Hi Robert,

The explicit configuration details of pam_slurm_adopt are described in this Wiki page:
https://wiki.fysik.dtu.dk/Niflheim_system/Slurm_configuration/#pam-module-restrictions

Important: DO NOT configure UsePAM=1 in slurm.conf! The advice for UsePAM=1 may be found on the internet, but that is bad advice :-(

You mention CentOS, but that OS has been dead for a long time...

IHTH,
Ole

On 18-04-2025 17:26, Robert Kudyba via slurm-users wrote:
In the instructions for pam_slurm_adopt <https://slurm.schedmd.com/pam_slurm_adopt.html#ssh_config>, there are instructions such as:

    Add the following line to the appropriate file in /etc/pam.d, such
    as system-auth or sshd (you may use either the "required" or
    "sufficient" PAM control flag):


    This module is configurable. Add these options to the end of the
    pam_slurm_adopt line in the appropriate file in /etc/pam.d/ (e.g.,
    sshd or system-auth):

Assuming an OS like CentOS, does this mean it should be put in both?

slurm.conf on the node has:
UsePAM yes

slurm.conf has PrologFlags=contain and ProctrackType=proctrack/cgroup
I placed the call here only in /etc/pam.d/sshd making sure it is the last line in the account stack.
#%PAM-1.0
auth       required pam_sepermit.so
auth       substack system-auth
auth       include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional pam_reauthorize.so prepare
account    required pam_nologin.so
account    include system-auth
-account   required      pam_slurm_adopt.so

so pam_sss.so is at the bottom of /etc/pam.d/sshd
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
#-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0022 skel=/etc/skel
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

We're testing this on an idle node. I start an interactive srun. However trying to ssh to the node gets:

Apr 18 11:13:41 node11 sshd[33355]: Authorized to dk2643, krb5 principal u...@ouruni.edu (ssh_gssapi_krb5_cmdok)
Apr 18 11:13:41 node11 sshd[33355]: pam_sss(sshd:account): Access denied for user user: 6 (Permission denied)
Apr 18 11:13:41 node11 sshd[33355]: fatal: Access denied for user user by PAM account configuration [preauth]

Am I missing something?

--
slurm-users mailing list -- slurm-users@lists.schedmd.com
To unsubscribe send an email to slurm-users-le...@lists.schedmd.com
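
Added example, not part of the thread and not SchedMD's or either poster's code: a small lint for the three settings discussed above (UsePAM in slurm.conf, PrologFlags=contain, and pam_slurm_adopt.so as the last entry of the sshd account stack). The function names and sample inputs are constructed; it assumes Key=Value lines in slurm.conf and does not follow include/substack targets.

```python
import re

def conf_value(slurm_conf, key):
    """Last value assigned to `key` (case-insensitive) in slurm.conf text."""
    value = None
    for line in slurm_conf.splitlines():
        m = re.match(rf"\s*{key}\s*=\s*(\S+)", line.split("#", 1)[0], re.I)
        if m:
            value = m.group(1)
    return value

def account_stack(pam_text):
    """Module (or include target) of each 'account' line, in file order."""
    stack = []
    for line in pam_text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 3 or f[0].lstrip("-") != "account":
            continue
        i = 1  # control field; a bracketed control spans several fields
        while f[1].startswith("[") and i < len(f) - 1 and not f[i].endswith("]"):
            i += 1
        if i + 1 < len(f):
            stack.append(f[i + 1])
    return stack

def check(slurm_conf, pam_sshd):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    if conf_value(slurm_conf, "UsePAM") not in (None, "0"):
        findings.append("UsePAM is enabled in slurm.conf")
    flags = (conf_value(slurm_conf, "PrologFlags") or "").lower().split(",")
    if "contain" not in flags:
        findings.append("PrologFlags lacks 'contain'")
    stack = account_stack(pam_sshd)
    if "pam_slurm_adopt.so" not in stack:
        findings.append("pam_slurm_adopt.so missing from account stack")
    elif stack[-1] != "pam_slurm_adopt.so":
        findings.append("pam_slurm_adopt.so is not last in account stack")
    return findings

# Constructed sample inputs (not taken from any real node).
SLURM_GOOD = "PrologFlags=contain\nProctrackType=proctrack/cgroup\n"
SLURM_BAD = "UsePAM=1\nProctrackType=proctrack/cgroup\n"
PAM_GOOD = ("#%PAM-1.0\naccount required pam_nologin.so\n"
            "account include system-auth\n-account required pam_slurm_adopt.so\n")
PAM_BAD = ("account required pam_slurm_adopt.so\n"
           "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n")

if __name__ == "__main__":
    print(check(SLURM_BAD, PAM_BAD))
```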
