Hi, That did the trick, many thanks!
May I ask you, why did it work? In another of our systems (Centos5, slurm-2.3.2) PAM is working properly, and we have the pam_slurm entry only in these files: [root@n1 ~]# find /etc/pam.d/ | xargs grep slurm /etc/pam.d/system-auth-ac:account required /lib64/security/pam_slurm.so /etc/pam.d/system-auth:account required /lib64/security/pam_slurm.so And then we have the /etc/pam.d/slurm file. I couldn't find the /etc/pam.d/sshd mention in this guide: https://computing.llnl.gov/linux/slurm/faq.html#pam On 2013-03-06 17:11, Karl Schulz wrote: > > I may have missed it, but did you update your pam config for sshd? > > # grep slurm /etc/pam.d/sshd > account required /lib64/security/pam_slurm.so > > -k > > On Mar 6, 2013, at 7:48 AM, Marco Passerini <[email protected]> > wrote: > >> >> Hi, >> >> I'm configuring a new cluster, with the latest development version of >> Slurm. I'd like to have PAM configured to normally prevent users from >> logging into the compute nodes, and allow them to log into the nodes >> only when they have a valid allocation. I tried to configure Slurm-PAM >> but it didn't work. >> >> The computing nodes run CentOS 6.3, are configured in the following way: >> >> [root@c2 ~]# rpm -qa | grep slurm >> slurm-devel-2.6.0-0pre1.el6.x86_64 >> slurm-lua-2.6.0-0pre1.el6.x86_64 >> slurm-sql-2.6.0-0pre1.el6.x86_64 >> slurm-slurmdbd-2.4.3-1.el6.x86_64 >> slurm-plugins-2.6.0-0pre1.el6.x86_64 >> slurm-pam_slurm-2.6.0-0pre1.el6.x86_64 >> slurm-munge-2.6.0-0pre1.el6.x86_64 >> slurm-spank-x11-debuginfo-0.2.5-1.x86_64 >> slurm-2.6.0-0pre1.el6.x86_64 >> slurm-sjobexit-2.6.0-0pre1.el6.x86_64 >> slurm-sjstat-2.6.0-0pre1.el6.x86_64 >> slurm-perlapi-2.6.0-0pre1.el6.x86_64 >> slurm-torque-2.6.0-0pre1.el6.x86_64 >> slurm-spank-x11-0.2.5-1.x86_64 >> >> [root@c2 ~]# rpm -ql slurm-pam_slurm >> /lib64/security/pam_slurm.so >> >> [root@c2 ~]# cat /etc/pam.d/slurm >> auth required pam_localuser.so >> account required pam_unix.so >> session required pam_limits.so >> >> >> [root@c2 ~]# cat /etc/pam.d/system-auth >> #%PAM-1.0 >> # This file is auto-generated. >> # User changes will be destroyed the next time authconfig is run. >> auth required pam_env.so >> auth sufficient pam_unix.so try_first_pass nullok >> auth required pam_deny.so >> >> account required pam_unix.so broken_shadow >> account required pam_slurm.so >> >> password requisite pam_cracklib.so try_first_pass retry=3 type= >> password sufficient pam_unix.so try_first_pass use_authtok nullok >> sha512 shadow >> password required pam_deny.so >> >> session optional pam_keyinit.so revoke >> session required pam_limits.so >> session [success=1 default=ignore] pam_succeed_if.so service in >> crond quiet use_uid >> session required pam_unix.so >> >> >> [root@c2 ~]# ls -lah /etc/pam.d/slurm >> -rw-r--r-- 1 root root 101 Aug 8 2012 /etc/pam.d/slurm >> >> [root@c2 ~]# ls -lah /etc/pam.d/system-auth >> -rw-r--r-- 1 root root 745 Aug 8 2012 /etc/pam.d/system-auth >> >> >> [root@c2 ~]# cat /etc/slurm/slurm.conf | grep -i pam >> UsePAM=1 >> >> [root@c2 ~]# cat /etc/slurm/slurm.conf | grep -i PropagateRes >> PropagateResourceLimitsExcept=MEMLOCK,RLIMIT_AS,RLIMIT_CPU,RLIMIT_NPROC,RLIMIT_CORE,RLIMIT_DATA,RLIMIT_RSS,STACK >> >> There's a copy of my ssh-key in the .ssh/authorized_keys in my home folder. >> >> On the nodes there's my user identity in /etc/passwd and /etc/group, but >> there's not shadow file. >> >> If I login with my account to a node I can enter with no problems and >> /var/log/secure says the following: >> >> Mar 6 15:22:35 c2 sshd[64542]: Accepted publickey for myusername from >> 10.10.0.13 port 54821 ssh2 >> Mar 6 15:22:35 c2 sshd[64542]: pam_unix(sshd:session): session opened >> for user myusername by (uid=0) >> >> So, how can I prevent normal users to enter into the nodes if there's no >> allocation? Am I doing something wrong? >> >> Thanks in advance, >> Marco -- Marco Passerini System Specialist CSC IT Center for Science Mobile: +358 50 381 8424 E-Mail: [email protected]
