Furthermore, knoxcli.sh shows guest authentication is ok:
sudo bin/knoxcli.sh user-auth-test --cluster ui --u guest --p "{PASSWORD}"
LDAP authentication successful!
The output shows LDAP but OS auth is used:
<provider>
    <role>authentication</role>
    <name>ShiroProvider</name>
    <enabled>true</enabled>
    <param>
        <name>sessionTimeout</name>
        <value>30</value>
    </param>
    <param>
        <name>main.pamRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
    </param>
    <param>
        <name>main.pamRealm.service</name>
        <value>knox</value>
    </param>
    <param>
        <name>urls./**</name>
        <value>authcBasic</value>
    </param>
</provider>
<provider>
    <role>identity-assertion</role>
    <name>Default</name>
    <enabled>true</enabled>
</provider>
<provider>
    <role>authorization</role>
    <name>XASecurePDPKnox</name>
    <enabled>true</enabled>
</provider>
The knox pam service is:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
On Sat, Jun 30, 2018 at 9:21 AM, Lian Jiang <[email protected]> wrote:
> Yes. I do both pamtester and curl on the Knox host.
>
> On Sat, Jun 30, 2018 at 6:36 AM, larry mccay <[email protected]> wrote:
>
>> Are you on the Knox host when testing with pamtester? The accounts will
>> need to be on the Knox host.
>>
>>
>>
>> On Sat, Jun 30, 2018, 2:22 AM Lian Jiang <[email protected]> wrote:
>>
>>> I am using OS auth for knox and have verified the username and password
>>> work:
>>>
>>> sudo pamtester -v knox guest authenticate
>>> pamtester: invoking pam_start(knox, guest, ...)
>>> pamtester: performing operation - authenticate
>>> Password:
>>> pamtester: successfully authenticated
>>>
>>> However, my curl command failed:
>>>
>>> curl -ik -u guest:"{PASSWORD}" http://test-namenode.subnet1.hadoop.oraclevcn.com:8443/gateway/ui/webhdfs/v1/user/?op=LISTSTATUS
>>>
>>> The error is:
>>> Jun 30 06:16:03 test-namenode unix_chkpwd[37385]: check pass; user unknown
>>> Jun 30 06:16:03 test-namenode unix_chkpwd[37385]: password check failed for user (guest)
>>> Jun 30 06:16:03 test-namenode java: pam_unix(knox:auth): authentication failure; logname= uid=2018 euid=2018 tty= ruser= rhost= user=guest
>>>
>>>
>>> Any idea how I can debug? Appreciate any help.
>>>
>>>
>>>
>
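
Added example, not part of the original messages: the pamtester and knoxcli.sh checks in this thread were run under sudo, while the pam_unix failure line records uid=2018 for the java process. The Python below parses that log excerpt (re-typed here as constructed sample input) and flags failures raised by a non-root caller, so the PAM test can be repeated under that same account; the function and field names are assumptions of this example.

```python
import re

# Constructed sample: the journal lines quoted in the thread, with mail wrapping undone.
SAMPLE_LOG = """\
Jun 30 06:16:03 test-namenode unix_chkpwd[37385]: check pass; user unknown
Jun 30 06:16:03 test-namenode unix_chkpwd[37385]: password check failed for user (guest)
Jun 30 06:16:03 test-namenode java: pam_unix(knox:auth): authentication failure; logname= uid=2018 euid=2018 tty= ruser= rhost= user=guest
"""

PAM_FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s(?P<proc>[^:\[\s]+)(?:\[\d+\])?:\s"
    r"pam_unix\((?P<service>[^:)]+):auth\):\sauthentication failure;\s(?P<fields>.*)$"
)
HELPER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sunix_chkpwd\[\d+\]:\s(?P<msg>.*)$"
)


def pam_failures(log):
    """Return one record per pam_unix auth failure, with helper lines from the same second."""
    lines = log.splitlines()
    helper = {}
    for line in lines:
        m = HELPER.match(line)
        if m:
            helper.setdefault(m["ts"], []).append(m["msg"])
    records = []
    for line in lines:
        m = PAM_FAILURE.match(line)
        if not m:
            continue
        # "logname= uid=2018 ... user=guest" -> dict; empty values stay "".
        fields = dict(re.findall(r"(\w+)=(\S*)", m["fields"]))
        uid = int(fields.get("uid", -1))
        records.append({
            "service": m["service"],          # PAM service name, e.g. knox
            "process": m["proc"],             # program that called PAM
            "caller_uid": uid,                # uid the calling process ran as
            "target_user": fields.get("user", ""),
            "helper_messages": helper.get(m["ts"], []),
            # A test run as root does not reproduce what a non-root caller sees.
            "retest_as_caller": uid != 0,
        })
    return records


if __name__ == "__main__":
    for record in pam_failures(SAMPLE_LOG):
        print(record)
```

When `retest_as_caller` is true, rerun the pamtester check as the account that owns `caller_uid` (for example with `sudo -u <gateway-account>`, a placeholder) instead of as root.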