When using an Ansible playbook, how do I store and use a password that contains quotes or other metacharacters without them being interpreted?

My company uses Ansible (I'm new to it), and we have a playbook and an associated role for joining new Linux machines to AD. Our admin account passwords are updated three times a day and we cannot set them ourselves. It works as long as the password does not contain a single quote '. There may be other characters that break the password as well, but I know that ' definitely breaks it.

Here are the relevant parts of the script:

cat setup-ad.yml

---
- hosts: "{{ hosts }}"

  vars_prompt:
  - name: "username"
    prompt: "Enter admin account"
    private: no

  - name: "password"
    prompt: "Enter Password"
    unsafe: yes
    private: yes

  vars:
    domain: "{{ 'mycompany.com' }}"
    passwd: "{{ password | regex_escape() }}"

  roles:
  - join-ad

grep -B2 -A3 'passwd' ./roles/join-ad/tasks/main.yml

  - name: join to active directory
    command: net ads join MYCOMPANY.COM -U {{ username }}@MYCOMPANY.COM%'{{ passwd }}' createcomputer=Restricted/Servers/Unix --request-timeout=120 --no-dns-updates
    no_log: false
    when: ansible_distribution_major_version >= 6

  - name: join to active directory
    command: net ads join MYCOMPANY.COM -U {{ username }}@MYCOMPANY.COM%'{{ passwd }}' createcomputer=Restricted/Servers/Unix --request-timeout=120
    no_log: false
    when: ansible_distribution_major_version <= 5

The error we get is:

TASK [join-ad : join to active directory] ************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: No closing quotation
fatal: [newserver.mycompany.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to newserver.mycompany.com closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n  File \"/root/.ansible/tmp/ansible-tmp-1590785720.2-224244797633747/AnsiballZ_command.py\", line 102, in <module>\r\n    _ansiballz_main()\r\n  File \"/root/.ansible/tmp/ansible-tmp-1590785720.2-224244797633747/AnsiballZ_command.py\", line 94, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/root/.ansible/tmp/ansible-tmp-1590785720.2-224244797633747/AnsiballZ_command.py\", line 40, in invoke_module\r\n    runpy.run_module(mod_name='ansible.modules.commands.command', init_globals=None, run_name='__main__', alter_sys=True)\r\n  File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module\r\n    fname, loader, pkg_name)\r\n  File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\r\n    mod_name, mod_fname, mod_loader, pkg_name)\r\n  File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\r\n    exec code in run_globals\r\n  File \"/tmp/ansible_command_payload_4D4oFT/ansible_command_payload.zip/ansible/modules/commands/command.py\", line 344, in <module>\r\n  File \"/tmp/ansible_command_payload_4D4oFT/ansible_command_payload.zip/ansible/modules/commands/command.py\", line 263, in main\r\n  File \"/usr/lib64/python2.7/shlex.py\", line 279, in split\r\n    return list(lex)\r\n  File \"/usr/lib64/python2.7/shlex.py\", line 269, in next\r\n    token = self.get_token()\r\n  File \"/usr/lib64/python2.7/shlex.py\", line 96, in get_token\r\n    raw = self.read_token()\r\n  File \"/usr/lib64/python2.7/shlex.py\", line 172, in read_token\r\n    raise ValueError, \"No closing quotation\"\r\nValueError: No closing quotation\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP *******************************************************************************************************
newserver.mycompany.com : ok=9    changed=0    unreachable=0    failed=1    skipped=2    rescued=0    ignored=0

OK, so the problem is that at some point the ' is being interpreted as the start of a quoted sequence of characters rather than as part of the password. My problem is that I don't know how to make Ansible? Python? YAML? Jinja? treat the user-entered string as just a string. Is "string literal" the correct term here?

If I ssh to the target server and run the net ads join command by hand, letting it prompt for my password, it works even when there is a ' in the password, so at least I know the problem isn't the Samba command.

Things I have tried (which did not help):

  • Adding "hard quotes" around {{ passwd }}
  • Adding unsafe: yes to the password definition
  • Adding passwd: "{{ password | regex_escape() }}" to escape the metacharacters
  • A lot of searching on Stack and Google

Any help would be much appreciated.

Answer 1

This might be what you are looking for:

- command: "net ads join MYCOMPANY.COM
            -U {{ username }}@MYCOMPANY.COM%{{ passwd|quote }}
            createcomputer=Restricted/Servers/Unix --request-timeout=120"

See: YAML gotchas; string filters.
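As an added example (not code from the original question or answer, and not Ansible's own code), the following Python script reproduces the failure in the traceback above and shows what the quote filter changes. It relies on three facts about Ansible: the command module tokenises the rendered command line with shlex.split() (which is why the traceback ends in shlex.read_token), the Jinja quote filter is shlex.quote(), and regex_escape in its default mode is re.escape(). The username and password are constructed sample values, not real credentials.

```python
"""Reproduce the 'No closing quotation' failure and the |quote fix.

Added example, not code from the original post or from Ansible.
Facts relied on: Ansible's command module tokenises the rendered line
with shlex.split(); the ``quote`` filter is shlex.quote(); the
``regex_escape`` filter (default mode) is re.escape().
"""
import re
import shlex

# Constructed sample values (not real credentials).
USERNAME = "admin"
PASSWORD = "pa'ss wo$rd"  # the single quote is the character the question says breaks it


def original_command(username: str, password: str) -> str:
    """Render the line the way the question's task does: the template itself
    wraps the password in literal single quotes."""
    return (
        "net ads join MYCOMPANY.COM "
        f"-U {username}@MYCOMPANY.COM%'{password}' "
        "createcomputer=Restricted/Servers/Unix --request-timeout=120"
    )


def quoted_command(username: str, password: str) -> str:
    """Render it the way the answer does: no hand-written quotes, and the
    password goes through shlex.quote (what {{ passwd|quote }} expands to)."""
    return (
        "net ads join MYCOMPANY.COM "
        f"-U {username}@MYCOMPANY.COM%{shlex.quote(password)} "
        "createcomputer=Restricted/Servers/Unix --request-timeout=120"
    )


def split_like_ansible(cmd: str):
    """Tokenise exactly as the command module does. Returns the argv list,
    or the ValueError message when the quoting is unbalanced."""
    try:
        return shlex.split(cmd)
    except ValueError as exc:
        return str(exc)


def password_as_seen_by_net(cmd: str) -> str:
    """Return the password part of the -U argument after tokenising,
    i.e. what `net ads join` would actually receive."""
    argv = split_like_ansible(cmd)
    if not isinstance(argv, list):
        raise ValueError(f"command did not tokenise: {argv}")
    user_arg = argv[argv.index("-U") + 1]
    return user_arg.split("%", 1)[1]


def quoted_but_regex_escaped(username: str, password: str) -> str:
    """The question's vars define passwd as password | regex_escape(), so
    quoting *that* value sends a backslash-mangled password to net."""
    return quoted_command(username, re.escape(password))


if __name__ == "__main__":
    print("original :", split_like_ansible(original_command(USERNAME, PASSWORD)))
    print("quoted   :", password_as_seen_by_net(quoted_command(USERNAME, PASSWORD)))
    print("escaped  :", password_as_seen_by_net(quoted_but_regex_escaped(USERNAME, PASSWORD)))
```

Two practical caveats follow from this. First, apply quote to the raw password variable rather than to the regex_escape()d passwd defined in the question's vars: quoted_but_regex_escaped above shows that the escaping inserts backslashes which then become part of the password handed to net. Second, the tasks in the question set no_log: false, so the rendered command line, password included, is written to Ansible's output and logs; once the quoting works, set no_log: true on those tasks.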
