JENKINS-18736: PAM authentication over NIS server does not work

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Component: pam-auth-plugin
    • Labels: None
    • Environment: openSUSE 11.4 x86_64
      Oracle Java 1.6.0u45
      Apache Tomcat 6.0.32

      We use NIS authentication on our Unix servers.
      I tried to configure Jenkins to authenticate via the PAM plugin.
      I can log on successfully with a local user, but if I try to log on with a user defined on the NIS server, the logon fails.
      Exception in catalina.out:

      13.7.2013 0:09:04 hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
      INFO: Login attempt failed
      org.acegisecurity.BadCredentialsException: pam_authenticate failed : Authentication failure; nested exception is org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
              at hudson.security.PAMSecurityRealm.authenticate(PAMSecurityRealm.java:78)
              at hudson.security.AbstractPasswordBasedSecurityRealm$Authenticator.retrieveUser(AbstractPasswordBasedSecurityRealm.java:136)
              at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
              at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
              at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
              at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74)
              at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
              at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
              at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:64)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
              at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
              at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
              at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
              at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:47)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:300)
              at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:433)
              at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:384)
              at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665)
              at java.lang.Thread.run(Thread.java:662)
      Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
              at org.jvnet.libpam.PAM.check(PAM.java:106)
              at org.jvnet.libpam.PAM.authenticate(PAM.java:124)
              at hudson.security.PAMSecurityRealm.authenticate(PAMSecurityRealm.java:73)
              ... 35 more


          Petr Prochazka added a comment -

          Permissions of the shadow file are rw-r---- 1 root shadow 570 Jul 30 13:54 /etc/shadow. User tomcat is in group shadow.

          lacostej added a comment -

          Anything special in /var/log/messages on the Linux side of it? (See http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.pam.html#sec.pam.pam-config for configuring debug output if you lack information.) Maybe you will find some discrepancy there between what you think happens and what actually happens.


          Petr Prochazka added a comment -

          Thanks for the advice, I will look at it later.

          Sorin Sbarnea added a comment -

          I have the same problem and followed the same route (googling, reading Stack Overflow)… but I am still unable to fix it.

          I would say that the plugin is broken, or at least that its configuration notes are broken, if so many people fail to enable it.

          My case: Debian with NIS/LDAP auth activated, added the jenkins user to the proper group so it can read /etc/shadow and verified it, still the plugin complains about the same error.

          Even so, I have quite some doubts that reading /etc/shadow would solve the problem, because only the local system accounts are listed there and not the NIS accounts.

          Also, the only configurable parameter, "service", is completely undocumented. We have to guess and google to find out what we are supposed to put there. Now I guess that we are supposed to put one of the file names from inside /etc/pam.d/ – but it still doesn't work and the logs do not contain any hints on why.


          David Catanho added a comment -

          Hi Sorin

          I had the same problem as you, although with a different configuration (LDAP/KRB5). What ended up working for me was setting the min_id parameter to 1000 in sssd.conf. That way the jenkins user was ignored for LDAP queries (id < 1000). It might work for you too.

          Roman G added a comment - - edited

          Hi,
          I had success with PAM/SSS and sshd on RHEL 6.2/JRE 1.7u45/Winstone.
          I suggest digging through /var/log/secure to understand possible issues between Java and PAM.
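A preflight script for the checks being traded in the comments above (Sorin's guess that "service" names a file in /etc/pam.d/, the /etc/shadow group trick, the fact that NIS accounts are not in the local shadow file, and Roman's advice to read /var/log/secure). This is an added example written for this thread, not code from pam-auth-plugin or from any commenter. It assumes GNU stat/awk/grep/paste, a service account called jenkins by default, and that the PAM_DIR, NSSWITCH and SHADOW_FILE paths may be overridden so the checks can be exercised on constructed copies of the files; the sample inputs below are constructed, not taken from a real host.

```shell
#!/usr/bin/env bash
# pam_preflight.sh -- added example for JENKINS-18736, not part of pam-auth-plugin.
# Answers, before enabling the PAM realm: does the "service" value name a stack
# under /etc/pam.d, which modules on that stack actually check the password,
# which NSS sources supply passwd entries, can the non-root Jenkins account
# read the shadow file, and what has PAM already logged for that service.
# Assumption: paths below are overridable so the checks can run on test copies.

PAM_DIR="${PAM_DIR:-/etc/pam.d}"
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"
SHADOW_FILE="${SHADOW_FILE:-/etc/shadow}"

# 1. The plugin's "service" parameter is the name of a file under /etc/pam.d.
#    Prints the path when that stack exists; rejects empty names and paths.
pam_service_file() {
    case "$1" in ""|*/*|.*) return 1 ;; esac
    [ -f "$PAM_DIR/$1" ] || return 1
    printf '%s\n' "$PAM_DIR/$1"
}

# 2. Modules on the 'auth' lines of a stack, following @include (Debian) and
#    include/substack (RHEL) references, so you can see whether pam_unix,
#    pam_sss or pam_ldap is the module that gets asked for the password.
pam_auth_modules() {
    awk -v dir="$PAM_DIR" '
        function scan(f,   line, n, fld, i) {
            while ((getline line < f) > 0) {
                sub(/#.*/, "", line)
                n = split(line, fld)
                if (n == 0) continue
                if (fld[1] == "@include") { scan(dir "/" fld[2]); continue }
                sub(/^-/, "", fld[1])                       # optional "-auth" form
                if (fld[1] != "auth") continue
                if (fld[2] == "include" || fld[2] == "substack") { scan(dir "/" fld[3]); continue }
                i = 3
                if (fld[2] ~ /^\[/) {                       # "[success=1 default=ignore]" spans fields
                    i = 2; while (i <= n && fld[i] !~ /\]$/) i++; i++
                }
                if (i <= n) print fld[i]
            }
            close(f)
        }
        BEGIN { scan(ARGV[1]); exit }' "$1"
}

# 3. NSS sources for passwd entries. With "files nis" a NIS user is never in
#    the local shadow file, so /etc/shadow access only helps local accounts.
nss_passwd_sources() {
    awk '/^[ \t]*passwd:/ { sub(/^[ \t]*passwd:[ \t]*/, ""); sub(/[ \t]*#.*/, ""); print; exit }' "$NSSWITCH"
}

# 4. Can the service account read the shadow file through its group?
#    Args: octal mode, owning group, and the account's groups (`id -nG` output).
shadow_readable_by() {
    case "$1" in *[4567]?) ;; *) return 1 ;; esac     # group read bit set?
    for g in $3; do [ "$g" = "$2" ] && return 0; done
    return 1
}

# 5. PAM failure lines for one service from the auth log
#    (/var/log/secure on RHEL, /var/log/auth.log on Debian/Ubuntu).
pam_failures_for_service() {
    grep -E "pam_[a-z_]+\($1:auth\): (authentication failure|check pass; user unknown)" "$2"
}

main() {
    svc="$1"; account="${2:-jenkins}"
    file=$(pam_service_file "$svc") || { echo "no PAM stack named '$svc' in $PAM_DIR"; return 1; }
    echo "auth modules for $svc: $(pam_auth_modules "$file" | paste -sd ' ' -)"
    echo "passwd NSS sources: $(nss_passwd_sources)"
    if shadow_readable_by "$(stat -c %a "$SHADOW_FILE")" "$(stat -c %G "$SHADOW_FILE")" "$(id -nG "$account")"; then
        echo "$account can read $SHADOW_FILE via its group (local users verifiable without root)"
    else
        echo "$account cannot read $SHADOW_FILE; pam_unix will fail for local users unless Jenkins runs as root"
    fi
    for log in /var/log/secure /var/log/auth.log; do
        [ -r "$log" ] && pam_failures_for_service "$svc" "$log" | tail -n 5
    done
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it on the Jenkins host as `bash pam_preflight.sh sshd jenkins`. The shadow check only settles the local-account case; for NIS accounts the password hash comes from the NIS maps through the `nis` source that the passwd line reports, which is why that line is printed next to it.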

          Scott MacDonald added a comment - - edited

          I am seeing the same problem after everything was working properly for months. We started seeing this issue yesterday, immediately following a reboot to install the EnvInject plugin (which is now uninstalled, without fixing the error). We originally had "Unix user/group database" configured with "Service sshd", and the "jenkins" user was NOT part of Linux group "shadow". We have tried changing "service" to "ssh" (now back to "sshd") and have added the jenkins user to Linux group "shadow". Nothing has had any effect. The Linux credentials are indeed valid, and we can ssh directly to the box without any problem.

          OS is Ubuntu 12.04.2 LTS

          We really need authentication working, so any help is GREATLY appreciated.

          Nov 27, 2013 5:32:27 PM hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
          INFO: Login attempt failed
          org.acegisecurity.BadCredentialsException: pam_authenticate failed : Authentication failure; nested exception is org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
          at hudson.security.PAMSecurityRealm.authenticate(PAMSecurityRealm.java:78)
          at hudson.security.AbstractPasswordBasedSecurityRealm$Authenticator.retrieveUser(AbstractPasswordBasedSecurityRealm.java:135)
          at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
          at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
          at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
          at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74)
          at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:64)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
          at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
          at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
          at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
          at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
          at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
          at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
          at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
          at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
          at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
          at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
          at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
          at org.eclipse.jetty.server.Server.handle(Server.java:370)
          at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
          at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
          at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
          at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
          at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
          at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
          at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
          at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
          at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
          at java.lang.Thread.run(Thread.java:679)
          Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
          at org.jvnet.libpam.PAM.check(PAM.java:106)
          at org.jvnet.libpam.PAM.authenticate(PAM.java:124)
          at hudson.security.PAMSecurityRealm.authenticate(PAMSecurityRealm.java:73)
          ... 44 more


          Still scouring the net for a solution.. not much out there. Found this old, fairly definitive blog post from 2009..

          ############################################
          Jon Schewe wrote:

          > Yes, this is the case if you have shadow passwords, which most people
          > do. You can either run hudson as root or give access to /etc/shadow to a
          > group, perhaps called 'shadow', and then add the hudson user to that
          > group. Then it'll work.
          >
          > Kohsuke Kawaguchi wrote:
          >> I've heard from some users that PAM auth can only authenticate the user
          >> that Hudson is running as, unless Hudson is run as root.
          >>
          ##########################################

          So if I change jenkins to run as root, authentication does indeed work (although I see other breakages launching slaves which I would now have to sort out).

          Considering that I have been running for 6 months as jenkins without any problems, I am having a hard time buying that running as root is a hard requirement for PAM auth. At least it has not been true for us for about 6 months. There's got to be something else going on.

          Roman G added a comment -

          I confirm - I execute jenkins as root


          Scott MacDonald added a comment -

          I do not want to run as root if I don't have to. We had been running our jenkins server as the "jenkins" user for 6+ months with "Unix user/group database" PAM-based authentication. This broke on us following a reboot after installing a plugin. I just don't see how running as root can be considered a requirement, when it clearly wasn't the case for us over the last 6 months.

            Assignee: Unassigned
            Reporter: Petr Prochazka (petrprochy)
            Votes: 2
            Watchers: 6