Comments (22)
Are you trying to auth against PAM as the root user by any chance? That error looks familiar...
from salt-api.
Not root. Just a regular unprivileged user.
from salt-api.
Can you try auth'ing with Salt at the CLI with those same credentials and let me know what Salt outputs? Something like:
salt -a pam '*' test.ping
from salt-api.
Edit: I suppose that may be tough to do concurrently...
from salt-api.
Interesting. I tried your suggestion and it appears that eventually salt will hang on all but one process.
Here's the script:
#! /bin/bash
while true; do
/usr/bin/expect -c 'spawn /usr/local/bin/salt -a pam --out json \* test.ping; expect "username:" { send "<user>\r" }; expect "password:" { send "<password>\r" }; interact'
done
from salt-api.
Great test. Thanks for that!
I'm getting mixed results trying to reproduce but I think it's specific to my setup here. I'll follow up on this as soon as I can. We definitely need to have working concurrent authentication!
from salt-api.
Better stacktrace from OSX:
Traceback (most recent call last):
File "/Users/kim.ho/git/salt/salt/auth/__init__.py", line 73, in __auth_call
return self.auth[fstr](*fcall['args'], **fcall['kwargs'])
File "/Users/kim.ho/git/salt/salt/auth/pam.py", line 147, in auth
return authenticate(username, password, kwargs.get('service', 'login'))
File "/Users/kim.ho/git/salt/salt/auth/pam.py", line 139, in authenticate
retval = PAM_AUTHENTICATE(handle, 0)
ArgumentError: argument 1: <type 'exceptions.TypeError'>: expected PamHandle instance instead of PamHandle
My libpam info if this helps:
$ otool -L /usr/lib/libpam.dylib
/usr/lib/libpam.dylib:
/usr/lib/libpam.2.dylib (compatibility version 3.0.0, current version 3.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 159.0.0)
Here's the one I get from RHEL6 inside vagrant:
Traceback (most recent call last):
File "/vagrant/salt/salt/auth/__init__.py", line 73, in __auth_call
return self.auth[fstr](*fcall['args'], **fcall['kwargs'])
File "/vagrant/salt/salt/auth/pam.py", line 148, in auth
return authenticate(username, password, kwargs.get('service', 'login'))
File "/vagrant/salt/salt/auth/pam.py", line 133, in authenticate
retval = PAM_START(service, username, pointer(conv), pointer(handle))
ArgumentError: argument 3: <type 'exceptions.TypeError'>: expected LP_PamConv instance instead of LP_PamConv
[CRITICAL] Authentication module threw an exception: argument 3: <type 'exceptions.TypeError'>: expected LP_PamConv instance instead of LP_PamConv
from salt-api.
Thank you for the additional details! We're all at PyCon this weekend but we'll take a closer look at this once the conference is over.
from salt-api.
We have been looking into this and have not been able to reproduce it yet. We are working on some patches to give you to try.
from salt-api.
I seem to have fixed the issue that I'm seeing with this patch[1] but it's unclear to me why it fixes the issue. All I've done is force cast to the same type rather than using POINTER() to create a ctype even though they should be the same thing[2]. Hopefully, someone familiar with python/ctypes can shed some light on whether this a configuration problem with our environments.
[1]http://pastebin.com/LLnhnuxb
[2]http://docs.python.org/2/library/ctypes.html
from salt-api.
In RHEL6, I'm still getting this error but it's much less frequent:
[CRITICAL] Authentication module threw an exception: incompatible types, CFunctionType instance instead of CFunctionType instance
Traceback (most recent call last):
File "/vagrant/salt/salt/auth/__init__.py", line 73, in __auth_call
return self.auth[fstr](*fcall['args'], **fcall['kwargs'])
File "/vagrant/salt/salt/auth/pam.py", line 150, in auth
return authenticate(username, password, kwargs.get('service', 'login'))
File "/vagrant/salt/salt/auth/pam.py", line 131, in authenticate
conv = PamConv(my_conv, 0)
TypeError: incompatible types, CFunctionType instance instead of CFunctionType instance
The RHEL6 environment is running python 2.6.6 whereas OSX is running 2.7.3
from salt-api.
@sfdc-kho thank you for the patch! This is a bit out of my wheelhouse so I've run this past @thatch45 and he'll follow-up a bit later today.
from salt-api.
These additions look safe, but I am not sure why the concurrency is giving us this problem yet. I would say that we should add this patch and have a fallback try/except that will run a few retries until we can figure out the underlying problem.
I will open an issue on saltstack/salt to track this
from salt-api.
Hey guys,
Just wanted to touch base on where we are on this. I don't suppose anyone else has had any luck reproducing this issue either through salt-api or through the salt client directly? Are we going to proceed with patching up the salt module in the interim?
from salt-api.
Sorry about the slow repsponses here, lets patch it up for now. Do you want to open a pull req?
from salt-api.
Will do. I'll also work in the try/except retry logic as well.
from salt-api.
Thanks! I greatly appreciate it!
from salt-api.
I've done a bit more digging into this issue and I think I've managed to create a reproducible test case. It seems to have something to do with concurrent auth module loading.
from ctypes import *
import salt.auth
import ast, traceback
if __name__ == '__main__':
opts = ast.literal_eval("{ 'external_auth': {'pam': {'service': ['.*']}}, 'extension_modules': ''}")
auth = salt.auth.LoadAuth(opts)
handle = auth.auth['pam.PamHandle']()
print "Does handle match arg type? {0}".format(type(handle) == auth.auth['pam.PAM_AUTHENTICATE'].argtypes[0])
salt.auth.LoadAuth(opts)
print "Does handle match arg type? {0}".format(type(handle) == auth.auth['pam.PAM_AUTHENTICATE'].argtypes[0])
try:
auth.auth['pam.PAM_AUTHENTICATE'](handle, 0)
except ArgumentError:
traceback.print_exc()
print "Now try to force cast"
auth.auth['pam.PAM_AUTHENTICATE'](cast(addressof(handle), POINTER(auth.auth['pam.PAM_AUTHENTICATE'].argtypes[0])).contents, 0)
print "Called PAM_AUTHENTICATE successfully"
On both our RHEL6 and OSX machines, this gives:
[vagrant@piab1-saltm1-1-piab salt-api]$ python scripts/test.py
Does handle match arg type? True
Does handle match arg type? False
Traceback (most recent call last):
File "scripts/test.py", line 20, in <module>
auth.auth['pam.PAM_AUTHENTICATE'](handle, 0)
ArgumentError: argument 1: <type 'exceptions.TypeError'>: expected PamHandle instance instead of PamHandle
Now try to force cast
Called PAM_AUTHENTICATE successfully
If loading is in fact the root cause of the issue, the most straight-forward fix would be stop reloading auth in /login. We could also remove the hack in auth/pam. Thoughts? I've tried a patch locally and it seems to be harmless and actually seems to result in slight better login throughput (not that login performance is a huge bottleneck)
from salt-api.
Interesting find! Aside from an apparent concurrency problem in the loader, it does make sense to load the auth module just one time anyway. Is the above commit what you had in mind?
from salt-api.
BTW, I can reproduce the same output from running your script on both Fedora 17 and Ubuntu Lucid.
from salt-api.
Yes that's exactly what I was thinking. I will submit a pull for reverting the earlier hack. Resolving this issue. I'm not sure if there's a larger loader bug here (or whether loader is simply not meant to be used like this) but will leave to you guys to make that call.
from salt-api.
Thank you for your work tracking this down!
from salt-api.
Related Issues (20)
- question: fetch token from salt master in login function HOT 3
- How can i use like this command for the result save mysql?
- how to use salt restful api efficiently
- Did not find any netapi configurations HOT 2
- git.checkout error
- cherrypy._cperror.HTTPError: (401, 'Could not authenticate using provided credentials') HOT 8
- state.sls always run env=base HOT 2
- add linux user home directory can't change HOT 1
- how i get more about return message HOT 1
- Salt API connection failed Salt return HTTP code 503 HOT 4
- how can i use salt-api get the salt-mine??
- Salt-api on macOS high Sierra HOT 1
- salt-api + salt-ssh -r
- dockercompose module is missing docker-compose down command HOT 2
- Salt-Api + SSH + pillar
- Get status.procs the salt-api retrun 500
- salt-api return Failed to authenticate against remote windows host (smb).
- Environ.setenv return unicode
- error: [Errno 24] Too many open files HOT 1
- salt-api "Authentication module threw <nothing>" HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from salt-api.