Problem nach Upgrade 4.2 -> 4.3: PAM authentication failed

[DK3]

Hallo,

- Ich habe eine Ubuntu 22.04 VM mit allen Updates installiert.
- Vor dem Upgrade habe ich alle Updates für Ubuntu und OPSI 4.2 installiert und neu gestartet.

- Hier funktionierte der Login mit configed und Web-Interface noch.

- Nach dem Upgrade kommt im Web-Interface die Fehlermeldung:
"Opsi service authentication error: Authentication failed for user 'admin': Opsi service authentication error: PAM authentication failed for user 'admin': Authentication failure"

- Ich habe mit "apt reinstall opsiconfd" kein Erfolg.

- "opsiconfd health-check" gibt einen Hinweis wegen der Einstellung:
"opsiclientd.global.verify_server_cert = true"
Sowie den veralteten Stand des Paketes "opsi-client-agent" auf allen Systemen.

- Ich habe die Passwörter für alle drei OPSI-User neu gesetzt, jedoch kein Erfolg.

- In der Datei "/var/log/auth.log" steht:
"pam_unix(common-auth:auth): check pass; user unknown"
"pam_unix(common-auth:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost="

- Ich kann mich mit diesem User Erfolgreich an einer SSH-Konsole anmelden.


DK3

[j.schneider]

Hallo!

Bitte einmal in die Log-Dateien des opsiconfd in /var/log/opsi/opsiconfd schauen.
Wie sieht die Fehlermeldung dort aus?

Grüße
Jan Schneider

[DK3]

Dort steht nur:

opsiconfd.log:

Code: Alles auswählen

[1] [2024-01-02 13:39:57.844] [               ] Opsiconfd version '4.3.3.5' starting on 'opsiserver.pewe-ideen.net' as 'configserver'   (main.py:345)
[1] [2024-01-02 13:40:00.035] [               ] Switching to user opsiconfd   (main.py:354)
[1] [2024-01-03 08:15:29.836] [               ] Opsiconfd version '4.3.3.5' starting on 'opsiserver.pewe-ideen.net' as 'configserver'   (main.py:345)
[1] [2024-01-03 08:15:31.945] [               ] Switching to user opsiconfd   (main.py:354)

10.200.50.132.log:

Code: Alles auswählen

[3] [2024-01-03 08:16:04.220] [10.200.50.132  ] Opsi service authentication error: Authentication failed for user 'admin': Opsi service authentication error: PAM authentication failed for user 'a>
Traceback (most recent call last):
  File "opsiconfd/auth/pam.py", line 61, in authenticate
RuntimeError: Authentication failure

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "opsiconfd/session.py", line 1039, in authenticate_user_auth_module
  File "starlette/concurrency.py", line 41, in run_in_threadpool
  File "anyio/to_thread.py", line 33, in run_sync
  File "anyio/_backends/_asyncio.py", line 877, in run_sync_in_worker_thread
  File "anyio/_backends/_asyncio.py", line 807, in run
  File "opsiconfd/auth/pam.py", line 65, in authenticate
opsicommon.exceptions.OpsiServiceAuthenticationError: Opsi service authentication error: PAM authentication failed for user 'admin': Authentication failure

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "opsiconfd/rest.py", line 242, in create_response
  File "opsiconfd/rest.py", line 231, in exec_func
  File "opsiconfd/application/session.py", line 33, in login
  File "opsiconfd/session.py", line 1065, in authenticate
  File "opsiconfd/session.py", line 1140, in _authenticate
  File "opsiconfd/session.py", line 1041, in authenticate_user_auth_module
opsicommon.exceptions.OpsiServiceAuthenticationError: Opsi service authentication error: Authentication failed for user 'admin': Opsi service authentication error: PAM authentication failed for u>

DK3

[j.schneider]

Was steht in der /etc/nsswitch.conf ?

[DK3]

Code: Alles auswählen

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd
group:          files systemd
shadow:         files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

DK3

[j.schneider]

Okay und in der /etc/pam.d/common-auth?

[DK3]

Code: Alles auswählen

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_unix.so nullok
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config

DK3

[DK3]

Hat noch jemand eine Idee?

DK3

[DK3]

Gehört in den Ordner "/etc/pam.d" ein Symlink rein?

Bei OPSI 4.1/4.2 scheinbar ja.

Bei OPSI 4.3 ist keiner?


DK3

[j.schneider]

Ohne auf das System schauen zu können, ist es an dieser Stelle sehr schwierig weiterzuhelfen.
Schon mal über einen Support-Vertrag nachgedacht?

https://www.uib.de/de/support-schulung/ ... en-support