Hello Lian,

What errors do you see in the PAM logs (/var/log/secure, /var/log/messages) for this login attempt?

Best,
Sandeep

On Tue, Jul 3, 2018 at 1:25 AM Lian Jiang <jiangok2...@gmail.com> wrote:

> Thanks Larry.
>
> Setting "-Djava.io.tmpdir={other_tmp_folder} -D*jna*.tmpdir={other_tmp_folder}"
> in knoxcli.sh made it throw a different error.
>
> [lianjia@prod1-namenode knox-server]$ sudo bin/knoxcli.sh user-auth-test --cluster ui --u guest --p "{PASSWORD}" --d
> org.apache.shiro.authc.AuthenticationException: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
> pam_authenticate failed : Authentication failure
> org.apache.shiro.authc.AuthenticationException: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
>     at org.apache.hadoop.gateway.shirorealm.KnoxPamRealm.handleAuthFailure(KnoxPamRealm.java:157)
>     at org.apache.hadoop.gateway.shirorealm.KnoxPamRealm.doGetAuthenticationInfo(KnoxPamRealm.java:137)
>     at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
>     at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
>     at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
>     at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
>     at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
>     at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
>     at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
>     at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1171)
>     at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1206)
>     at org.apache.hadoop.gateway.util.KnoxCLI$LDAPAuthCommand.execute(KnoxCLI.java:1502)
>     at org.apache.hadoop.gateway.util.KnoxCLI.run(KnoxCLI.java:143)
>     at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
>     at org.apache.hadoop.gateway.util.KnoxCLI.main(KnoxCLI.java:1777)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
>     at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
>     at org.apache.hadoop.gateway.launcher.Command.run(Command.java:99)
>     at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
>     at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
> Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
>     at org.jvnet.libpam.PAM.check(PAM.java:106)
>     at org.jvnet.libpam.PAM.authenticate(PAM.java:124)
>     at org.apache.hadoop.gateway.shirorealm.KnoxPamRealm.doGetAuthenticationInfo(KnoxPamRealm.java:135)
>     ... 22 more
> ERR: Unable to authenticate user: guest
>
> Looks like the /tmp error is gone. However, I found no clue about
> "Authentication failure" even pamtest works:
>
> [lianjia@prod1-namenode knox-server]$ sudo pamtester -v login guest authenticate
> pamtester: invoking pam_start(login, guest, ...)
> pamtester: performing operation - authenticate
> Password:
> pamtester: successfully authenticated
>
> Not sure how to go deeper. Still investigating. Any hint is highly
> appreciated.
>
> On Mon, Jul 2, 2018 at 12:32 PM, larry mccay <larry.mc...@gmail.com> wrote:
>
>> Hi Lian -
>>
>> I haven't encountered this before. You will likely need to dig into the
>> shiro PAM support itself if not even lower into the Pam module code.
>>
>> I will try and find some time to dig a bit myself.
>>
>> Thanks,
>>
>> -larry
>>
>> On Mon, Jul 2, 2018, 2:58 PM Lian Jiang <jiangok2...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> When /tmp has noexec, Knox OS auth throws error:
>>>
>>> [lianjia@prod1-namenode knox-server]$ sudo bin/knoxcli.sh user-auth-test --cluster ui --u guest --p "{PASSWORD}" --d
>>> org.apache.shiro.authc.AuthenticationException: Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - guest, rememberMe=false]. Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
>>> /tmp/jna-3506402/jna4211705767471308463.tmp: /tmp/jna-3506402/jna4211705767471308463.tmp: failed to map segment from shared object: Operation not permitted
>>> org.apache.shiro.authc.AuthenticationException: Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - guest, rememberMe=false]. Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
>>>     at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:214)
>>>     at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
>>>     at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
>>>     at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
>>>     at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1171)
>>>     at org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1206)
>>>     at org.apache.hadoop.gateway.util.KnoxCLI$LDAPAuthCommand.execute(KnoxCLI.java:1502)
>>>     at org.apache.hadoop.gateway.util.KnoxCLI.run(KnoxCLI.java:143)
>>>     at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
>>>     at org.apache.hadoop.gateway.util.KnoxCLI.main(KnoxCLI.java:1777)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>     at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
>>>     at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
>>>     at org.apache.hadoop.gateway.launcher.Command.run(Command.java:99)
>>>     at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
>>>     at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
>>> Caused by: java.lang.UnsatisfiedLinkError: /tmp/jna-3506402/jna4211705767471308463.tmp: /tmp/jna-3506402/jna4211705767471308463.tmp: failed to map segment from shared object: Operation not permitted
>>>     at java.lang.ClassLoader$NativeLibrary.load(Native Method)
>>>     at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1941)
>>>     at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1824)
>>>     at java.lang.Runtime.load0(Runtime.java:809)
>>>     at java.lang.System.load(System.java:1086)
>>>     at com.sun.jna.Native.loadNativeDispatchLibraryFromClasspath(Native.java:761)
>>>     at com.sun.jna.Native.loadNativeDispatchLibrary(Native.java:736)
>>>     at com.sun.jna.Native.<clinit>(Native.java:131)
>>>     at com.sun.jna.Pointer.<clinit>(Pointer.java:41)
>>>     at com.sun.jna.Structure.<clinit>(Structure.java:1949)
>>>     at org.jvnet.libpam.PAM.<init>(PAM.java:73)
>>>     at org.apache.hadoop.gateway.shirorealm.KnoxPamRealm.doGetAuthenticationInfo(KnoxPamRealm.java:135)
>>>     at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
>>>     at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
>>>     at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
>>>     at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
>>>     ... 18 more
>>> ERR: Unable to authenticate user: guest
>>>
>>> Setting "-Djava.io.tmpdir={other_tmp_folder} -D*jna*.tmpdir={other_tmp_folder}"
>>> in gateway.sh did not help.
>>>
>>> I cannot remove noexec for /tmp since it is required for our production.
>>> Any idea how to solve this issue? Thanks!
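
Added example, not part of the thread or of Knox: a shell check for the first failure quoted above, where JNA unpacks its native library under /tmp and a noexec mount refuses to map it. It reads a mount table in /proc/mounts format and prints the JVM flags for the first candidate directory that is not on a noexec mount, so /tmp can stay noexec. The mount table is a constructed sample and /var/lib/knox/tmp is a hypothetical directory.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not taken from the thread's host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /var ext4 rw,relatime 0 0
/dev/sdc1 /var/tmp ext4 rw,nosuid,noexec 0 0'

# Print the mount options of the filesystem holding path $1, given the
# mount table text in $2. The longest mount point that prefixes the path
# wins; on a tie the later entry wins, since it shadows the earlier one.
mount_opts_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            pre = (mp == "/") ? "/" : mp "/"
            if (p == mp || index(p "/", pre) == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# Succeed if path $1 lives on a mount carrying the noexec option.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: jna_tmpdir_flags MOUNT_TABLE DIR...
# Print JVM flags for the first DIR that is not on a noexec mount;
# return 1 when every candidate is noexec.
jna_tmpdir_flags() {
    mounts=$1; shift
    for dir in "$@"; do
        if ! is_noexec "$dir" "$mounts"; then
            printf '%s\n' "-Djava.io.tmpdir=$dir -Djna.tmpdir=$dir"
            return 0
        fi
    done
    return 1
}

# Demo on the sample; on a live host pass "$(cat /proc/mounts)" instead.
jna_tmpdir_flags "$SAMPLE_MOUNTS" /tmp /var/tmp /var/lib/knox/tmp
```

The chosen directory must also exist and be writable by the account that runs the JVM, and the flags only take effect in the script that starts the JVM under test, which the thread reports as knoxcli.sh for `user-auth-test`.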