How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-server"

Participant II


We use MFA for some users, but this R application will not accept credentials. Since the application does not need MFA, we tried setting

pam.mfa.program.ignore: ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd shiny-server.

Still get the same message. Any ideas?

Centrify Guru I

@ErnieM,

Welcome to the community.

When posting, would you be kind enough to tell us the operating system, version and version of our software?

 

Keep in mind that we can provide MFA for UNIX/Linux (for console or remote login and privilege elevation via dzdo) or for Windows for Login (console, remote, screen unlock, privilege elevation or offline access).  It looks like you may be dealing with a PAM-enabled app in UNIX/Linux, but it's much easier if you tell us the info above.

 

If this is for remote access

When using the parameter you mentioned (pam.mfa.program.ignore), you usually have to reload the agent configuration (e.g. by running adreload with elevated rights), or you may have to restart the centrifydc service, depending on the version.

Alternatively, since you are disabling access overall for this app, you can do this by assigning the target users a role that does not challenge for MFA.

If this is for Privilege Elevation

Note that if this is an application to be run with privileges, as you define them, make sure the respective checkbox (per platform) is unchecked:

[image: check-mfa.png]

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com

Participant II

Thank you for your timely reply, and yes, I should have known better. Anyway,

Linux (Red Hat release 6.9), CentrifyDC 5.4.3-901.

We did restart the agent and flush the cache after we made the change. The target role would require a lot more effort, but shouldn't this have been enough?

Centrify Guru I

@ErnieM,

If after doing an adreload and a service centrifydc restart this did not take, support may have to take a look.

It is super important that the application in question is PAM-aware and that its PAM configuration stanzas are looking at the system PAM config.

 

One last check. If you want to see the current in-memory working parameters of the client, you can use

adinfo --sysinfo config

and grep for the parameter you just set. If the parameter lists your program (with the correct PAM name) and it still prompts, I am sure support may want to take a deeper look.

 

R.P

The parameter pam.mfa.program.ignore should work but you need to make sure you include the correct name of the application calling the Centrify PAM module.  

 

To confirm the name of the application, enable Centrify debug, attempt the login and confirm the name of the application.  I'll use SSH as an example:  

 

# /usr/share/centrifydc/bin/addebug on
/var/log/centrify_client.log does not exist. Creating now.
Configure /etc/rsyslog.conf
Send HUP signal to rsyslogd
Configure log level in /etc/centrifydc/centrifydc.conf
Reload /etc/centrifydc/centrifydc.conf
/usr/sbin/adreload returned 0
Centrify DirectControl debug logging is on

# tail -f /var/log/centrifydc.log | grep pam_sm

Dec 11 18:10:08 r10-sap-74 adclient[21097]: DEBUG <fd:23 sshd(21990)> -> pam_sm_authenticate
Dec 11 18:10:18 r10-sap-74 adclient[21097]: DEBUG <fd:28 sshd(21990)> -> cloud pam_sm_authenticate

As we can see, sshd is the name of the application calling the Centrify PAM module.  If I add sshd to pam.mfa.program.ignore and run "adreload", then log in again with sshd, I don't get MFA.

 

Remember to turn off debug:

# /usr/share/centrifydc/bin/addebug off

Please give this a try in your environment. If it doesn't work, we will need a debug log showing the issue.


Regards,

 

Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation

Participant II

Your help has been incredibly useful, but we now have a better test user and the result is the same:

Jan 23 12:01:01 cdsadcashstnme adclient[2081]: DEBUG <fd:23 crond(6452)> <- pam_sm_close_session, result=PAM_IGNORE(25)
Jan 23 12:01:15 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> -> pam_sm_authenticate
Jan 23 12:01:15 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)
Jan 23 12:01:15 cdsadcashstnme adclient[2081]: DEBUG <fd:26 shiny-server(12775)> -> pam_sm_authenticate
Jan 23 12:01:15 cdsadcashstnme adclient[2081]: DEBUG <fd:26 shiny-server(12775)> pam_sm_common() failed 7
Jan 23 12:01:15 cdsadcashstnme adclient[2081]: DEBUG <fd:26 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)
Jan 23 12:01:49 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> -> pam_sm_authenticate
Jan 23 12:01:49 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)
Jan 23 12:01:49 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> -> pam_sm_authenticate
Jan 23 12:01:49 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> pam_sm_common() failed 7
Jan 23 12:01:49 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)

############################# Configuration ##########################
shiny-server]# adinfo --sysinfo config
System Diagnostic
===================Property values===================
adclient.clients.socket: /var/centrifydc/daemon
adclient.clients.socket2: /var/centrifydc/daemon2
adclient.custom.attributes.user: unixUserPassword msSFU30Password
adclient.krb5.service.principals: cifs nfs
adclient.local.account.manage: true
adclient.refresh.interval.dz: 90
adclient.samba.sync: true
adclient.schema.extensions.search.add.paged.control: true
adclient.schema.extensions.search.skip.displayname.filter: true
adclient.version2.compatible: false
dns.dc.glc.xxx.ddd: nosuchhost
dns.dc.m-oig.xxx.ddd: nosuchhost
dns.dc.rsma.xxx.ddd: nosuchhost
dns.gc.glc.xxx.ddd: nosuchhost
dns.gc.m-oig.xxx.ddd: nosuchhost
dns.gc.rsma.xxx.ddd: nosuchhost
log: DEBUG
nss.nobody.gid: 99
nss.nobody.group: nobody
nss.nobody.uid: 99
nss.nobody.user: nobody
nss.program.ignore: useradd,adduser,groupadd,addgroup,userdel,groupdel,usermod,groupmod,chfn,chsh,chpasswd,gpasswd,pwconv,pwunconv,grpconv,grpunconv,redhat-config-users,unix_chkpwd
nss.runtime.defaultvalue.var.domain: ggg.eee.tyy.ddd
nss.runtime.defaultvalue.var.home: /home
nss.runtime.defaultvalue.var.host:
nss.runtime.defaultvalue.var.shell: /bin/bash
nss.runtime.defaultvalue.var.site: P1-SITE-1
nss.runtime.defaultvalue.var.zone: NonLockdown
nss.shell.nologin: /sbin/nologin
pam.allow.override: root
pam.mfa.program.ignore: sshd ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd shiny-server
pam.password.enter.mesg: RBPassword:\
samba.base.path: /usr
samba.interop.uselibtdb: true
samba.libtdb.path: /usr/lib64/libtdb.so.1
secedit.system.access.lockoutbadcount: 5
secedit.system.access.lockoutduration: 5
secedit.system.access.maximumpasswordage: 90
secedit.system.access.minimumpasswordage: 7

 


If MFA is being ignored for one user but not another user, the configuration is likely correct but the user's authentication is failing for another reason.  

 

It's tough to tell why from the debug snippet provided. A PAM_AUTH_ERR can occur for a number of reasons, like the user doesn't have access, wrong password, etc. Near the PAM_AUTH_ERR lines, you should see a reason why the failure occurred. If we have a larger log file set, we can help pinpoint why.

 

Regards,

Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation
Participant II

NOTE: Centrify does say MFA is not required, yet it is still referencing the smartcard.

Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin DA audit trail library is unavailable
667 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.internal The targets setting of Centrify Suite/PAM is -1, don't known what value to override, so will inherit global targets setting
668 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.internal The final targets setting of Centrify Suite/PAM is 2.
669 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.internal No machine provided, use long local hostname cdsadcashstnme.
670 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.internal No eventTime provided, use now time 1548262468.612770.
671 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin DA audit trail library is unavailable
672 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin Escape the audit trail event parameter to [shiny-server]
673 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin Escape the audit trail event parameter to [(none)]
674 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin Escape the audit trail event parameter to [(none)]
675 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin Escape the audit trail event parameter to [Authentication failure]
676 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin Escape the audit trail event parameter to [false]
677 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin Escape the audit trail event parameter to [ggg.eee.tyy.ddd\\cdsadcashstnme]
678 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|103|PAM authentication denied|5|user=b1rxr16(type:ad,B1RXR16@ggg.eee.tyy.ddd) pid=12775 utc=1548262468612 centrifyEventID=24103 DASessID=N/A DAInst=N/A status=DENIED service=shiny-server tty=(none) client=(none) reason=Authentication failure MfaRequired=false EntityName=ggg.eee.tyy.ddd\\cdsadcashstnme
679 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > daemon.ipcclient2 request 'ATProxySetAuditTrailEvent' complete
680 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> util.threadpool Pool size 3/4, busy size 1/20
681 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)
682 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> daemon.ipcserver Accepted new lrpc2 client on <fd:27> with flags 0x00000802
683 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> daemon.ipcserver lrpc client disconnected normally <fd:25>
684 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> daemon.ipcserver lrpc client disconnected normally <fd:26>
685 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> util.threadpool Pool size 3/4, busy size 1/20
686 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> -> pam_sm_authenticate
687 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> PAM Options: deny
688 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> PAM Flags: (none)
689 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> check_smartcard_user [0]
690 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> smartcard.allow.noeku is set to 0.
691 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> smartcard.check.kdc.eku is set to 0.
692 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> invoke_pkinit() : 0
693 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> daemon.ipcserver Accepted new lrpc2 client on <fd:25> with flags 0x00000802
694 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> util.threadpool Pool size 3/4, busy size 1/20
695 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > daemon.ipcclient2 executing request 'PAMGetUnixName' in thread 140504825104128
696 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > daemon.ipcclient2 Getting unix name of 'b1rxr16'
697 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > adclient.pam.util Creating CimsContext
698 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > adclient.pam.util username b1rxr16, presented: , effective: , unix: unknown
699 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > base.adagent Find GUID: 7e87eae601daf1469f3aadfae773b785 (7)
700 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > base.objecthelper age 0, expire age 3600, cutoff time 0, refresh 5, negative=false, cacheOps 7
701 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > daemon.ipcclient2 Unix name for 'b1rxr16' is 'b1rxr16'
702 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > daemon.ipcclient2 request 'PAMGetUnixName' complete
703 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> util.threadpool Pool size 3/4, busy size 1/20
704 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> pam_sm_common() failed 7
705 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> util.threadpool Pool size 3/4, busy size 1/20
706 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)
707 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> daemon.ipcserver lrpc client disconnected normally <fd:25>
708 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> daemon.ipcserver lrpc client disconnected normally <fd:27>
709 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-592289, attribute=0x20000007
710 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-517846, attribute=0x20000007
711 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-587780, attribute=0x20000007
712 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-1030247, attribute=0x20000007
713 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-589790, attribute=0x20000007
714 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-596009, attribute=0x20000007
715 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-1379447, attribute=0x20000007
716 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-1075820, attribute=0x20000007
717 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-1030265, attribute=0x20000007


Centrify is saying that the authentication failed.

 

678 Jan 23 11:54:28 cdsadcashstnme adclient[2081]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|103|PAM authentication denied|5|user=b1rxr16(type:ad,B1RXR16@ggg.eee.tyy.ddd) pid=12775 utc=1548262468612 centrifyEventID=24103 DASessID=N/A DAInst=N/A status=DENIED service=shiny-server tty=(none) client=(none) reason=Authentication failure MfaRequired=false EntityName=ggg.eee.tyy.ddd\\cdsadcashstnme

 

Please double check the account.  Make sure the account is visible with "adquery user b1rxr16" and privileges are setup correctly with "dzinfo b1rxr16".

 

Regards,

Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation
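The thread's diagnosis comes down to two checks: find the PAM service name that is actually calling the Centrify module (the `<fd:N name(pid)> -> pam_sm_authenticate` lines) and confirm it appears in `pam.mfa.program.ignore` as reported by `adinfo --sysinfo config`, then read the `AUDIT_TRAIL` event for `MfaRequired` and `reason` to tell an MFA prompt apart from a plain credential failure. The script below does both over a log excerpt. It is an added example, not code from this thread or from Centrify; the config and log samples are constructed in the same format as the excerpts above (hostname, domain, user and pids are made up), and the function names and the verdict wording are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed subset of `adinfo --sysinfo config` output ("key: value" lines).
SAMPLE_CONFIG = """\
System Diagnostic
===================Property values===================
log: DEBUG
nss.program.ignore: useradd,adduser,groupadd,unix_chkpwd
pam.allow.override: root
pam.mfa.program.ignore: sshd ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd shiny-server
pam.password.enter.mesg: RBPassword:\\
"""

# Constructed /var/log/centrifydc.log excerpt: one denied shiny-server attempt
# with its AUDIT_TRAIL event, and one successful sshd login (made-up host/pids).
SAMPLE_LOG = """\
Jan 23 12:01:01 host1 adclient[2081]: DEBUG <fd:23 crond(6452)> <- pam_sm_close_session, result=PAM_IGNORE(25)
Jan 23 12:01:15 host1 adclient[2081]: DEBUG <fd:23 shiny-server(12775)> -> pam_sm_authenticate
Jan 23 12:01:15 host1 adclient[2081]: INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|103|PAM authentication denied|5|user=b1rxr16(type:ad,B1RXR16@example.test) pid=12775 utc=1548262468612 centrifyEventID=24103 DASessID=N/A DAInst=N/A status=DENIED service=shiny-server tty=(none) client=(none) reason=Authentication failure MfaRequired=false EntityName=example.test\\\\host1
Jan 23 12:01:15 host1 adclient[2081]: DEBUG <fd:23 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)
Jan 23 12:02:00 host1 adclient[2081]: DEBUG <fd:30 sshd(13001)> -> pam_sm_authenticate
Jan 23 12:02:03 host1 adclient[2081]: DEBUG <fd:30 sshd(13001)> <- pam_sm_authenticate, result=PAM_SUCCESS(0)
"""

# Matches "<fd:23 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)"
PAM_RE = re.compile(
    r"<fd:(\d+) ([^\s(]+)\((\d+)\)> (->|<-) (pam_sm_\w+)(?:, result=(\w+)\((\d+)\))?"
)
# key=value pairs whose values may contain spaces ("reason=Authentication failure")
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_config(text: str) -> Dict[str, str]:
    """Turn the 'key: value' lines of adinfo --sysinfo config into a dict."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([\w.\-]+):\s*(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def mfa_ignored_programs(cfg: Dict[str, str]) -> List[str]:
    """pam.mfa.program.ignore is a space-separated list of PAM service names."""
    return cfg.get("pam.mfa.program.ignore", "").split()


def parse_audit_trail(line: str) -> Optional[Dict[str, str]]:
    """Split an AUDIT_TRAIL event: pipe-delimited header, then key=value payload."""
    idx = line.find("AUDIT_TRAIL|")
    if idx < 0:
        return None
    parts = line[idx:].split("|", 7)
    if len(parts) < 8:
        return None
    event = {"product": parts[1], "component": parts[2],
             "event_id": parts[4], "event_name": parts[5]}
    event.update(dict(KV_RE.findall(parts[7])))
    return event


def verdict(a: dict) -> str:
    """Interpret one pam_sm_authenticate call the way the replies above do."""
    if a["result"] in (None, "PAM_SUCCESS"):
        return "ok"
    if not a["mfa_exempt"]:
        return "service not in pam.mfa.program.ignore: check the PAM service name, then adreload"
    if a["mfa_required"] == "false":
        return "MFA exemption in effect; denial is a credential/access failure, not MFA"
    return "denied; read the log lines around the PAM_AUTH_ERR for the reason"


def triage(config_text: str, log_text: str) -> List[dict]:
    """Pair pam_sm_authenticate entry/exit by (fd, pid); join AUDIT_TRAIL by pid."""
    ignored = set(mfa_ignored_programs(parse_config(config_text)))
    attempts: Dict[tuple, dict] = {}
    audits: Dict[str, Dict[str, str]] = {}
    for line in log_text.splitlines():
        ev = parse_audit_trail(line)
        if ev is not None:
            audits[ev.get("pid", "")] = ev
            continue
        m = PAM_RE.search(line)
        if not m or m.group(5) != "pam_sm_authenticate":
            continue
        fd, service, pid, direction, _func, result, _code = m.groups()
        if direction == "->":            # entry: a new attempt on this fd/pid
            attempts[(fd, pid)] = {"service": service, "pid": pid, "result": None}
        elif (fd, pid) in attempts:      # exit: record the PAM return code name
            attempts[(fd, pid)]["result"] = result
    findings = []
    for a in attempts.values():
        audit = audits.get(a["pid"], {})
        a["mfa_exempt"] = a["service"] in ignored
        a["mfa_required"] = audit.get("MfaRequired", "unknown")
        a["reason"] = audit.get("reason", "")
        a["verdict"] = verdict(a)
        findings.append(a)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"{f['service']}({f['pid']}): result={f['result']} exempt={f['mfa_exempt']} "
              f"MfaRequired={f['mfa_required']} -> {f['verdict']}")
```

On a real host, feed it the output of `adinfo --sysinfo config` and the `addebug on` log instead of the constructed samples; the shiny-server case in the sample reproduces the thread's conclusion (service exempt, `MfaRequired=false`, `reason=Authentication failure`), which points at the account or its role rather than at the MFA setting.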