I am trying to use a simple Ansible playbook to automate changing the root password. However, on 4 of my hosts, the password is changed each time I run the playbook. So, with the simple playbook password.yml consisting of
SOLVED.
I’m not sure that it will help anyone else, but I found the cause of the problem. The 4 problem hosts had both passwd and shadow files, and for some historical reason had a password hash in both files. As Ansible was using getpwnam to look up the user details, it was getting the password hash from /etc/passwd. I’m guessing that getpwnam doesn’t look in /etc/shadow if the password field isn’t ‘x’. However, Ansible uses usermod to change the password. This must just detect that there is an /etc/shadow file and update the password field in this. The result was that it was always different and needed updating.
Setting /etc/passwd to use ‘x’ (as it should) cures the problem.
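
A check for the condition described in the post, as an added example that is not part of the original post: it lists every account whose /etc/passwd password field is something other than `x` and compares that field with the /etc/shadow entry. The function names, status labels and sample file contents are constructed for illustration.

```python
# Added example: find accounts whose password field in passwd is not 'x'
# and compare it with the shadow entry. Sample contents are constructed.

SAMPLE_PASSWD = """\
root:$6$oldsalt$OLDHASHVALUE:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$newsalt$NEWHASHVALUE:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
backup:*:18000:0:99999:7:::
alice:$6$salt$ALICEHASH:19000:0:99999:7:::
"""


def parse_password_fields(text):
    """Map user name -> second colon-separated field of passwd/shadow text."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0] or fields[0].startswith("#"):
            continue  # blank, comment or malformed line
        entries[fields[0]] = fields[1]
    return entries


def audit(passwd_text, shadow_text):
    """Return (user, status) for each passwd entry whose field is not 'x'."""
    passwd = parse_password_fields(passwd_text)
    shadow = parse_password_fields(shadow_text)
    findings = []
    for user, field in passwd.items():
        if field == "x":
            continue  # expected: the real hash lives only in shadow
        if user not in shadow:
            status = "no-shadow-entry"
        elif shadow[user] == field:
            status = "same-as-shadow"
        else:
            status = "differs-from-shadow"  # the two files disagree
        findings.append((user, status))
    return findings


if __name__ == "__main__":
    for user, status in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: passwd field is not 'x' ({status})")
```

To run it against a real host, pass the contents of /etc/passwd and /etc/shadow to `audit()`; reading /etc/shadow requires root.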