
PAM authentication over NIS server does not work

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Component: pam-auth-plugin
    • Labels: None
    • Environment: openSUSE 11.4 x86_64, Oracle Java 1.6.0u45, Apache Tomcat 6.0.32

      We use NIS authentication for our Unix servers.
      I tried to configure Jenkins to authenticate via the PAM plugin.
      I can log on successfully with a local user, but if I try to log on with a user defined on the NIS server, the logon fails.
      Exception in catalina.out:

      13.7.2013 0:09:04 hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
      INFO: Login attempt failed
      org.acegisecurity.BadCredentialsException: pam_authenticate failed : Authentication failure; nested exception is org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
              at hudson.security.PAMSecurityRealm.authenticate(PAMSecurityRealm.java:78)
              at hudson.security.AbstractPasswordBasedSecurityRealm$Authenticator.retrieveUser(AbstractPasswordBasedSecurityRealm.java:136)
              at org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:122)
              at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:200)
              at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:47)
              at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:74)
              at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
              at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
              at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:64)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
              at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
              at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
              at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
              at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:47)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:300)
              at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:433)
              at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:384)
              at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665)
              at java.lang.Thread.run(Thread.java:662)
      Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
              at org.jvnet.libpam.PAM.check(PAM.java:106)
              at org.jvnet.libpam.PAM.authenticate(PAM.java:124)
              at hudson.security.PAMSecurityRealm.authenticate(PAMSecurityRealm.java:73)
              ... 35 more

          [JENKINS-18736] PAM authentication over NIS server does not work

          Petr Prochazka created issue -

          lacostej added a comment -

          You might want to try changing your service name to ssh or sshd and check the user running jenkins can read the shadow file.

          http://stackoverflow.com/questions/4666305/hudson-fails-to-use-unix-user-group-to-do-authentication


          Petr Prochazka added a comment -

          Thanks for your reply.
          I debugged the authentication in an IDE, and the sshd service name is the only one that works, but I got this localized message from the called callback (object pam_message in class PAM): "Přístupová práva k databázi hesel jsou možná příliš přísná." The English text is "Permissions on the password database may be too restrictive."
          And the return code of the called native method pam_authenticate is 7.

          I think the problem can be in the configuration of the PAM modules or anything else, but where?

          lacostej added a comment -

          What about "check the user running jenkins can read the shadow file."?
          What are the file permissions on your shadow file?


          Petr Prochazka added a comment -

          The permissions of the shadow file are rw-r---- 1 root shadow 570 Jul 30 13:54 /etc/shadow. User tomcat is in group shadow.

          lacostej added a comment -

          Anything special in /var/log/messages on the Linux side of it? (See http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.pam.html#sec.pam.pam-config for configuring debug output if you lack information.) Maybe you will find some discrepancy there between what you think happens and what actually happens.


          Petr Prochazka added a comment -

          Thanks for the advice, I will look at it later.

          Sorin Sbarnea added a comment -

          I have the same problem and followed the same route (googling, reading Stack Overflow)… but I am still unable to fix it.

          I would say that the plugin is broken, or at least that its configuration notes are broken, if so many people fail to enable it.

          My case: Debian with NIS/LDAP auth activated; I added the jenkins user to the proper group so it can read /etc/shadow and verified it, but the plugin still complains about the same error.

          Even so, I have quite some doubts that reading /etc/shadow would solve the problem, because only the local system accounts are listed there, not the NIS accounts.

          Also, the only configurable parameter, "service", is completely undocumented. We have to guess and google to find out what we are supposed to put there. Now I guess that we are supposed to put one of the file names from inside /etc/pam.d/, but it still doesn't work and the logs do not contain any hints on why.
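The "service" value names a file under /etc/pam.d/, and what that file actually does is only visible once the files it includes are followed. The script below is an added example, not code from the plugin or from anyone in this thread: it parses a constructed, in-memory Debian-style /etc/pam.d tree (the `jenkins` service name in it is hypothetical) and lists the modules on the auth path, so an administrator can see whether pam_unix.so (the module that reads the local shadow database) or a directory backend such as pam_sss.so is what handles the login, and gets a clear error when the configured service file does not exist.

```python
import re

# Constructed sample of a Debian-style /etc/pam.d tree (not taken from any real host).
SAMPLE_FILES = {
    "sshd": "auth required pam_env.so\n"
            "@include common-auth\n"
            "account required pam_nologin.so\n",
    "common-auth": "# primary block: local files first, then sssd\n"
                   "auth [success=2 default=ignore] pam_unix.so nullok_secure\n"
                   "auth [success=1 default=ignore] pam_sss.so use_first_pass\n"
                   "auth requisite pam_deny.so\n"
                   "auth required pam_permit.so\n",
    "jenkins": "auth include common-auth\n",  # hypothetical service name
}

# <type> <control> <module> [args]; control is a keyword or a [...] action list
PAM_LINE = re.compile(r"^(?P<type>-?\w+)\s+(?P<ctl>\[[^\]]*\]|\w+)\s+(?P<mod>\S+)\s*(?P<args>.*)$")

def pam_stack(service, group, files, depth=0):
    """Return [(control, module, args)] for management group `group` of `service`.
    `@include f` pulls in every group of f; `include`/`substack` pull in only this group.
    A missing service file raises KeyError, which is what a wrong "service" value amounts to."""
    if depth > 8:
        raise RecursionError(f"include loop while resolving {service!r}")
    if service not in files:
        raise KeyError(f"no PAM service file named {service!r}")
    stack = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            stack += pam_stack(line.split(None, 1)[1].strip(), group, files, depth + 1)
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line in {service!r}: {raw!r}")
        if m["type"].lstrip("-") != group:  # a leading '-' marks an optional module
            continue
        if m["ctl"] in ("include", "substack"):
            stack += pam_stack(m["mod"], group, files, depth + 1)
            continue
        stack.append((m["ctl"], m["mod"], m["args"].strip()))
    return stack

def auth_modules(service, files=SAMPLE_FILES):
    """Module names on the auth path, in order: pam_unix.so means the local shadow
    database is consulted; pam_sss.so or pam_ldap.so mean a directory backend."""
    return [mod for _, mod, _ in pam_stack(service, "auth", files)]
```

Point `SAMPLE_FILES` at the real contents of /etc/pam.d/ to check a live host; the order returned is the order PAM will try the modules.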

          David Catanho added a comment -

          Hi Sorin,

          I had the same problem as you, although with a different configuration (LDAP/KRB5). What ended up working for me was setting the min_id parameter to 1000 in sssd.conf. That way the jenkins user was ignored for LDAP queries (id < 1000). It might work for you too.

          Roman G added a comment - - edited

          Hi,
          I got it working with PAM/SSS and sshd on RHEL 6.2/JRE 1.7u45/Winston.
          I suggest digging through /var/log/secure to understand possible issues between Java and PAM.

            Assignee: Unassigned
            Reporter: Petr Prochazka (petrprochy)
            Votes: 2
            Watchers: 6