我正在尝试使用unix用户/组数据库作为hudson的安全领域. linux服务器正在使用NIS进行用户管理.我的帐户可以通过ssh登录hudson服务器.
并且哈德森服务器由用户’hudson’运行,它也是组’shadow’的成员,因此哈德森可以读取/ etc / shadow.我使用’test’按钮测试了配置,hudson告诉我它运行良好.
但我无法使用我的unix帐户和密码登录hudson服务器.
我在hudson的日志中发现了以下java异常,
Jan 12, 2011 8:23:42 AM hudson.security.AuthenticationProcessingFilter2 onUnsuccessfulAuthentication
INFO: Login attempt failed
org.acegisecurity.BadCredentialsException: pam_authenticate failed : Authentication failure; nested exception is org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:100)
at org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:195)
at org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:45)
at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:71)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
at java.lang.Thread.run(Thread.java:595)
Caused by: org.jvnet.libpam.PAMException: pam_authenticate failed : Authentication failure
at org.jvnet.libpam.PAM.check(PAM.java:105)
at org.jvnet.libpam.PAM.authenticate(PAM.java:123)
at hudson.security.PAMSecurityRealm$PAMAuthenticationProvider.authenticate(PAMSecurityRealm.java:90)
... 18 more
1月17日更新,
主机是RHEL 4.5,我创建了用户和组阴影,然后将hudson添加到组阴影中.
-bash-3.00$cat /etc/redhat-release
Red Hat Enterprise Linux WS release 4 (Nahant Update 5)
-bash-3.00$ll /etc/shadow
-r--r----- 1 root shadow 1114 Jan 4 11:37 /etc/shadow
-bash-3.00$cat /etc/group |grep shadow
shadow:x:44:hudson
我还尝试在另一台RHEL 4.8主机上安装hudson.这次我用root运行哈德森,
kzhu0@pek-wb-rhws4_32:~$ps -ef|grep hudson
root 18764 29161 0 Jan14 pts/5 00:00:33 /usr/bin/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DHUDSON_HOME=/var/lib/hudson -jar /usr/lib/hudson/hudson.war --logfile=/var/log/hudson/hudson.log --daemon --httpPort=8080 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20
kzhu0 22404 18833 0 10:52 pts/2 00:00:00 grep hudson
kzhu0@pek-wb-rhws4_32:~$cat /etc/redhat-release
但我仍然没有运气让unix用户/密码组工作.我在/ var / log / messages和/ var / log / secure中找不到任何pam错误消息.在实际使用pam进行身份验证之前,看起来hudson会抛出异常.
红帽企业Linux WS第4版(Nahant Update 8)
解决方法:
我在调试了hudson用于PAM安全领域的libpam4j代码后找到了解决方案.
>在我的情况下,服务名称必须是’sshd’,因为我想使用NIS进行身份验证. RHEL 4.x使用pam 0.77,它严格依赖于hudson指定的服务名称.但是我的Ubuntu 10.04接受任何无意义的服务名称,它使用pam 1.1.1.
>运行hudson的用户必须具有读取pam服务文件的权限,/ etc / pam.d / sddd是我的文件中的文件