Spacewalk, PAM, and Centrify…oh, my!

So, I’ve been spending a good portion of the last six months designing a software distribution system, and looking for a good way to manage user access in an AD environment where LDAP is fractured, at best. A few months ago, we were approved to procure Centrify as a provider of AD integration, so we could get rid (entirely) of winbind and Samba-related services.

Finally, we are approaching handover, and time to integrate Spacewalk is here.

Spacewalk does NOT integrate directly with Active Directory. Never has, probably never will. It will, however, authenticate through PAM, and PAM does have methods to authenticate to AD, mostly with winbind. Centrify is supposed to be the bridge between them, and much more reliable than using winbind, but as we discovered (quickly), Spacewalk’s documentation does not cover connecting to AD, winbind, or anything similar. A quick Google search finds a few tutorials on how to connect to winbind, but none on Centrify.

Long story short: we did get AD working, and the trick was pointing pam_auth_service in rhn.conf at system-auth instead of rhn-satellite. Apparently Centrify adds some magic deep in the system-auth file ( /etc/pam.d/system-auth ) that allows PAM to connect.

Long story long:

The tutorials we found on “the Google” were really trying their best to be helpful, but never quite got there.

The default for Spacewalk is to set the contents of /etc/rhn/rhn.conf  to

pam_auth_service = rhn-satellite

The default service name, rhn-satellite, maps to /etc/pam.d/rhn-satellite. If Spacewalk were authenticating to LDAP or NIS or whatever, that file would be correct. Granted, it’s just a short PAM stack: five or so lines of sufficient, requisite, etc.

Further investigation reveals that Centrify needs to add a few lines, and change the others:

Original rhn-satellite:

auth            required         pam_env.so
auth            sufficient       pam_sss.so
auth            required         pam_deny.so
account         sufficient       pam_sss.so
account         required         pam_deny.so

The suggested fix found on a few sites:

auth             required         pam_centrify.so
auth             requisite        pam_centrify.so  deny
account          sufficient       pam_centrify.so
account          requisite        pam_centrify.so  deny
session          required         pam_centrify.so  homedir
password         sufficient       pam_centrify.so  try_first_pass
password         requisite        pam_centrify.so  deny

On the surface, this looks like it’s correct, but we could never get it to work.

However, further searching located some people who had made it work by pointing that line in rhn.conf to “password-auth” instead of “rhn-satellite”, since Centrify adds several extra lines there to integrate with the specific AD domains (which I won’t share for obvious security reasons). However, newer versions don’t have a “password-auth” file and use “system-auth” instead. Making /etc/rhn/rhn.conf read:

pam_auth_service = system-auth

…finally did the trick. You’ll need to look at those files yourself (password-auth and/or system-auth) to determine where the settings you need are: you can copy them into rhn-satellite, or simply point pam_auth_service at that file directly. The latter is what I did.
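As an added sanity check (my own script, not part of the original post or of Spacewalk), this reads the pam_auth_service value out of rhn.conf and confirms that the PAM stack it names actually has an auth line using pam_centrify.so, which is exactly the thing the stock rhn-satellite file lacks. The files are constructed stand-ins in a temp directory so it runs offline; on a real host point RHN_CONF and PAM_D at /etc/rhn/rhn.conf and /etc/pam.d.

```shell
#!/bin/sh
# Added check: does the PAM service Spacewalk is configured to use reference Centrify?
# All files below are constructed stand-ins; the real paths are /etc/rhn/rhn.conf and /etc/pam.d.

TMP=$(mktemp -d)
PAM_D="$TMP/pam.d"
RHN_CONF="$TMP/rhn.conf"
mkdir -p "$PAM_D"

# constructed stand-in for /etc/rhn/rhn.conf, already switched to system-auth
printf 'pam_auth_service = system-auth\n' > "$RHN_CONF"
# constructed stand-in for the stock /etc/pam.d/rhn-satellite (no Centrify lines at all)
cat > "$PAM_D/rhn-satellite" <<'EOF'
auth            required         pam_env.so
auth            sufficient       pam_sss.so
auth            required         pam_deny.so
account         sufficient       pam_sss.so
account         required         pam_deny.so
EOF
# constructed stand-in for a system-auth file as Centrify leaves it
cat > "$PAM_D/system-auth" <<'EOF'
auth            required         pam_env.so
auth            sufficient       pam_centrify.so
auth            requisite        pam_centrify.so  deny
account         sufficient       pam_centrify.so
account         requisite        pam_centrify.so  deny
session         required         pam_centrify.so  homedir
EOF

# Print the service name that pam_auth_service points at (whitespace around '=' tolerated)
rhn_pam_service() {
    sed -n 's/^[[:space:]]*pam_auth_service[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Exit 0 if that service's stack has an auth line using pam_centrify.so, 2 if the file is missing
pam_stack_uses_centrify() {
    svc=$(rhn_pam_service "$1")
    [ -f "$2/$svc" ] || return 2
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_centrify\.so' "$2/$svc"
}

if pam_stack_uses_centrify "$RHN_CONF" "$PAM_D"; then
    echo "ok: $(rhn_pam_service "$RHN_CONF") stack authenticates via pam_centrify.so"
else
    echo "warning: $(rhn_pam_service "$RHN_CONF") stack has no pam_centrify.so auth line"
fi
```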

Hopefully this will help a few people out there!


Bootnote: this should work both with Spacewalk and Satellite equally.
