uyuni-project / uyuni

Source code for Uyuni
https://www.uyuni-project.org/
GNU General Public License v2.0

Not able to configure pam Authentication #6977

Open vega82 opened 1 year ago

vega82 commented 1 year ago

I am trying to configure Active Directory login for the Uyuni web frontend, so I followed the instructions for PAM configuration. The system is also joined to AD and communication to AD should work, I think.

While trying to log in I got the following errors:

[ajp-nio-0:0:0:0:0:0:0:1-8009-exec-8] WARN com.redhat.rhn.domain.user.legacy.UserImpl - PAM login for user User Testuser(id 5, org_id 1) failed with error unix2_chkpwd was inappropriately called from the command line or the password is incorrect.

[ajp-nio-0:0:0:0:0:0:0:1-8009-exec-8] ERROR com.suse.manager.webui.controllers.login.LoginController - LOCAL AUTH FAILURE: [Testuser]

cat /etc/pam.d/susemanager

#%PAM-1.0
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session

cat /etc/rhn/rhn.conf | grep pam_auth

pam_auth_service = susemanager

slsnow commented 1 year ago

@vega82

Hope you've already figured this out, but if not I have a few notes to share that have helped me in the past.


If you're still having issues, you can share more information about how you joined AD, and your configuration, including:

krakazyabra commented 6 months ago

Any news? Also faced with the same problem. Using FreeIPA as the directory backend; I can ssh into the Uyuni server with my FreeIPA user. Followed the guide.

uyuni-server:~ # cat /etc/nsswitch.conf | grep -v "#"
passwd: compat sss
group: compat sss
shadow: compat sss
hosts:      files dns
networks:   files dns
aliases:    files usrfiles
ethers:     files usrfiles
gshadow:    files usrfiles
netgroup: files sss
protocols:  files usrfiles
publickey:  files
rpc:        files usrfiles
services:   files usrfiles
automount: files sss
bootparams: files
netmasks:   files
sudoers: files sss

uyuni-server:~ # cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = DOMAIN.ORG
  dns_lookup_realm = true
  rdns = false
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  DOMAIN.ORG = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .dc1.domain.org = DOMAIN.ORG
  dc1.domain.org = DOMAIN.ORG
  uyuni-server.dc1.domain.org = DOMAIN.ORG

uyuni-server:~ # for i in /etc/pam.d/common-{account,auth,password,session}; do cat $i; done |grep -v "^#"
account requisite   pam_unix.so try_first_pass
account sufficient  pam_localuser.so
account required    pam_sss.so  use_first_pass
auth    required    pam_env.so
auth    sufficient  pam_unix.so try_first_pass
auth    required    pam_sss.so  use_first_pass
password    requisite   pam_cracklib.so
password    sufficient  pam_unix.so use_authtok nullok shadow try_first_pass
password    required    pam_sss.so  use_authtok
session  optional   pam_mkhomedir.so    umask=0077
session optional    pam_systemd.so
session required    pam_limits.so
session required    pam_unix.so try_first_pass
session optional    pam_sss.so
session optional    pam_umask.so
session optional    pam_env.so

uyuni-server:~ # tail -f /var/log/messages
2024-02-13T22:49:04.547296+00:00 Uyuni-Server unix2_chkpwd: pam_unix(susemanager:auth): authentication failure; logname= uid=472 euid=0 tty= ruser= rhost=  user=krakazyabra
2024-02-13T22:49:04.781555+00:00 Uyuni-Server unix2_chkpwd: pam_sss(susemanager:auth): authentication success; logname= uid=472 euid=0 tty= ruser= rhost= user=krakazyabra
2024-02-13T22:49:04.841542+00:00 Uyuni-Server unix2_chkpwd: pam_sss(susemanager:account): Access denied for user krakazyabra: 6 (Permission denied)
2024-02-13T22:49:04.841754+00:00 Uyuni-Server unix2_chkpwd[23347]: pam_acct_mgmt(susemanager, krakazyabra): Permission denied

uyuni-server:~ # satwho
admin
krakazyabra

UPD: I was able to login using my FreeIPA user by modifying /etc/pam.d/susemanager:

#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_sss.so
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

Maybe there are a lot of extra values; correct me if so.
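The log lines quoted above and the effect of the modified /etc/pam.d/susemanager can be replayed with a small evaluator of PAM control flags. This is an added example, not Uyuni project code and not something either commenter posted: the stacks are copied from this thread (password and session phases left out), the per-module outcomes are constructed from the quoted /var/log/messages lines (pam_unix auth failure, pam_sss auth success, pam_sss account Permission denied), and `include` is modelled as splicing the included rules into the calling stack; `substack` and bracketed controls are out of scope. It also makes one caveat visible: in the modified stack, `account sufficient pam_sss.so` followed by `account required pam_permit.so` means a Permission denied returned by pam_sss in the account phase no longer stops the login, so an access-control decision made on the SSSD side is not enforced for this service.

```python
import re
from dataclasses import dataclass

# Added example (not Uyuni project code): a minimal evaluator for the simple
# PAM control flags, used to replay the two 'susemanager' stacks from the thread.

RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass(frozen=True)
class Rule:
    phase: str    # auth | account | password | session
    control: str  # required | requisite | sufficient | optional | include | [...]
    module: str   # pam_*.so, or the included service name for "include"
    args: str = ""


def parse_pam(text):
    """Parse the body of a /etc/pam.d/<service> file into Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments such as #%PAM-1.0
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        rules.append(Rule(*m.groups()))
    return rules


def expand(stacks, service, phase):
    """Yield one phase's rules with 'include' lines spliced in place: the
    included rules join the calling stack, so their requisite/sufficient
    results end the whole stack, not just the included file."""
    for rule in stacks[service]:
        if rule.phase != phase:
            continue
        if rule.control == "include":
            yield from expand(stacks, rule.module, phase)
        else:
            yield rule


def module_result(rule, outcome):
    """What this module returns for the user under test (True = PAM_SUCCESS).
    pam_deny/pam_permit are fixed; anything not in 'outcome' is assumed to pass."""
    if rule.module == "pam_deny.so":
        return False
    if rule.module == "pam_permit.so":
        return True
    return outcome.get(f"{rule.phase}:{rule.module}", True)


def evaluate(stacks, service, phase, outcome):
    """Walk one phase of one service and return 'success' or 'fail'."""
    failed = False  # set once a required module fails; sticks until the end
    for rule in expand(stacks, service, phase):
        if rule.control.startswith("["):
            raise NotImplementedError(f"bracketed control not modelled: {rule}")
        ok = module_result(rule, outcome)
        if rule.control == "requisite" and not ok:
            return "fail"        # requisite failure ends the stack immediately
        if rule.control == "required" and not ok:
            failed = True        # keep walking, but the final result is failure
        if rule.control == "sufficient" and ok and not failed:
            return "success"     # later modules (pam_permit/pam_deny) never run
        # optional: result ignored (the only-module special case is not modelled)
    return "fail" if failed else "success"


# Stacks copied from the thread (password/session phases omitted).
ORIGINAL = {
    "susemanager": parse_pam("""
        #%PAM-1.0
        auth     include        common-auth
        account  include        common-account
    """),
    "common-auth": parse_pam("""
        auth    required    pam_env.so
        auth    sufficient  pam_unix.so try_first_pass
        auth    required    pam_sss.so  use_first_pass
    """),
    "common-account": parse_pam("""
        account requisite   pam_unix.so try_first_pass
        account sufficient  pam_localuser.so
        account required    pam_sss.so  use_first_pass
    """),
}
MODIFIED = {
    "susemanager": parse_pam("""
        auth        required      pam_env.so
        auth        sufficient    pam_sss.so
        auth        required      pam_deny.so
        account     required      pam_unix.so
        account     sufficient    pam_sss.so
        account     required      pam_permit.so
    """),
}

# Constructed from the quoted /var/log/messages lines: a FreeIPA-only user whose
# pam_unix auth fails (no local password), pam_sss auth succeeds, pam_sss account
# returns Permission denied, and who is not in /etc/passwd (pam_localuser fails).
SSSD_USER_DENIED = {
    "auth:pam_unix.so": False,
    "auth:pam_sss.so": True,
    "account:pam_localuser.so": False,
    "account:pam_sss.so": False,
}


def login_outcome(stacks, outcome=SSSD_USER_DENIED):
    """Result of the auth and account phases of the 'susemanager' service."""
    return {phase: evaluate(stacks, "susemanager", phase, outcome)
            for phase in ("auth", "account")}


def sss_account_denial_blocks_login(stacks):
    """True when a pam_sss account-phase denial actually stops the login,
    False when the stack's control flags override it."""
    return login_outcome(stacks)["account"] == "fail"


if __name__ == "__main__":
    for name, stacks in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, login_outcome(stacks),
              "pam_sss account denial enforced:", sss_account_denial_blocks_login(stacks))
```

Running it reproduces the log: the original stack authenticates the user via pam_sss but fails pam_acct_mgmt because the required pam_sss account check is denied, while the modified stack reports success for both phases because pam_permit.so closes the account phase after the sufficient pam_sss.so failure is ignored. `sss_account_denial_blocks_login` is the check to keep in mind when copying the modified file: it returns True for the original stack and False for the modified one.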