Hi,

Thanks for the link, unfortunately the instructions in that page didn't work for my system. Only once I added the following line to /etc/pam.d/sshd the system worked correctly:

account required pam_slurm.so

I could find no instructions in those pages about editing the /etc/pam.d/sshd file, maybe they should be reviewed.

On 2013-03-07 01:38, Moe Jette wrote:
>
> See the Slurm documents at schedmd.com. They are two years newer than
> the documents at llnl.gov
>
> www.schedmd.com/slurmdocs/faq.html#pam
>
> Quoting Marco Passerini <[email protected]>:
>
>>
>> Hi,
>>
>> That did the trick, many thanks!
>>
>> May I ask you, why did it work?
>>
>> In another of our systems (Centos5, slurm-2.3.2) PAM is working
>> properly, and we have the pam_slurm entry only in these files:
>> [root@n1 ~]# find /etc/pam.d/ | xargs grep slurm
>> /etc/pam.d/system-auth-ac:account required /lib64/security/pam_slurm.so
>> /etc/pam.d/system-auth:account required /lib64/security/pam_slurm.so
>>
>> And then we have the /etc/pam.d/slurm file.
>>
>> I couldn't find the /etc/pam.d/sshd mention in this guide:
>> http://lists.schedmd.com/cgi-bin/dada/mail.cgi/r/slurmdev/713622400776/
>>
>> On 2013-03-06 17:11, Karl Schulz wrote:
>>>
>>> I may have missed it, but did you update your pam config for sshd?
>>>
>>> # grep slurm /etc/pam.d/sshd
>>> account required /lib64/security/pam_slurm.so
>>>
>>> -k
>>>
>>> On Mar 6, 2013, at 7:48 AM, Marco Passerini <[email protected]> wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> I'm configuring a new cluster, with the latest development version of
>>>> Slurm. I'd like to have PAM configured to normally prevent users from
>>>> logging into the compute nodes, and allow them to log into the nodes
>>>> only when they have a valid allocation. I tried to configure Slurm-PAM
>>>> but it didn't work.
>>>>
>>>> The computing nodes run CentOS 6.3, are configured in the following way:
>>>>
>>>> [root@c2 ~]# rpm -qa | grep slurm
>>>> slurm-devel-2.6.0-0pre1.el6.x86_64
>>>> slurm-lua-2.6.0-0pre1.el6.x86_64
>>>> slurm-sql-2.6.0-0pre1.el6.x86_64
>>>> slurm-slurmdbd-2.4.3-1.el6.x86_64
>>>> slurm-plugins-2.6.0-0pre1.el6.x86_64
>>>> slurm-pam_slurm-2.6.0-0pre1.el6.x86_64
>>>> slurm-munge-2.6.0-0pre1.el6.x86_64
>>>> slurm-spank-x11-debuginfo-0.2.5-1.x86_64
>>>> slurm-2.6.0-0pre1.el6.x86_64
>>>> slurm-sjobexit-2.6.0-0pre1.el6.x86_64
>>>> slurm-sjstat-2.6.0-0pre1.el6.x86_64
>>>> slurm-perlapi-2.6.0-0pre1.el6.x86_64
>>>> slurm-torque-2.6.0-0pre1.el6.x86_64
>>>> slurm-spank-x11-0.2.5-1.x86_64
>>>>
>>>> [root@c2 ~]# rpm -ql slurm-pam_slurm
>>>> /lib64/security/pam_slurm.so
>>>>
>>>> [root@c2 ~]# cat /etc/pam.d/slurm
>>>> auth required pam_localuser.so
>>>> account required pam_unix.so
>>>> session required pam_limits.so
>>>>
>>>> [root@c2 ~]# cat /etc/pam.d/system-auth
>>>> #%PAM-1.0
>>>> # This file is auto-generated.
>>>> # User changes will be destroyed the next time authconfig is run.
>>>> auth required pam_env.so
>>>> auth sufficient pam_unix.so try_first_pass nullok
>>>> auth required pam_deny.so
>>>>
>>>> account required pam_unix.so broken_shadow
>>>> account required pam_slurm.so
>>>>
>>>> password requisite pam_cracklib.so try_first_pass retry=3 type=
>>>> password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
>>>> password required pam_deny.so
>>>>
>>>> session optional pam_keyinit.so revoke
>>>> session required pam_limits.so
>>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>> session required pam_unix.so
>>>>
>>>> [root@c2 ~]# ls -lah /etc/pam.d/slurm
>>>> -rw-r--r-- 1 root root 101 Aug 8 2012 /etc/pam.d/slurm
>>>>
>>>> [root@c2 ~]# ls -lah /etc/pam.d/system-auth
>>>> -rw-r--r-- 1 root root 745 Aug 8 2012 /etc/pam.d/system-auth
>>>>
>>>> [root@c2 ~]# cat /etc/slurm/slurm.conf | grep -i pam
>>>> UsePAM=1
>>>>
>>>> [root@c2 ~]# cat /etc/slurm/slurm.conf | grep -i PropagateRes
>>>> PropagateResourceLimitsExcept=MEMLOCK,RLIMIT_AS,RLIMIT_CPU,RLIMIT_NPROC,RLIMIT_CORE,RLIMIT_DATA,RLIMIT_RSS,STACK
>>>>
>>>> There's a copy of my ssh-key in the .ssh/authorized_keys in my home folder.
>>>>
>>>> On the nodes there's my user identity in /etc/passwd and /etc/group, but
>>>> there's not shadow file.
>>>>
>>>> If I login with my account to a node I can enter with no problems and
>>>> /var/log/secure says the following:
>>>>
>>>> Mar 6 15:22:35 c2 sshd[64542]: Accepted publickey for myusername from 10.10.0.13 port 54821 ssh2
>>>> Mar 6 15:22:35 c2 sshd[64542]: pam_unix(sshd:session): session opened for user myusername by (uid=0)
>>>>
>>>> So, how can I prevent normal users to enter into the nodes if there's no
>>>> allocation? Am I doing something wrong?
>>>>
>>>> Thanks in advance,
>>>> Marco
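
Added example, not part of the thread and not Slurm project code: a shell check that follows a PAM service file's include/substack lines and reports whether pam_slurm.so is actually reached by that service's account stack, which is the condition the /etc/pam.d/sshd change in the thread alters. The function names are hypothetical, the sample files are constructed, and the password-auth include in the sample sshd file is an assumed layout, not something shown in the thread.

```shell
#!/bin/sh
# Added example: does a PAM service's "account" stack reach a given module?
# Follows include/substack lines, because a module listed in system-auth
# only applies to services whose own file pulls system-auth in.

# Print the module basenames in SERVICE's account stack, one per line.
# Body runs in a subshell "( )" so variables stay local across recursion.
pam_account_modules() (
    service=$1; dir=${2:-/etc/pam.d}; depth=${3:-0}
    [ -r "$dir/$service" ] && [ "$depth" -lt 8 ] || exit 0   # loop guard
    # Collapse "[success=1 default=ignore]" controls into a single field.
    sed 's/\[[^]]*\]/[ctl]/' "$dir/$service" |
    while read -r type control module _rest; do
        type=${type#-}                   # "-account": leading dash is allowed
        [ "$type" = account ] || continue
        case $control in
            include|substack)
                pam_account_modules "$module" "$dir" $((depth + 1)) ;;
            *)  printf '%s\n' "${module##*/}" ;;
        esac
    done
)

# Exit 0 if MODULE is in the stack: pam_account_has SERVICE MODULE [DIR]
pam_account_has() {
    pam_account_modules "$1" "${3:-/etc/pam.d}" | grep -qxF "$2"
}

# Constructed sample tree (an assumption, not files from the thread):
# system-auth carries pam_slurm.so, but sshd includes password-auth instead.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'account required pam_unix.so broken_shadow' \
    'account required /lib64/security/pam_slurm.so' > "$demo/system-auth"
printf '%s\n' 'account required pam_unix.so' > "$demo/password-auth"
printf '%s\n' '#%PAM-1.0' 'auth include password-auth' \
    'account required pam_nologin.so' \
    'account include password-auth' > "$demo/sshd"

report() {
    if pam_account_has "$1" pam_slurm.so "$demo"
    then echo "$1: pam_slurm.so in account stack"
    else echo "$1: pam_slurm.so NOT in account stack"
    fi
}
report system-auth
report sshd                      # before the change described in the thread
echo 'account required pam_slurm.so' >> "$demo/sshd"
report sshd                      # after adding the line to the sshd file
```

On a real node, call pam_account_has sshd pam_slurm.so with no directory argument to check /etc/pam.d.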
