[Spacewalk-list] CentOS 7.4 + Spacewalk 2.6: PAM fails because of SELinux

Olli Rajala olli.rajala at ravoltek.net
Thu Jan 4 10:01:54 UTC 2018


Michael Mraka <michael.mraka at redhat.com> wrote:

> Please check newer documentation at
> https://access.redhat.com/documentation/en-us/red_hat_satellite/5.8/html/installation_guide/chap-authentication#Implementing_PAM_Authentication


Thanks for the info. There were two things missing, but fixing those didn't
help.

- Installed the pam-devel package
- Ran "$ setsebool -P allow_httpd_mod_auth_pam 1". Not sure if this was
already on, because getsebool -a doesn't show that.


>
> > Any ideas what else to check? The working 2.6 installation on CentOS 6
> > also writes that same keytab error line to /var/log/messages, so I suppose
> > it doesn't matter.
>
> What kind of authentication is behind your PAM? Is it LDAP?
>

Active Directory/Kerberos, so /etc/pam.d/rhn-satellite is based on the
Kerberos version.

I had missed yesterday that /var/log/messages also has something related to
this issue.

Jan  4 11:50:55 server: 2018-01-04 11:50:55,761 [ajp-bio-0:0:0:0:0:0:0:1-8009-exec-6] WARN com.redhat.rhn.domain.user.legacy.UserImpl - PAM login for user User <user> (id <id>, org_id <org_id>) failed with error System error.
Jan  4 11:50:57 server: 2018-01-04 11:50:57,762 [ajp-bio-0:0:0:0:0:0:0:1-8009-exec-6] INFO com.redhat.rhn.frontend.action.LoginAction - LOCAL AUTH FAILURE: <user>

The success message was actually in /var/log/secure, so it seems that PAM
itself is satisfied but there is some issue between PAM and Spacewalk.

Jan  4 11:50:55 java: pam_krb5[18217]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan  4 11:50:55 java: pam_krb5[18217]: TGT verified
Jan  4 11:50:55 java: pam_krb5[18217]: authentication succeeds for '<account>' (<account>@domain.invalid)

BR,
-- 
Olli Rajala
Finland
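
The comparison made in the message above between /var/log/secure and /var/log/messages, written as a script: it lists Spacewalk PAM failures for which pam_krb5 logged a success for the same user within a few seconds. This is an added example, not part of the original post. The sample lines are constructed from the excerpts above with `jdoe` standing in for the redacted user, and the function names, the year default and the assumption that both logs record the same login string are illustrative.

```python
import re
from datetime import datetime, timedelta

# Constructed samples modelled on the two excerpts in the post; "jdoe" and the
# id values replace the redacted <user>/<account>/<id> placeholders.
SECURE = """\
Jan  4 11:50:55 java: pam_krb5[18217]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan  4 11:50:55 java: pam_krb5[18217]: TGT verified
Jan  4 11:50:55 java: pam_krb5[18217]: authentication succeeds for 'jdoe' (jdoe@domain.invalid)
"""
MESSAGES = """\
Jan  4 11:50:55 server: 2018-01-04 11:50:55,761 [ajp-bio-0:0:0:0:0:0:0:1-8009-exec-6] WARN com.redhat.rhn.domain.user.legacy.UserImpl - PAM login for user User jdoe (id 1, org_id 1) failed with error System error.
Jan  4 11:50:57 server: 2018-01-04 11:50:57,762 [ajp-bio-0:0:0:0:0:0:0:1-8009-exec-6] INFO com.redhat.rhn.frontend.action.LoginAction - LOCAL AUTH FAILURE: jdoe
"""

STAMP = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) "
PAM_OK = re.compile(STAMP + r".*?pam_krb5\[\d+\]: authentication succeeds for '(?P<user>[^']+)'")
APP_FAIL = re.compile(STAMP + r".*PAM login for user User (?P<user>\S+) .*failed with error (?P<error>.+?)\.?$")

def parse(text, pattern, year=2018):
    """Return (timestamp, user, error) for each matching line.
    Syslog stamps carry no year, so one is assumed (2018, as in the post)."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            stamp = " ".join(m.group("ts").split())  # collapse the padded day field
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("user"), m.groupdict().get("error", "")))
    return events

def pam_ok_but_app_failed(secure, messages, window=timedelta(seconds=5)):
    """Application-side PAM failures with a pam_krb5 success for the same user nearby."""
    successes = parse(secure, PAM_OK)
    hits = []
    for ts, user, error in parse(messages, APP_FAIL):
        if any(u == user and abs(ts - t) <= window for t, u, _ in successes):
            hits.append((ts.strftime("%H:%M:%S"), user, error))
    return hits

if __name__ == "__main__":
    for when, user, error in pam_ok_but_app_failed(SECURE, MESSAGES):
        print(f"{when} {user}: pam_krb5 succeeded but Spacewalk reported '{error}'")
```

A non-empty result means the authentication module accepted the credentials, so the failure lies in a later PAM stage or in the calling Java process rather than in the Kerberos exchange.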