CptSupermrkt

Reputation: 7124

Salt times out when using external authentication (PAM)

I'm trying to use Salt (2015.8.10 Beryllium) with "external_auth" via PAM. My ultimate goal is to use salt-api to authenticate a request from a salt-minion which will allow that minion to call for its own key to be accepted. As a first step, it's suggested that you first get authentication working locally with "salt -a pam" on the salt master. That's where I'm stuck.

The issue I'm having is that attempts to use pam are resulting in the Salt request timing out:

[root@saltmaster ~]# salt -a pam 'box603.example.com' test.ping --log-level all
[DEBUG   ] Reading configuration from /etc/salt/master
...
[DEBUG   ] LazyLoaded pam.auth
username: user1
password: 
[DEBUG   ] Initializing new AsyncZeroMQReqChannel for ('/etc/salt/pki/master', 'saltmaster.example.com_master', 'tcp://127.0.0.1:4506', 'clear')
[TRACE   ] Inserted key into loop_instance_map id 18446604434624361104 for key ('/etc/salt/pki/master', 'saltmaster.example.com_master', 'tcp://127.0.0.1:4506', 'clear') and process 11045
[DEBUG   ] SaltReqTimeoutError, retrying. (1/3)
[DEBUG   ] SaltReqTimeoutError, retrying. (2/3)
[DEBUG   ] SaltReqTimeoutError, retrying. (3/3)
[DEBUG   ] LazyLoaded nested.output
[TRACE   ] data = Salt request timed out. The master is not responding. If this error persists after verifying the master is up, worker_threads may need to be increased.
Salt request timed out. The master is not responding. If this error persists after verifying the master is up, worker_threads may need to be increased.

The host in question, box603.example.com, is online and is pingable when not using pam authentication:

[root@saltmaster ~]# salt 'box603.example.com' test.ping
box603.example.com:
    True

My saltmaster:/etc/salt/master configuration file contains:

external_auth:
  pam:
    user1:
      - .*

And user1 is a valid user in /etc/passwd|shadow, it's usable via ssh, and I can su to it.

The docs indicate that when trying to authenticate with pam and salt, it defaults to pam's login service. Here's my /etc/pam.d/login:

auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth required           pam_unix_auth.so.1
auth required           pam_unix_cred.so.1

For what it's worth, the salt master is running Solaris 11. I often see in posts for salt problems requests to post salt --versions-report, so here's that:

Salt Version:
           Salt: 2015.8.10

Dependency Versions:
         Jinja2: 2.8
       M2Crypto: 0.24.0
           Mako: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.2.0
         Python: 2.7.11 (default, Mar 24 2016, 22:19:35)
           RAET: 0.6.5
        Tornado: 4.3
            ZMQ: 4.1.4
           cffi: 1.5.2
       cherrypy: 3.2.3
       dateutil: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: 1.5.1
        libgit2: Not Installed
        libnacl: 1.4.4
   msgpack-pure: Not Installed
 msgpack-python: 0.4.7
   mysql-python: Not Installed
      pycparser: 2.14
       pycrypto: 2.6.1
         pygit2: Not Installed
   python-gnupg: Not Installed
          smmap: Not Installed
        timelib: Not Installed

System Versions:
           dist:   
        machine: i86pc
        release: 5.11

Upvotes: 0

Views: 753

Answers (1)

Utah_Dave

Reputation: 4581

At this time Salt's "external_auth" pam implementation is tied directly to the Linux pam binaries and will only work on Linux. So that means no Solaris, unfortunately.

Upvotes: 1
