LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-29-2019, 02:52 PM   #1
elalexluna83
Member
 
Registered: Mar 2012
Posts: 54

Rep: Reputation: Disabled
Ansible Unlock Accounts


Hello There!

I am trying to unlock accounts using ansible, Below is the playbook i am using. and the error i am getting. Any idea?

Code:
---
- name: check locked account
  hosts: localhost
  gather_facts: no
  remote_user: root
  become: no

  tasks:
  - name: Is Locked?
    shell: "passwd --status {{ item }} | grep locked"
    # ignore_errors: yes
    # failed_when: false
    register: locked_output
    #changed_when: locked_output.rc == 0
    with_items:
            - user1
            - user2
    notify: unlock

  - debug: var=locked_output.results

  handlers:
  - name: unlock
    shell: "passwd --unlock {{ item }}"
    when: item.changed
    with_items: "{{ locked_output.results }}"
Code:
[root@localhost playbooks]# ansible-playbook unlock.yml

PLAY [check locked account] **********************************************************************************************************

TASK [Is Locked?] ********************************************************************************************************************
changed: [localhost] => (item=user1)
failed: [localhost] (item=user2) => {"changed": true, "cmd": "passwd --status user2 | grep locked", "delta": "0:00:00.010328", "end": "2019-05-29 14:49:38.503500", "item": "user2", "msg": "non-zero return code", "rc": 1, "start": "2019-05-29 14:49:38.493172", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

PLAY RECAP ***************************************************************************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1
 
Old 05-30-2019, 08:26 AM   #2
dc.901
Member
 
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS 6-7; SuSE 8-12
Posts: 599

Rep: Reputation: 174Reputation: 174
Have you checked the accounts manually; outside of ansible?
Both accounts exists?
Both accounts are locked?

In another terminal window, tail -f /var/log/messages (or equivalent file for your OS)... Does that give you a better hint?
 
Old 06-04-2019, 07:19 AM   #3
asv
LQ Newbie
 
Registered: Jun 2019
Distribution: Debian
Posts: 9

Rep: Reputation: Disabled
Quote:
Originally Posted by elalexluna83 View Post
Hello There!

I am trying to unlock accounts using ansible
Hi. Just to clarify - "unlock" in `passwd` won't prevent user from logging-in via other means.
Is that something you are indeed trying to achieve?
 
Old 06-09-2019, 04:06 PM   #4
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Rep: Reputation: 76
I don't understand the logic asv is employing - I'm guessing he's trying to say exactly the opposite.

First question is: what distribution are you using?
Different distributions output quite different things when using passwd --status. On ubuntu you won't get the "locked" string as far as I can tell, for instance.
 
Old 06-09-2019, 04:31 PM   #5
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,032

Rep: Reputation: 76
You're supposed to be telling us what distro you're using, but let's assume it's redhat based. On Centos "locked" is going to show up in passwd --status if that's the case. So I'm guessing you're using such a distro anyhow.

Your first problem is that grep is going to output an error code of 1 if it doesn't find the string you're searching for. Ansible doesn't tell the difference between different types of errors if you don't tell it explicitly to do so, so it's simply going to say that the command failed. This is how it should work. That's why the 'ignore_errors' directive shouldn't be commented, so that you can move further if you come across a user who's already unlocked.

You're clearly trying to run a playbook without knowing the basics of ansible, so I'd suggest starting with https://serversforhackers.com/c/an-ansible2-tutorial

When you reach - debug: var=locked_output.results you'll have seen that this variable is actually a whole array of things:
Quote:
ok: [some_public_ip] => {
"locked_output.results": [
{
"_ansible_ignore_errors": true,
"_ansible_item_label": "vinci",
"_ansible_item_result": true,
"_ansible_no_log": false,
"_ansible_notify": [
"unlock"
],
"_ansible_parsed": true,
"changed": true,
"cmd": "passwd --status vinci | grep locked",
"delta": "0:00:00.010490",
"end": "2019-06-09 23:21:19.801301",
"failed": false,
"invocation": {
"module_args": {
"_raw_params": "passwd --status vinci | grep locked",
"_uses_shell": true,
"argv": null,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"warn": true
}
},
"item": "vinci",
"rc": 0,
"start": "2019-06-09 23:21:19.790811",
"stderr": "",
"stderr_lines": [],
"stdout": "vinci LK 2016-09-04 0 99999 7 -1 (Password locked.)",
"stdout_lines": [
"vinci LK 2016-09-04 0 99999 7 -1 (Password locked.)"
]
}
]
}
and that you're trying to run passwd --unlock on this whole thing, which doesn't make any sense whatsoever.
This is why you eventually get:
Quote:
"stderr_lines": ["passwd: Only one user name may be specified."]
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Ansible Guide: Manage Files using Ansible LXer Syndicated Linux News 0 04-26-2019 10:32 AM
LXer: Ansible Guide: Create Ansible Playbook for LEMP Stack LXer Syndicated Linux News 0 04-13-2019 05:03 AM
LXer: Ansible Tutorial: Introduction to simple Ansible commands LXer Syndicated Linux News 0 05-21-2018 10:28 AM
LXer: Ansible Tutorial: Intorduction to simple Ansible commands LXer Syndicated Linux News 0 01-14-2018 05:37 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:17 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration