
sssd apparently not working fine in toolsbeta
Closed, Resolved (Public)

Description

Not sure if there are some missing config bits in the toolsbeta case.

When trying to ssh as my user:

Jun  7 13:21:28 toolsbeta-arturo-k8s-etcd-1 sshd[19279]: Starting session: shell on pts/0 for root from 172.16.1.135 port 51022 id 0
Jun  7 13:21:46 toolsbeta-arturo-k8s-etcd-1 sshd[19329]: Connection from 172.16.1.135 port 51028 on 172.16.0.24 port 22
Jun  7 13:21:47 toolsbeta-arturo-k8s-etcd-1 sshd[19329]: Postponed publickey for aborrero from 172.16.1.135 port 51028 ssh2 [preauth]
Jun  7 13:21:48 toolsbeta-arturo-k8s-etcd-1 sshd[19329]: pam_access(sshd:account): access denied for user `aborrero' from `bastion-restricted-eqiad1-01.bastion.eqiad.wmflabs'
Jun  7 13:21:48 toolsbeta-arturo-k8s-etcd-1 sshd[19329]: Failed publickey for aborrero from 172.16.1.135 port 51028 ssh2: ED25519 SHA256:V1QNhG5BIXIOwTXNmr8N5YJckL1StLoDuQj5b3Fozsc
Jun  7 13:21:48 toolsbeta-arturo-k8s-etcd-1 sshd[19329]: fatal: Access denied for user aborrero by PAM account configuration [preauth]

Event Timeline

If I compare the config in toolforge servers, I see:

root@tools-sgebastion-07.eqiad.wmflabs~# cat /etc/security/access.conf
+:ALL:LOCAL
+ : clushuser : tools-clushmaster-02.tools.eqiad.wmflabs
-:ALL EXCEPT (project-tools) root:ALL

and in toolsbeta:

root@toolsbeta-arturo-k8s-etcd-1:~# cat /etc/security/access.conf
+:ALL:LOCAL
+ : clushuser : tools-clushmaster-02.tools.eqiad.wmflabs
-:ALL EXCEPT (toolsbeta.admin) root:ALL
-:ALL EXCEPT (project-toolsbeta) root:ALL

It turns out that if I delete the extra line -:ALL EXCEPT (toolsbeta.admin) root:ALL, then everything works as expected (i.e., the original issue disappears...)
The issue may not be in sssd but in the pam config?

Just confirmed using this command that toolsbeta is the only CloudVPS project with that special config. We may just drop the special case and move on.

aborrero@labpuppetmaster1001:~$ sudo cumin --force -x O{*} "cat /etc/security/access.conf"

Mentioned in SAL (#wikimedia-cloud) [2019-06-19T10:39:37Z] <arturo> add myself to the toolsbeta.admin LDAP group (T225303)

That was it. I was missing from the toolsbeta.admin group.
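Added example, not code from this ticket or from Wikimedia's puppet tree: a small Python model of how pam_access(8) walks access.conf (first matching line decides; a login that matches no line is permitted), run against the toolsbeta config quoted above. It shows why two stacked "-:ALL EXCEPT (group) root:ALL" lines behave as an AND: a user who is exempt from only one of them is denied by the other, which is exactly the denial in the sshd log and why joining toolsbeta.admin fixed it. Assumptions and simplifications: group tokens must be written in parentheses, origins are compared as exact strings (LOCAL matches any origin without a dot, as in the pam_access man page), and EXCEPT in the origins field and IPv6 origins are not handled.

```python
"""Minimal model of pam_access access.conf evaluation (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Rule:
    permission: str           # "+" allow or "-" deny
    users: list[str]          # user-field tokens before EXCEPT
    except_users: list[str]   # user-field tokens after EXCEPT (may be empty)
    origins: list[str]        # origin-field tokens


def parse_access_conf(text: str) -> list[Rule]:
    """Parse 'permission : users : origins' lines; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users_field, origins_field = (f.strip() for f in line.split(":", 2))
        tokens = users_field.split()
        if "EXCEPT" in tokens:
            i = tokens.index("EXCEPT")
            users, except_users = tokens[:i], tokens[i + 1:]
        else:
            users, except_users = tokens, []
        rules.append(Rule(perm, users, except_users, origins_field.split()))
    return rules


def _user_matches(token: str, user: str, groups: set[str]) -> bool:
    # Simplification: a group is only recognised in the "(group)" form.
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups
    return token == user


def _origin_matches(token: str, origin: str) -> bool:
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin   # pam_access: LOCAL matches any origin without a '.'
    return token == origin


def evaluate(rules: list[Rule], user: str, groups: set[str], origin: str):
    """Return (decision, 1-based index of the deciding rule, or None if default)."""
    for idx, rule in enumerate(rules, start=1):
        if not any(_origin_matches(t, origin) for t in rule.origins):
            continue
        listed = any(_user_matches(t, user, groups) for t in rule.users)
        excepted = any(_user_matches(t, user, groups) for t in rule.except_users)
        if listed and not excepted:
            return ("allow" if rule.permission == "+" else "deny"), idx
    return "allow", None   # no rule matched: pam_access permits by default


def decide(conf_text: str, user: str, groups: set[str], origin: str) -> str:
    return evaluate(parse_access_conf(conf_text), user, groups, origin)[0]


# The toolsbeta config as quoted in the ticket.
TOOLSBETA_ACCESS_CONF = """\
+:ALL:LOCAL
+ : clushuser : tools-clushmaster-02.tools.eqiad.wmflabs
-:ALL EXCEPT (toolsbeta.admin) root:ALL
-:ALL EXCEPT (project-toolsbeta) root:ALL
"""
BASTION = "bastion-restricted-eqiad1-01.bastion.eqiad.wmflabs"

if __name__ == "__main__":
    rules = parse_access_conf(TOOLSBETA_ACCESS_CONF)
    scenarios = [
        ("aborrero, project member only", "aborrero", {"project-toolsbeta"}, BASTION),
        ("aborrero, member of both groups", "aborrero",
         {"project-toolsbeta", "toolsbeta.admin"}, BASTION),
        ("admin but not project member", "someone", {"toolsbeta.admin"}, BASTION),
        ("root from an IP (as in the log)", "root", set(), "172.16.1.135"),
        ("anyone on the console", "anyone", set(), "tty1"),
    ]
    for label, user, groups, origin in scenarios:
        decision, rule_no = evaluate(rules, user, groups, origin)
        print(f"{label:35} -> {decision} (rule {rule_no})")
```

Running it shows the first scenario denied by rule 3 (the toolsbeta.admin line) and the third denied by rule 4, so exemption from every deny line, not just one, is required; the console login is allowed by the +:ALL:LOCAL line and root never matches a deny line because it is excepted on both.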