Page MenuHomePhabricator

sssd apparently not working fine in toolsbeta
Closed, ResolvedPublic

Description

Not sure if there is some missing config bits in the toolsbeta case.

When trying to ssh as my user:

Jun  7 13:21:28 toolsbeta-arturo-k8s-etcd-1 sshd[19279]: Starting session: shell on pts/0 for root from 172.16.1.135 port 51022 id 0
Jun  7 13:21:46 toolsbeta-arturo-k8s-etcd-1 sshd[19329]: Connection from 172.16.1.135 port 51028 on 172.16.0.24 port 22
Jun  7 13:21:47 toolsbeta-arturo-k8s-etcd-1 sshd[19329]: Postponed publickey for aborrero from 172.16.1.135 port 51028 ssh2 [preauth]
Jun  7 13:21:48 toolsbeta-arturo-k8s-etcd-1 sshd[19329]: pam_access(sshd:account): access denied for user `aborrero' from `bastion-restricted-eqiad1-01.bastion.eqiad.wmflabs'
Jun  7 13:21:48 toolsbeta-arturo-k8s-etcd-1 sshd[19329]: Failed publickey for aborrero from 172.16.1.135 port 51028 ssh2: ED25519 SHA256:V1QNhG5BIXIOwTXNmr8N5YJckL1StLoDuQj5b3Fozsc
Jun  7 13:21:48 toolsbeta-arturo-k8s-etcd-1 sshd[19329]: fatal: Access denied for user aborrero by PAM account configuration [preauth]

Event Timeline

aborrero created this task.Jun 7 2019, 1:30 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 7 2019, 1:30 PM

If I compare the config in toolforge servers, I see:

root@tools-sgebastion-07.eqiad.wmflabs~# cat /etc/security/access.conf
+:ALL:LOCAL
+ : clushuser : tools-clushmaster-02.tools.eqiad.wmflabs
-:ALL EXCEPT (project-tools) root:ALL

and in toolsbeta:

root@toolsbeta-arturo-k8s-etcd-1:~# cat /etc/security/access.conf
+:ALL:LOCAL
+ : clushuser : tools-clushmaster-02.tools.eqiad.wmflabs
-:ALL EXCEPT (toolsbeta.admin) root:ALL
-:ALL EXCEPT (project-toolsbeta) root:ALL

It turns out that if I delete the extra line -:ALL EXCEPT (toolsbeta.admin) root:ALL, then everything works as expected (i.e, the original issue disappears...)
The issue may not be in sssd but in the pam config?

Just confirmed using this command that toolsbeta is the only CloudVPS project with that special config. We may just drop the special case and move on.

aborrero@labpuppetmaster1001:~$ sudo cumin --force -x O{*} "cat /etc/security/access.conf"

Mentioned in SAL (#wikimedia-cloud) [2019-06-19T10:39:37Z] <arturo> add myself to the toolsbeta.admin LDAP group (T225303)

aborrero closed this task as Resolved.Wed, Jun 19, 11:07 AM

That was it. I was missing in the toolsbeta.admin group.