I am building an RStudio Server (open source) environment based on the rocker implementation of rstudio server for docker. Our previous versions allow us to join the server to our Active Directory domain and authenticate users (rocker 3.6 using rstudio-server 1.2.1335 as well as previous versions).
We are currently deploying rocker 4.0 which uses rstudio-server 1.3.959. We no longer are able to have Active Directory users authenticate successfully. Local users do still authenticate.
Has there been some change between the 2019 rstudio server versions and the latest versions?
I am not aware of any changes in RStudio Server that would explain this. In both cases PAM is used to authenticate with the system. How do you integrate the PAM system with AD in both cases? Can you post the Dockerfiles?
Thank you for the response!
I installed RStudio separately and did see that PAM worked fine in a direct install. This is not ideal for us because we use a lot of the downstream included tools and libraries in the rocker project.
Here are the Dockerfiles in case it makes a difference!
Here is my primary Dockerfile for this:
```dockerfile
FROM rocker/tidyverse:4.0.0
# FROM rocker/verse:3.6.1
# FROM rocker/verse:3.5.2
# FROM rocker/verse:3.4.4
LABEL org.label-schema.license="GPL-2.0" \
      org.label-schema.vcs-url="https://github.com/rocker-org/rocker-versioned2" \
      org.label-schema.vendor="Rocker Project" \
      maintainer="Carl Boettiger <cboettig@ropensci.org>"
ENV CTAN_REPO=http://mirror.ctan.org/systems/texlive/tlnet
ENV PATH=/usr/local/texlive/bin/x86_64-linux:$PATH
RUN /rocker_scripts/install_verse.sh
RUN apt update
RUN apt install -y apt-utils sssd-ad sssd-tools realmd adcli openssh-server
COPY sssd.conf /etc/sssd/sssd.conf
COPY fstab.append /tmp/fstab.append
```
tidyverse:4.0.0 has a Dockerfile of:
```dockerfile
FROM rocker/rstudio:4.0.0
LABEL org.label-schema.license="GPL-2.0" \
      org.label-schema.vcs-url="https://github.com/rocker-org/rocker-versioned" \
      org.label-schema.vendor="Rocker Project" \
      maintainer="Carl Boettiger <cboettig@ropensci.org>"
RUN /rocker_scripts/install_tidyverse.sh
```
rocker/rstudio:4.0.0:
```dockerfile
FROM rocker/r-ver:4.0.0
LABEL org.label-schema.license="GPL-2.0" \
      org.label-schema.vcs-url="https://github.com/rocker-org/rocker-versioned" \
      org.label-schema.vendor="Rocker Project" \
      maintainer="Carl Boettiger <cboettig@ropensci.org>"
ENV S6_VERSION=v1.21.7.0
ENV RSTUDIO_VERSION=1.3.959
ENV PATH=/usr/lib/rstudio-server/bin:$PATH
RUN /rocker_scripts/install_rstudio.sh
RUN /rocker_scripts/install_pandoc.sh
EXPOSE 8787
CMD ["/init"]
```
We are using the normal nsswitch configs calling out sss after files for passwd, shadow, etc.
getent passwd enumerates the users, login works.
RStudio seems to use the pam.d/other profile which we have set to look to all the "common" defaults e.g. auth [success=1 default=ignore] pam_sss.so use_first_pass
I did compile and run pamtester. I got no PAM authentication request for the sss pam type when running it against the rserver binary.
At the moment I am working through the dockerfiles to see if I can isolate which one injects failure.
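The checks described in the last post (nsswitch lists sss, and the PAM profile in effect reaches pam_sss.so) can be scripted so they are repeatable across image layers. This is an added example, not part of the thread; it assumes the PAM service name RStudio Server requests is `rstudio` and that profiles live under `/etc/pam.d`.

```shell
#!/bin/sh
# Added diagnostic example, not from the thread. Pass a ROOT prefix to inspect
# a copied container filesystem, or "" for the live one, e.g.:
#   check_rstudio_sss ""

# Path of the PAM profile that applies to SERVICE ("other" is PAM's fallback).
pam_service_file() {  # ROOT SERVICE
    if [ -f "$1/etc/pam.d/$2" ]; then
        echo "$1/etc/pam.d/$2"
    else
        echo "$1/etc/pam.d/other"
    fi
}

# Print the auth lines of FILE, following "@include X" and "auth include X".
# The body runs in a subshell so recursion cannot clobber the caller's variables.
pam_auth_lines() (  # ROOT FILE
    [ -f "$2" ] || exit 0
    while read -r type ctl rest || [ -n "$type" ]; do
        case "$type" in
            @include) pam_auth_lines "$1" "$1/etc/pam.d/$ctl" ;;
            auth|-auth)
                case "$ctl" in
                    include|substack) pam_auth_lines "$1" "$1/etc/pam.d/$rest" ;;
                    *) echo "$type $ctl $rest" ;;
                esac ;;
        esac
    done < "$2"
)

# Report both layers; return 0 only if the PAM auth stack and NSS both use sss.
check_rstudio_sss() {  # ROOT
    root=${1:-}
    rc=0
    svc=$(pam_service_file "$root" rstudio)   # "rstudio" is an assumed service name
    echo "PAM profile in effect: $svc"
    if pam_auth_lines "$root" "$svc" | grep -q 'pam_sss\.so'; then
        echo "auth stack reaches pam_sss.so"
    else
        echo "auth stack never reaches pam_sss.so"; rc=1
    fi
    if grep -Eq '^passwd:.*[[:space:]]sss([[:space:]]|$)' "$root/etc/nsswitch.conf" 2>/dev/null; then
        echo "nsswitch passwd lists sss"
    else
        echo "nsswitch passwd does not list sss"; rc=1
    fi
    return $rc
}
```

Running it in each image of the chain (r-ver, rstudio, tidyverse, the final image) shows whether a layer adds a dedicated `/etc/pam.d/rstudio` profile that shadows the `other` profile.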