I was wondering if anyone has found a solution to this problem.
Rocky Linux 8.6 Rstudio Server Open Source 2022.07.2 PAM acct_mgmt failure
Pamtester output:
[user@super_cool_server downloads]$ pamtester -v rstudio aaron.oster authenticate acct_mgmt open_session close_session
pamtester: invoking pam_start(rstudio, aaron.oster, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
pamtester: performing operation - acct_mgmt
pamtester: Permission denied
[user@super_cool_server downloads]$ pamtester -v rstudio aaron.oster authenticate open_session close_session
pamtester: invoking pam_start(rstudio, aaron.oster, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
pamtester: performing operation - open_session
pamtester: sucessfully opened a session
pamtester: performing operation - close_session
pamtester: session has successfully been closed.
General Info
We have Centos 7 machines with working versions of rstudio server 1.2 and no login issues. Tried to use this RS open source 1.2 on rocky as a control but it fails to run.
My attempts to resolve
No file etc/pam.d/common-account exist as described here: Configuring Active Directory in RStudio Workbench - RStudio Documentation
rstub
October 6, 2022, 2:42pm
2
The file /etc/pam.d/common-account
is Ubuntu specific. The analogue on Rocky Linux might be /etc/pam.d/system-auth
, but we would need the file /etc/pam.d/rstudio
that you are currently using.
BTW, you should start pamtester
as root
/with sudo
since RStudio Server does so as well. In addition, you should remove open_session
and close_session
from the command line, since PAM sessions are only supported in Rstudio Workbench.
1 Like
Thank you for the response!
cat etc/pam.d/rstudio
its a copy of etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
cat /etc/pam.d/system-auth
[user@super_cool_server /]$ cat /etc/pam.d/system-auth
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
sudo pamtester
[user@super_cool_server /]$ sudo pamtester -v rstudio user authenticate acct_mgmt
[sudo] password for user:
pamtester: invoking pam_start(rstudio, user, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
pamtester: performing operation - acct_mgmt
pamtester: Permission denied
rstub
October 7, 2022, 9:40am
4
Ok, now you can apply the workaround from the linked article: Comment out
account [default=bad success=ok user_unknown=ignore] pam_sss.so
in /etc/pam.d/system-auth
.
At some point I would like to understand properly where this comes from, though. So if you are willing to do some digging, here are some links that might explain what is going on:
1 Like
Thank you! That seems to have solved the acct_mgmt issue
one of the Rocky 8.6 Rstudio Servers works now! the others not so much. Will keep digging as you suggested.
okay so now i get the below response.....
Authentication is failing on RStudio server
● rstudio-server.service - RStudio Server
Loaded: loaded (/usr/lib/systemd/system/rstudio-server.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2022-10-07 07:59:01 PDT; 4min 43s ago
Process: 3914 ExecStart=/usr/lib/rstudio-server/bin/rserver (code=exited, status=0/SUCCESS)
Main PID: 3930 (rserver)
Tasks: 4 (limit: 3355442)
Memory: 63.6M
CGroup: /system.slice/rstudio-server.service
└─3930 /usr/lib/rstudio-server/bin/rserver
Oct 07 07:59:01 super_cool_server systemd[1]: Starting RStudio Server...
Oct 07 07:59:01 super_cool_server systemd[1]: Started RStudio Server.
Oct 07 08:03:34 super_cool_server rserver-pam[5508]: pam_sss(rstudio:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=<user>
Oct 07 08:03:34 super_cool_server rserver-pam[5508]: pam_sss(rstudio:auth): received for user <user>: 7 (Authentication failure)
Pamtester passes authentication
[<user>@super_cool_server ~]$ sudo pamtester -v rstudio <user> authenticate
pamtester: invoking pam_start(rstudio, <user>, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
[<user>@super_cool_server ~]$ sudo pamtester -v rstudio <user> authenticate acct_mgmt
pamtester: invoking pam_start(rstudio, <user>, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
pamtester: performing operation - acct_mgmt
pamtester: account management done.
rstub
October 10, 2022, 3:45pm
6
It is odd that it works in pamtester
but not in Rstudio Server. Are you sure there were no typos in the username or password?
system
Closed
October 17, 2022, 3:46pm
7
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed. If you have a query related to it or one of the replies, start a new topic and refer back with a link.