Hi Robert,
The pam_slurm_adopt has worked well and without bugs for many Slurm versions in the past. You should make sure to follow carefully the instructions in the mentioned wiki page, however.
What is your Slurm version and OS version?
Did you try a different username than "user"?
/Ole
On 18-04-2025 19:09, Robert Kudyba via slurm-users wrote:
Thanks Ole and Massimo, I definitely do not have UsePAM=1 in slurm.conf. I commented outpam_systemdhere: grep pam_systemd * fingerprint-auth:-session optional pam_systemd.so fingerprint-auth-ac:-session optional pam_systemd.so password-auth:#-session optional pam_systemd.so password-auth-ac:#-session optional pam_systemd.so runuser-l:#-session optional pam_systemd.so smartcard-auth:-session optional pam_systemd.so smartcard-auth-ac:-session optional pam_systemd.so system-auth:#-session optional pam_systemd.so system-auth-ac:#-session optional pam_systemd.so
I did enable debug here; sshd:-account sufficient pam_slurm_adopt.so action_unknown=newest log_level=debug5 Latest logs:
Apr 18 13:06:08 node11 sshd[32043]: Authorized to user, krb5 principal user@ADCU.OURUNI.EDU mailto:user@ADCU.OURUNI.EDU (ssh_gssapi_krb5_cmdok) Apr 18 13:06:08 node11 sshd[32043]: pam_sss(sshd:account): Access denied for user user: 6 (Permission denied) Apr 18 13:06:08 node11 pam_slurm_adopt[32043]: debug: Reading cgroup.conf file /etc/slurm/cgroup.conf Apr 18 13:06:08 node11 pam_slurm_adopt[32043]: debug: Ignoring obsolete CgroupReleaseAgentDir option. Apr 18 13:06:08 node11 pam_slurm_adopt[32043]: debug: Reading slurm.conf file: /etc/slurm/slurm.conf Apr 18 13:06:08 node11 pam_slurm_adopt[32043]: debug4: found jobid = 4736742, stepid = 4294967295 Apr 18 13:06:08 node11 pam_slurm_adopt[32043]: debug4: found jobid = 4736742, stepid = 0 Apr 18 13:06:08 node11 pam_slurm_adopt[32043]: debug3: Trying to load plugin /usr/lib64/slurm/auth_munge.so Apr 18 13:06:08 node11 pam_slurm_adopt[32043]: debug: Munge authentication plugin loaded Apr 18 13:06:08 node11 pam_slurm_adopt[32043]: debug3: Success. Apr 18 13:06:08 node11 pam_slurm_adopt[32043]: Connection by user user: user has only one job 4736742 Apr 18 13:06:08 node11 pam_slurm_adopt[32043]: debug: _adopt_process: trying to get 4736742.4294967295 to adopt 32043 Apr 18 13:06:08 node11 pam_slurm_adopt[32043]: debug: Leaving stepd_add_extern_pid Apr 18 13:06:08 node11 pam_slurm_adopt[32043]: debug: Leaving stepd_get_x11_display Apr 18 13:06:08 node11 pam_slurm_adopt[32043]: Process 32043 adopted into job 4736742 Apr 18 13:06:08 node11 sshd[32043]: fatal: Access denied for user user by PAM account configuration [preauth]
There are a few Slurm bugs mentioning: Connection by user user: user has only one job
But the "only" makes it sound like that's a bad thing?
On Fri, Apr 18, 2025 at 1:07 PM Massimo Sgaravatto <massimo.sgaravatto@gmail.com mailto:massimo.sgaravatto@gmail.com> wrote:
Hi Did you disable the pam_systemd.so also from the module files included by the sshd pam file ? I am asking because I had this problem when I configured the pam_slurm_adopt Cheers, Massimo On Fri, Apr 18, 2025 at 5:28 PM Robert Kudyba via slurm-users <slurm-users@lists.schedmd.com <mailto:slurm- users@lists.schedmd.com>> wrote: In the instructions for pam_slurm_adopt <https:// slurm.schedmd.com/pam_slurm_adopt.html#ssh_config>, there are instructions such as: Add the following line to the appropriate file in /etc/ pam.d, such as system-auth or sshd (you may use either the "required" or "sufficient" PAM control flag): This module is configurable. Add these options to the end of the pam_slurm_adopt line in the appropriate file in /etc/ pam.d/ (e.g., sshd or system-auth): Assuming an OS like CentOS does this mean it should be put in both? slurm.conf on the node has: UsePAM yes slurm.conf has PrologFlags=contain and ProctrackType=proctrack/ cgroup I placed the call here only in /etc/pam.d/sshd making sure it is the last line in the account stack. #%PAM-1.0 auth required pam_sepermit.so auth substack system-auth auth include postlogin # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare account required pam_nologin.so account include system-auth -account required pam_slurm_adopt.so so pam_sss.so is at the bottom of /etc/pam.d/sshd session optional pam_keyinit.so revoke session required pam_limits.so #-session optional pam_systemd.so session optional pam_oddjob_mkhomedir.so umask=0022 skel=/etc/skel session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so We're testing this on an idle node. I start an interactive srun. However trying to ssh to the node gets: Apr 18 11:13:41 node11 sshd[33355]: Authorized to dk2643, krb5 principal user@ouruni.EDU (ssh_gssapi_krb5_cmdok) Apr 18 11:13:41 node11 sshd[33355]: pam_sss(sshd:account): Access denied for user user: 6 (Permission denied) Apr 18 11:13:41 node11 sshd[33355]: fatal: Access denied for user user by PAM account configuration [preauth] Am I missing something?