Description of problem: When I have pam enabled for my user, login on the WebUI works. But when I use rhnpush to upload a pkg, I end up with: Error Class Code: 2 Error Class Info: Invalid username and password combination. Explanation: An error has occurred while processing your request. If this problem persists please enter a bug report at bugzilla.redhat.com. If you choose to submit the bug report, please be sure to include details of what you were trying to do when this error occurred and details on how to reproduce this problem. Version-Release number of selected component (if applicable): # rpm -qa | grep spacewalk spacewalk-search-0.6.11-1.el5 spacewalk-branding-0.6.8-1.el5 spacewalk-0.6.4-1.el5 spacewalk-html-0.6.19-1.el5 spacewalk-backend-0.6.30-1.el5 spacewalk-backend-config-files-0.6.30-1.el5 spacewalk-taskomatic-0.6.42-1.el5 spacewalk-schema-0.6.22-1.el5 rhn-org-httpd-ssl-key-pair-spacewalk-1.0-4 spacewalk-backend-xml-export-libs-0.6.30-1.el5 spacewalk-backend-package-push-server-0.6.30-1.el5 spacewalk-moon-0.6.19-1.el5 spacewalk-client-tools-0.0-1 spacewalk-java-config-0.6.42-1.el5 spacewalk-monitoring-0.6.7-1.el5 spacewalk-admin-0.6.3-1.el5 spacewalk-backend-server-0.6.30-1.el5 spacewalk-backend-app-0.6.30-1.el5 spacewalk-backend-iss-export-0.6.30-1.el5 spacewalk-backend-xp-0.6.30-1.el5 spacewalk-pxt-0.6.19-1.el5 spacewalk-cypress-0.6.19-1.el5 spacewalk-selinux-0.6.13-1.el5 spacewalk-java-lib-0.6.42-1.el5 spacewalk-backend-sql-0.6.30-1.el5 spacewalk-backend-xmlrpc-0.6.30-1.el5 spacewalk-backend-config-files-tool-0.6.30-1.el5 spacewalk-backend-iss-0.6.30-1.el5 spacewalk-base-0.6.19-1.el5 spacewalk-sniglets-0.6.19-1.el5 spacewalk-certs-tools-0.6.3-1.el5 spacewalk-doc-indexes-0.6.1-1.el5 spacewalk-config-0.6.13-1.el5 spacewalk-base-minimal-0.6.19-1.el5 spacewalk-backend-config-files-common-0.6.30-1.el5 spacewalk-backend-applet-0.6.30-1.el5 spacewalk-grail-0.6.19-1.el5 spacewalk-monitoring-selinux-0.6.12-1.el5 spacewalk-backend-tools-0.6.30-1.el5 spacewalk-java-0.6.42-1.el5 spacewalk-setup-0.6.21-1.el5 How reproducible: Always Steps to Reproduce: 1. enable pam for a user 2. rhnpush Actual results: error because of wrong username/password combo Expected results: Uploads package(s) Additional info: Maybe pam works but the password (with special/non-alphanumeric chars) doesn't. Can't easily check that. But that would mean that something is done different over xmlrpc compared to webui.
I had the same problem and it appears to be selinux policy related. After running setenforce 0 and trying again I was able to generate the following in order to get it to work with selinux enforcing enabled. module rhnpush 1.0; require { type httpd_t; class netlink_audit_socket { write nlmsg_relay create read }; } #============= httpd_t ============== allow httpd_t self:netlink_audit_socket { write nlmsg_relay create read };
On our system, no SELinux denials are logged, neither on the client running rhnpush nor on the Satellite Server. This is logged on Satellite during login attempt: ('Password check failed (4): System error',) Best Regards Marcus
I just retested this with rhncfg-manager (which used to have the same problem). Now it works if SELinux is permissive only but not in enforcing mode as described by Jason. Not sure what changed because SELinux hasn't been the (primary) problem before as Marcus reported. Oh, don't have anything around to try rhnpush right now to verify this observation is the same with both tools. By the way, using the API with a python script always works, just like the WebUI.
Seeing that this might SELinux issue, I'm taking for investigation. Could you please paste your pam configuration? The PAM SELinux issues are often dependent on what authentication system you use (LDAP, Kerberos, ...), so knowing your setup will make it easier to reproduce it here. Thank you.
Alright, here you go: [root@id-sws-prd-01 ~]# grep pam_auth_service /etc/rhn/rhn.conf pam_auth_service = rhn-satellite [root@id-sws-prd-01 ~]# cat /etc/pam.d/rhn-satellite #%PAM-1.0 auth required pam_env.so auth sufficient pam_ldap.so auth required pam_deny.so account required pam_ldap.so Didn't even know/remember that was so tiny. Let me know if you need anything else.
In our case: #%PAM-1.0 auth required pam_env.so auth sufficient pam_krb5.so no_user_check auth required pam_deny.so account required pam_krb5.so no_user_check
Mass-moving to space13.
Sandro, I've checked that on Spacewalk nightly (with spacewalk-backend-1.3.50-1.el5) the rhnpush passes both with Kerberos and LDAP. Could you try on Spacewalk nightly (or wait for 1.3)?
(In reply to comment #8) > Sandro, I've checked that on Spacewalk nightly (with > spacewalk-backend-1.3.50-1.el5) the rhnpush passes both with Kerberos and LDAP. > Could you try on Spacewalk nightly (or wait for 1.3)? I forgot: to get it to work, you need to upgrade the selinux-policy-targeted to the version from RHEL 5.6 or higher, and you need to set # setsebool allow_httpd_mod_auth_pam 1
This bug has been fixed in Spacewalk 1.3.