Hello Lian,
What errors do you see in the PAM logs (/var/log/secure, /var/log/messages)
for this login attempt?

Best,
Sandeep

On Tue, Jul 3, 2018 at 1:25 AM Lian Jiang <jiangok2...@gmail.com> wrote:

> Thanks Larry.
>
> Setting "-Djava.io.tmpdir={other_tmp_folder} -Djna.tmpdir={other_tmp_folder}"
> in knoxcli.sh made it throw a different error.
>
> [lianjia@prod1-namenode knox-server]$ sudo bin/knoxcli.sh user-auth-test
> --cluster ui --u guest --p "{PASSWORD}" --d
> org.apache.shiro.authc.AuthenticationException:
> org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication
> failure
> pam_authenticate failed : Authentication failure
> org.apache.shiro.authc.AuthenticationException:
> org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication
> failure
>     at
> org.apache.hadoop.gateway.shirorealm.KnoxPamRealm.handleAuthFailure(KnoxPamRealm.java:157)
>     at
> org.apache.hadoop.gateway.shirorealm.KnoxPamRealm.doGetAuthenticationInfo(KnoxPamRealm.java:137)
>     at
> org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
>     at
> org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
>     at
> org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
>     at
> org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
>     at
> org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
>     at
> org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
>     at
> org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
>     at
> org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1171)
>     at
> org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1206)
>     at
> org.apache.hadoop.gateway.util.KnoxCLI$LDAPAuthCommand.execute(KnoxCLI.java:1502)
>     at org.apache.hadoop.gateway.util.KnoxCLI.run(KnoxCLI.java:143)
>     at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
>     at org.apache.hadoop.gateway.util.KnoxCLI.main(KnoxCLI.java:1777)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at
> org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
>     at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
>     at org.apache.hadoop.gateway.launcher.Command.run(Command.java:99)
>     at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
>     at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
> Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed :
> Authentication failure
>     at org.jvnet.libpam.PAM.check(PAM.java:106)
>     at org.jvnet.libpam.PAM.authenticate(PAM.java:124)
>     at
> org.apache.hadoop.gateway.shirorealm.KnoxPamRealm.doGetAuthenticationInfo(KnoxPamRealm.java:135)
>     ... 22 more
> ERR: Unable to authenticate user: guest
>
> Looks like the /tmp error is gone. However, I found no clue about
> "Authentication failure" even though pamtester works:
>
> [lianjia@prod1-namenode knox-server]$ sudo pamtester -v login guest
> authenticate
> pamtester: invoking pam_start(login, guest, ...)
> pamtester: performing operation - authenticate
> Password:
> pamtester: successfully authenticated
>
> Not sure how to go deeper.  Still investigating. Any hint is highly
> appreciated.
>
> On Mon, Jul 2, 2018 at 12:32 PM, larry mccay <larry.mc...@gmail.com>
> wrote:
>
>> Hi Lian -
>>
>> I haven't encountered this before. You will likely need to dig into the
>> shiro PAM support itself if not even lower into the PAM module code.
>>
>> I will try and find some time to dig a bit myself.
>>
>> Thanks,
>>
>> -larry
>>
>> On Mon, Jul 2, 2018, 2:58 PM Lian Jiang <jiangok2...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> When /tmp has noexec, Knox OS auth throws error:
>>>
>>> [lianjia@prod1-namenode knox-server]$ sudo bin/knoxcli.sh
>>> user-auth-test --cluster ui --u guest --p "{PASSWORD}" --d
>>> org.apache.shiro.authc.AuthenticationException: Authentication failed
>>> for token submission [org.apache.shiro.authc.UsernamePasswordToken - guest,
>>> rememberMe=false].  Possible unexpected error? (Typical or expected login
>>> exceptions should extend from AuthenticationException).
>>> /tmp/jna-3506402/jna4211705767471308463.tmp:
>>> /tmp/jna-3506402/jna4211705767471308463.tmp: failed to map segment from
>>> shared object: Operation not permitted
>>> org.apache.shiro.authc.AuthenticationException: Authentication failed
>>> for token submission [org.apache.shiro.authc.UsernamePasswordToken - guest,
>>> rememberMe=false].  Possible unexpected error? (Typical or expected login
>>> exceptions should extend from AuthenticationException).
>>>     at
>>> org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:214)
>>>     at
>>> org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
>>>     at
>>> org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
>>>     at
>>> org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
>>>     at
>>> org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1171)
>>>     at
>>> org.apache.hadoop.gateway.util.KnoxCLI$LDAPCommand.authenticateUser(KnoxCLI.java:1206)
>>>     at
>>> org.apache.hadoop.gateway.util.KnoxCLI$LDAPAuthCommand.execute(KnoxCLI.java:1502)
>>>     at org.apache.hadoop.gateway.util.KnoxCLI.run(KnoxCLI.java:143)
>>>     at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
>>>     at org.apache.hadoop.gateway.util.KnoxCLI.main(KnoxCLI.java:1777)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>     at
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>     at
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>     at
>>> org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
>>>     at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
>>>     at org.apache.hadoop.gateway.launcher.Command.run(Command.java:99)
>>>     at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
>>>     at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
>>> Caused by: java.lang.UnsatisfiedLinkError:
>>> /tmp/jna-3506402/jna4211705767471308463.tmp:
>>> /tmp/jna-3506402/jna4211705767471308463.tmp: failed to map segment from
>>> shared object: Operation not permitted
>>>     at java.lang.ClassLoader$NativeLibrary.load(Native Method)
>>>     at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1941)
>>>     at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1824)
>>>     at java.lang.Runtime.load0(Runtime.java:809)
>>>     at java.lang.System.load(System.java:1086)
>>>     at
>>> com.sun.jna.Native.loadNativeDispatchLibraryFromClasspath(Native.java:761)
>>>     at com.sun.jna.Native.loadNativeDispatchLibrary(Native.java:736)
>>>     at com.sun.jna.Native.<clinit>(Native.java:131)
>>>     at com.sun.jna.Pointer.<clinit>(Pointer.java:41)
>>>     at com.sun.jna.Structure.<clinit>(Structure.java:1949)
>>>     at org.jvnet.libpam.PAM.<init>(PAM.java:73)
>>>     at
>>> org.apache.hadoop.gateway.shirorealm.KnoxPamRealm.doGetAuthenticationInfo(KnoxPamRealm.java:135)
>>>     at
>>> org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568)
>>>     at
>>> org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
>>>     at
>>> org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
>>>     at
>>> org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
>>>     ... 18 more
>>> ERR: Unable to authenticate user: guest
>>>
>>> Setting "-Djava.io.tmpdir={other_tmp_folder} -Djna.tmpdir={other_tmp_folder}"
>>> in gateway.sh did not help.
>>>
>>> I cannot remove noexec for /tmp since it is required for our production.
>>> Any idea how to solve this issue? Thanks!
>>>
>>
>
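
A preflight check for the workaround discussed in this thread, added here as an example and not part of any poster's message or of Knox itself: it reads a /proc/mounts-format table, finds the mount that contains a candidate directory, and emits the -Djava.io.tmpdir/-Djna.tmpdir flags only when that mount is not noexec. The /var/lib/knox path and the sample mount table are constructed assumptions.

```shell
#!/bin/sh
# Added example: check a candidate JNA temp directory before passing it to the JVM.

# Constructed sample in /proc/mounts format (not taken from the thread's host).
SAMPLE_MOUNTS='/dev/sda1 / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /var/lib/knox xfs rw,relatime 0 0'

# mount_opts PATH [MOUNTS_FILE] -> prints the options of the mount containing PATH.
# Longest mount-point prefix wins; a later entry for the same mount point overrides.
mount_opts() {
  awk -v p="$1" '
    {
      mp = $2
      # A mount contains p if it is "/", equals p, or is a directory prefix of p.
      if (mp == "/" || p == mp || index(p, mp "/") == 1)
        if (length(mp) >= best + 0) { best = length(mp); opts = $4 }
    }
    END { print opts }' "${2:-/proc/mounts}"
}

# is_noexec PATH [MOUNTS_FILE] -> exit 0 if the containing mount carries noexec.
is_noexec() {
  case ",$(mount_opts "$1" "${2:-/proc/mounts}")," in
    *,noexec,*) return 0 ;;
    *) return 1 ;;
  esac
}

# jna_tmpdir_flags DIR [MOUNTS_FILE] -> prints the two JVM flags, or fails if DIR
# sits on a noexec mount (the native library could not be mapped from there).
jna_tmpdir_flags() {
  if is_noexec "$1" "${2:-/proc/mounts}"; then
    echo "refusing $1: mounted noexec" >&2
    return 1
  fi
  printf -- '-Djava.io.tmpdir=%s -Djna.tmpdir=%s\n' "$1" "$1"
}

# Demo over the constructed table: /tmp is refused, /var/lib/knox/tmp is accepted.
demo=$(mktemp); printf '%s\n' "$SAMPLE_MOUNTS" > "$demo"
for d in /tmp /var/lib/knox/tmp; do
  jna_tmpdir_flags "$d" "$demo" || true
done
rm -f "$demo"
```

On a real host, omit the second argument so the functions read /proc/mounts.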
