Ole,
UsePAM has to do with how jobs are launched when controlled by Slurm.
Basically, it sends jobs launched under Slurm through the PAM stack.
UsePAM is not required by pam_slurm_adopt because it is *sshd* and not
*slurmd or slurmstepd* that is involved with pam_slurm_adopt. That's
what I believe Tim was referring to (I just skimmed the bug report so
maybe I missed something).
In this case the recommendation to use UsePAM=1 still applies since you
want PAM to affect the behavior of jobs launched through Slurm.
Ryan
On 03/21/2018 07:16 AM, Ole Holm Nielsen wrote:
On 03/21/2018 02:03 PM, Bill Barth wrote:
I don’t think we had to do anything special since we have UsePAM = 1
in our slurm.conf. I didn’t do the install personally, but our
pam.d/slurm* files are written by us and installed by our
configuration management system. Not sure which one UsePAM looks for,
but here are ours:
The UsePAM = 1 in slurm.conf may be deprecated, see Tim Wickberg's
comments on pam_slurm_adopt in
https://bugs.schedmd.com/show_bug.cgi?id=4098. Or perhaps UsePAM may
still be used in the way you describe?
c501-101[skx](41)# cat /etc/pam.d/slurm
auth required pam_localuser.so
auth required pam_shells.so
account required pam_unix.so
account required pam_access.so
session required pam_unix.so
session required pam_limits.so
-session optional pam_systemd.so
c501-101[skx](42)# cat /etc/pam.d/slurm.pam
auth required pam_localuser.so
auth required pam_shells.so
account required pam_unix.so
account required pam_access.so
session required pam_unix.so
session required pam_limits.so
-session optional pam_systemd.so
There might be better forms of these, but they’re working for us. I
guess this counts now as being documented in a public place!
Obviously, UsePAM and the /etc/pam.d/slurm rules ought to be
documented clearly somewhere, but I'm not aware of any good description.
/Ole
--
Ryan Cox
Operations Director
Fulton Supercomputing Lab
Brigham Young University
