[slurm-users] pam_slurm_adopt not working for all users

Tina Friedrich tina.friedrich at it.ox.ac.uk
Fri May 21 15:35:39 UTC 2021

Hi Loris,

I'm not an PAM expert, but - pam_slurm_adopt doesn't do authenticatio, 
it only verifies that access for the authenticated user is allowed (by 
checking there's a job). 'account' not 'auth' in PAM config. As in, it's 
got nothing to do with how the user logs in to the server / is 
authenticated by the server.

So yes, I'd expect this. For SSH logins to work, users need to, well, be 
able to log in via ssh. Key based, password auth, host-based SSH, 
Kerberos, ... - whatever auth mechanism your PAM config's configured to 
use (or whatever you've configured in sshd_config).

If this is simply about quickly accessing nodes that they have jobs on 
to check on them - we tell our users to 'srun' into a job allocation 
(srun --jobid=XXXXXX).


On 21/05/2021 13:53, Loris Bennett wrote:
> Hi,
> We have set up pam_slurm_adopt using the official Slurm documentation
> and Ole's information on the subject.  It works for a user who has SSH
> keys set up, albeit the passphrase is needed:
>    $ salloc --partition=gpu --gres=gpu:1 --qos=hiprio --ntasks=1 --time=00:30:00 --mem=100
>    salloc: Granted job allocation 7202461
>    salloc: Waiting for resource configuration
>    salloc: Nodes g003 are ready for job
>    $ ssh g003
>    Warning: Permanently added 'g003' (ECDSA) to the list of known hosts.
>    Enter passphrase for key '/home/loris/.ssh/id_rsa':
>    Last login: Wed May  5 08:50:00 2021 from login.curta.zedat.fu-berlin.de
>    $ ssh g004
>    Warning: Permanently added 'g004' (ECDSA) to the list of known hosts.
>    Enter passphrase for key '/home/loris/.ssh/id_rsa':
>    Access denied: user loris (uid=182317) has no active jobs on this node.
>    Access denied by pam_slurm_adopt: you have no active jobs on this node
>    Authentication failed.
> If SSH keys are not set up, then the user is asked for a password:
>    $ squeue --me
>               7201647      main test_job nokeylee  R    3:45:24      1 c005
>               7201646      main test_job nokeylee  R    3:46:09      1 c005
>    $ ssh c005
>    Warning: Permanently added 'c005' (ECDSA) to the list of known hosts.
>    nokeylee at c005's password:
> My assumption was that a user should be able to log into a node on which
> that person has a running job without any further ado, i.e. without the
> necessity to set up anything else or to enter any credentials.
> Is this assumption correct?
> If so, how can I best debug what I have done wrong?
> Cheers,
> Loris

Tina Friedrich, Advanced Research Computing Snr HPC Systems Administrator

Research Computing and Support Services
IT Services, University of Oxford
http://www.arc.ox.ac.uk http://www.it.ox.ac.uk

More information about the slurm-users mailing list