Hi,
We typically see such issues being non-EDF related but failling into the following two categories:
- PAM/LDAP configuration issues
- OS PAM issues
- Password issues
Below is general guideline/sample on troubleshooting PAM failure issues:
(1) Install 'pamtester' package, e.g. for RHEL it is available in epel repository:
yum install pamtester
(2) Once pamtester is installed, test PAM authentication with the following commands for relevant PAM modules on non-working node:
pamtester sudo <username> authenticate
pamtester sshd <username> authenticate
(3) Compare files in /etc/pam.d/ in working vs non-working nodes, e.g.
md5sum /etc/pam.d/*
Run the command on both working / non-working nodes and check if there are any differences. Check if any files related to PAM and authentication (e.g. LDAP configuration) have been modified recently. Usually such comparative analysis involving pamtester and configuration review reveals the root cause of the issue.
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
You mentioned:
<quote>
Now we are not able to login to MCS with mapr user and in the log similar PAM Authentication error is thrown
</quote>
From that it sounds that the authentication issue is present on MCS (API server) nodes. In any case, my earlier comment applies to any node affected by PAM authentication failures, regardless of installed services. Would you be able to use the recommended approach with pamtester in your environment?
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
@okalinin Installed PAMTESTER in all 3 nodes and below is the successful authentication response from all 3 nodes.
Before executing this we had done some changes as instructed in the below page and restarted ezmeral. Post that MCS authentication is happening, in node-1 &2 behaviour continues to be random and node-3 not connecting.
And post above change, for node 1 & 2 PAM Authentication Error is not observed in api-server.log but randomly seen in data-access-gateway.log. I am suspecting it is perhaps some internal process of ezmeral which is blocking connection not really a OS level PAM error. Not sure..
Could you please pick one node where the issue occurs and share exact log messages for both apiserver and DAG (data access gateway) authentication errors?
Also, you've ran pamtester tests for mapr user. Do authentication errors occur for mapr user or some other user?
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Hello,
Let us know if you were able to resolve the issue.
If you are satisfied with the answers then kindly click the "Accept As Solution" button for the most helpful response so that it is beneficial to all community members.
Please click on "Thumbs Up/Kudo" icon to give a "Kudo".