Cannot authenticate to salt-api

Problem:
Cannot authenticate to the salt-api with instructions provided.

Expected outcome:
Ability to authenticate.

Foreman and Proxy versions:
Latest

Foreman and Proxy plugin versions:
Latest

Distribution and version:

Other relevant data:
We set up the salt/foreman proxies and plugins following this guide:
https://theforeman.org/plugins/foreman_salt/13.0/index.html

We are trying to use this curl command to authenticate to the salt-api.

curl -k -H "Content-type: application/json" -X POST https://0.0.0.0:9191/login -d '{"username": "saltuser", "password": "saltpassword", "eauth": "pam"}'

I have this set in my master configs for salt:

external_auth:
  pam:
    saltuser:
      - .*
      - '@wheel'
      - '@runner'
      - '@jobs'

and this is the error I get in …/secure:

Jul 12 12:46:16 10-222-215-57 unix_chkpwd[376431]: check pass; user unknown
Jul 12 12:46:16 10-222-215-57 unix_chkpwd[376432]: check pass; user unknown
Jul 12 12:46:16 10-222-215-57 unix_chkpwd[376432]: password check failed for user (saltuser)
Jul 12 12:46:16 10-222-215-57 python3[374824]: pam_unix(login:auth): authentication failure; logname= uid=529180 euid=529180 tty= ruser= rhost=  user=saltuser
Jul 12 12:46:16 10-222-215-57 python3[374824]: pam_sss(login:auth): authentication failure; logname= uid=529180 euid=529180 tty= ruser= rhost= user=saltuser
Jul 12 12:46:16 10-222-215-57 python3[374824]: pam_sss(login:auth): received for user saltuser: 10 (User not known to the underlying authentication module)

One thing to note is that the uid=529180 euid=529180 listed in the logs is the uid of the salt user itself, presumably because that is the user running salt-api.

If I change the user to salt (not saltuser) then it works. But we don't want to authenticate with the salt user, we want to use the new user named saltuser. About 4 of us have spent nearly 14 hours working on this, and we cannot find the solution. It seems like it might be something to do with a PAM module setting, but nothing we try seems to matter. You can see in the logs that pam_unix fails and so it falls back to pam_sss. Neither of which works. We have also tried authenticating as an LDAP user, which we've had no luck with either.

Any ideas?

After reviewing the Salt docs, we believe this will never work. The salt-master runs as a non-root user, and according to External Authentication System:

eAuth using the PAM external auth system requires salt-master to be run as root as this system needs root access to check authentication.

So we’ll have to find a different way to resolve this.
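An added diagnostic, not code from the thread or from Salt, that parses the pam_unix and unix_chkpwd lines quoted above and reports whether a failure is explained by the calling process not running as root (a non-root caller of unix_chkpwd can only verify its own password, and the refusal is logged as "user unknown" even when the account exists). The sample log lines are constructed from the ones in the post.

```python
import re

# Constructed sample, modelled on the /var/log/secure lines quoted in the thread.
SAMPLE_LOG = """\
Jul 12 12:46:16 host unix_chkpwd[376431]: check pass; user unknown
Jul 12 12:46:16 host unix_chkpwd[376432]: password check failed for user (saltuser)
Jul 12 12:46:16 host python3[374824]: pam_unix(login:auth): authentication failure; logname= uid=529180 euid=529180 tty= ruser= rhost=  user=saltuser
Jul 12 12:46:16 host python3[374824]: pam_sss(login:auth): received for user saltuser: 10 (User not known to the underlying authentication module)
"""

# pam_unix logs the credentials of the process that called PAM (uid/euid)
# together with the account it tried to verify (user).
PAM_UNIX_FAIL = re.compile(
    r"pam_unix\((?P<service>[^)]+)\): authentication failure;"
    r".*?\buid=(?P<uid>\d+)\s+euid=(?P<euid>\d+).*?\buser=(?P<user>\S+)"
)
# unix_chkpwd emits this when a non-root caller asks it to check the password
# of an account other than the caller's own; the account may well exist.
CHKPWD_REFUSED = re.compile(r"unix_chkpwd\[\d+\]: check pass; user unknown")


def diagnose_pam_failures(log_text):
    """Pair each pam_unix failure with the caller's euid and state whether the
    failure is explained by the caller not being root.

    Returns a list of dicts: service, user, euid, helper_refused, likely_cause.
    """
    lines = log_text.splitlines()
    helper_refused = any(CHKPWD_REFUSED.search(line) for line in lines)
    findings = []
    for line in lines:
        m = PAM_UNIX_FAIL.search(line)
        if not m:
            continue
        euid = int(m["euid"])
        if euid != 0:
            cause = ("PAM called by a non-root process (euid=%d); pam_unix can only "
                     "verify the calling user's own password" % euid)
        else:
            cause = "caller is root; check the account's password or the PAM stack"
        findings.append({"service": m["service"], "user": m["user"], "euid": euid,
                         "helper_refused": helper_refused, "likely_cause": cause})
    return findings


if __name__ == "__main__":
    for finding in diagnose_pam_failures(SAMPLE_LOG):
        print(finding)
```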

Hey @Jeff_Sparrow
This came to my mind when reading your post. Not sure if it is exactly the same problem, though. However, there is a good description in the PR.
