It worked now. I guess I missed knox restarting somewhere.
On Sat, Jun 30, 2018 at 10:19 AM, Lian Jiang <[email protected]> wrote:
> Furthermore, knoxcli.sh shows guest authentication is ok:
>
> sudo bin/knoxcli.sh user-auth-test --cluster ui --u guest --p "{PASSWORD}"
> LDAP authentication successful!
>
> The output shows LDAP but OS auth is used:
>
> <provider>
> <role>authentication</role>
> <name>ShiroProvider</name>
> <enabled>true</enabled>
> <param>
> <name>sessionTimeout</name>
> <value>30</value>
> </param>
> <param>
> <name>main.pamRealm</name>
> <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
> </param>
> <param>
> <name>main.pamRealm.service</name>
> <value>knox</value>
> </param>
> <param>
> <name>urls./**</name>
> <value>authcBasic</value>
> </param>
> </provider>
> <provider>
> <role>identity-assertion</role>
> <name>Default</name>
> <enabled>true</enabled>
> </provider>
> <provider>
> <role>authorization</role>
> <name>XASecurePDPKnox</name>
> <enabled>true</enabled>
> </provider>
>
> The knox pam service is:
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth required pam_deny.so
>
> On Sat, Jun 30, 2018 at 9:21 AM, Lian Jiang <[email protected]> wrote:
>
> >> Yes. I do both pamtester and curl on the knox host.
>>
>> On Sat, Jun 30, 2018 at 6:36 AM, larry mccay <[email protected]> wrote:
>>
>>> Are you on the Knox host when testing with Pam tester? The accounts will
>>> need to be on the Knox host.
>>>
>>>
>>>
>>> On Sat, Jun 30, 2018, 2:22 AM Lian Jiang <[email protected]> wrote:
>>>
>>>> I am using OS auth for knox and have verified the username and password
>>>> work:
>>>>
>>>> sudo pamtester -v knox guest authenticate
>>>> pamtester: invoking pam_start(knox, guest, ...)
>>>> pamtester: performing operation - authenticate
>>>> Password:
>>>> pamtester: successfully authenticated
>>>>
>>>> However, my curl command failed:
>>>>
> >>>> curl -ik -u guest:"{PASSWORD}" http://test-namenode.subnet1.hadoop.oraclevcn.com:8443/gateway/ui/webhdfs/v1/user/?op=LISTSTATUS
>>>>
>>>> The error is:
> >>>> Jun 30 06:16:03 test-namenode unix_chkpwd[37385]: check pass; user unknown
> >>>> Jun 30 06:16:03 test-namenode unix_chkpwd[37385]: password check failed for user (guest)
> >>>> Jun 30 06:16:03 test-namenode java: pam_unix(knox:auth): authentication failure; logname= uid=2018 euid=2018 tty= ruser= rhost= user=guest
>>>>
>>>>
>>>> Any idea how I can debug? Appreciate any help.
>>>>
>>>>
>>>>
>>
>
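To see which line of the quoted `knox` PAM stack accepts or rejects a given account, here is an added example (not Knox or Linux-PAM code) that walks the four lines with required/requisite/sufficient semantics; module results are stubbed, and the account table with uids and passwords is constructed for the script rather than read from /etc/shadow.

```python
# Added example: minimal evaluator of PAM control flags over the 'knox'
# auth stack from the thread. Module behaviour is stubbed; pam_unix checks a
# constructed in-memory account table instead of /etc/shadow.

KNOX_PAM_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
"""

# Constructed stand-in for /etc/passwd + /etc/shadow (uids and passwords are made up).
ACCOUNTS = {"guest": {"uid": 2001, "password": "s3cret"},
            "svc": {"uid": 999, "password": "s3cret"}}

def parse_stack(text):
    """Yield (control, module, args) for each 'auth' line of a PAM service file."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "auth":
            yield parts[1], parts[2], parts[3:]

def run_module(module, args, user, password):
    """Stubbed module outcome: True stands for PAM_SUCCESS."""
    acct = ACCOUNTS.get(user)
    if module == "pam_env.so":
        return True
    if module == "pam_unix.so":
        if acct is None or (password == "" and "nullok" not in args):
            return False
        return password == acct["password"]
    if module == "pam_succeed_if.so":  # only the 'uid >= N' form used in the thread
        field, op, bound = args[0], args[1], int(args[2])
        return acct is not None and (field, op) == ("uid", ">=") and acct["uid"] >= bound
    if module == "pam_deny.so":
        return False
    raise ValueError("unsupported module " + module)

def authenticate(user, password, stack=KNOX_PAM_STACK):
    """Walk the stack; return (authenticated, module_that_decided)."""
    failed = None
    for control, module, args in parse_stack(stack):
        ok = run_module(module, args, user, password)
        if control == "sufficient" and ok and failed is None:
            return True, module          # short-circuit success
        if control == "requisite" and not ok:
            return False, module         # fail fast; later lines never run
        if control == "required" and not ok and failed is None:
            failed = module              # remember the failure, keep walking
    return failed is None, failed or module
```

Note that with this ordering the `uid >= 1000` check only runs after `pam_unix.so` has failed, so a wrong password for an account above the threshold ends at `pam_deny.so`, while one below it stops at `pam_succeed_if.so`.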