mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-10 16:44:50 -05:00
Unable to use PAM authentication with sssd on CentOS 7 #3538
Closed
opened 2025-11-02 05:16:16 -06:00 by GiteaMirror
·
10 comments
No Branch/Tag Specified
main
release/v1.25
release/v1.24
release/v1.23
release/v1.22
release/v1.21
release/v1.20
release/v1.19
release/v1.18
release/v1.17
release/v1.16
release/v1.15
release/v1.14
release/v1.13
release/v1.12
release/v1.11
release/v1.10
release/v1.9
release/v1.8
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
Mirrored from GitHub Pull Request
No Label
type/question
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/gitea#3538
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @guillep2k on GitHub (Jul 5, 2019).
[x]):Description
Hi. I've posted this on Discord, but I've been suggested to file an issue about it.
I've been trying to make Gitea work with PAM in my CentOS 7 to no avail.
First, I've compiled from sources to enable PAM (#2679). I'm using branch release/v1.8.
Then I've installed the executable and initialized the program (initial configuration; database, etc.). I'm using SQLite3, by the way (I might revise that later).
My system (CentOS 7) is recently configured, and is linked to active directory through SSSD. Users from my AD enabled to do so can log into the server through sshd using their AD password; no problems with that.
In the admin page, I've created a PAM "Authentication Source" with name "system-auth", which is a valid entry in /etc/pam.d.
Then I've added a user account with:
Username: short_name
Authentication source: system-auth
Authentication Sign-In Name: myuser@mydomain
Full Name: John Carpenter
E-mail address: myuser@mymail.com
(User account is valid and active; myuser@mydomain is permitted to log into the server via sshd).
When I go to the login page, I cannot log in; I'm being rejected as bad username or password.
If I use "short_name" for the "Username or Email Address", the system logs:
2019/07/03 16:04:40 [D] Session ID: b0c6b19b2e843638
2019/07/03 16:04:40 [D] CSRF Token: [....hidden...]
2019/07/03 16:04:40 [D] Template: user/auth/signin
2019/07/03 16:04:40 [I] Failed authentication attempt for short_name from 172.18.2.59
If I use "myuser@mydomain", the system logs:
2019/07/03 16:05:42 [D] Session ID: b0c6b19b2e843638
2019/07/03 16:05:42 [D] CSRF Token: [....hidden...]
2019/07/03 16:05:43 [W] Failed to login 'myuser@mydomain' via 'system-auth': user does not exist [uid: 0, name: myuser@mydomain, keyid: 0]
2019/07/03 16:05:43 [D] Template: user/auth/signin
2019/07/03 16:05:43 [I] Failed authentication attempt for myuser@mydomain from 172.18.2.59
I've tried with a different domain user and with the other user I only get the first kind of log, whether I try short_otheruser or otheruser@mydomain (weird!).
I don't know what else to check for, I'm completely lost here. Can anybody help me with this?
@lunny commented on GitHub (Jul 6, 2019):
Maybe you should login with your login name but not email address.
@guillep2k commented on GitHub (Jul 6, 2019):
That's the first attempt I mentioned (16:04:40) with "short_name". I tried all combinations I could think of, to no avail:
I've also tried with a user whose e-mail address is the same as the domain user name "e-mail" format, just in case. All combinations rendered one of the two above results.
@guillep2k commented on GitHub (Jul 6, 2019):
For additional info, I'm using PAM for Apache 2.4 as well in the same server (same pam.d entry):
It works fine.
@zeripath commented on GitHub (Jul 7, 2019):
@guillep2k OK, so this might be a difficult one to debug.
First of all looking at:
fcda2d5b35/models/login_source.go (L580-L603)you need to be logging in with what you're calling the short_name.
@zeripath commented on GitHub (Jul 7, 2019):
Now
LoginViaPAMis called byExternalUserLogin:fcda2d5b35/models/login_source.go (L605-L634)Which likely is called by
UserSignIn:fcda2d5b35/models/login_source.go (L636-L721)in two places:
fcda2d5b35/models/login_source.go (L698)fcda2d5b35/models/login_source.go (L712)@zeripath commented on GitHub (Jul 7, 2019):
OK looking at your log files. Now in the short_name case, the lack of a
[W] Failed to login 'myuser@mydomain' via 'system-auth': user does not exist [uid: 0, name: myuser@mydomain, keyid: 0]Tells me that you're likely going down the first case line 698.
@zeripath commented on GitHub (Jul 7, 2019):
Now looking at
fcda2d5b35/routers/user/auth.go (L141)The most likely place to be logging:
"Failed authentication attempt for "- The likely way you're getting this particular log message isfcda2d5b35/routers/user/auth.go (L163-L166)- and presumably you're just getting the username_password_incorrect form. However, please check that you're not getting a prohibited login asfcda2d5b35/routers/user/auth.go (L169-L173)will look the same in the logsWhich puts us right back to:
fcda2d5b35/models/login_source.go (L581-L586)in particular line 583.
Of course we never log the original error so we can't find out more information from this - but it does tell us where to look... You're going to have to look at the PAM logs and perhaps add some more system PAM logs.
However, if I had to guess what the problem is, I suspect that the Gitea running user is not allowed to make PAM requests and thus you get an
"Authentication failure".@guillep2k commented on GitHub (Jul 7, 2019):
Thanks, @zeripath . The users I tested with are certainly enabled to login. I use ssh to enter the system with any of them.
This system is not yet operational (I need this authentication in order to go live), which means that I won't have any problems adding log messages wherever in the source files we like for our investigation. I've never used golang, but just tell me the easiest way to log a string with parameters and I'll add them here and there in the compilation. Somethig like:
You don't necessarily need to tell me all the places and variables to print (you gave me some good pointers). I can narrow it down by doing multiple tests and come back here when I've got something with more substance.
@zeripath commented on GitHub (Jul 7, 2019):
@guillep2k Sorry I was away from the computer for most of today.
So if you want to check what pam returns you should simply add a
log.Debug("Underlying PAM Auth for login: %s Error: %v", login, err)tofcda2d5b35/models/login_source.go (L582)You could add username, password logging to that Debug call .
However, I suspect the problem is with your PAM configuration. Are you sure that the server user actually running the Gitea server (not the one trying to log in to Gitea) has permission to lookup users in PAM and to do PAM authentication? You should be able to switch on the debug logging for PAM at the PAM level too.
@guillep2k commented on GitHub (Jul 7, 2019):
@zeripath Thank you for your support. I've finally made it work. The problem was that I was confused about the meaning of the different "Authentication Sources" fields. I used
Authentication Namefor the name of the file at/etc/pam.dI wanted to use (system-auth), andPAM Service Nameas... a text description. I've finally realized what was happening by using strace to see how was the program accessingpam.d, and it was:open("/etc/pam.d/This is Gitea's PAM authentication service" ...)Silly me!
I've changed the
PAM Service Nametosystem-authand everything worked flawlessly.By the way, if anyone is interested, failing the first file gitea will attempt to use
/etc/pam.d/other.