-
Bug
-
Resolution: Unresolved
-
Blocker
-
None
-
Ubuntu 20.04
NIS users are unable to authenticate unless Jenkins services is started as root:
Jun 1 unix_chkpwd[5063]: check pass; user unknown
Jun 1 unix_chkpwd[5064]: check pass; user unknown
Jun 1 unix_chkpwd[5064]: password check failed for user
I have tried adding "jenkins" to group "shadow" and granting read permissions to /etc/shadow for the group but having no luck. Tried also to downgrade to v1.6 but that didn't help. We do have it working on a Redhat box when run as "jenkins" with Jenkins v2.204.6. Do we need to downgrade Jenkins on the Ubuntu box to the older version?
[JENKINS-68663] PAM fails with NIS when jenkins not run as root
David Hartje
created issue -
David Hartje
made changes -
| Description |
Original:
NIS users are unable to authenticate unless Jenkins services is started as root:
Jun 1 11:00:48 flsm-jenkins01-lxu unix_chkpwd[5063]: check pass; user unknown Jun 1 11:00:48 flsm-jenkins01-lxu unix_chkpwd[5064]: check pass; user unknown Jun 1 11:00:48 flsm-jenkins01-lxu unix_chkpwd[5064]: password check failed for user I have tried adding "jenkins" to group "shadow" and granting read permissions to /etc/shadow for the group but having no luck. Tried also to downgrade to v1.6 but that didn't help. We do have it working on a Redhat box when run as "jenkins" with Jenkins v2.204.6. Do we need to downgrade Jenkins on the Ubuntu box to the older version? |
New:
NIS users are unable to authenticate unless Jenkins services is started as root:
Jun 1 unix_chkpwd[5063]: check pass; user unknown Jun 1 unix_chkpwd[5064]: check pass; user unknown Jun 1 unix_chkpwd[5064]: password check failed for user I have tried adding "jenkins" to group "shadow" and granting read permissions to /etc/shadow for the group but having no luck. Tried also to downgrade to v1.6 but that didn't help. We do have it working on a Redhat box when run as "jenkins" with Jenkins v2.204.6. Do we need to downgrade Jenkins on the Ubuntu box to the older version? |
David Hartje
made changes -
| Assignee | Original: Matt Sicker [ jvz ] | New: Mark Waite [ markewaite ] |
Mark Waite, I admit surprise with having the ability to change the Assignee on tickets (even ones I didn't create it would seem). I only assigned it to you because it appears that Matt Sicker was no longer participating based on how long it has been since he last posted a comment on a ticket...
David Hartje
added a comment - - edited Mark Waite, I admit surprise with having the ability to change the Assignee on tickets (even ones I didn't create it would seem). I only assigned it to you because it appears that Matt Sicker was no longer participating based on how long it has been since he last posted a comment on a ticket... | Assignee | Original: Mark Waite [ markewaite ] |
davidhartje I have no experience using NIS to authenticate with Jenkins. I've unassigned myself.
Jonathan Rogers
added a comment - I'm trying to use pam_exec.so to authenticate using a script. I created a PAM service called "jenkins" (/etc/pam.d/jenkins) with "auth" and "account" lines. Authentication succeeds, but I see this in the Jenkins log: "org.jvnet.libpam.PAMException: Authentication succeeded but no user information is available". I believe the problem described in this ticket is not unique to NIS, but results from the fact that libpam4j attempts to retrieve an account record using the libc function getpwnam() rather than relying solely on PAM calls.
I have been using the Security Realm by custom script (script-realm) Jenkins plugin to authenticate via script, which has been working fine without any entries in /etc/passwd. However, that plugin is unmaintained and pulls in the deprecated WMI Windows Agents Plugin, so I tried replacing it with a PAM configuration. Since I don't want to have to modify /etc/passwd, I'll probably find a different solution.
Jonathan Rogers
added a comment - I'm trying to use pam_exec.so to authenticate using a script. I created a PAM service called "jenkins" (/etc/pam.d/jenkins) with "auth" and "account" lines. Authentication succeeds, but I see this in the Jenkins log: "org.jvnet.libpam.PAMException: Authentication succeeded but no user information is available". I believe the problem described in this ticket is not unique to NIS, but results from the fact that libpam4j attempts to retrieve an account record using the libc function getpwnam() rather than relying solely on PAM calls.
https://github.com/kohsuke/libpam4j/blob/377d71a2b73c11b7c21bea0fb4ac5050ba8fc5c9/src/main/java/org/jvnet/libpam/PAM.java
I have been using the Security Realm by custom script (script-realm) Jenkins plugin to authenticate via script, which has been working fine without any entries in /etc/passwd. However, that plugin is unmaintained and pulls in the deprecated WMI Windows Agents Plugin, so I tried replacing it with a PAM configuration. Since I don't want to have to modify /etc/passwd, I'll probably find a different solution.
FYI, both "sshd" and "passwd" tests pass under the "Advanced" setting. From what I can tell, PAM is not checking or unable to check NIS. Accounts that exist in /etc/passwd can login to jenkiins though.