sudo not being used on remote host

I am on server A logged in as user A with sudo permissions. I am attempting to run a privileged command on server b as user A. User A on server b also has sudo permissions. However I am getting permission errors:

Inventory File:

[rhershkow@if21d0002 ansible]$ more inventory
if21d0001 ansible_ssh_user=rhershkow

Config File:

[rhershkow@if21d0002 ansible]$ more ansible.cfg
[defaults]
inventory = /home/rhershkow/demo/ansible/inventory
[privilege_escalation]
become=true
become_method=sudo
become_user=rhershkow
become_ask_pass=False

Example.yml:

[rhershkow@if21d0002 ansible]$ more example.yml
- name: New user is created
  hosts: if21d0001
  become: true
  tasks:
  - name: User gets created
    user:
      name: test
      state: present

Execution Errors:

[rhershkow@if21d0002 ansible]$ ansible-playbook example.yml

PLAY [New user is created] **************************************************************************************

TASK [Gathering Facts] ******************************************************************************************
ok: [if21d0001]

TASK [User gets created] ****************************************************************************************
fatal: [if21d0001]: FAILED! => {"changed": false, "msg": "useradd: Permission denied.\nuseradd: cannot lock /etc/passwd; try again later.\n", "name": "test", "rc": 1}
to retry, use: --limit @/home/rhershkow/demo/ansible/example.retry

PLAY RECAP ******************************************************************************************************
if21d0001 : ok=1 changed=0 unreachable=0 failed=1

If I am reading this correctly, it appears that you are using an ssh user of rhershkow from your inventory but then in your ansible.cfg file you are using become_user=rhershkow. This would tell ansible to sudo into the user rhershkow (i.e. sudo -u rhershkow). Does the rhershkow user have permissions to run useradd? You likely want to just omit the become_user value, as that would let Ansible try and use sudo without the -u option. Please let us know if this helps.

In addition, this sounds more like a general Ansible question (instead of an AWX question). Please refer to https://www.ansible.com/community for some of the other mailing lists available; most likely a question like this should be sent to the ansible-project mailing list.

-John

rhershkow does not have adduser permissions by itself but does have sudo. The question is how I can get Ansible to use sudo when running the useradd.

Not sure if you checked the documentation on the topic already (https://docs.ansible.com/ansible/latest/user_guide/become.html)

Your goal is to ssh with the user rhershkow and for privilege escalation you want to use sudo.
To achieve that you wouldn't need to configure anything in the ansible.cfg, since sudo is the default become plugin that is used.

ansible.cfg:

[defaults]
inventory = /home/rhershkow/demo/ansible/inventory
[privilege_escalation]
become=true            # makes every task run with escalated privileges and doesn't make a difference, since you also defined 'become: true' in your playbook
become_method=sudo     # default
become_user=rhershkow  # this is probably what causes your error
become_ask_pass=False  # default

So, you can remove the whole [privilege_escalation] section from your config and it should do what you expect.

As John also described already, at the moment you are basically using sudo to become the rhershkow user instead of root - that's why you aren't allowed to create the user.

Tried this but still getting errors:

[rhershkow@if21d0002 ansible]$ more ansible.cfg
[defaults]
inventory = /home/rhershkow/demo/ansible/inventory

[rhershkow@if21d0002 ansible]$ ansible-playbook example.yml

PLAY [New user is created] **************************************************************************************

TASK [Gathering Facts] ******************************************************************************************
fatal: [if21d0001]: FAILED! => {"changed": false, "module_stderr": "Shared connection to if21d0001 closed.\r\n", "module_stdout": "Sorry, user rhershkow is not allowed to execute '/bin/sh -c echo BECOME-SUCCESS-mtbaqhdtglwsyaknythnllvxiexciehc; /usr/bin/python /home/rhershkow/.ansible/tmp/ansible-tmp-1644519085.4-23992700985121/setup.py; rm -rf "/home/rhershkow/.ansible/tmp/ansible-tmp-1644519085.4-23992700985121/" > /dev/null 2>&1' as root on if21d0001.\r\n", "msg": "MODULE FAILURE", "rc": 1}
to retry, use: --limit @/home/rhershkow/demo/ansible/example.retry

PLAY RECAP ******************************************************************************************************
if21d0001 : ok=0 changed=0 unreachable=0 failed=1

[rhershkow@if21d0002 ansible]$

Well, can the user create a user if you try it manually?

Also, you are now failing at the Gathering Facts task, which was working previously.
Is there a restrictive sudoers config in place, that only allows for certain commands?

You might want to try and move the 'become: true' line to only the user task. That's where you actually need it. At the moment you have it set for the whole play.

- name: New user is created
  hosts: if21d0001
  tasks:
  - name: User gets created
    user:
      name: test
      state: present
    become: true

However, it should generally still work no matter where you define it. If your user is only allowed to run certain commands via sudo, this will obviously cause some problems though.
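As an added example (not code from this thread or from Ansible itself), a small Python audit that covers both points raised above: it flags an ansible.cfg whose become_user equals the inventory's SSH user (so sudo -u only becomes the same user and nothing is escalated), and it classifies the two failure messages seen in this thread, separating a task that ran unprivileged from a sudoers rule that does not permit the /bin/sh command Ansible runs under become. The sample config, inventory and messages are constructed to mirror the thread rather than copied from it.

```python
import configparser
import re
# Constructed sample input modelled on the files in this thread (not the poster's verbatim files).
ANSIBLE_CFG = """[defaults]
inventory = /home/rhershkow/demo/ansible/inventory
[privilege_escalation]
become=true
become_method=sudo
become_user=rhershkow
become_ask_pass=False
"""
INVENTORY = "if21d0001 ansible_ssh_user=rhershkow\n"
# Matches the sudoers denial from the second run ("user X is not allowed to execute ... as root on HOST").
SUDO_DENIED = re.compile(r"user (\S+) is not allowed to execute .* as (\S+) on (\S+?)\.?(?:\s|$)")

def parse_inventory(text):
    """Map host -> host vars for a simple INI-style inventory without groups."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", "[")):
            hosts[parts[0]] = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return hosts

def audit_become(cfg_text, inventory_text):
    """Flag hosts whose become_user is the SSH user itself: sudo -u <self> escalates nothing."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    become_user = cfg.get("privilege_escalation", "become_user", fallback=None)
    findings = []
    if become_user is None:  # unset become_user defaults to root, nothing to flag
        return findings
    for host, hv in parse_inventory(inventory_text).items():
        ssh_user = hv.get("ansible_user", hv.get("ansible_ssh_user"))
        if ssh_user == become_user:
            findings.append(f"{host}: become_user equals the SSH user {ssh_user}; "
                            f"sudo -u {ssh_user} is a no-op, so root-only tasks fail")
    return findings

def classify_become_failure(module_output):
    """Map an Ansible failure message like those in this thread to a short diagnosis."""
    m = SUDO_DENIED.search(module_output)
    if m:
        user, target, host = m.groups()
        return f"sudoers on {host} denies {user} a shell as {target}; check 'sudo -l' on that host"
    if "Permission denied" in module_output:
        return "task ran unprivileged; become did not escalate to root"
    return "unclassified"
```

Running audit_become against the first ansible.cfg in this thread reports the become_user finding; running it against the trimmed config with no [privilege_escalation] section reports nothing, which matches the advice above.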