[ansible-project] Re: HELP: Problem with 'become' and pbrun

Nitin Thakur Thu, 13 Dec 2018 08:10:47 -0800

Even I have issues running ansible with powerbroker.
Can you please advise?


The output from ansible server  is
************TRUNCATED**********************
<bonnie.corp.toronto.ca> ESTABLISH SSH CONNECTION FOR USER: ithakur
<bonnie.corp.toronto.ca> SSH: EXEC sshpass -d14 ssh -C -o 
ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 
User=ithakur -o ConnectTimeout=10 -o 
ControlPath=/home/ithakur/.ansible/cp/f7a7b94991 bonnie.corp.toronto.ca 
'/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo 
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853 `" && 
echo ansible-tmp-1544716066.76-279050599284853="` echo 
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853 `" ) 
&& sleep 0'"'"''
<bonnie.corp.toronto.ca> (0, 
'ansible-tmp-1544716066.76-279050599284853=/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853\n',
 
'')
Using module file 
/usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<bonnie.corp.toronto.ca> PUT 
/home/ithakur/.ansible/tmp/ansible-local-99556TgIARg/tmpq1ZjQE TO 
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853/command.py
<bonnie.corp.toronto.ca> SSH: EXEC sshpass -d14 sftp -o BatchMode=no -b - 
-C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no 
-o User=ithakur -o ConnectTimeout=10 -o 
ControlPath=/home/ithakur/.ansible/cp/f7a7b94991 '[bonnie.corp.toronto.ca]'
<bonnie.corp.toronto.ca> (0, 'sftp> put 
/home/ithakur/.ansible/tmp/ansible-local-99556TgIARg/tmpq1ZjQE 
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853/command.py\n',
 
'')
<bonnie.corp.toronto.ca> ESTABLISH SSH CONNECTION FOR USER: ithakur
<bonnie.corp.toronto.ca> SSH: EXEC sshpass -d14 ssh -C -o 
ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 
User=ithakur -o ConnectTimeout=10 -o 
ControlPath=/home/ithakur/.ansible/cp/f7a7b94991 bonnie.corp.toronto.ca 
'/bin/sh -c '"'"'chmod u+x 
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853/ 
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853/command.py 
&& sleep 0'"'"''
<bonnie.corp.toronto.ca> (0, '', '')
<bonnie.corp.toronto.ca> ESTABLISH SSH CONNECTION FOR USER: ithakur
<bonnie.corp.toronto.ca> SSH: EXEC sshpass -d14 ssh -C -o 
ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 
User=ithakur -o ConnectTimeout=10 -o 
ControlPath=/home/ithakur/.ansible/cp/f7a7b94991 -tt bonnie.corp.toronto.ca 
'/bin/sh -c '"'"'pbrun  -u root '"'"'"'"'"'"'"'"'echo 
BECOME-SUCCESS-mqwghadmolrcjovmnwvtcsmcbeorgfzs; /usr/bin/python 
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853/command.py'"'"'"'"'"'"'"'"'
 
&& sleep 0'"'"''
<bonnie.corp.toronto.ca> (127, 'Command rejected !\r\n\r\nYou can run the 
following commands on bonnie.corp.toronto.ca :\r\npbrun su -\r\npbrun 
gentok username token YYYY/MM/DD YYYY/MM/DD server1 server2 
...\r\n\r\npbrun9.4.3-18[119443]: If you need further help, please contact 
SysAdmin!\r\n', 'Shared connection to bonnie.corp.toronto.ca closed.\r\n')
<bonnie.corp.toronto.ca> ESTABLISH SSH CONNECTION FOR USER: ithakur
<bonnie.corp.toronto.ca> SSH: EXEC sshpass -d14 ssh -C -o 
ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 
User=ithakur -o ConnectTimeout=10 -o 
ControlPath=/home/ithakur/.ansible/cp/f7a7b94991 bonnie.corp.toronto.ca 
'/bin/sh -c '"'"'rm -f -r 
/home/ithakur/.ansible/tmp/ansible-tmp-1544716066.76-279050599284853/ > 
/dev/null 2>&1 && sleep 0'"'"''
<bonnie.corp.toronto.ca> (0, '', '')
fatal: [bonnie.corp.toronto.ca]: FAILED! => {
    "changed": false, 
    "module_stderr": "Shared connection to bonnie.corp.toronto.ca 
closed.\r\n", 

#####################################
tHE POWER BROKER CONF FILE IS 
AnsibleUsers = {"ansible", "ithakur"}; AnsibleCommands = {"/bin/sh" , 
"/usr/bin/python"};

if ( user in AnsibleUsers && command in AnsibleCommands ) {
    if ( ( runargv[1] == "-c" && runargv[2] == "echo" ) || ( 
glob("~/.ansible/tmp/ansible-tmp-*/command.py", runargv[1]) == 0 ) ) {
    runuser = "root";
    rungroup = "!g!";
    rungroups = {"!G!"};
    runcommand = command;
#    runcommand = basename(command);
#    setenv("PATH", "/sbin:/bin:/usr/bin:/usr/local/bin:/usr/sbin");
#    iolog = logmktemp("/tmp/" + user + "/pb." + user + "." + command + 
"."+ strftime("%m-%d-%y.%H-%M-%S")+ ".XXXXXX");
#    print("This request will be logged in:", iolog);
    accept;
    }
}

cAN YOU ADVISE WHY IT FAILS.
THERE IS A GLOBAL POLICY WHER I HAVE pbrun su - 
On Friday, April 1, 2016 at 7:18:16 PM UTC-4, phillip....@gmail.com wrote:
>
> I'm relatively experienced with Ansible 1.3, but just now trying to bring 
> Ansible 2.0 for the first time in a new project (and hoping to displace 
> chef). I Have round 1k servers to manage that use pbrun, but others 
> installed and control pbrun,
> I have traditional sudo in a few of these hosts as well, but pbrun is the 
> preferred privilege elevation method
>
> I use all ssh-config auth in the following example.
>
> HELP - I really need to figure this out, as ansible will be mostly useless 
> to me unless I can reliably use it with pbrun
>
>  $ ansible all -i myhosts -o -m shell -a 'uptime' -b --become-method pbrun
> c00413.mydom.com | FAILED! => {"changed": false, "failed": true, 
> "module_stderr": "", "module_stdout": "/bin/bash: pbrun: command not 
> found\r\n", "msg": "MODULE FAILURE",                "parsed": false}
> c00414.mydom.com | FAILED! => {"changed": false, "failed": true, 
> "module_stderr": "", "module_stdout": "/bin/bash: pbrun: command not 
> found\r\n", "msg": "MODULE FAILURE",                "parsed": false}
> c00415.mydom.com | FAILED! => {"changed": false, "failed": true, 
> "module_stderr": "", "module_stdout": "/bin/bash: pbrun: command not 
> found\r\n", "msg": "MODULE FAILURE",                "parsed": false}
> c00416.mydom.com | FAILED! => {"changed": false, "failed": true, 
> "module_stderr": "", "module_stdout": "/bin/bash: pbrun: command not 
> found\r\n", "msg": "MODULE FAILURE",                "parsed": false}
> c00417.mydom.com | FAILED! => {"changed": false, "failed": true, 
> "module_stderr": "", "module_stdout": "/bin/bash: pbrun: command not 
> found\r\n", "msg": "MODULE FAILURE",                "parsed": false}
> c00418.mydom.com | FAILED! => {"changed": false, "failed": true, 
> "module_stderr": "", "module_stdout": "/bin/bash: pbrun: command not 
> found\r\n", "msg": "MODULE FAILURE",                "parsed": false}
>
>
>  $  ansible all -i myhosts -o -m shell -a 'uptime' -b --become-method 
> '/opt/pb/bin/pbrun'
> c00413.mydom.com | FAILED! => {"failed": true, "msg": "Privilege 
> escalation method not found: /opt/pb/bin/pbrun"}
> c00414.mydom.com | FAILED! => {"failed": true, "msg": "Privilege 
> escalation method not found: /opt/pb/bin/pbrun"}
> c00415.mydom.com | FAILED! => {"failed": true, "msg": "Privilege 
> escalation method not found: /opt/pb/bin/pbrun"}
> c00416.mydom.com | FAILED! => {"failed": true, "msg": "Privilege 
> escalation method not found: /opt/pb/bin/pbrun"}
> c00417.mydom.com | FAILED! => {"failed": true, "msg": "Privilege 
> escalation method not found: /opt/pb/bin/pbrun"}
> c00418.mydom.com | FAILED! => {"failed": true, "msg": "Privilege 
> escalation method not found: /opt/pb/bin/pbrun"}
>
> *Here is my cfg file  ... i did make a few changes trying to troubleshoot 
> this*
>
> [defaults]
>
> # some basic default values...
>
> hostfile       = ./hosts
> inventory      = ./hosts
> library        = /usr/share/ansible
> remote_tmp     = $HOME/.ansible/tmp
> pattern        = *
> forks          = 20
> poll_interval  = 10
> sudo_user      = root
> transport      = ssh
> remote_port    = 22
> module_lang    = C
>
> gathering = implicit
>
> # change this for alternative sudo implementations
> #sudo_exe = sudo         <<changed this
> #module_name = shell     <<changed this
> #ask_sudo_pass= true     <<changed this
>
> executable = /bin/bash   <<added this
> # the message changed when I made that change
> #FAILED! => {"changed": false, "failed": true, "module_stderr": "", 
> "module_stdout": "/bin/sh: pbrun: command not found\r\n", "msg": "MODULE 
> FAILURE", "p               arsed": false}
>
> # SSH timeout
> timeout = 3
>
> [ssh_connection]
>
> # ssh arguments to use
> # Leaving off ControlPersist will result in poor performance, so use
> # paramiko on older platforms rather than removing it
> ssh_args = -o ControlMaster=auto -o ControlPersist=1800s
> #1800 seconds is 30min
>
>
>
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/cd189d54-265a-43c8-8224-cccbb3154adc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ansible-project] Re: HELP: Problem with 'become' and pbrun

Reply via email to