Update: Authentication failed using PAM #446
mjoguinto opened this issue · comments
Hi,
This is the update for the previous issue (Authentication failed using PAM #446).
I was able now to access the login screen via port 3333. The issue now is the authentication failure using PAM.
I received Error 401.
@mjoguinto
Apologies for the late reaction. I missed this one.
In my experience, login failures have 3 possible causes:
- You are providing a username+password that is not valid on the salt-master/salt-api server.
  This can be checked by using the same username/password on the salt-master/salt-api server for a regular login.
  Additionally, verify it using:
  curl -v -d eauth=pam -d username=notauser -d password=thepassword http://hostname:port/login/
  which results in an HTML response from salt-api with the 401 error.
- The user exists, but is not granted access using the external_auth parameter in file /etc/salt/master.
  This actually does not produce a 401, but the login page will still reject this with the "No permissions" message.
  curl -v -d eauth=pam -d username=notasaltuser -d password=thepassword http://hostname:port/login/
  results in an OK response with perms:{}.
- Port 3333 on the given address is not a salt-api server but another server, e.g. the SUSE manager.
  curl -v -d eauth=pam -d username=asaltuser -d password=thepassword http://hostname:port/login/
  may give additional information.
  Use
  sudo netstat -anp | grep :3333
  to find the process-id of the process that is responding on port 3333. Use
  ps -ef | grep thepid
  to get more information on that process. Is it salt-api? Or another program?
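The three checks above can be scripted so that a single run tells you which case you are in. The script below is an added example and is not part of the thread or of SaltGUI; it assumes curl and ss are installed, that SALT_API_URL (hypothetical, defaulting to the placeholder host used in the thread) points at the suspected salt-api endpoint, and it classifies a /login response by HTTP status and by whether the JSON body carries an empty perms value, which is the signal for a missing external_auth grant.

```shell
#!/bin/sh
# Added example (not from the thread or from SaltGUI): classify a salt-api
# /login response into the three failure causes listed above.
# Assumptions: SALT_API_URL is a hypothetical variable naming the endpoint
# under test; curl and ss are available on the client.

SALT_API_URL="${SALT_API_URL:-http://hostname:3333}"

# classify_login STATUS BODY -> prints one of:
#   bad-creds     : HTTP 401, the master rejected username/password (cause 1)
#   no-perms      : HTTP 200 but perms is empty, no external_auth grant (cause 2)
#   ok            : HTTP 200 with a non-empty perms list (login works)
#   not-salt-api  : anything else, e.g. another service owns the port (cause 3)
classify_login() {
  status="$1"
  body="$2"
  case "$status" in
    401) echo "bad-creds" ;;
    200)
      # matches  "perms": {}  and  "perms": []  (quotes and whitespace optional)
      if printf '%s' "$body" | grep -Eq '"?perms"?[[:space:]]*:[[:space:]]*([{][}]|\[\])'; then
        echo "no-perms"
      elif printf '%s' "$body" | grep -q 'perms'; then
        echo "ok"
      else
        echo "not-salt-api"
      fi ;;
    *) echo "not-salt-api" ;;
  esac
}

# login USER PASS -> POSTs to /login like the curl commands above, then classifies
login() {
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' \
    -H 'Accept: application/json' \
    -d eauth=pam -d "username=$1" -d "password=$2" \
    "$SALT_API_URL/login")
  body=$(cat "$tmp")
  rm -f "$tmp"
  classify_login "$status" "$body"
}

# who_listens PORT -> pid/program listening on PORT (ss form of netstat -anp | grep :PORT)
who_listens() {
  ss -ltnp "sport = :$1" 2>/dev/null | tail -n +2
}

# Only contact the network when explicitly asked, so the functions above
# can be sourced and exercised offline.
if [ "${RUN_LOGIN:-0}" = "1" ]; then
  login "${1:-asaltuser}" "${2:-thepassword}"
  who_listens "${SALT_API_URL##*:}"
fi
```

Run it as RUN_LOGIN=1 SALT_API_URL=http://hostname:3333 sh check-login.sh asaltuser thepassword; a result of no-perms means the master authenticated you but found no pam clause under external_auth, which is the "No permissions" case rather than a wrong password.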
Hi @erwindon,
No worries! Thanks for the feedback.
Please see the output for each testing scenario below.
@mjoguinto
These tests rule out any influence from SaltGUI.
The curl and netstat+ps commands show that you are indeed connecting to salt-api.
Now the remaining question is why your system is rejecting that username+password...
Can you login normally with that username+password?
Is there any interesting information in the files in /var/log? Look only in the files that have changed around the same time as you executed the curl command.
@erwindon
Yes, I can login normally.
This is what I have found in /var/log/salt/master when executing the curl command.
@mjoguinto
The first line in the file /var/log/salt/master is an important clue.
This error message is from salt, file auth/__init__.py. On my system, that is under /usr/lib/python3/dist-packages/salt.
According to that code, the error is raised because your file /etc/salt/master, or the file(s) under /etc/salt/master.d/, do not provide a clause pam under external_auth.
external_auth in /etc/salt/master was commented out. In /etc/salt/master.d, there are a lot of .conf files but none of them are using pam. Is salt-api still dependent on /etc/salt/master and /etc/salt/master.d even if I already point to /etc/salt/saltgui.d?
This is the command I used to run another instance of salt-api:
salt-api -c /etc/salt/saltgui.d --pid-file=/var/run/saltgui.pid --log-file=/var/log/salt/saltgui -d
This is where it gets confusing...
To my knowledge, salt-api is only the protocol adapter for the API.
The actual authentication takes place in the salt-master; that is why you see the error messages about that in /var/log/salt/master and not in /var/log/salt/api.
With that knowledge, I think that your salt-master must be configured to see the external_auth section, i.e. move it to the configuration that the salt-master sees.
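For reference, this is the shape of the clause the salt-master needs to find. It is an added example, not a file from the thread or from SaltGUI: the file name /etc/salt/master.d/saltgui.conf and the user asaltuser are assumptions, and the point is that the file lives under the directory the salt-master reads (/etc/salt/master.d/), not under the directory handed to salt-api with -c (/etc/salt/saltgui.d), because the master is the process that evaluates external_auth.

```yaml
# Added example (not from the thread or SaltGUI).
# Assumed path: /etc/salt/master.d/saltgui.conf, read by the salt-master.
# Assumed user: asaltuser, a PAM user that can log in normally on this host.
external_auth:
  pam:
    asaltuser:
      # Least-privilege form: a target glob mapped to the functions allowed on it.
      - 'web*':
          - test.ping
          - state.apply
      # Runner/wheel/job access is granted separately with the @ prefixes.
      - '@jobs'
      # Broad form, useful only while confirming the login path works:
      # - .*
      # - '@runner'
      # - '@wheel'
```

The salt-master has to be restarted to pick up the new clause; a salt-api instance started with -c /etc/salt/saltgui.d will then return a non-empty perms list for asaltuser because the master, not salt-api, now grants the permissions.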
@mjoguinto
Closing the issue. Let me know when you need more help.