Configuring PAM Authenticator
The HPE Ezmeral Data Fabric supports Pluggable Authentication Modules (PAM) in the UNIX authentication stack. HPE Ezmeral Data Fabric provides a PAM Authenticator module that generates data-fabric tickets in conjunction with the maprlogin utility. After you install the platform, the PAM Authenticator module is located at $INSTALL_DIR/lib/libmapr_pam.so. Configuration files for PAM are located in the /etc/pam.d directory. Each UNIX operation, such as su, login, or ssh, has a specific PAM configuration file in that directory.
Configure the PAM Authenticator on Ubuntu or SLES
To configure the PAM Authenticator, append the following line to the end of the /etc/pam.d/common-auth file:

    auth optional /opt/mapr/lib/libmapr_pam.so # MapR PAM module

The path to the libmapr_pam.so file is required. By default, this location is $MAPR_HOME/lib/libmapr_pam.so.
Configure the PAM Authenticator on RHEL or CentOS
- Insert the following line in the /etc/pam.d/system-auth file immediately before the first module that uses the auth sufficient configuration:

      auth optional libmapr_pam.so # MapR PAM module

- Append the string try_first_pass to the end of the module that uses auth sufficient, as in this example.

  Before modification:

      auth required pam_env.so
      auth sufficient pam_unix.so nullok
      auth requisite pam_succeed_if.so uid >= 500 quiet
      auth required pam_deny.so

  After modification (the changes are the inserted second line and the try_first_pass option appended to the third):

      auth required pam_env.so
      auth optional libmapr_pam.so # MapR PAM module
      auth sufficient pam_unix.so nullok try_first_pass
      auth requisite pam_succeed_if.so uid >= 500 quiet
      auth required pam_deny.so
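The RHEL/CentOS edit above is easy to get subtly wrong by hand (module line after the first auth sufficient entry, or try_first_pass appended to the wrong line), so the following added example, which is not part of the product documentation, applies the change to a copy of a stack and verifies the ordering. The module line and the try_first_pass option are taken from the text; the sample "before" stack is constructed from the example above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the product documentation): apply and verify the
# RHEL/CentOS PAM change on a copy of an auth stack. The module line and the
# try_first_pass option are those from the text; the sample stack below is
# constructed for the demonstration. Nothing here writes to /etc/pam.d.

# Print the "before" stack from the text (constructed sample input).
sample_before_stack() {
    printf '%s\n' \
        'auth required pam_env.so' \
        'auth sufficient pam_unix.so nullok' \
        'auth requisite pam_succeed_if.so uid >= 500 quiet' \
        'auth required pam_deny.so'
}

# Rewrite the stack in file $1 to stdout: insert the MapR module line
# immediately before the first "auth sufficient" entry (unless a
# libmapr_pam.so line is already present) and append try_first_pass to that
# entry if it lacks it. Running it twice yields the same output.
apply_mapr_pam_stack() {
    awk '
        $1 == "auth" && $3 ~ /libmapr_pam\.so$/ { have_mapr = 1 }
        $1 == "auth" && $2 == "sufficient" && !done {
            if (!have_mapr) print "auth optional libmapr_pam.so # MapR PAM module"
            if ($0 !~ /try_first_pass/) $0 = $0 " try_first_pass"
            done = 1
        }
        { print }' "$1"
}

# Verify the stack in file $1: exit 0 when an "auth optional ...libmapr_pam.so"
# line precedes the first "auth sufficient" entry and that entry carries
# try_first_pass; otherwise name the first problem found and exit 1.
check_mapr_pam_stack() {
    awk '
        $1 == "auth" && $2 == "optional" && $3 ~ /libmapr_pam\.so$/ { mapr_line = NR }
        $1 == "auth" && $2 == "sufficient" && !suff_line {
            suff_line = NR
            if ($0 ~ /try_first_pass/) has_tfp = 1
        }
        END {
            if (!mapr_line) { print "missing: auth optional libmapr_pam.so"; exit 1 }
            if (!suff_line) { print "missing: auth sufficient entry"; exit 1 }
            if (mapr_line > suff_line) { print "libmapr_pam.so must precede the first auth sufficient line"; exit 1 }
            if (!has_tfp) { print "first auth sufficient entry lacks try_first_pass"; exit 1 }
            print "ok"
        }' "$1"
}

# Demonstration on a temporary copy of the sample stack.
demo_mapr_pam_stack() {
    dir=$(mktemp -d) || return 1
    sample_before_stack > "$dir/system-auth"
    check_mapr_pam_stack "$dir/system-auth" || true   # reports the missing module line
    apply_mapr_pam_stack "$dir/system-auth" > "$dir/system-auth.new"
    if check_mapr_pam_stack "$dir/system-auth.new"; then status=0; else status=1; fi
    rm -rf "$dir"
    return $status
}

demo_mapr_pam_stack
```

To use it on a real host, run apply_mapr_pam_stack against /etc/pam.d/system-auth with output redirected to a scratch file, diff that against the original, and only then install it; check_mapr_pam_stack can be run afterwards (or from configuration management) to catch tools that re-order the stack. The check deliberately flags a module line placed after the first auth sufficient entry, because pam_unix.so succeeding there ends the auth stack before libmapr_pam.so runs.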
Enable Debugging for PAM
To enable debugging for the client traffic used by the maprlogin utility, update the /opt/mapr/conf/log4j.properties file with the following line:

    log4j.logger.com.mapr.login=DEBUG

After updating the log4j.properties file, trace the com.mapr.login package at the DEBUG level. Be sure to update the correct instance of the log4j.properties file. Traffic specific to HPE Ezmeral Data Fabric, such as maprlogin and Control System traffic, uses the instance in the /opt/mapr/conf directory. Hadoop applications use the log4j.properties file in the /opt/mapr/hadoop/hadoop-2.x.x/etc/hadoop directory.
To perform the same tracing activity on the server side, modify the appropriate instance of the log4j.properties file on the server. Alternatively, specify the package com.mapr.login in the Control System UI's tracing/logger settings.
To trace PAM activity from the server, add the following line to the server's log4j.properties instance:

    log4j.logger.net.sf.jpam=DEBUG

After modifying this setting, the server log will contain a message similar to the following:

    2013-07-23 16:05:25,200 DEBUG Pam [1068409264@qtp-874242484-3]: Debug mode active.

Detailed information about PAM activity is written to the /opt/mapr/logs/pam_<username>.log file, where username is the user name that Linux reports in response to the getpwuid(geteuid()) call for the process. In this case, Linux returns the effective user ID, which can be different from the real user ID or saved user ID. For more information, see Difference between Real User ID, Effective User ID and Saved User ID.
Other Packages
The following packages are not directly related to PAM, but can provide useful insights for subtler errors.
- org.apache.hadoop.security: This package contains Apache security code, including HPE Ezmeral Data Fabric enhancements. Tracing this package can provide information about what login configuration is in use.
- com.mapr.fs.cldb.http.login: This package contains code that the CLDB uses to validate maprlogin calls.
Common Issues
The Linux Documentation Project's HOWTO on LDAP Implementation has a section on PAM and NSS that may prove helpful.

If a user's credentials appear valid, for example where the su and ssh commands work normally but PAM does not correctly authenticate, the issue may relate specifically to HPE Ezmeral Data Fabric's use of PAM as a normal user. PAM consumers normally run as the root user, so running PAM as a normal user causes permissions issues. The two most common issues relating to this condition are:
- The /etc/shadow file is not readable to the mapr user. This file is made readable to the mapr user during install, but some secure environments and configuration management tools undo these changes.
- A Kerberos PAM module is attempting to create and change the ownership of a Kerberos ticket file. This attempt fails, since these changes require root privileges. Different Kerberos PAM modules can report errors differently, leading to difficulty tracking down root causes of errors. To address permissions problems with Kerberos PAM modules, configure the Kerberos PAM module to skip creating a ticket file, using the KDC only to validate the password.

PAM configuration information is located in the /etc/pam.d directory. HPE Ezmeral Data Fabric can use a custom PAM configuration specified in the web.conf file.
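The first common issue above, /etc/shadow silently losing its readability for the mapr account, is worth checking mechanically rather than by eye. The following added example, which is not part of the product documentation, decides readability from the file's mode bits, owner and group the way the kernel's discretionary access check does (owner class first, then group, then other). It only consults mode bits: root bypasses them, and POSIX ACLs or SELinux are not considered, so "readable" here is necessary but not sufficient. The mapr account name and the paths come from the page; the function names are this example's own, and the test input is a constructed file.

```shell
#!/bin/sh
# Added example (not from the product documentation): a DAC-only check of
# whether an account can read a file, for diagnosing the "/etc/shadow is not
# readable to the mapr user" issue. Mode bits, owner and group only; root
# bypasses these, and ACLs or SELinux are not consulted.
# Usage: file_readable_by <user> <file>  -> exit 0 readable, 1 not, 2 error

file_readable_by() {
    user="$1"; path="$2"
    [ -e "$path" ] || { echo "no such file: $path" >&2; return 2; }
    user_groups=$(id -Gn "$user" 2>/dev/null) \
        || { echo "no such user: $user" >&2; return 2; }
    # ls -ld output: field 1 is the mode string (e.g. -rw-r-----),
    # field 3 the owner, field 4 the group.
    set -- $(ls -ld "$path")
    mode="$1"; owner="$3"; group="$4"
    # POSIX applies exactly one class: owner if it matches, else group if any
    # of the user's groups matches, else other. A matching class with the read
    # bit clear denies access even if a later class would allow it.
    if [ "$owner" = "$user" ]; then
        case "$mode" in ?r*) return 0 ;; *) return 1 ;; esac
    fi
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            case "$mode" in ????r*) return 0 ;; *) return 1 ;; esac
        fi
    done
    case "$mode" in ???????r*) return 0 ;; *) return 1 ;; esac
}

# Report the files the text names for a given account (default: mapr).
# Read-only: it changes nothing, so it is safe to run from monitoring.
report_mapr_access() {
    account="${1:-mapr}"
    for f in /etc/shadow /etc/pam.d/system-auth /etc/pam.d/common-auth; do
        file_readable_by "$account" "$f" 2>/dev/null && rc=0 || rc=$?
        case $rc in
            0) echo "$f: readable by $account" ;;
            1) echo "$f: NOT readable by $account (mode/owner/group deny it)" ;;
            *) echo "$f: could not check (missing file or unknown account)" ;;
        esac
    done
}

report_mapr_access mapr
```

A "NOT readable" result for /etc/shadow is the signature of the first issue above; compare the reported owner and group with what the installer set, and check whether a hardening baseline or configuration management run has reset them. Because the check is DAC-only, a "readable" result while maprlogin still fails points at the Kerberos ticket-file issue or at a mandatory access control policy instead.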