
I am having trouble with configuring Ansible and sudo to allow me to SSH into a server and run a command as another user.

I have gone through the questions / answers below and the Ansible documentation here: http://docs.ansible.com/intro_inventory.html

but I still can not get it to work.

Please can someone put me on the right track.

References:

Ansible: using different sudo user for different hosts – https://stackoverflow.com/questions/24743085/ansible-ssh-as-one-user-and-sudo-as-another

I am trying to do this:

server-01                  client-01
---------                  -----------
foo      ----> ssh --->    foo
                           bar      - sudo as root user

Using Ansible, connect from: server-01 to: client-01

using the user foo, and then use sudo to run a command as user bar. User bar is set up to be able to run any command.

However, I am not sure where the problem is, with sudo or Ansible. I think the problem is with sudo but I am not sure where.

This ansible command works:

[foo@server-01 ~]$ ansible client-01 -m raw -a "touch /var/tmp/testfile" --ask-sudo-pass

sudo password:     *********  ( password for foo user ) 
client-01 | success | rc=0 >>

This one does not work:

[foo@server-01 ~]$ ansible client-01 -m raw -a "touch /etc/testfile" --ask-sudo-pass

sudo password:    *********  ( password for foo user ) 
client-01 | FAILED | rc=1 >>
touch: cannot touch `/etc/testfile': Permission denied

I have passwordless SSH authentication set up between server-01 and client-01 for user foo and it works OK.

[foo@server-01 ~]$ id
uid=96(foo) gid=96(foo) groups=96(foo)
[foo@server-01 ~]$ su - foo
Password:
[foo@server-01 ~]$
[foo@server-01 ~]$
[foo@server-01 ~]$ ssh client-01
Last login: Thu Jan 15 16:32:05 2015 from server-01
[foo@client-01 ~]$

This is my setup:

server-01:  /etc/ansible/hosts
-------------------------------------
[clients]
client-01 ansible_sudo=true ansible_ssh_user=foo ansible_sudo_user=bar


client-01:  /etc/sudoers
-------------------------------------
[root@client-01 ~]# cat /etc/sudoers
#
root          ALL=(ALL)                           ALL
bar           ALL=(ALL)                           ALL
foo           ALL=(bar) NOPASSWD:                 ALL

When on the destination server ( client-01 ) I can test sudo. I think that sudo is the part that is not working, but because of this I can not set up any of the Ansible playbooks.

[root@client-01 ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@client-01 ~]# su - bar
[bar@client-01 ~]$ sudo -l
[sudo] password for bar:
User bar may run the following commands on this host:
    (ALL) ALL
[bar@client-01 ~]$ sudo touch /etc/tempfile
[bar@client-01 ~]$ ls -alp /etc/tempfile
-rw-r--r-- 1 root root 0 Jan 15 17:08 /etc/tempfile
[bar@client-01 ~]$ sudo rm /etc/tempfile
[bar@client-01 ~]$ exit
logout
[root@client-01 ~]# su - foo
[foo@client-01 ~]$ sudo -l
User foo may run the following commands on this host:
    (bar) NOPASSWD: ALL
[foo@client-01 ~]$ sudo touch /etc/tempfile
[sudo] password for foo:
Sorry, user foo is not allowed to execute '/bin/touch /etc/tempfile' as root on client-01.
[foo@client-01 ~]$ exit
logout

Maybe this is the line that is failing:

  foo           ALL=(bar) NOPASSWD:                 ALL

I thank you for any help.

Stuart

1 Answer

Can you SSH into the box normally and run both of those commands? Given the only difference is that path you're trying to touch, I'd guess it's a filesystem issue and not an ansible one.

UPDATE:

Try replacing the (bar) in your sudoers file with ALL, for now, and see if that works?

shearn89
  • Thanks for the quick reply. I am really sorry about the formatting of the question. This site seems dreadful for formatting. I will try and tidy it up. It looks fine when editing it though. At the moment it looks unreadable. – Stuart Jan 15 '15 at 16:58
  • No worries! You can use `ctrl-k` to turn text into `code` block, so that it preserves spacing and line breaks. – shearn89 Jan 15 '15 at 17:02
  • Thank you. I will edit the question to make it readable. – Stuart Jan 15 '15 at 17:04
  • There. My question is more readable now. Thank you. I think that problem is the sudo configuration "foo ALL=(bar) NOPASSWD: ALL" but I obtained this from two answers to questions on this site (references above). – Stuart Jan 15 '15 at 17:15
  • Excellent! I've updated my answer - your suspicion about the (bar) line is probably correct. – shearn89 Jan 15 '15 at 17:16
  • Thanks shearn89. Yes, that is the issue: the line in the sudo file does not work. This fails to give the permissions of user bar: "foo ALL=(bar) NOPASSWD: ALL". This works for giving user foo all commands as root: "foo ALL=(ALL) NOPASSWD: ALL". However, in Ansible I am using user foo for SSH and then another user has the ability to use root commands within the sudo file. This is the same as this question, but the answer given (my problem) does not work. http://stackoverflow.com/questions/24743085/ansible-ssh-as-one-user-and-sudo-as-another – Stuart Jan 15 '15 at 17:25
  • Thank you shearn89. That answers the question regarding sudo, though this is an Ansible problem. I think that I am not understanding Ansible, so I am asking on the Google Ansible site. Thanks for your help. – Stuart Jan 15 '15 at 20:28
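The behaviour in the question and the answer's suggestion both follow from one property of sudoers: the runas list in parentheses names the only target users a rule grants, and sudo never chains rules. With `foo ALL=(bar) NOPASSWD: ALL`, Ansible's `ansible_sudo_user=bar` makes the remote command run via `sudo -u bar`, so it executes as bar, not as root, and bar's own `(ALL) ALL` rule is never consulted. Writing to /var/tmp works because bar can write there; writing to /etc fails because only root can. The following toy evaluator is an added example written for this page, not sudo's parser or Ansible's code: it handles only the simple rule form shown on the page (no aliases, host matching or command paths) and uses a constructed copy of client-01's sudoers from the question.

```python
"""Toy evaluator for the sudoers rules shown on the page (added example).

Supports only "user HOST=(runas) [TAG:] commands" lines; aliases, host
matching, and per-command specs are deliberately out of scope.
"""
import re
from dataclasses import dataclass

# Constructed copy of client-01's /etc/sudoers from the question.
SUDOERS = """
#
root          ALL=(ALL)                           ALL
bar           ALL=(ALL)                           ALL
foo           ALL=(bar) NOPASSWD:                 ALL
"""

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<commands>.+)$"
)


@dataclass
class Rule:
    user: str
    host: str
    runas: tuple      # target users listed inside the parentheses
    nopasswd: bool
    commands: str


def parse_sudoers(text):
    """Parse the simple rule lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        # An empty runas list means root in real sudo; kept for completeness.
        runas = tuple(u.strip() for u in m.group("runas").split(",") if u.strip()) or ("root",)
        tags = m.group("tags").replace(" ", "").split(":")
        rules.append(Rule(m.group("user"), m.group("host"), runas,
                          "NOPASSWD" in tags, m.group("commands").strip()))
    return rules


def can_run_as(rules, user, target):
    """Return (allowed, needs_password) for `user` running `sudo -u target`.

    Only rules whose user field matches are consulted: sudo does not chain
    grants, so foo -> bar -> root is not a valid path even though bar may
    become root on its own.
    """
    for r in rules:
        if r.user != user:
            continue
        if "ALL" in r.runas or target in r.runas:
            return True, not r.nopasswd
    return False, False


def ansible_effective_user(rules, ssh_user, sudo_user):
    """User the remote command actually runs as with ansible_sudo=true and
    ansible_sudo_user set: Ansible issues a single `sudo -u <sudo_user>`,
    so the result is sudo_user itself or nothing at all."""
    allowed, _ = can_run_as(rules, ssh_user, sudo_user)
    return sudo_user if allowed else None


# Constructed approximation of which users may create files in each directory.
WRITABLE_BY = {"/var/tmp": None, "/etc": "root"}   # None = any user


def can_create_file(effective_user, path):
    """Mirror the two ad-hoc `touch` runs from the question."""
    directory = path.rsplit("/", 1)[0]
    owner_needed = WRITABLE_BY.get(directory, "root")
    return owner_needed is None or effective_user == owner_needed


if __name__ == "__main__":
    rules = parse_sudoers(SUDOERS)
    eff = ansible_effective_user(rules, "foo", "bar")
    for path in ("/var/tmp/testfile", "/etc/testfile"):
        print(path, "->", "success" if can_create_file(eff, path) else "Permission denied")
```

Running the block reproduces the page's two results: as bar, /var/tmp/testfile succeeds and /etc/testfile is refused. Changing the runas list to `(ALL)`, as the answer suggests, makes `can_run_as(rules, "foo", "root")` succeed; a tighter alternative that a reviewer would ask about is keeping `(root)` but replacing the trailing `ALL` with the specific commands the playbooks need, which this toy evaluator does not model.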