我正在从 server1 执行一个命令,该命令将通过远程 ssh 连接到 server2 并以 olcne 用户身份执行某些命令。我在 /var/log/secure 文件中看到一些与 pam 相关的异常。有人能帮我看看可能是什么问题吗!
[root@server1~]# olcnectl --api-server 127.0.0.1:8091 module validate --environment-name dev --name dev
server2.com:8090 enountered error with crio.service for: crio.conf
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:
#1) Respect the privacy of others.
#2) Think before you type.
Password: (no password promted and exited with error)
Password:
[root@server2 pam.d]# cat sudo
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth
cat ./system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 900 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 900 quiet_success
auth sufficient pam_sss.so forward_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 900 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_ldap.so
[root@server2 pam.d]#
这是从 server-1 到 server-2 调用的 ssh 操作之一。手动检查是否成功
[root@server2 pam.d]# sudo su olcne -c "sudo /etc/olcne/scripts/olcne-systemctl status crio.service"
● crio.service - Open Container Initiative Daemon
Loaded: loaded (/usr/lib/systemd/system/crio.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/crio.service.d
└─crio-proxy.conf
Active: active (running) since Tue 2020-04-14 00:21:34 PDT; 2 days ago
Docs: https://github.com/cri-o/cri-o
Main PID: 24249 (crio)
CGroup: /system.slice/crio.service
└─24249 /usr/bin/crio
Apr 14 00:21:34 server2 systemd[1]: Starting Open Container Initiative Daemon...
Apr 14 00:21:34 server2 systemd[1]: Started Open Container Initiative Daemon.
==> /var/log/secure <==
Apr 17 06:03:39 server2 sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=olcne
Apr 17 06:03:39 server2 sudo: pam_sss(sudo:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=olcne
Apr 17 06:03:39 server2 sudo: pam_sss(sudo:auth): received for user olcne: 10 (User not known to the underlying authentication module)
==> /var/log/messages <==
Apr 17 06:03:41 server2 olcne-agent: #033[36mINFO#033[0m[17/04/20 06:03:41] out: [{"error":"","States":[{"property":"containerd.service","user_action":"","state":"not enabled/not running","error":"","message":"","Command":"","returncode":0,"data":"","children":null},{"property":"crio.service","user_action":"","state":"enabled/running","error":"","message":"","Command":"","returncode":0,"data":"","children":[{"property":"crio.conf","user_action":"","state":"","error":"We trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these two things:\n\n\t#1) Respect the privacy of others.\n\t#2) Think before you type.\n\nPassword:\nPassword:","message":"","Command":"","returncode":65542,"data":"","children":null}]},{"property":"kubelet.service","user_action":"systemctl enable kubelet.service","state":"not enabled/not running","error":"","message":"","Command":"","returncode":0,"data":"","children":null}]}] , stdErr: [] , err: %!s(<nil>)
Apr 17 06:03:41 server2 olcne-agent: #033[36mINFO#033[0m[17/04/20 06:03:41] Gathering state on the agent running package
Apr 17 06:03:41 server2 automount[1712]: key "olcne" not found in map source(s).
Apr 17 06:03:41 server2 olcne-agent: #033[36mINFO#033[0m[17/04/20 06:03:41] out: [{"error":"","States":[{"property":"kubeadm","user_action":"","state":"not installed","error":"","message":"","Command":"","returncode":0,"data":"","children":null},{"property":"kubectl","user_action":"","state":"not installed","error":"","message":"","Command":"","returncode":0,"data":"","children":null},{"property":"kubelet","user_action":"","state":"not installed","error":"","message":"","Command":"","returncode":0,"data":"","children":null}]}] , stdErr: [] , err: %!s(<nil>)
Apr 17 06:03:41 server2 olcne-agent: #033[36mINFO#033[0m[17/04/20 06:03:41] Gathering state on the agent running container-images
==> /var/log/secure <==
Apr 17 06:03:41 server2 sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=olcne
Apr 17 06:03:41 server2 sudo: pam_sss(sudo:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=olcne
Apr 17 06:03:12 server1 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Apr 17 06:03:12 server1 sudo: pam_ldap(sudo:session): error opening connection to nslcd: No such file or directory
Apr 17 06:03:12 server1 su: pam_unix(su:session): session opened for user olcne by root(uid=0)
Apr 17 06:03:12 server1 su: pam_ldap(su:session): error opening connection to nslcd: No such file or directory
Apr 17 06:03:12 server1 sudo: pam_unix(sudo:auth): conversation failed
Apr 17 06:03:12 server1 sudo: pam_unix(sudo:auth): auth could not identify password for [olcne]
Apr 17 06:03:12 server1 sudo: pam_sss(sudo:auth): authentication failure; logname= uid=1001 euid=0 tty= ruser=olcne rhost= user=olcne
Apr 17 06:03:12 server1 sudo: pam_sss(sudo:auth): received for user olcne: 10 (User not known to the underlying authentication module)
Apr 17 06:03:12 server1 sudo: pam_ldap(sudo:auth): failed to get password: Authentication failure
Apr 17 06:03:14 server1 su: pam_unix(su:session): session closed for user olcne