I’m trying to use unix user/group database as security realm of hudson. The linux server is using NIS for user management. My account could login the hudson server via ssh.
And the hudson server is running by user ‘hudson’ that is also a member of group ‘shadow’, so hudson could read /etc/shadow. And I tested the configuration using ‘test’ button, hudson tells me it works well.
But I can’t use my unix account and password to login the hudson sever.
And I found below java exception in the log of hudson,
Jan 12, 2011 8:23:42 AM hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
INFO: Login attempt failed
org.acegisecurity.BadCredentialsException: pam_authenticate failed : Authentication failure; nested exception is org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:100)
at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
at java.lang.Thread.run(Thread.java:595)
Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
at org.jvnet.libpam.PAM.check(PAM.java:105)
at org.jvnet.libpam.PAM.authenticate(PAM.java:123)
at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:90)
... 18 more
Update on Jan. 17,
The host is RHEL 4.5, and I created user and group shadow, then add hudson into group shadow.
-bash-3.00$ cat /etc/redhat-release
Red Hat Enterprise Linux WS release 4 (Nahant Update 5)
-bash-3.00$ ll /etc/shadow
-r--r----- 1 root shadow 1114 Jan 4 11:37 /etc/shadow
-bash-3.00$ cat /etc/group |grep shadow
shadow:x:44:hudson
I also tried to setup hudson on another RHEL 4.8 host. This time I ran the hudson by root,
kzhu0@pek-wb-rhws4_32:~$ ps -ef|grep hudson
root 18764 29161 0 Jan14 pts/5 00:00:33 /usr/bin/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DHUDSON_HOME=/var/lib/hudson -jar /usr/lib/hudson/hudson.war --logfile=/var/log/hudson/hudson.log --daemon --httpPort=8080 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20
kzhu0 22404 18833 0 10:52 pts/2 00:00:00 grep hudson
kzhu0@pek-wb-rhws4_32:~$ cat /etc/redhat-release
But I still don’t have luck to get unix user/password group work. And I can’t find any pam error message in /var/log/messages and /var/log/secure. It looks like hudson throws the exception before actually using pam to get authentication.
Red Hat Enterprise Linux WS release 4 (Nahant Update 8)
I find the solution after debugging the code of libpam4j that is used by hudson for PAM security realm.