Re: [ClusterLabs] pcs cluster auth returns authentication error

2016-09-05 Thread Jan Pokorný
On 26/08/16 02:14 +, Jason A Ramsey wrote:
> Well, I got around the problem, but I don’t understand the solution…
> 
> I edited /etc/pam.d/password-auth and commented out the following line:
> 
> auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
> 
> Anyone have any idea why this was interfering?

No clear idea, but...

> On 08/25/2016 03:04 PM, Jason A Ramsey wrote:
>> type=USER_AUTH msg=audit(1472154922.415:69): user pid=1138 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
>> msg='op=PAM:authentication acct="hacluster" exe="/usr/bin/ruby"
>> hostname=? addr=? terminal=? res=failed'

First, this definitely has nothing to do with SELinux (as opposed to
"AVC" type of audit record).

As a wild guess, if you want to continue using pam_tally2 module
(seems like a good idea), I'd suggest giving magic_root option
a try (and perhaps evaluate if that would be an acceptable compromise).

-- 
Jan (Poki)


___
Users mailing list: Users@clusterlabs.org
http://clusterlabs.org/mailman/listinfo/users

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org
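
The distinction drawn in the reply above, that a USER_AUTH record carrying op=PAM:authentication is a PAM result and not an SELinux (AVC) denial, can be checked mechanically. The following Python is an added example, not part of the thread or of pcs; the first sample line is the record quoted in the thread joined onto one line, and the AVC and successful-login lines are constructed for contrast.

```python
import re
import shlex

# Constructed sample: the USER_AUTH record quoted in the thread (joined onto
# one line), plus a made-up AVC denial and a made-up successful login.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1472154922.415:69): user pid=1138 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:authentication acct="hacluster" exe="/usr/bin/ruby" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1472154930.101:70): avc:  denied  { read } for  pid=1200 comm="example" name="example.conf" dev=dm-0 ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=USER_AUTH msg=audit(1472154950.002:71): user pid=1300 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")

def parse_record(line):
    """Split one audit.log line into its type, serial and key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    # User-space records nest their payload in msg='...'; flatten it.
    inner = re.search(r"msg='(.*)'$", body)
    if inner:
        body = body[:inner.start()] + inner.group(1)
    fields = dict(t.split("=", 1) for t in shlex.split(body) if "=" in t)
    return {"type": rtype, "serial": int(serial), "fields": fields}

def classify(rec):
    """AVC records are SELinux denials; USER_AUTH records are PAM results."""
    f = rec["fields"]
    if rec["type"] == "AVC":
        return "selinux-denial"
    if rec["type"] == "USER_AUTH" and f.get("op") == "PAM:authentication":
        return "pam-auth-failed" if f.get("res") == "failed" else "pam-auth-ok"
    return "other"

def triage(log_text):
    """Return (serial, verdict, account, executable) for each parsed record."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            f = rec["fields"]
            rows.append((rec["serial"], classify(rec), f.get("acct"), f.get("exe")))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A "pam-auth-failed" verdict points at the PAM stack for the named executable (here /etc/pam.d/password-auth and its pam_tally2 line), while only "selinux-denial" rows call for looking at SELinux policy.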


Re: [ClusterLabs] pcs cluster auth returns authentication error

2016-08-25 Thread Jason A Ramsey
Well, I got around the problem, but I don’t understand the solution…

I edited /etc/pam.d/password-auth and commented out the following line:

auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900

Anyone have any idea why this was interfering?

--
 
[ jR ]
  @: ja...@eramsey.org
 
  there is no path to greatness; greatness is the path


Re: [ClusterLabs] pcs cluster auth returns authentication error

2016-08-25 Thread Jason A Ramsey
Still stuck, but here’s the output of the command with --debug turned on:

Error: node1: Username and/or password is incorrect
Error: node2: Username and/or password is incorrect
Running: /usr/bin/ruby -I/usr/lib/pcsd/ /usr/lib/pcsd/pcsd-cli.rb auth
--Debug Input Start--
{"username": "hacluster", "local": false, "nodes": ["node1", "node2"], "password": "", "force": false}
--Debug Input End--
Return Value: 0
--Debug Output Start--
{
  "status": "ok",
  "data": {
    "sync_responses": {
    },
    "sync_nodes_err": [

    ],
    "auth_responses": {
      "node2": {
        "status": "bad_password"
      },
      "node1": {
        "status": "bad_password"
      }
    },
    "sync_successful": true
  },
  "log": [
    "I, [2016-08-25T21:46:40.848381 #4825]  INFO -- : PCSD Debugging enabled\n",
    "D, [2016-08-25T21:46:40.848448 #4825] DEBUG -- : Detected RHEL 6\n",
    "I, [2016-08-25T21:46:40.848489 #4825]  INFO -- : Running: /usr/sbin/corosync-objctl cluster\n",
    "I, [2016-08-25T21:46:40.848526 #4825]  INFO -- : CIB USER: hacluster, groups: \n",
    "D, [2016-08-25T21:46:40.850328 #4825] DEBUG -- : []\n",
    "D, [2016-08-25T21:46:40.850378 #4825] DEBUG -- : [\"Failed to initialize the objdb API. Error 6\\n\"]\n",
    "D, [2016-08-25T21:46:40.850429 #4825] DEBUG -- : Duration: 0.001807s\n",
    "I, [2016-08-25T21:46:40.850501 #4825]  INFO -- : Return Value: 1\n",
    "W, [2016-08-25T21:46:40.850555 #4825]  WARN -- : Cannot read config 'cluster.conf' from '/etc/cluster/cluster.conf': No such file\n",
    "W, [2016-08-25T21:46:40.850609 #4825]  WARN -- : Cannot read config 'cluster.conf' from '/etc/cluster/cluster.conf': No such file or directory - /etc/cluster/cluster.conf\n",
    "I, [2016-08-25T21:46:40.851457 #4825]  INFO -- : SRWT Node: node1 Request: check_auth\n",
    "I, [2016-08-25T21:46:40.851554 #4825]  INFO -- : SRWT Node: node2 Request: check_auth\n"
  ]
}
--Debug Output End--


--
 
[ jR ]
  @: ja...@eramsey.org
 
  there is no path to greatness; greatness is the path



Re: [ClusterLabs] pcs cluster auth returns authentication error

2016-08-25 Thread Jason A Ramsey
Thanks for the response, Ken. I thought that might be the case, so I tried it 
with selinux disabled (setenforce=0). Same exact error. :-/

--
 
[ jR ]
  M: +1 (703) 628-2621
  @: ja...@eramsey.org
 
  there is no path to greatness; greatness is the path




Re: [ClusterLabs] pcs cluster auth returns authentication error

2016-08-25 Thread Ken Gaillot
On 08/25/2016 03:04 PM, Jason A Ramsey wrote:
> Please help. Just getting this thing stood up on a new set of servers
> and getting stymied right out the gate:
> 
>  
> 
> # pcs cluster auth node1 node2
> 
> Username: hacluster
> 
> Password:
> 
>  
> 
> I am **certain** that the password I’m providing is correct. Even still
> I get:
> 
>  
> 
> Error: node1: Username and/or password is incorrect
> 
> Error: node2: Username and/or password is incorrect
> 
>  
> 
> I also see this in /var/log/audit/audit.log:
> 
>  
> 
> type=USER_AUTH msg=audit(1472154922.415:69): user pid=1138 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
> msg='op=PAM:authentication acct="hacluster" exe="/usr/bin/ruby"
> hostname=? addr=? terminal=? res=failed'

That's an SELinux error. To confirm, try again with SELinux disabled.

I think distributions that package pcs also provide any SELinux policies
it needs. I'm not sure what those are, or the best way to specify them
if you're building pcs yourself, but it shouldn't be difficult to figure
out.

> I’ve gone so far as to change the password to ensure that it didn’t have
> any “weird” characters in it, but the error persists. Appreciate the help!
> 
>  
> 
> --
> 
>  
> 
> *[ jR ]*
> 
>   @: ja...@eramsey.org 
> 
>  
> 
>   /there is no path to greatness; greatness is the path/
