In the instructions for pam_slurm_adopt, there are instructions such as:Add the following line to the appropriate file in /etc/pam.d, such as system-auth or sshd (you may use either the "required" or "sufficient" PAM control flag):
This module is configurable. Add these options to the end of the pam_slurm_adopt line in the appropriate file in /etc/pam.d/ (e.g., sshd or system-auth):
Assuming an OS like CentOS does this mean it should be put in both?
slurm.conf on the node has:
UsePAM yes
slurm.conf has PrologFlags=contain and ProctrackType=proctrack/cgroup
I placed the call here only in /etc/pam.d/sshd making sure it is the last line in the account stack.
#%PAM-1.0
auth required pam_sepermit.so
auth substack system-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include system-auth
-account required pam_slurm_adopt.so
so pam_sss.so is at the bottom of /etc/pam.d/sshd
session optional pam_keyinit.so revoke
session required pam_limits.so
#-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0022 skel=/etc/skel
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
We're testing this on an idle node. I start an interactive srun. However trying to ssh to the node gets:
Apr 18 11:13:41 node11 sshd[33355]: Authorized to dk2643, krb5 principal user@ouruni.EDU (ssh_gssapi_krb5_cmdok)
Apr 18 11:13:41 node11 sshd[33355]: pam_sss(sshd:account): Access denied for user user: 6 (Permission denied)
Apr 18 11:13:41 node11 sshd[33355]: fatal: Access denied for user user by PAM account configuration [preauth]
Am I missing something?