Ansible Unlock Accounts

elalexluna83 · 05-29-2019, 02:52 PM

Hello There!

I am trying to unlock accounts using ansible, Below is the playbook i am using. and the error i am getting. Any idea?

Code:

---
- name: check locked account
  hosts: localhost
  gather_facts: no
  remote_user: root
  become: no

  tasks:
  - name: Is Locked?
    shell: "passwd --status {{ item }} | grep locked"
    # ignore_errors: yes
    # failed_when: false
    register: locked_output
    #changed_when: locked_output.rc == 0
    with_items:
            - user1
            - user2
    notify: unlock

  - debug: var=locked_output.results

  handlers:
  - name: unlock
    shell: "passwd --unlock {{ item }}"
    when: item.changed
    with_items: "{{ locked_output.results }}"

Code:

[root@localhost playbooks]# ansible-playbook unlock.yml

PLAY [check locked account] **********************************************************************************************************

TASK [Is Locked?] ********************************************************************************************************************
changed: [localhost] => (item=user1)
failed: [localhost] (item=user2) => {"changed": true, "cmd": "passwd --status user2 | grep locked", "delta": "0:00:00.010328", "end": "2019-05-29 14:49:38.503500", "item": "user2", "msg": "non-zero return code", "rc": 1, "start": "2019-05-29 14:49:38.493172", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

PLAY RECAP ***************************************************************************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1

dc.901 · 05-30-2019, 08:26 AM

Have you checked the accounts manually; outside of ansible?
Both accounts exists?
Both accounts are locked?

In another terminal window, tail -f /var/log/messages (or equivalent file for your OS)... Does that give you a better hint?

asv · 06-04-2019, 07:19 AM

Quote:

Originally Posted by elalexluna83

Hello There!

I am trying to unlock accounts using ansible

Hi. Just to clarify - "unlock" in `passwd` won't prevent user from logging-in via other means.
Is that something you are indeed trying to achieve?

vincix · 06-09-2019, 04:06 PM

I don't understand the logic asv is employing - I'm guessing he's trying to say exactly the opposite.

First question is: what distribution are you using?
Different distributions output quite different things when using passwd --status. On ubuntu you won't get the "locked" string as far as I can tell, for instance.

vincix · 06-09-2019, 04:31 PM

You're supposed to be telling us what distro you're using, but let's assume it's redhat based. On Centos "locked" is going to show up in passwd --status if that's the case. So I'm guessing you're using such a distro anyhow.

Your first problem is that grep is going to output an error code of 1 if it doesn't find the string you're searching for. Ansible doesn't tell the difference between different types of errors if you don't tell it explicitly to do so, so it's simply going to say that the command failed. This is how it should work. That's why the 'ignore_errors' directive shouldn't be commented, so that you can move further if you come across a user who's already unlocked.

You're clearly trying to run a playbook without knowing the basics of ansible, so I'd suggest starting with https://serversforhackers.com/c/an-ansible2-tutorial

When you reach - debug: var=locked_output.results you'll have seen that this variable is actually a whole array of things:

Quote:

ok: [some_public_ip] => {
"locked_output.results": [
{
"_ansible_ignore_errors": true,
"_ansible_item_label": "vinci",
"_ansible_item_result": true,
"_ansible_no_log": false,
"_ansible_notify": [
"unlock"
],
"_ansible_parsed": true,
"changed": true,
"cmd": "passwd --status vinci | grep locked",
"delta": "0:00:00.010490",
"end": "2019-06-09 23:21:19.801301",
"failed": false,
"invocation": {
"module_args": {
"_raw_params": "passwd --status vinci | grep locked",
"_uses_shell": true,
"argv": null,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"warn": true
}
},
"item": "vinci",
"rc": 0,
"start": "2019-06-09 23:21:19.790811",
"stderr": "",
"stderr_lines": [],
"stdout": "vinci LK 2016-09-04 0 99999 7 -1 (Password locked.)",
"stdout_lines": [
"vinci LK 2016-09-04 0 99999 7 -1 (Password locked.)"
]
}
]
}

and that you're trying to run passwd --unlock on this whole thing, which doesn't make any sense whatsoever.
This is why you eventually get:

Quote:

"stderr_lines": ["passwd: Only one user name may be specified."]