nrser is the user on my machine. i understood ansible_ssh_user=sysadmin
to mean it would connect as sysadmin.

this works fine from my machine to the target:

ssh [email protected]

i'm able to execute non-sudo tasks just fine, and nrser doesn't exist as
a user on the target machine, so it can't be connecting as nrser... i'm
pretty sure it's connecting as sysadmin

On Thu, Sep 24, 2015, at 11:28 AM, Joanna Delaporte wrote:
> Hi Neil,
>
> From the debug output, it's trying to connect as nruser: debug1:
> Reading configuration data /Users/nrser/.ssh/config
>
> Do you know where you have specified that ansible should connect
> as nruser?
>
> Joanna
>
> On Thursday, September 24, 2015 at 10:58:36 AM UTC-5, nrser wrote:
>> hey, i'm having issues with privilege escalation on OSX (all machines
>> at version 10.10 with ansible ):
>>
>> we are using ansible to help manage our workstations, and when i
>> execute playbooks locally using ansible_connection=local on the
>> target as the user (josh in this case), tasks with sudo: true
>> work fine
>>
>> when executing from my machine any sudo tasks fail with permissions
>> errors.
>>
>> i'm using an inventory line like
>>
>> josh ansible_ssh_host=Joshs-MacBook-Pro.local ansible_ssh_user=sysadmin ansible_become_user=josh
>>
>> Josh's machine has a sysadmin user that i can log into using my ssh
>> key that is part of the admin group and has
>>
>> sysadmin ALL=(ALL) NOPASSWD:ALL
>>
>> in the /etc/sudoers file. the josh user is also in admin and has "no
>> password" setup in sudoers.
>>
>> when executing from my machine, i get errors like
>>
>> failed: [josh] => {"failed": true, "parsed": false}
>> BECOME-SUCCESS-bcpvkbjdbokqphwizmnpqwllqehnwiyh
>> Traceback (most recent call last):
>>   File "/tmp/ansible-tmp-1443108894.49-142723340060191/lineinfile", line 2217, in <module>
>>     main()
>>   File "/tmp/ansible-tmp-1443108894.49-142723340060191/lineinfile", line 394, in main
>>     ins_aft, ins_bef, create, backup, backrefs)
>>   File "/tmp/ansible-tmp-1443108894.49-142723340060191/lineinfile", line 201, in present
>>     f = open(dest, 'rb')
>> IOError: [Errno 13] Permission denied: '/etc/sudoers'
>> OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
>> debug1: Reading configuration data /Users/nrser/.ssh/config
>> debug1: Reading configuration data /etc/ssh_config
>> debug1: /etc/ssh_config line 20: Applying options for *
>> debug1: /etc/ssh_config line 53: Applying options for *
>> debug1: auto-mux: Trying existing master
>> debug1: mux_client_request_session: master session id: 2
>> Shared connection to Joshs-MacBook-Pro.local closed.
>>
>>
>> FATAL: all hosts have already failed -- aborting
>>
>> i also get errors when trying anything with sudo or become_user, not
>> just touching /etc/sudoers.
>>
>> all the users involved have no-password sudo permissions... i don't
>> understand why they can't escalate.
>>
>> anyone have any info / ideas / suggestions?
>>
>> thanks, Neil.
>>
>


-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/1443116106.2035999.392714513.75039CAC%40webmail.messagingengine.com.
For more options, visit https://groups.google.com/d/optout.
