Reputation: 1
I've just installed a fresh Rundeck server:
It is running behind NGINX with a TLS certificate. No issues with this.
I'm trying to set up external authentication not with the LDAP module but with the PAM module that comes with Rundeck. The server is already joined to our Active Directory domain with Winbind and Samba.
When I try to log in with my domain user on the web UI, the web UI displays "Wrong username or password" while the logs say the opposite.
I have edited the JAAS conf file and added the PAM method:
jaas-loginmodule.conf

```
org.rundeck.jaas.jettyPamLoginModule requisite
    debug="true"
    service="sshd"
    supplementalRoles="readonly"
    storePass="true"
org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/etc/rundeck/realm.properties";
```
When I try to log in with an AD user, the Rundeck service log shows that it succeeded:

/var/log/rundeck/service.log

```
[2023-03-08T13:35:12,068] DEBUG pam.AbstractPamLoginModule - PAM authentication trying (sshd) for: jsmith
[2023-03-08T13:35:12,416] DEBUG pam.AbstractPamLoginModule - PAM authentication succeeded for: jsmith
```

But the access log shows the opposite:

/var/log/rundeck/rundeck.access.log

```
[2023-03-08T13:35:12,068] INFO web.requests "GET /user/error" [0:0:0:0:0:0:0:1] http form 303 ? [] (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36)
```

Does it succeed, but I cannot log in because the AD user does not exist in the Rundeck database?
Thank you for your help.
Upvotes: 0
Views: 251
Reputation: 4325
Off the record answer:
It works with the following config:
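```
RDpropertyfilelogin {
    // Authenticate against the PAM service "sshd"; storePass keeps the credentials for later modules
    org.rundeck.jaas.jetty.JettyPamLoginModule requisite
        debug="true"
        service="sshd"
        supplementalRoles="readonly"
        storePass="true";
    // Reuse the stored credentials (useFirstPass) and read roles from realm.properties
    org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
        debug="true"
        useFirstPass="true"
        file="/etc/rundeck/realm.properties";
    // Local users defined in realm.properties
    org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
        debug="true"
        file="/etc/rundeck/realm.properties";
};
```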
Upvotes: 0
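A small checker for the kind of module stack shown in the answer above, added here as an example; it is not part of the original posts or of Rundeck. It parses JAAS login configuration syntax and flags any module that sets `useFirstPass` or `tryFirstPass` when no earlier module in the same entry sets `storePass="true"`. The function names and the sample configuration are constructed for illustration.

```python
import re
FLAGS = {"required", "requisite", "sufficient", "optional"}  # JAAS control flags
TOKEN = re.compile(r'//[^\n]*|/\*.*?\*/|"[^"]*"|[{};=]|[^\s{};="]+', re.S)

def parse_jaas(text):
    """Parse JAAS login configuration text into {entry: [(cls, flag, opts)]}."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith(("//", "/*"))]
    entries, pos = {}, 0
    def take(expected=None):
        nonlocal pos
        tok = toks[pos] if pos < len(toks) else None
        pos += 1
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        return tok

    while pos < len(toks):
        name, modules = take(), []
        take("{")
        while pos < len(toks) and toks[pos] != "}":
            cls, flag, opts = take(), take(), {}
            if flag not in FLAGS:
                raise ValueError(f"{cls}: bad control flag {flag!r}")
            while (key := take()) != ";":  # a missing ';' fails at the next '='
                take("=")
                opts[key] = take().strip('"')
            modules.append((cls, flag, opts))
        take("}")
        take(";")
        entries[name] = modules
    return entries

def lint(entries):
    """Flag modules that reuse a stored password that no earlier module stored."""
    findings = []
    for name, modules in entries.items():
        stored = False  # has an earlier module set storePass="true"?
        for cls, _flag, opts in modules:
            if "true" in (opts.get("useFirstPass"), opts.get("tryFirstPass")) and not stored:
                findings.append(f'{name}: {cls} needs an earlier storePass="true"')
            stored = stored or opts.get("storePass") == "true"
    return findings

# Constructed sample: the role module reuses the first password, but the PAM module lacks storePass.
SAMPLE = '''RDpropertyfilelogin {
  org.rundeck.jaas.jetty.JettyPamLoginModule requisite service="sshd";
  org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
    useFirstPass="true" file="/etc/rundeck/realm.properties";
};'''
```

Calling `lint(parse_jaas(SAMPLE))` returns one finding for the role module; a syntax error such as a missing `;` between two modules raises `ValueError` instead.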