Sudo auth fails in the middle of playbook

Hi,

I’m having weird problems where sudo authentication seems to fail in the middle of a playbook.

The playbook is run like this:

ansible-playbook … -b --ask-become-pass … myplaybook.yml

The playbook includes this bit that I’m using to reproduce an actual problem:

  - name: test123
    command: touch /tmp/test/{{ item.key }}
    with_dict: "{{ users | combine(ext_users | default({})) }}"

When I run the playbook I get this error:

TASK [playbook1 : test123] ***********************************************
fatal: [foo.bar.baz]: FAILED! => {"failed": true, "msg": "ERROR! Incorrect sudo password"}

The strange part is that only some of the expected files get created (and owned by root), but the task appears to fail in the middle of iterating dictionary keys.
Since some files get created I assume 1) sudo password is correctly entered and 2) the task is run as root.

Any ideas why this happens?

marko

This seems to be related to our use of the pam_tally2 module.
I have the following configuration:

auth required pam_tally2.so file=/var/log/tallylog deny=5 even_deny_root unlock_time=1200

When I disable this the playbook gets executed without errors.

After running the playbook tally2 counts 14 failed logins for my account, though the sudo password should’ve been correctly entered (since some files do get created as root).

Do you have more than one auth backend in PAM, like pam_unix + pam_ldap? Do those have different passwords? A fail in one doesn’t necessarily mean that login fails.

Cheers,
Paul

I’m only using the pam_unix authentication method.
Apart from pam_tally2 my pam config is just the default Ubuntu 16.04 config.

thanks,

marko

The explanation seems to be that pam_tally2 records a failed login when the
login command is started, even before a password is entered. Normally, the
failed logins counter is reset when the user enters the correct password.

For login this works correctly when the following line is added in pam
config (common-auth):

auth required pam_tally2.so file=/var/log/tallylog deny=5 even_deny_root unlock_time=1200 serialize

However, when using sudo, the counter only gets reset when the following
line is added to pam configuration (common-account):

account required pam_tally2.so

So, the workaround is to add the above line in pam config.
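As an added check (not from the thread), the following POSIX shell script audits a PAM config directory for the asymmetry described above: pam_tally2 in the auth stack with no matching account line, which is what leaves sudo's failure tally uncleared. It assumes the Ubuntu 16.04 common-auth / common-account layout and builds two constructed sample directories, one with and one without the workaround.

```shell
#!/bin/sh
# Added example: detect pam_tally2 used for auth without an "account ... pam_tally2.so"
# line, the configuration that caused sudo to accumulate failed-login counts above.
# File names follow Ubuntu 16.04 (/etc/pam.d/common-auth, common-account); the
# sample contents below are constructed for this example.

# Usage: tally2_account_missing DIR
# Returns 0 (true) when auth uses pam_tally2 but the account stack does not.
tally2_account_missing() {
    dir="$1"
    if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_tally2\.so' "$dir/common-auth" 2>/dev/null; then
        return 1   # pam_tally2 not used for auth: nothing to reset
    fi
    if grep -Eq '^[[:space:]]*account[[:space:]].*pam_tally2\.so' "$dir/common-account" 2>/dev/null; then
        return 1   # account line present: tally is reset on successful auth
    fi
    return 0
}

# Build two constructed layouts: "broken" (thread's original config) and "fixed" (with workaround).
make_samples() {
    base="$(mktemp -d)"
    mkdir -p "$base/broken" "$base/fixed"
    for d in broken fixed; do
        cat > "$base/$d/common-auth" <<'EOF'
auth required pam_tally2.so file=/var/log/tallylog deny=5 even_deny_root unlock_time=1200
auth [success=1 default=ignore] pam_unix.so nullok_secure
EOF
        printf 'account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so\n' \
            > "$base/$d/common-account"
    done
    # The workaround from the thread: reset the tally in the account phase as well.
    printf 'account required pam_tally2.so\n' >> "$base/fixed/common-account"
    echo "$base"
}

# Usage: report PARENT_DIR  (one line per PAM directory under PARENT_DIR)
report() {
    for d in "$1"/*; do
        if tally2_account_missing "$d"; then
            echo "$(basename "$d"): pam_tally2 in auth but no account line; sudo failures will accumulate"
        else
            echo "$(basename "$d"): ok"
        fi
    done
}
```

Run `report "$(make_samples)"` to see both verdicts, or point `tally2_account_missing` at /etc/pam.d on a host.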