erwindon / SaltGUI

A web interface for managing SaltStack based infrastructure.


Update: Authentication failed using PAM #446

mjoguinto opened this issue

Hi,

This is the update for the previous issue (Authentication failed using PAM #446).

I am now able to access the login screen via port 3333. The issue now is the authentication failure using PAM.

I received Error 401.

image

@mjoguinto
Apologies for the late reaction. I missed this one.

In my experience, login failures have 3 possible causes:

  1. You are providing a username+password that is not valid on the salt-master/salt-api server.
    This can be checked by using the same username/password on the salt-master/salt-api server for a regular login.
    Additionally, verify it using:
    curl -v -d eauth=pam -d username=notauser -d password=thepassword http://hostname:port/login/
    This results in an HTML response from salt-api with the 401 error.

  2. The user exists, but is not granted access using the external_auth parameter in file /etc/salt/master.
    This actually does not produce a 401, but the login page will still reject this with the "No permissions" message.
    curl -v -d eauth=pam -d username=notasaltuser -d password=thepassword http://hostname:port/login/
    This results in an OK response with "perms:{}".

  3. Port 3333 on the given address is not a salt-api server but another server, e.g. the SUSE Manager.
    curl -v -d eauth=pam -d username=asaltuser -d password=thepassword http://hostname:port/login/
    may give additional information.
    Use sudo netstat -anp | grep :3333 to find the process ID of the process that is responding on port 3333. Use ps -ef|grep thepid to get more information on that process. Is it salt-api, or another program?

Hi @erwindon,

No worries! Thanks for the feedback.

Please see the output for each testing scenario below.

  1. I tested the working username/password for salt-master/salt-api server to port 3333 and SUSE Manager
    Port 3333
    image
    SUSE Manager
    image

  2. Then I tested saltuser local account to port 3333 and SUSE Manager
    Port 3333
    image
    SUSE Manager
    image

  3. Here is process information of port 3333.
    image

@mjoguinto
These tests rule out any influence from SaltGUI.
The curl and netstat+ps commands show that you are indeed connecting to salt-api.
Now the remaining question is why your system is rejecting that username+password...
Can you log in normally with that username+password?
Is there any interesting information in the files in /var/log? Look only in the files that have changed around the same time as you executed the curl command.

@erwindon
Yes, I can log in normally.
image

This is what I have found in /var/log/salt/master when executing the curl command.
image

@mjoguinto
The first line in the file /var/log/salt/master is an important clue.
This error message is from salt, file auth/__init__.py. On my system, that is under /usr/lib/python3/dist-packages/salt.
According to that code, the error is raised because your file /etc/salt/master, or the file(s) under /etc/salt/master.d/, do not provide a clause pam under external_auth.

@erwindon

external_auth in /etc/salt/master was commented out. In /etc/salt/master.d, there are a lot of .conf files but none of them are using pam. Is salt-api still dependent on /etc/salt/master and /etc/salt/master.d even if I already point to /etc/salt/saltgui.d?

This is the command I used to run another instance of salt-api:
salt-api -c /etc/salt/saltgui.d --pid-file=/var/run/saltgui.pid --log-file=/var/log/salt/saltgui -d

This is where it gets confusing...
To my knowledge, salt-api is only the protocol adapter for the API.
The actual authentication takes place in the salt-master; that is why you see the error messages about that in /var/log/salt/master and not in /var/log/salt/api.
With that knowledge, I think that your salt-master must be configured to see the external_auth section, i.e. move it to the configuration that the salt-master sees.

@mjoguinto
Closing the issue. Let me know when you need more help.
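
The triage worked through in this thread, as an added example that is not part of the original discussion and is not SaltGUI or Salt code: it sends the same form fields as the curl commands above and maps the reply to the causes discussed. The function names, the result labels, and the assumption that salt-api answers /login with JSON shaped as {"return": [{... "perms": ...}]} are this example's own; the sample replies are constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def classify_login(status, body):
    """Map a /login reply (HTTP status, body text) to a likely cause."""
    if status == 401:
        # Credentials rejected, or the salt-master sees no 'pam' clause
        # under external_auth (the cause found in this thread).
        return "rejected"
    try:
        perms = json.loads(body)["return"][0]["perms"]
    except (ValueError, KeyError, IndexError, TypeError):
        perms = None
    if status != 200 or perms is None:
        # Not the reply shape assumed for salt-api: check with netstat/ps
        # which process is really listening on the port.
        return "unexpected"
    # Empty perms ({} or []): authenticated, but external_auth grants nothing.
    return "ok" if perms else "no-permissions"


def probe(url, username, password, eauth="pam"):
    """POST the login form to url (e.g. http://hostname:port/login/)."""
    form = {"eauth": eauth, "username": username, "password": password}
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_login(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # urllib raises on 401 and other 4xx/5xx
        return classify_login(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample replies, not captured from a real server.
SAMPLES = {
    "bad login": (401, "<html><body><h2>401 Unauthorized</h2></body></html>"),
    "no grant": (200, '{"return": [{"user": "notasaltuser", "eauth": "pam", "perms": {}}]}'),
    "granted": (200, '{"return": [{"user": "asaltuser", "eauth": "pam", "perms": [".*"]}]}'),
    "other server": (200, "<html><title>Sign in</title></html>"),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(name, "->", classify_login(status, body))
```

A "rejected" result for a user who can otherwise log in to the host points at the salt-master's external_auth configuration rather than at the password, which is where this thread ended up.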