Change in user authentication from 1.2.1335 to 1.3.959?

veader · October 19, 2020, 6:29pm

Hello,

I am building an Rstudio Server (open source) environment based on the rocker implementation of rstudio server for docker. Our previous versions allow us to join the server to our Active Directory domain and authenticate users. (rocker 3.6 using rstudio-server 1.2.1335 as well as previous versions)

We are currently deploying rocker 4.0 which uses rstudio-server 1.3.959. We no longer are able to have Active Directory users authenticate successfully. Local users do still authenticate.

Has there been some change between the 2019 rstudio server versions and the latest versions?

Thanks for any insight,
Rick

rstub · October 23, 2020, 1:42pm

I am not aware of any changes in RStudio Server that would explain this. In both cases PAM is used to authenticate with the system. How do you integrate the PAM system with AD in both cases? Can you post the Dockerfiles?

veader · November 6, 2020, 7:20pm

Thank you for the response!
I installed Rstudio separately and did see that PAM worked fine in a direct install. This is not ideal for us because we use a lot of the downstream included tools and libraries in the rocker project.

Here are the Dockerfiles in case it makes a difference!

Here is my primary Dockerfile for this:

FROM rocker/tidyverse:4.0.0
# FROM rocker/verse:3.6.1
# FROM rocker/verse:3.5.2
# FROM rocker/verse:3.4.4

LABEL org.label-schema.license="GPL-2.0" \
      org.label-schema.vcs-url="https://github.com/rocker-org/rocker-versioned2" \
      org.label-schema.vendor="Rocker Project" \
      maintainer="Carl Boettiger <cboettig@ropensci.org>"

ENV CTAN_REPO=http://mirror.ctan.org/systems/texlive/tlnet
ENV PATH=/usr/local/texlive/bin/x86_64-linux:$PATH

RUN /rocker_scripts/install_verse.sh

RUN apt update
RUN apt install -y apt-utils sssd-ad sssd-tools realmd adcli openssh-server 
COPY sssd.conf /etc/sssd/sssd.conf
COPY fstab.append /tmp/fstab.append

tidyverse:4.0.0 has a Dockerfile of:

FROM rocker/rstudio:4.0.0

LABEL org.label-schema.license="GPL-2.0" \
      org.label-schema.vcs-url="https://github.com/rocker-org/rocker-versioned" \
      org.label-schema.vendor="Rocker Project" \
      maintainer="Carl Boettiger <cboettig@ropensci.org>"



RUN /rocker_scripts/install_tidyverse.sh

rocker/rstudio:4.0.0:

FROM rocker/r-ver:4.0.0

LABEL org.label-schema.license="GPL-2.0" \
      org.label-schema.vcs-url="https://github.com/rocker-org/rocker-versioned" \
      org.label-schema.vendor="Rocker Project" \
      maintainer="Carl Boettiger <cboettig@ropensci.org>"

ENV S6_VERSION=v1.21.7.0
ENV RSTUDIO_VERSION=1.3.959
ENV PATH=/usr/lib/rstudio-server/bin:$PATH


RUN /rocker_scripts/install_rstudio.sh
RUN /rocker_scripts/install_pandoc.sh

EXPOSE 8787

CMD ["/init"]

rocker/r-ver:4.0.0:

FROM ubuntu:20.04

LABEL org.label-schema.license="GPL-2.0" \
      org.label-schema.vcs-url="https://github.com/rocker-org/rocker-versioned" \
      org.label-schema.vendor="Rocker Project" \
      maintainer="Carl Boettiger <cboettig@ropensci.org>"

ENV R_VERSION=4.0.0
ENV TERM=xterm
ENV LC_ALL=en_US.UTF-8
ENV LANG=en_US.UTF-8
ENV R_HOME=/usr/local/lib/R
ENV CRAN=https://packagemanager.rstudio.com/all/__linux__/focal/291
ENV TZ=Etc/UTC

COPY scripts /rocker_scripts

RUN /rocker_scripts/install_R.sh


CMD ["R"]

veader · November 10, 2020, 2:58pm

Hello!

I realized I did not answer your PAM / AD question.

In our rocker 3.6 build, we have used winbind, in the rocker 4.0 (and 4.0.3 now) builds we must use sssd.

I installed the rstudio on centos via the rstudio.com provided rpm file and configured sssd/kerberos/etc. and the login worked fine.

I am not certain yet if the issue is the rocker build chain or the different OS implementations.

rstub · November 12, 2020, 9:51am

How are you integrating sssd with PAM? Have you tried the debugging your set-up using the pamtester program, c.f. https://docs.rstudio.com/ide/server-pro/authenticating-users.html#diagnosing-pam-authentication-problems? While pamtester is not bundled with the OS version, you can easily install it using apt-get install pamtester.

veader · November 12, 2020, 3:45pm

Hi Ralph,

We are using the normal nsswitch configs calling out sss after files for passwd, shadow, etc.
getent passwd enumerates the users, login works.

r-studio seems to use the pam.d/other profile which we have set to look to all the "common" defaults e.g. auth [success=1 default=ignore] pam_sss.so use_first_pass

I did compile and run pamtester. I got no PAM authentication request for the sss pam type whn running it against the rserver binary.

At the moment I am working through the dockerfiles to see if I can isolate which one injects failure.

Regards and many thanks!
Rick

rstub · November 12, 2020, 5:14pm

You don't run it against a binary but against a PAM profile:

pamtester --verbose <service> <user> authenticate acct_mgmt open_session close_session

The default for <service> would be other, but you can also define a rstudio profile. Typically as a copy of the login profile.

system · December 3, 2020, 5:14pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

If you have a query related to it or one of the replies, start a new topic and refer back with a link.