: 18575

Answers (2)

Xiong Chiamiov

Reputation: 13694

sudo su - root is not the same thing as become_method: su.

su tries to switch to another user (by default, root) and requires you to authenticate as them (that is, enter their password). sudo is similar, except that it prompts for your password. To prevent this from being a catastrophic security issue, sudo only works for users who have been explicitly given access to it via /etc/sudoers.

When you use sudo su - root, you are saying:

  1. Elevate my privileges to root via sudo.
  2. With those elevated privileges, switch to the root user account.

Now, when you specify become_method: su in Ansible, you are telling Ansible to use su instead of sudo. The actual command will be different, but you can think of it as running the command su - root. See how that's different?

You should use become_method: sudo instead, or remove it entirely, as it's the default.

Upvotes: 9

Leon

Reputation: 32454

In 'sudo su - root' the root privilege is gained by sudo rather than su (that is why the latter doesn't ask for the root password, since it is invoked by a process already in the role of the root user).

However, in your setup you have specified become_method: su, which expects root's password.

So the fix will be to change become_method to sudo (or, if you know root's password, enter that one instead of your user's password).

Upvotes: 10
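
The fix both answers describe, applied to the playbook from the question, as an added example that is not part of the original posts. It assumes testuser is permitted to run commands as root in /etc/sudoers on the target host; the task name given to the group task is also an addition.

```yaml
---
# Added example: the question's playbook with the become method corrected.
# Assumption: testuser has sudo rights for root in /etc/sudoers on the target.
- hosts: all
  gather_facts: no
  remote_user: testuser
  become: yes
  # Was "su", which authenticates against root's password.
  # "sudo" authenticates against testuser's own password, which is the
  # password to type at the --ask-become-pass prompt. sudo is also the
  # default become method, so this line can be dropped entirely.
  become_method: sudo
  become_user: root
  any_errors_fatal: true

  tasks:
    - name: create devops group
      group:
        name: devops
        state: present

    - name: create devops user with admin privileges
      user:
        name: devops
        comment: "Devops User"
        uid: 2001
        groups: devops
```

The ansible-playbook command from the question stays the same; only the account whose password is checked changes.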
