PAM permission denied|V4.0.0|OceanBase Cloud Platform| docs|Distributed Database

PAM permission denied

Last Updated：2023-08-22 02:46:05 Updated

The Pluggable Authentication Modules (PAM) is a component of the Linux system. PAM provides dynamic authentication support for applications and services. If the configuration of the system causes the configured PAM authentication procedure to fail, the OCP-Agent pos_proxy process will not be able to run O&M.

Problems

When you run OCP-Agent 2.4.0 or later versions on a Linux system, such as Red Hat, CentOS, or AliOS 7, and

add a host, a sub-task failed and the sudo: pam_open_session: Permission denied error appears in the log.
deploy a cluster, a sub-task failed and the sudo: pam_open_session: Permission denied error appears in the log.
deploy OBProxy, a sub-task failed and the sudo: pam_open_session: Permission denied error appears in the log.

Possible causes

The configured PAM of the Session type failed to authenticate the status of the corresponding operations. General causes include:

An error occurred while authenticating sudo permission: You have not granted the required permission for the corresponding user to access the /etc/sudoers file.
An error occurred when you authenticated the system resource constraint configuration: You have configured improper system resource constraints by using the ulimit command or in the /etc/security/limits.conf file.

Solutions

If you are not sure about the specific cause, you can try the following methods one by one to solve the problem.

When the failure is caused during sudo permission authentication, perform the following steps to grant the required sudo permission to the corresponding user:
1. Log on to the operating system as the root user.
2. Open the /etc/sudoers file.
```
vim /etc/sudoers
```
3. Modify the permissions of the root user and admin user, and save the file.
```
root  ALL=(ALL) ALLadmin ALL=(ALL) ALL
```
4. Restart OCP-Agent.
```
/home/admin/ocp_agent/bin/ocp_agentctl restart
```
When the failure is caused during system resource constraint configuration, try the following two solutions:
- Perform the following steps to modify the system resource constraint configuration:
  1. Log on to the operating system as the root user.
  2. Run the following command to check the maximum number of files that can be opened by processes.
```
cat /proc/sys/fs/nr_open
```
  3. Open the /etc/security/limits.conf file, and set a value smaller than the maximum number of files that can be opened.
```
# Assume 655360 is smaller than /proc/sys/fs/nr_opencat >> /etc/security/limits.conf <<EOF* soft nofile 655360* hard nofile 655360EOF
```
  4. Restart OCP-Agent.
```
export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py stop basesleep 10export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py start base
```
- Perform the following steps to remove the PAM authentication for system resource constraints in sessions.
Notice
- This solution may introduce security risks.
- It invalidates the ulimit configuration in the Debian/Ubuntu system.
1. Log on to the operating system as the root user.
2. Open the PAM configuration file.
```
vim /etc/pam.d/sudo
```
3. Delete the following line, and save the file.
```
session    required     pam_limits.so
```
4. Restart OCP-Agent.
```
export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py stop basesleep 10export PYTHONPATH=/home/admin/ocp_agent/libs && cd /home/admin/ocp_agent && ./ocp_agentd.py start base
```

Community Edition

Enterprise Edition

PAM permission denied

Problems

Possible causes

Solutions

Notice