I try to install openldap(v2.4.44) using puppet agent --test in a Centos 7 environment and received this error
Error: Systems start for slapd failed!
journalctl log for slapd:
systemd[1]: Starting OpenLDAP Server Daemon...
runuser[110317]: pam_unix(runuser:session): session opened for user ldap by
(uid=0)
runuser[110317]: pam_unix(runuser:session): session closed for user ldap
tlsmc_get_pin: INFO: Please note the extracted key file will not be protected
with a PIN any more, however it will be still protected at least by file
permissions.
tlsmc_get_pin: INFO: Please note the extracted key file will not be protected
with a PIN any more, however it will be still protected at least by file
permissions.
tlsmc_get_pin: INFO: Please note the extracted key file will not be protected
with a PIN any more, however it will be still protected at least by file
permissions.
... loop until timeout
Note: This happened if I installed manually as well
Might be environment issue as well because I tried in different environment it seems fine.
Anyone have any clue?
Related
Earlier I have installed Rundeck in local machine and Everything was working fine for me . Recently I have installed rundeck in remote host machine where ssh and sudo user are different for this machine and they are not in same group .
When I am trying to run the job(python scripts) , it is throwing me below permisision denied message . Do I need to change the user level details somewhere in a file, Please let me know .
/bin/sh: /tmp/4-10-host-machine-dispatch-script.tmp.sh: Permission denied
Result: 126
Failed: NonZeroResultCode: Result code was 126
Thanks,
RK
That means the /tmp directory is restricted in your remote node (some servers setups restrict that by security reasons), you can define a custom copy script path in multiples ways:
1) Node level: defining file-copy-destination-dir attribute at resoruces.xml file, example:
<node name="freebsd11" description="FreeBSD 11 node" tags="unix,freebsd" hostname="192.168.33.41" osArch="amd64" osFamily="unix" osName="FreeBSD" osVersion="11.3-RELEASE" username="youruser" ssh-key-storage-path="keys/rundeck" file-copy-destination-dir="/home/youruser/scripts"/>
2) Project level: Go to Edit Configuration (Rundeck sidebar) > Edit Configuration > Edit Configuration File (up to right button) and add this line:
project.file-copy-destination-dir=/home/youruser/scripts
3) Globally: Stop Rundeck service, add the following line at project.properties (at /etc/rundeck path) file and start Rundeck service again:
framework.file-copy-destination-dir=/home/youruser/script
Just make sure that the custom path is reachable by the remote ssh user. You can check the full documentation here.
I'm using ansible to provision my Centos 7 produciton cluster. Unfortunately, execution of below command results with ansible Tiemout and Linux Pluggable Authentication Modules (pam) error conversation failed.
The same ansible command works well, executed against virtual lab mad out of vagrant boxes.
Ansible Command
$ ansible master_server -m yum -a 'name=vim state=installed' -b -K -u lukas -vvvv
123.123.123.123 | FAILED! => {
"msg": "Timeout (7s) waiting for privilege escalation prompt: \u001b[?1h\u001b=\r\r"
}
SSHd Log
# /var/log/secure
Aug 26 13:36:19 master_server sudo: pam_unix(sudo:auth): conversation failed
Aug 26 13:36:19 master_server sudo: pam_unix(sudo:auth): auth could not identify password for [lukas]
I've found the problem. It turned out to be PAM's auth module problem! Let me describe how I got to the solution.
Context:
I set up my machine for debugging - that is I had four terminal windows opened.
1st terminal (local machine): Here, I was executing ansible prduction_server -m yum -a 'name=vim state=installed' -b -K -u username
2nd terminal (production server): Here, I executed journalctl -f (system wide log).
3rd terminal (production server): Here, I executed tail -f /var/log/secure (log for sshd).
4th terminal (production server): Here, I was editing vi /etc/pam.d/sudo file.
Every time, I executed command from 1st terminal I got this errors:
# ansible error - on local machine
Timeout (7s) waiting for privilege escalation prompt error.
# sshd error - on remote machine
pam_unix(sudo:auth): conversation failed
pam_unix(sudo:auth): [username]
I showed my entire setup to my colleague, and he told me that the error had to do something with "PAM". Frankly, It was the first time that I've heard about PAM. So, I had to read this PAM Tutorial.
I figured out, that error relates to auth interface located in /etc/pam.d/sudo module. Diging over the internet, I stambled upon this pam_permit.so module with sufficient controll flag, that fixed my problem!
Solution
Basically, what I added was auth sufficient pam_permit.so line to /etc/pam.d/sudo file. Look at the example below.
$ cat /etc/pam.d/sudo
#%PAM-1.0
# Fixing ssh "auth could not identify password for [username]"
auth sufficient pam_permit.so
# Below is original config
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth
Conclusion:
I spent 4 days to arrive to this solution. I stumbled upon over a dozens solutions that did not worked for me, starting from "duplicated sudo password in ansible hosts/config file", "ldap specific configuration" to getting advice from always grumpy system admins!
Note:
Since, I'm not expert in PAM, I'm not aware if this fix affects other aspects of the system, so be cautious over blindly copy pasting this code! However, if you are expert on PAM please share with us alternative solutions or input. Thanks!
Assuming the lukas user is a local account, you should look at how the pam_unix.so module is declared in your system-auth pam file. But more information about the user account and pam configuration is necessary for a specific answer.
While adding auth sufficient pam_permit.so is enough to gain access. Using it in anything but the most insecure test environment would not be recommended. From the pam_permit man page:
pam_permit is a PAM module that always permit access. It does nothing
else.
So adding pam_permit.so as sufficient for authentication in this manner will completely bypass the security for all users.
Found myself in the same situation, tearing my hair out. In my case, hidden toward the end of the sudoers file, there was the line:
%sudo ALL=(ALL:ALL) ALL
This undoes authorizations that come before it. If you're not using the sudo group then this line can safely be deleted.
I had this error since upgrading sudo to version 1.9.4 with pacman. I hadn't noticed that pacman had provided a new sudoers file.
I just needed to merge /etc/sudoers.pacnew.
See here for more details: https://wiki.archlinux.org/index.php/Pacman/Pacnew_and_Pacsave
I know that this doesn't answer the original question (which pertains to a Centos system), but this is the top Google result for the error message, so I thought I'd leave my solution here in case anyone stumbles across this problem coming from an Arch Linux based operating system.
I got the same error when I tried to restart apache2 with sudo service apache2 restart
When logging into root I was able to see the real error lied with the configuration of apache2. Turned out I removed a site's SSL-Certificate files a few months ago but didn't disable the site in apache2. a2dissite did the trick.
I'm using Deployer for deploying my code to multiple servers. Today I got this error after starting a deployment:
[Deployer\Exception\RuntimeException (-1)]
The command "if hash command 2>/dev/null; then echo 'true'; fi" failed.
Exit Code: -1 (Unknown error)
Host Name: staging
================
Warning: Identity file /home/user/.ssh/id_rsa not accessible: No such file or directory.
Permission denied (publickey).
First I thought it would probably has something to do with this server configuration since I moved the complete installation to another hosting provider. I tried to trigger a deployment to a server which I deployed to just fine in the past days but then got the same error. This quickly turned my suspicions from server to local.
Since I'm running PHP in docker (Deployer is written in PHP), I thought it might had something to do with my ssh-agent not being forwarded correctly from my host OS to docker. I verified this by using a fresh PHP installation directly from my OS (Ubuntu if that would help). Same warning kept popping up in the logs.
When logging in using the ssh command everything seems to be alright. I still have no clue what going on here. Any ideas?
PS: I also created an issue at Deployer's GIT repo: https://github.com/deployphp/deployer/issues/1507
I have no experience with the library you are talking about, but the issue starts here:
Warning: Identity file /home/user/.ssh/id_rsa not accessible: No such file or directory.
So let's focus on that. Potential things I can think of:
Is the username really user? It says that the file lives at: /home/user. Verifying that that really is the correct path. For instance, just ls the file. If it doesn't exist, you will get an error:
$ ls /home/user/.ssh/id_rsa
That will throw a No such file or directory if it doesn't exist.
If 1. is not the issue, then most likely this is a user issue where the permissions are wrong for the user in the Docker container. If this is the issue, then INSIDE the Docker container, change the permissions on id_rsa before you need to do it:
$ chmod 600 /home/user/.ssh/id_rsa
Now do stuff with the key...
A lot of SSH agents won't work unless the key is only read-write accessible by the user who is trying to run the ssh agent. In this case, that is the user inside of the Docker container.
At first i was trying to do the upload file function and some configuration. However though the file_upload is ON, the upload file function is still not working. After I do some configuration according to online tutorials my XAMPP server seems to have problem. These were the error messages when i run php file:
Warning: session_start():
open(/var/folders/_z/rzmc9ysn0r15n2_88d5y5lbh0000gn/T/sess_4ff2e15141e8e599a0617ccafaba00c9,
O_RDWR) failed: Permission denied (13) in
/Applications/XAMPP/xamppfiles/htdocs/presoft/session_test.php on line
4
Warning: session_start(): It is not safe to rely on the system's
timezone settings. You are required to use the date.timezone setting
or the date_default_timezone_set() function. In case you used any of
those methods and you are still getting this warning, you most likely
misspelled the timezone identifier. We selected the timezone 'UTC' for
now, but please set date.timezone to select your timezone. in
/Applications/XAMPP/xamppfiles/htdocs/presoft/session_test.php on line
4
Warning: session_start(): Cannot send session cache limiter - headers
already sent (output started at
/Applications/XAMPP/xamppfiles/htdocs/presoft/session_test.php:2) in
/Applications/XAMPP/xamppfiles/htdocs/presoft/session_test.php on line
4
I also can't access phpmyadmin and the error is:
Error during session start; please check your PHP and/or webserver log
file and configure your PHP installation properly. Also ensure that
cookies are enabled in your browser.
I'm using Xampp server on Mac OS.
I already looked into session.save_path and the location is "Application/XAMPP/xamppfiles/temp". Tried "/tmp" but still the same.
Give read/write permissions to your Apache user on temp directory in /Applications/XAMPP/xamppfiles/.
To know your OS user: open Terminal and use command whoami
To know your Apache user: Open httpd.conf file in /Applications/XAMPP/xamppfiles/etc/httpd.conf
and look for user yourusername and Group admin
Usually this comes from a permission problem with the session.save_path; in this case I suggest you check the permissions on /Applications/XAMPP/xamppfiles/temp/ and set them such that the webserver process can read and write files there.
I can't get the openssh server to work on Windows Server 2008. I have it working on two other servers, but one of them just won't work.
I run ssh-host-config, and choose privilege separation. Two users are created sshd and sshd_server.
Then I run net start sshd, and I see this:
The CYGWIN sshd service is starting.
The CYGWIN sshd service could not be started.
The service did not report an error.
Then I run cat /var/log/sshd.log and I see this output:
/etc/sshd_config: No such file or directory
I then check permissions on /etc/sshd_config:
-rw-r--r-- 1 sshd_server root 3344 Sep 7 09:15 /etc/sshd_config
So now, it seems sshd cannot see a file which is there and has the right permissions. Even on windows, that file is owned by sshd_server.
had this happen too .
a Procmon session revealed to me that the sshd service was trying to locate /etc in the root directory c:\etc instead of c:\cygwin\etc.
further investigation showed that sshd was loading an incorrect cygwin1.dll which was living in my system PATH environment variable.
solution was to either to remove the bad cygwin1.dll or remove the "bad" path from the system variables and assigning that path it to user specific environment variables.
afterwards running the sshd daemon under a dedicated user who did not have this "bad "path worked as it should.
thanks mark