Hmmm.... You don't need to restart for topology changes. Glad it is working for you now though!

On Sat, Jun 30, 2018, 4:05 PM Lian Jiang <[email protected]> wrote:

> It worked now. I guess I missed knox restarting somewhere.
>
> On Sat, Jun 30, 2018 at 10:19 AM, Lian Jiang <[email protected]>
> wrote:
>
>> Furthermore, knoxcli.sh shows guest authentication is ok:
>>
>> sudo bin/knoxcli.sh user-auth-test --cluster ui --u guest --p "{PASSWORD}"
>> LDAP authentication successful!
>>
>> The output shows LDAP but OS auth is used:
>>
>> <provider>
>>     <role>authentication</role>
>>     <name>ShiroProvider</name>
>>     <enabled>true</enabled>
>>     <param>
>>         <name>sessionTimeout</name>
>>         <value>30</value>
>>     </param>
>>     <param>
>>         <name>main.pamRealm</name>
>>         <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
>>     </param>
>>     <param>
>>         <name>main.pamRealm.service</name>
>>         <value>knox</value>
>>     </param>
>>     <param>
>>         <name>urls./**</name>
>>         <value>authcBasic</value>
>>     </param>
>> </provider>
>> <provider>
>>     <role>identity-assertion</role>
>>     <name>Default</name>
>>     <enabled>true</enabled>
>> </provider>
>> <provider>
>>     <role>authorization</role>
>>     <name>XASecurePDPKnox</name>
>>     <enabled>true</enabled>
>> </provider>
>>
>> The knox pam service is:
>>
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
>> auth required pam_deny.so
>>
>> On Sat, Jun 30, 2018 at 9:21 AM, Lian Jiang <[email protected]>
>> wrote:
>>
>>> yes. I do both pamtester and curl on the knox host.
>>>
>>> On Sat, Jun 30, 2018 at 6:36 AM, larry mccay <[email protected]> wrote:
>>>
>>>> Are you on the Knox host when testing with Pam tester? The accounts
>>>> will need to be on the Knox host.
>>>>
>>>> On Sat, Jun 30, 2018, 2:22 AM Lian Jiang <[email protected]> wrote:
>>>>
>>>>> I am using OS auth for knox and have verified the username and
>>>>> password work:
>>>>>
>>>>> sudo pamtester -v knox guest authenticate
>>>>> pamtester: invoking pam_start(knox, guest, ...)
>>>>> pamtester: performing operation - authenticate
>>>>> Password:
>>>>> pamtester: successfully authenticated
>>>>>
>>>>> However, my curl command failed:
>>>>>
>>>>> curl -ik -u guest:"{PASSWORD}" http://test-namenode.subnet1.hadoop.oraclevcn.com:8443/gateway/ui/webhdfs/v1/user/?op=LISTSTATUS
>>>>>
>>>>> The error is:
>>>>> Jun 30 06:16:03 test-namenode unix_chkpwd[37385]: check pass; user unknown
>>>>> Jun 30 06:16:03 test-namenode unix_chkpwd[37385]: password check failed for user (guest)
>>>>> Jun 30 06:16:03 test-namenode java: pam_unix(knox:auth): authentication failure; logname= uid=2018 euid=2018 tty= ruser= rhost= user=guest
>>>>>
>>>>> Any idea how I can debug? Appreciate any help.
