Cannot authenticate to salt-api

Jeff_Sparrow · July 12, 2024, 12:51pm

Problem:
Cannot authenticate to the salt-api with instructions provided.

Expected outcome:
Ability to authenticate.

Foreman and Proxy versions:
Latest

Foreman and Proxy plugin versions:
Latest

Distribution and version:

Other relevant data:
We set up the salt/foreman proxies and plugins following this guide:
https://theforeman.org/plugins/foreman_salt/13.0/index.html

We are trying to use this curl command to authenticate to the salt-api.

curl -k -H "Content-type: application/json" -X POST https://0.0.0.0:9191/login -d '{"username": "saltuser", "password": "saltpassword", "eauth": "pam"}'

I have this set in my master configs for salt:

external_auth:
  pam:
    saltuser:
      - .*
      - '@wheel'
      - '@runner'
      - '@jobs'

and this is the error I get in …/secure:

Jul 12 12:46:16 10-222-215-57 unix_chkpwd[376431]: check pass; user unknown
Jul 12 12:46:16 10-222-215-57 unix_chkpwd[376432]: check pass; user unknown
Jul 12 12:46:16 10-222-215-57 unix_chkpwd[376432]: password check failed for user (saltuser)
Jul 12 12:46:16 10-222-215-57 python3[374824]: pam_unix(login:auth): authentication failure; logname= uid=529180 euid=529180 tty= ruser= rhost=  user=saltuser
Jul 12 12:46:16 10-222-215-57 python3[374824]: pam_sss(login:auth): authentication failure; logname= uid=529180 euid=529180 tty= ruser= rhost= user=saltuser
Jul 12 12:46:16 10-222-215-57 python3[374824]: pam_sss(login:auth): received for user saltuser: 10 (User not known to the underlying authentication module)

One thing to note is the uid=529180 euid=529180 listed in the logs is the uid for the salt user itself because assumingly that is the user running salt-api.

If I change the user to salt (not saltuser) then it works. But we dont want to authenticate with the salt user, we want to use the new user named saltuser. About 4 of us have spent nearly 14 hours working on this, and we cannot find the solution. It seems like it might be something to do with a pam module setting, but nothing we try seems to matter. You can see in the logs that the pam_unix system fails and so it falls back to pam_sss. Neither which work. We have also tried authenticated as an ldap user, which we’ve had no luck with either.

Any ideas?

Jeff_Sparrow · July 12, 2024, 2:28pm

After reviewing salt docs, we believe this will never work. The salt-master runs as a non root user, and according to External Authentication System

eAuth using the PAM external auth system requires salt-master to be run as root as this system needs root access to check authentication.

So we’ll have to find a different way to resolve this.

nadjaheitmann · July 15, 2024, 1:57pm

Hey @Jeff_Sparrow
this came to my mind when reading your post. Not sure if it is exactly the same problem, though. However, there is a good description in the PR.

github.com/theforeman/puppet-foreman_proxy

Update Salt Master configuration template

theforeman:master ← ATIX-AG:fix/salt_conf_user_and_netapi

opened 04:20PM - 21 May 24 UTC

bastian-src

+9 -0

* Add netapi_enable_clients explicitly due to 3006 changes https://docs.saltproj…ect.io/en/master/topics/netapi/netapi-enable-clients.html#select-client-interfaces-to-enable → This is more of an pro-active change. I don't quite know where exactly we run into an issue with cherrypy-API permissions. So, I need a second opinion on this. * Set user for running Salt Master service due to 3006 changes https://docs.saltproject.io/en/3006/topics/releases/3006.0.html#linux-packaging-salt-master-salt-user-and-group → This is motivated by the following change: Since 3006, Salt installs with an explicit user that runs the Salt Master daemon in order to limit the daemon permissions. If that users differs from the user that we execute the `salt ...` commands with (when triggering Salt from Smart Proxy), we get some permission issues. More specifically, `sudo -u foreman-proxy salt '*' test.ping` runs into the following error: ``` [ERROR ] Unable to connect to the salt master publisher at /var/run/salt/master The salt master could not be contacted. Is master running? ``` When executing `salt '*' test.ping`, that comand wants to connect to the Salt Master whose PID is stored in `/var/run/salt/master/*`. But, with the 3006-explicit-user update, they limit access to the `/var/run/salt` folder to the same user which runs the Salt Master daemon. Therefore, I see two options: A) Make the Salt Master daemon run with the same user that we execute the `salt ...` commands with (currently implemented in this PR) B) Take care that the foreman-proxy user has the necessary permissions/adapt the folder permissions that the foreman-proxy user can execute `salt ...` even if the daemon is started by a different user.