Welcome to FreeSoftwareServers Confluence Wiki


I got this error and debugged it; thought I'd share.

Step 1:

[root@sqlarb ~]# service pcsd status
Redirecting to /bin/systemctl status  pcsd.service
● pcsd.service - PCS GUI and remote configuration interface
   Loaded: loaded (/usr/lib/systemd/system/pcsd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2016-12-24 13:10:06 EST; 20min ago
 Main PID: 496 (pcsd)
   CGroup: /system.slice/pcsd.service
           └─496 /usr/bin/ruby /usr/lib/pcsd/pcsd > /dev/null &

Dec 24 13:24:12 sqlarb ruby[496]: pam_listfile(pcsd:auth): Refused user hacluster for service pcsd
Dec 24 13:24:12 sqlarb ruby[496]: pam_succeed_if(pcsd:auth): requirement "uid >= 1000" not met by user "hacluster"
 
[root@sqlarb ~]# id -u hacluster
189

Step 2: (Thankfully I had one node that authorized to compare to!)

cat /var/log/audit/audit.log | grep hacluster

Failing Node

type=USER_AUTH msg=audit(1482604165.829:167): pid=496 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="hacluster" exe="/usr/bin/ruby" hostname=? addr=? terminal=? res=failed'

Working Node
type=USER_ACCT msg=audit(1482604169.729:153): pid=2990 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="hacluster" exe="/usr/bin/ruby" hostname=? addr=? terminal=? res=success'

Difference

grantors=pam_unix,pam_localuser vs grantors=?

I had LDAP login set up on this box, so I suspect it's PAM/LDAP related...

nano /etc/pam.d/system-auth
Broken Setup:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/ldap.restrictions
auth        required      pam_env.so

Working Setup:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
After commenting out that line, which deals with restricting my LDAP login to specific groups, I was able to authenticate hacluster. It turns out that line doesn't even work, but you can use the steps above to see if your problem is similar.
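
The Step 2 comparison as a reusable filter (an added example, not part of the original post): it reduces the PAM audit records for one account to record type, op, grantors and result, so a node where no module granted access stands out. The function names are made up for this example; the sample records are the two audit lines shown above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the sample records are the
# two audit lines quoted on this page.
# Real use: pam_audit_summary hacluster < /var/log/audit/audit.log

# Print "<type> <op> <grantors> <res>" for each PAM audit record of one account.
# Reads audit.log-format lines on stdin.
pam_audit_summary() {
    awk -v acct="$1" '
        # Value of key=... in s, quotes stripped; "-" when the key is absent.
        function field(s, key,    v) {
            if (!match(s, "(^|[ \047])" key "=[^ \047]*")) return "-"
            v = substr(s, RSTART, RLENGTH)
            sub(/^[^=]*=/, "", v)
            gsub(/"/, "", v)
            return v
        }
        /op=PAM:/ && field($0, "acct") == acct {
            print field($0, "type"), field($0, "op"), field($0, "grantors"), field($0, "res")
        }'
}

# Count failed records where no module in the stack granted access
# (grantors=?), which is the signature seen on the failing node.
pam_denied_before_grant() {
    pam_audit_summary "$1" | awk '$3 == "?" && $4 == "failed" { n++ } END { print n + 0 }'
}

# Sample input: the failing node's record from this page.
sample_failing() {
cat <<'EOF'
type=USER_AUTH msg=audit(1482604165.829:167): pid=496 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="hacluster" exe="/usr/bin/ruby" hostname=? addr=? terminal=? res=failed'
EOF
}

# Sample input: the working node's record from this page.
sample_working() {
cat <<'EOF'
type=USER_ACCT msg=audit(1482604169.729:153): pid=2990 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="hacluster" exe="/usr/bin/ruby" hostname=? addr=? terminal=? res=success'
EOF
}
```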
