Unable to use PAM authentication with sssd on CentOS 7 #3538

Closed
opened 2025-11-02 05:16:16 -06:00 by GiteaMirror · 10 comments
Owner

Originally created by @guillep2k on GitHub (Jul 5, 2019).

  • Gitea version (or commit ref): release/1.8
  • Git version: 1.8.3.1
  • Operating system: CentOS 7
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

Hi. I've posted this on Discord, but I've been suggested to file an issue about it.

I've been trying to make Gitea work with PAM in my CentOS 7 to no avail.
First, I've compiled from sources to enable PAM (#2679). I'm using branch release/v1.8.
Then I've installed the executable and initialized the program (initial configuration; database, etc.). I'm using SQLite3, by the way (I might revise that later).
My system (CentOS 7) is recently configured, and is linked to active directory through SSSD. Users from my AD enabled to do so can log into the server through sshd using their AD password; no problems with that.

In the admin page, I've created a PAM "Authentication Source" with name "system-auth", which is a valid entry in /etc/pam.d.
Then I've added a user account with:
Username: short_name
Authentication source: system-auth
Authentication Sign-In Name: myuser@mydomain
Full Name: John Carpenter
E-mail address: myuser@mymail.com
(User account is valid and active; myuser@mydomain is permitted to log into the server via sshd).
When I go to the login page, I cannot log in; I'm being rejected as bad username or password.

If I use "short_name" for the "Username or Email Address", the system logs:
2019/07/03 16:04:40 [D] Session ID: b0c6b19b2e843638
2019/07/03 16:04:40 [D] CSRF Token: [....hidden...]
2019/07/03 16:04:40 [D] Template: user/auth/signin
2019/07/03 16:04:40 [I] Failed authentication attempt for short_name from 172.18.2.59

If I use "myuser@mydomain", the system logs:
2019/07/03 16:05:42 [D] Session ID: b0c6b19b2e843638
2019/07/03 16:05:42 [D] CSRF Token: [....hidden...]
2019/07/03 16:05:43 [W] Failed to login 'myuser@mydomain' via 'system-auth': user does not exist [uid: 0, name: myuser@mydomain, keyid: 0]
2019/07/03 16:05:43 [D] Template: user/auth/signin
2019/07/03 16:05:43 [I] Failed authentication attempt for myuser@mydomain from 172.18.2.59

I've tried with a different domain user and with the other user I only get the first kind of log, whether I try short_otheruser or otheruser@mydomain (weird!).

I don't know what else to check for, I'm completely lost here. Can anybody help me with this?

Originally created by @guillep2k on GitHub (Jul 5, 2019). <!-- 1. Please speak English, this is the language all maintainers can speak and write. 2. Please ask questions or configuration/deploy problems on our Discord server (https://discord.gg/gitea) or forum (https://discourse.gitea.io). 3. Please take a moment to check that your issue doesn't already exist. 4. Please give all relevant information below for bug reports, because incomplete details will be handled as an invalid report. --> - Gitea version (or commit ref): release/1.8 - Git version: 1.8.3.1 - Operating system: CentOS 7 - Database (use `[x]`): - [ ] PostgreSQL - [ ] MySQL - [ ] MSSQL - [x] SQLite - Can you reproduce the bug at https://try.gitea.io: - [ ] Yes (provide example URL) - [ ] No - [x] Not relevant - Log gist: ## Description Hi. I've posted this on Discord, but I've been suggested to file an issue about it. I've been trying to make Gitea work with PAM in my CentOS 7 to no avail. First, I've compiled from sources to enable PAM (#2679). I'm using branch release/v1.8. Then I've installed the executable and initialized the program (initial configuration; database, etc.). I'm using SQLite3, by the way (I might revise that later). My system (CentOS 7) is recently configured, and is linked to active directory through SSSD. Users from my AD enabled to do so can log into the server through sshd using their AD password; no problems with that. In the admin page, I've created a PAM "**Authentication Source**" with name "system-auth", which is a valid entry in /etc/pam.d. Then I've added a user account with: Username: short_name Authentication source: system-auth Authentication Sign-In Name: myuser@mydomain Full Name: John Carpenter E-mail address: myuser@mymail.com (User account is valid and active; myuser@mydomain is permitted to log into the server via sshd). When I go to the login page, I cannot log in; I'm being rejected as bad username or password. If I use "short_name" for the "Username or Email Address", the system logs: 2019/07/03 16:04:40 [D] Session ID: b0c6b19b2e843638 2019/07/03 16:04:40 [D] CSRF Token: [....hidden...] 2019/07/03 16:04:40 [D] Template: user/auth/signin 2019/07/03 16:04:40 [I] Failed authentication attempt for short_name from 172.18.2.59 If I use "myuser@mydomain", the system logs: 2019/07/03 16:05:42 [D] Session ID: b0c6b19b2e843638 2019/07/03 16:05:42 [D] CSRF Token: [....hidden...] 2019/07/03 16:05:43 [W] Failed to login 'myuser@mydomain' via 'system-auth': user does not exist [uid: 0, name: myuser@mydomain, keyid: 0] 2019/07/03 16:05:43 [D] Template: user/auth/signin 2019/07/03 16:05:43 [I] Failed authentication attempt for myuser@mydomain from 172.18.2.59 I've tried with a different domain user and with the other user I only get the first kind of log, whether I try short_otheruser or otheruser@mydomain (weird!). I don't know what else to check for, I'm completely lost here. Can anybody help me with this?
GiteaMirror added the type/question label 2025-11-02 05:16:16 -06:00
Author
Owner

@lunny commented on GitHub (Jul 6, 2019):

Maybe you should login with your login name but not email address.

@lunny commented on GitHub (Jul 6, 2019): Maybe you should login with your login name but not email address.
Author
Owner

@guillep2k commented on GitHub (Jul 6, 2019):

That's the first attempt I mentioned (16:04:40) with "short_name". I tried all combinations I could think of, to no avail:

short_name                      Gitea's own user name
Full name                       Gitea's user description
myuser@mydomain                 Domain user name, "e-mail" format
mydomain\myuser                 Domain user name, old NETBIOS format
myuser                          Domain user name, with no domain info
myemailaddress@myemailserver    E-mail address

I've also tried with a user whose e-mail address is the same as the domain user name "e-mail" format, just in case. All combinations rendered one of the two above results.

@guillep2k commented on GitHub (Jul 6, 2019): That's the first attempt I mentioned (16:04:40) with "short_name". I tried all combinations I could think of, to no avail: ``` short_name Gitea's own user name Full name Gitea's user description myuser@mydomain Domain user name, "e-mail" format mydomain\myuser Domain user name, old NETBIOS format myuser Domain user name, with no domain info myemailaddress@myemailserver E-mail address ``` I've also tried with a user whose e-mail address is the same as the domain user name "e-mail" format, just in case. All combinations rendered one of the two above results.
Author
Owner

@guillep2k commented on GitHub (Jul 6, 2019):

For additional info, I'm using PAM for Apache 2.4 as well in the same server (same pam.d entry):

<Location /restricted>
        AuthType Basic
        AuthName "PAM test users"
        AuthBasicProvider PAM
        AuthPAMService system-auth
        Require valid-user granted
</Location>

It works fine.

@guillep2k commented on GitHub (Jul 6, 2019): For additional info, I'm using PAM for Apache 2.4 as well in the same server (same pam.d entry): ``` <Location /restricted> AuthType Basic AuthName "PAM test users" AuthBasicProvider PAM AuthPAMService system-auth Require valid-user granted </Location> ``` It works fine.
Author
Owner

@zeripath commented on GitHub (Jul 7, 2019):

@guillep2k OK, so this might be a difficult one to debug.

First of all looking at:

fcda2d5b35/models/login_source.go (L580-L603)

you need to be logging in with what you're calling the short_name.

@zeripath commented on GitHub (Jul 7, 2019): @guillep2k OK, so this might be a difficult one to debug. First of all looking at: https://github.com/go-gitea/gitea/blob/fcda2d5b35ec9bec9a8e8fa0a0fb04cb21593648/models/login_source.go#L580-L603 you need to be logging in with what you're calling the short_name.
Author
Owner

@zeripath commented on GitHub (Jul 7, 2019):

Now LoginViaPAM is called by ExternalUserLogin: fcda2d5b35/models/login_source.go (L605-L634)

Which likely is called by UserSignIn: fcda2d5b35/models/login_source.go (L636-L721)

in two places: fcda2d5b35/models/login_source.go (L698)

fcda2d5b35/models/login_source.go (L712)

@zeripath commented on GitHub (Jul 7, 2019): Now `LoginViaPAM` is called by `ExternalUserLogin`: https://github.com/go-gitea/gitea/blob/fcda2d5b35ec9bec9a8e8fa0a0fb04cb21593648/models/login_source.go#L605-L634 Which likely is called by `UserSignIn`: https://github.com/go-gitea/gitea/blob/fcda2d5b35ec9bec9a8e8fa0a0fb04cb21593648/models/login_source.go#L636-L721 in two places: https://github.com/go-gitea/gitea/blob/fcda2d5b35ec9bec9a8e8fa0a0fb04cb21593648/models/login_source.go#L698 https://github.com/go-gitea/gitea/blob/fcda2d5b35ec9bec9a8e8fa0a0fb04cb21593648/models/login_source.go#L712
Author
Owner

@zeripath commented on GitHub (Jul 7, 2019):

OK looking at your log files. Now in the short_name case, the lack of a

[W] Failed to login 'myuser@mydomain' via 'system-auth': user does not exist [uid: 0, name: myuser@mydomain, keyid: 0]

Tells me that you're likely going down the first case line 698.

@zeripath commented on GitHub (Jul 7, 2019): OK looking at your log files. Now in the short_name case, the lack of a `[W] Failed to login 'myuser@mydomain' via 'system-auth': user does not exist [uid: 0, name: myuser@mydomain, keyid: 0]` Tells me that you're likely going down the first case line 698.
Author
Owner

@zeripath commented on GitHub (Jul 7, 2019):

Now looking at fcda2d5b35/routers/user/auth.go (L141)
The most likely place to be logging: "Failed authentication attempt for " - The likely way you're getting this particular log message is fcda2d5b35/routers/user/auth.go (L163-L166) - and presumably you're just getting the username_password_incorrect form. However, please check that you're not getting a prohibited login as fcda2d5b35/routers/user/auth.go (L169-L173) will look the same in the logs

Which puts us right back to: fcda2d5b35/models/login_source.go (L581-L586)

in particular line 583.

Of course we never log the original error so we can't find out more information from this - but it does tell us where to look... You're going to have to look at the PAM logs and perhaps add some more system PAM logs.

However, if I had to guess what the problem is, I suspect that the Gitea running user is not allowed to make PAM requests and thus you get an "Authentication failure".

@zeripath commented on GitHub (Jul 7, 2019): Now looking at https://github.com/go-gitea/gitea/blob/fcda2d5b35ec9bec9a8e8fa0a0fb04cb21593648/routers/user/auth.go#L141 The most likely place to be logging: `"Failed authentication attempt for "` - The likely way you're getting this particular log message is https://github.com/go-gitea/gitea/blob/fcda2d5b35ec9bec9a8e8fa0a0fb04cb21593648/routers/user/auth.go#L163-L166 - and presumably you're just getting the username_password_incorrect form. However, please check that you're not getting a prohibited login as https://github.com/go-gitea/gitea/blob/fcda2d5b35ec9bec9a8e8fa0a0fb04cb21593648/routers/user/auth.go#L169-L173 will look the same in the logs Which puts us right back to: https://github.com/go-gitea/gitea/blob/fcda2d5b35ec9bec9a8e8fa0a0fb04cb21593648/models/login_source.go#L581-L586 in particular line 583. Of course we never log the original error so we can't find out more information from this - but it does tell us where to look... You're going to have to look at the PAM logs and perhaps add some more system PAM logs. However, if I had to guess what the problem is, I suspect that the Gitea running user is not allowed to make PAM requests and thus you get an `"Authentication failure"`.
Author
Owner

@guillep2k commented on GitHub (Jul 7, 2019):

Of course we never log the original error so we can't find out more information from this - but it does tell us where to look... You're going to have to look at the PAM logs and perhaps add some more system PAM logs.
However, if I had to guess what the problem is, I suspect that the Gitea running user is not allowed to make PAM requests and thus you get an "Authentication failure".

Thanks, @zeripath . The users I tested with are certainly enabled to login. I use ssh to enter the system with any of them.

This system is not yet operational (I need this authentication in order to go live), which means that I won't have any problems adding log messages wherever in the source files we like for our investigation. I've never used golang, but just tell me the easiest way to log a string with parameters and I'll add them here and there in the compilation. Somethig like:

// Call and print these variables:
// Will one of the three forms work? What's the name of the function I should call?
gitea_general_log(LOG_ALWAYS,"var1 %s, var2 %s, var3 %s\n", (string) var1, var2 as String, var3.toString() );

You don't necessarily need to tell me all the places and variables to print (you gave me some good pointers). I can narrow it down by doing multiple tests and come back here when I've got something with more substance.

@guillep2k commented on GitHub (Jul 7, 2019): > Of course we never log the original error so we can't find out more information from this - but it does tell us where to look... You're going to have to look at the PAM logs and perhaps add some more system PAM logs. > However, if I had to guess what the problem is, I suspect that the Gitea running user is not allowed to make PAM requests and thus you get an `"Authentication failure"`. Thanks, @zeripath . The users I tested with are certainly enabled to login. I use ssh to enter the system with any of them. This system is not yet operational (I need this authentication in order to go live), which means that I won't have any problems adding log messages wherever in the source files we like for our investigation. I've never used golang, but **just tell me the easiest way to log a string with parameters** and I'll add them here and there in the compilation. Somethig like: ``` // Call and print these variables: // Will one of the three forms work? What's the name of the function I should call? gitea_general_log(LOG_ALWAYS,"var1 %s, var2 %s, var3 %s\n", (string) var1, var2 as String, var3.toString() ); ``` You don't necessarily need to tell me all the places and variables to print (you gave me some good pointers). I can narrow it down by doing multiple tests and come back here when I've got something with more substance.
Author
Owner

@zeripath commented on GitHub (Jul 7, 2019):

@guillep2k Sorry I was away from the computer for most of today.

So if you want to check what pam returns you should simply add a log.Debug("Underlying PAM Auth for login: %s Error: %v", login, err) to

fcda2d5b35/models/login_source.go (L582)

You could add username, password logging to that Debug call .

However, I suspect the problem is with your PAM configuration. Are you sure that the server user actually running the Gitea server (not the one trying to log in to Gitea) has permission to lookup users in PAM and to do PAM authentication? You should be able to switch on the debug logging for PAM at the PAM level too.

@zeripath commented on GitHub (Jul 7, 2019): @guillep2k Sorry I was away from the computer for most of today. So if you want to check what pam returns you should simply add a `log.Debug("Underlying PAM Auth for login: %s Error: %v", login, err)` to https://github.com/go-gitea/gitea/blob/fcda2d5b35ec9bec9a8e8fa0a0fb04cb21593648/models/login_source.go#L582 You could add username, password logging to that Debug call . However, I suspect the problem is with your PAM configuration. Are you sure that the server user actually running the Gitea server (not the one trying to log in to Gitea) has permission to lookup users in PAM and to do PAM authentication? You should be able to switch on the debug logging for PAM at the PAM level too.
Author
Owner

@guillep2k commented on GitHub (Jul 7, 2019):

@zeripath Thank you for your support. I've finally made it work. The problem was that I was confused about the meaning of the different "Authentication Sources" fields. I used Authentication Name for the name of the file at /etc/pam.d I wanted to use (system-auth), and PAM Service Name as... a text description. I've finally realized what was happening by using strace to see how was the program accessing pam.d, and it was:
open("/etc/pam.d/This is Gitea's PAM authentication service" ...)
Silly me!
I've changed the PAM Service Name to system-auth and everything worked flawlessly.
By the way, if anyone is interested, failing the first file gitea will attempt to use /etc/pam.d/other.

@guillep2k commented on GitHub (Jul 7, 2019): @zeripath Thank you for your support. I've finally made it work. The problem was that I was confused about the meaning of the different "Authentication Sources" fields. I used `Authentication Name` for the name of the file at `/etc/pam.d` I wanted to use (`system-auth`), and `PAM Service Name` as... a text description. I've finally realized what was happening by using strace to see how was the program accessing `pam.d`, and it was: `open("/etc/pam.d/This is Gitea's PAM authentication service" ...)` Silly me! I've changed the `PAM Service Name` to `system-auth` and everything worked flawlessly. By the way, if anyone is interested, failing the first file gitea will attempt to use `/etc/pam.d/other`.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#3538