
Authentication Failed with Docker image Jenkins LTS (2.414.1)

    • Bug
    • Resolution: Unresolved
    • Blocker
    • pam-auth-plugin
    • None

      We are using the Jenkins Docker image in our CI.

      On 23/08/2023 (LTS 2.414.1), the image was updated from Debian 11 to Debian 12.
      In this update, libpam-runtime moved from 1.4.0 to 1.5.0, and the PAM plugin is the same.
      Since this date, LDAP authentication fails.

      We suspect an incompatibility with the new libpam-runtime.

          [JENKINS-71972] Authentication Failed with Docker image Jenkins LTS (2.414.1)

          Bruno Verachten added a comment -

          Thank you gilbertboyer.

          I've updated everything I could in the plugin and created a pull request for it.

          However, it seems that it wasn't sufficient, as mentioned by Abderrazak.

          Abderrazak added a comment -

          Hi Bruno,

          Please let me know if the way I explained to test this new plugin build helps you reproduce it.

          Thanks


          James Nord added a comment -

          This does not fully surprise me - the container may well be missing some libraries required to do PAM authentication, as this is not that normal, especially if you are mounting the PAM conf from the host.

          Generally I would not expect the API of PAM to change in a breaking way (it would break many applications). As such I am thinking this is not an issue with the PAM plugin but more something else.

          1. What does the PAM auth log say? This may well have some clues.
          2. Have you tried running Jenkins without Docker on a host to see if you can reproduce / debug this outside of Docker?


          James Nord added a comment - - edited

          libpam-ldapd is not installed in either 2.401.3 or 2.414.1 which would IIUC be a prerequisite for this to even work?!

          ❯ docker run --user=root jenkins/jenkins:2.401.3 dpkg -l libpam-ldapd
          dpkg-query: no packages found matching libpam-ldapd
          ❯ docker run --user=root jenkins/jenkins:2.414.1 dpkg -l libpam-ldapd
          dpkg-query: no packages found matching libpam-ldapd
           
          

           


          Abderrazak added a comment -

          teilo,
          on top of the Jenkins image we install libpam-ldap, libnss-ldap and libpam-pwdfile before using it.

          [root@build-controller ~]# docker exec -it jenkins-controller dpkg -l libpam-ldap
          ||/ Name              Version      Architecture Description
          +++-=================-============-============-========================================
          ii  libpam-ldap:amd64 186-4+b1     amd64        Pluggable Authentication Module for LDAP

          It's not an issue in the plugin, but an issue in the libpam4j library used by the plugin.
          We opened 2 issues, one on the libpam4j library and one on the plugin which uses this lib.
          poddingue proposed a PR on the libpam4j project, but our tests revealed that this update did not resolve the issue.

          The issue is linked to the Jenkins Docker image on Debian 12 and more specifically the 1.5.0 version of libpam-runtime. I think libpam4j has to be reviewed, because when we went back to the version before, the issue disappeared.

          Thank you very much for the investigations


          James Nord added a comment - - edited

          the error in the log

           

          Sep 07, 2023 2:28:31 PM FINE org.jvnet.libpam.PAM
          pam_conv num_msg=1
          Sep 07, 2023 2:28:31 PM FINE org.jvnet.libpam.PAM
          1:Password: 
          Sep 07, 2023 2:28:33 PM FINEST org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
          Failed to process authentication request
          org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure

          is AFAICT

           

          #define PAM_OPEN_ERR 1 /* dlopen() failure when dynamically */
                                 /* loading a service module */

          Which would point not at Jenkins and the pam plugin but at the configuration of PAM.

          Have you checked your PAM config for compatibility? Have you validated the exact same configuration with the same container base (ubuntu and version) using just a local login or ssh access?

          The issue is linked to the Jenkins Docker image on Debian 12 and more specifically the 1.5.0 version of libpam-runtime. I think libpam4j has to be reviewed, because when we went back to the version before, the issue disappeared.

          By version before, are you referring to the container or the plugin or all of it? `pam-auth 1.10.0` was released in August 2022


          Abderrazak added a comment -

          When I say "version before" I mean libpam-runtime 1.4.0


          Abderrazak added a comment -

          Hi teilo,
          IIUC:
          The PAM_OPEN_ERR error code is not thrown.
          The error we have in the logs is "pam_authenticate failed", thrown in this line:

          org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure 

           


          James Nord added a comment -

          The preceding log entry in the attached issue-logs.txt that says what libpam was doing is
          1:Password:

          1 should be the returned error code of the function.

          AFAICT that is `PAM_OPEN_ERR` - at any rate there is a non-zero return code back from libpam and I have no way to reproduce this.

          There should be logs from your PAM system (not Jenkins) that you can enable to get it to tell you why it is failing.


          Abderrazak added a comment - - edited

          Hi teilo,
          I am looking into getting the PAM system logs.

          Regarding the code, the "1" refers to "pm.msg_style"; it's not an error code there AFAICT.

          I attach the Jenkins PAM log of a successful connection:

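Added example, not part of the thread and not code from Jenkins or libpam4j: a decoder for the libpam4j log excerpt quoted above that keeps the conversation line and the call result apart. It assumes, as the last comment states, that the FINE line is `msg_style:msg`, and it uses Linux-PAM's numeric constants and English `pam_strerror()` strings; `decode` and the table names are hypothetical.

```python
import re

# Linux-PAM conversation message styles (struct pam_message.msg_style).
MSG_STYLE = {1: "PAM_PROMPT_ECHO_OFF", 2: "PAM_PROMPT_ECHO_ON",
             3: "PAM_ERROR_MSG", 4: "PAM_TEXT_INFO"}

# Linux-PAM pam_strerror() text (English locale) -> (return code, constant).
STRERROR = {
    "Failed to load module": (1, "PAM_OPEN_ERR"),
    "Permission denied": (6, "PAM_PERM_DENIED"),
    "Authentication failure": (7, "PAM_AUTH_ERR"),
    "Authentication service cannot retrieve authentication info":
        (9, "PAM_AUTHINFO_UNAVAIL"),
    "User not known to the underlying authentication module":
        (10, "PAM_USER_UNKNOWN"),
}

CONV = re.compile(r"^(\d+):(.*)$")
FAILED = re.compile(r"PAMException: (\w+) failed : (.+)$")

# Log excerpt as quoted in the thread.
SAMPLE = """\
Sep 07, 2023 2:28:31 PM FINE org.jvnet.libpam.PAM
pam_conv num_msg=1
Sep 07, 2023 2:28:31 PM FINE org.jvnet.libpam.PAM
1:Password:
Sep 07, 2023 2:28:33 PM FINEST org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter unsuccessfulAuthentication
Failed to process authentication request
org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
"""

def decode(log_text):
    """Return conversation prompts and PAM call failures found in the log."""
    findings, after_pam_header = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        # Only a line directly under a libpam4j logger header is a prompt.
        conv = CONV.match(line) if after_pam_header else None
        after_pam_header = line.endswith(" org.jvnet.libpam.PAM")
        if conv:
            style = int(conv.group(1))
            findings.append(("conv", style, MSG_STYLE.get(style, "unknown"),
                             conv.group(2).strip()))
        failed = FAILED.search(line)
        if failed:
            code, name = STRERROR.get(failed.group(2), (None, "unmapped"))
            findings.append(("result", failed.group(1), code, name))
    return findings

if __name__ == "__main__":
    for finding in decode(SAMPLE):
        print(finding)
```

The decoded result only names the failure class; the reason for it comes from the PAM modules' own logging on the system, as requested in the thread.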

            Unassigned Unassigned
            abderrazakabidallah Abderrazak