Rocky Linux 8.6 Rstudio Server Open Source 2022.07.2 PAM acct_mgmt failure

aaron.oster · October 6, 2022, 12:13pm

I was wondering if anyone has found a solution to this problem.

Rocky Linux 8.6 Rstudio Server Open Source 2022.07.2 PAM acct_mgmt failure

Pamtester output:

[user@super_cool_server downloads]$ pamtester -v rstudio aaron.oster authenticate acct_mgmt open_session close_session
pamtester: invoking pam_start(rstudio, aaron.oster, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
pamtester: performing operation - acct_mgmt
pamtester: Permission denied
[user@super_cool_server downloads]$ pamtester -v rstudio aaron.oster authenticate open_session close_session
pamtester: invoking pam_start(rstudio, aaron.oster, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
pamtester: performing operation - open_session
pamtester: sucessfully opened a session
pamtester: performing operation - close_session
pamtester: session has successfully been closed.

General Info

We have Centos 7 machines with working versions of rstudio server 1.2 and no login issues. Tried to use this RS open source 1.2 on rocky as a control but it fails to run.

My attempts to resolve

No file etc/pam.d/common-account exist as described here: Configuring Active Directory in RStudio Workbench - RStudio Documentation

rstub · October 6, 2022, 2:42pm

The file /etc/pam.d/common-account is Ubuntu specific. The analogue on Rocky Linux might be /etc/pam.d/system-auth, but we would need the file /etc/pam.d/rstudio that you are currently using.

BTW, you should start pamtester as root/with sudo since RStudio Server does so as well. In addition, you should remove open_session and close_session from the command line, since PAM sessions are only supported in Rstudio Workbench.

aaron.oster · October 6, 2022, 5:17pm

Thank you for the response!

cat etc/pam.d/rstudio

its a copy of etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

cat /etc/pam.d/system-auth

[user@super_cool_server /]$ cat /etc/pam.d/system-auth
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

sudo pamtester

[user@super_cool_server /]$ sudo pamtester -v rstudio user authenticate acct_mgmt
[sudo] password for user:
pamtester: invoking pam_start(rstudio, user, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
pamtester: performing operation - acct_mgmt
pamtester: Permission denied

rstub · October 7, 2022, 9:40am

Ok, now you can apply the workaround from the linked article: Comment out

account     [default=bad success=ok user_unknown=ignore] pam_sss.so

in /etc/pam.d/system-auth.

At some point I would like to understand properly where this comes from, though. So if you are willing to do some digging, here are some links that might explain what is going on:

aaron.oster · October 7, 2022, 4:13pm

Thank you! That seems to have solved the acct_mgmt issue

one of the Rocky 8.6 Rstudio Servers works now! the others not so much. Will keep digging as you suggested.

okay so now i get the below response.....

Authentication is failing on RStudio server

● rstudio-server.service - RStudio Server
   Loaded: loaded (/usr/lib/systemd/system/rstudio-server.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2022-10-07 07:59:01 PDT; 4min 43s ago
  Process: 3914 ExecStart=/usr/lib/rstudio-server/bin/rserver (code=exited, status=0/SUCCESS)
 Main PID: 3930 (rserver)
    Tasks: 4 (limit: 3355442)
   Memory: 63.6M
   CGroup: /system.slice/rstudio-server.service
           └─3930 /usr/lib/rstudio-server/bin/rserver

Oct 07 07:59:01 super_cool_server systemd[1]: Starting RStudio Server...
Oct 07 07:59:01 super_cool_server systemd[1]: Started RStudio Server.
Oct 07 08:03:34 super_cool_server rserver-pam[5508]: pam_sss(rstudio:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=<user>
Oct 07 08:03:34 super_cool_server rserver-pam[5508]: pam_sss(rstudio:auth): received for user <user>: 7 (Authentication failure)

Pamtester passes authentication

[<user>@super_cool_server ~]$ sudo pamtester -v rstudio <user> authenticate
pamtester: invoking pam_start(rstudio, <user>, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
 [<user>@super_cool_server  ~]$ sudo pamtester -v rstudio <user> authenticate acct_mgmt
pamtester: invoking pam_start(rstudio, <user>, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
pamtester: performing operation - acct_mgmt
pamtester: account management done.

rstub · October 10, 2022, 3:45pm

It is odd that it works in pamtester but not in Rstudio Server. Are you sure there were no typos in the username or password?

system · October 17, 2022, 3:46pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

If you have a query related to it or one of the replies, start a new topic and refer back with a link.