How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-server"

12-11-2018 12:54 PM
We use MFA for some users, but this R application will not accept credentials. Since the application does not need MFA, we tried setting
pam.mfa.program.ignore: ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd shiny-server.
Still get the same message. Any ideas?
Re: How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-server"
12-11-2018 01:14 PM
Welcome to the community.
When posting, would you be kind enough to tell us the operating system, version and version of our software?
Keep in mind that we can provide MFA for UNIX/Linux (for console or remote login and privilege elevation via dzdo) or for Windows for Login (console, remote, screen unlock, privilege elevation or offline access). It looks like you may be dealing with a PAM-enabled app in UNIX/Linux, but it's much easier if you tell us the info above.
If this is for remote access
By using the parameter you mentioned, pam.mfa.program.ignore, you usually have to reload the agent configuration (e.g. running adreload with elevated rights) or you may have to restart the centrifydc service, depending on the version.
Alternatively, since you are disabling access overall for this app, you can do this by assigning the target users a role that does not challenge for MFA.
If this is for Privilege Elevation
Note that if this is an application to be run with privileges, as you define them, make sure the respective checkbox (per platform) is unchecked:
R.P
Re: How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-server"
12-11-2018 01:40 PM
Thank you for your timely reply, and yes, I should have known better. Anyway:
Linux (Red Hat release 6.9), CentrifyDC 5.4.3-901.
We did restart the agent and flush the cache after we made the change. The target role would require a lot more effort, but shouldn't this have been enough?
Re: How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-server"
12-11-2018 02:15 PM
If, after doing an adreload and a service centrifydc restart, this did not take, support may have to take a look.
It is super important that the application in question is PAM-aware and that its PAM configuration stanzas are looking at the system PAM config.
One last check: if you want to see the client's current in-memory working parameters, you can use
adinfo --sysinfo config
and grep for the parameter you just set. If the parameter lists your program (with the correct PAM name) and still prompts, I am sure support may want to take a deeper look.
R.P
Re: How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-server"
12-11-2018 06:18 PM
The parameter pam.mfa.program.ignore should work but you need to make sure you include the correct name of the application calling the Centrify PAM module.
To confirm the name of the application, enable Centrify debug, attempt the login and confirm the name of the application. I'll use SSH as an example:
# /usr/share/centrifydc/bin/addebug on
/var/log/centrify_client.log does not exist. Creating now.
Configure /etc/rsyslog.conf
Send HUP signal to rsyslogd
Configure log level in /etc/centrifydc/centrifydc.conf
Reload /etc/centrifydc/centrifydc.conf
/usr/sbin/adreload returned 0
Centrify DirectControl debug logging is on
# tail -f /var/log/centrifydc.log | grep pam_sm
Dec 11 18:10:08 r10-sap-74 adclient[21097]: DEBUG <fd:23 sshd(21990)> -> pam_sm_authenticate
Dec 11 18:10:18 r10-sap-74 adclient[21097]: DEBUG <fd:28 sshd(21990)> -> cloud pam_sm_authenticate
As we can see, sshd is the name of the application calling the Centrify PAM module. If I add sshd to pam.mfa.program.ignore and run "adreload", then log in again with sshd, I don't get MFA.
Remember to turn off debug:
# /usr/share/centrifydc/bin/addebug off
Please give this a try in your environment. If it doesn't work, we will need a debug log showing the issue.
Regards,
VP of Enterprise Solutions
Centrify Corporation
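The log-reading step above, as an added example in script form (this is not code from the post or from Centrify): it scans adclient debug lines for the `<fd:N service(pid)> -> pam_sm_*` context, collects the PAM service name each caller presented, and compares those names against a pam.mfa.program.ignore value. It assumes the debug line format shown in the post and the whitespace-separated form of pam.mfa.program.ignore shown later in this thread; exact, case-sensitive matching is an assumption, and the sample lines are copied from this thread rather than a complete log.

```python
"""Find which PAM service names call the Centrify PAM module in an adclient
debug log, then check each one against a pam.mfa.program.ignore value.
Added example; the sample lines are copied from this thread."""
import re
from typing import Dict, Iterable, List, Set

# Thread context of an adclient DEBUG line as shown in the posts above, e.g.
#   "... adclient[21097]: DEBUG <fd:23 sshd(21990)> -> pam_sm_authenticate"
#   "... adclient[2081]: DEBUG <fd:23 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)"
# The token before "(pid)" is the PAM service name the caller presented;
# that is the exact string pam.mfa.program.ignore has to contain.
PAM_CALL_RE = re.compile(
    r"adclient\[\d+\]: DEBUG <fd:\d+ (?P<service>[^\s(]+)\((?P<pid>\d+)\)> "
    r"(?P<direction>->|<-) (?:cloud )?(?P<func>pam_sm_\w+)"
    r"(?:, result=(?P<result>[A-Z_]+)\((?P<code>\d+)\))?"
)

# A token with characters outside a plain program name, or ending in a
# period (sentence punctuation pasted into the value), can never match a
# PAM service name exactly, so the last entry silently stops working.
SUSPICIOUS_TOKEN_RE = re.compile(r"[^A-Za-z0-9_.\-]|\.$")

# Sample input copied from this thread (not a complete log).
SAMPLE_LOG: List[str] = [
    "Dec 11 18:10:08 r10-sap-74 adclient[21097]: DEBUG <fd:23 sshd(21990)> -> pam_sm_authenticate",
    "Dec 11 18:10:18 r10-sap-74 adclient[21097]: DEBUG <fd:28 sshd(21990)> -> cloud pam_sm_authenticate",
    "Jan 23 12:01:01 cdsadcashstnme adclient[2081]: DEBUG <fd:23 crond(6452)> <- pam_sm_close_session, result=PAM_IGNORE(25)",
    "Jan 23 12:01:15 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> -> pam_sm_authenticate",
    "Jan 23 12:01:15 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)",
]


def pam_callers(lines: Iterable[str]) -> Dict[str, Dict[str, Set[str]]]:
    """service -> pam_sm_* function -> set of result names seen for it.
    Entry lines ("->") register the function with no result yet."""
    callers: Dict[str, Dict[str, Set[str]]] = {}
    for line in lines:
        m = PAM_CALL_RE.search(line)
        if not m:
            continue
        results = callers.setdefault(m["service"], {}).setdefault(m["func"], set())
        if m["result"]:
            results.add(m["result"])
    return callers


def parse_ignore_list(value: str) -> List[str]:
    """pam.mfa.program.ignore as shown on this page is whitespace-separated."""
    return value.split()


def suspicious_tokens(tokens: Iterable[str]) -> List[str]:
    """Tokens that cannot match any PAM service name exactly."""
    return [t for t in tokens if SUSPICIOUS_TOKEN_RE.search(t)]


def mfa_ignore_report(log_lines: Iterable[str], ignore_value: str) -> Dict[str, bool]:
    """For every service seen calling pam_sm_authenticate, whether the ignore
    list contains exactly that name. Exact, case-sensitive comparison is an
    assumption; the thread does not say whether the agent normalises names."""
    ignored = set(parse_ignore_list(ignore_value))
    return {
        service: service in ignored
        for service, funcs in pam_callers(log_lines).items()
        if "pam_sm_authenticate" in funcs
    }


if __name__ == "__main__":
    conf_value = "sshd ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd shiny-server"
    for service, covered in mfa_ignore_report(SAMPLE_LOG, conf_value).items():
        print(f"{service:14s} in pam.mfa.program.ignore: {covered}")
    # A trailing period pasted into the value breaks the last entry.
    for bad in suspicious_tokens(parse_ignore_list(conf_value + ".")):
        print(f"suspicious token, will never match: {bad!r}")
```

Run it against the output of `tail -f /var/log/centrifydc.log | grep pam_sm` and the value reported by `adinfo --sysinfo config`; a service that shows `False` in the report, or any token flagged as suspicious, is a configuration problem, while a service that shows `True` and still fails points past MFA to the authentication result itself.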
Re: How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-server"
a month ago
Your help has been incredibly useful. We now have a better test user, but the result is the same:
Jan 23 12:01:01 cdsadcashstnme adclient[2081]: DEBUG <fd:23 crond(6452)> <- pam_sm_close_session, result=PAM_IGNORE(25)
Jan 23 12:01:15 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> -> pam_sm_authenticate
Jan 23 12:01:15 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)
Jan 23 12:01:15 cdsadcashstnme adclient[2081]: DEBUG <fd:26 shiny-server(12775)> -> pam_sm_authenticate
Jan 23 12:01:15 cdsadcashstnme adclient[2081]: DEBUG <fd:26 shiny-server(12775)> pam_sm_common() failed 7
Jan 23 12:01:15 cdsadcashstnme adclient[2081]: DEBUG <fd:26 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)
Jan 23 12:01:49 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> -> pam_sm_authenticate
Jan 23 12:01:49 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)
Jan 23 12:01:49 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> -> pam_sm_authenticate
Jan 23 12:01:49 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> pam_sm_common() failed 7
Jan 23 12:01:49 cdsadcashstnme adclient[2081]: DEBUG <fd:23 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)
############################# Configuration ##########################
# adinfo --sysinfo config
System Diagnostic
===================Property values===================
adclient.clients.socket: /var/centrifydc/daemon
adclient.clients.socket2: /var/centrifydc/daemon2
adclient.custom.attributes.user: unixUserPassword msSFU30Password
adclient.krb5.service.principals: cifs nfs
adclient.local.account.manage: true
adclient.refresh.interval.dz: 90
adclient.samba.sync: true
adclient.schema.extensions.search.add.paged.control: true
adclient.schema.extensions.search.skip.displayname.filter: true
adclient.version2.compatible: false
dns.dc.glc.xxx.ddd: nosuchhost
dns.dc.m-oig.xxx.ddd: nosuchhost
dns.dc.rsma.xxx.ddd: nosuchhost
dns.gc.glc.xxx.ddd: nosuchhost
dns.gc.m-oig.xxx.ddd: nosuchhost
dns.gc.rsma.xxx.ddd: nosuchhost
log: DEBUG
nss.nobody.gid: 99
nss.nobody.group: nobody
nss.nobody.uid: 99
nss.nobody.user: nobody
nss.program.ignore: useradd,adduser,groupadd,addgroup,userdel,groupdel,usermod,groupmod,chfn,chsh,chpasswd,gpasswd,pwconv,pwunconv,grpconv,grpunconv,redhat-config-users,unix_chkpwd
nss.runtime.defaultvalue.var.domain: ggg.eee.tyy.ddd
nss.runtime.defaultvalue.var.home: /home
nss.runtime.defaultvalue.var.host:
nss.runtime.defaultvalue.var.shell: /bin/bash
nss.runtime.defaultvalue.var.site: P1-SITE-1
nss.runtime.defaultvalue.var.zone: NonLockdown
nss.shell.nologin: /sbin/nologin
pam.allow.override: root
pam.mfa.program.ignore: sshd ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd shiny-server
pam.password.enter.mesg: RBPassword:\
samba.base.path: /usr
samba.interop.uselibtdb: true
samba.libtdb.path: /usr/lib64/libtdb.so.1
secedit.system.access.lockoutbadcount: 5
secedit.system.access.lockoutduration: 5
secedit.system.access.maximumpasswordage: 90
secedit.system.access.minimumpasswordage: 7

Re: How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-server"
a month ago - last edited a month ago
If MFA is being ignored for one user but not another, the configuration is likely correct, but the user's authentication is failing for another reason.
It's tough to tell why from the debug snippet provided. A PAM_AUTH_ERR can occur for a number of reasons, like the user not having access, a wrong password, etc. Near the PAM_AUTH_ERR lines, you should see a reason why the failure occurred. If we have a larger log file set, we can help pinpoint why.
Regards,
VP of Enterprise Solutions
Centrify Corporation
Re: How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-server"
a month ago
NOTE: Centrify does say MFA not required yet it still is referencing smartcard.
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin DA audit trail library is unavailable
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.internal The targets setting of Centrify Suite/PAM is -1, don't known what value to override, so will inherit global targets setting
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.internal The final targets setting of Centrify Suite/PAM is 2.
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.internal No machine provided, use long local hostname cdsadcashstnme.
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.internal No eventTime provided, use now time 1548262468.612770.
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin DA audit trail library is unavailable
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin Escape the audit trail event parameter to [shiny-server]
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin Escape the audit trail event parameter to [(none)]
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin Escape the audit trail event parameter to [(none)]
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin Escape the audit trail event parameter to [Authentication failure]
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin Escape the audit trail event parameter to [false]
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > audittrail.plugin Escape the audit trail event parameter to [ggg.eee.tyy.ddd\\cdsadcashstnme]
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|103|PAM authentication denied|5|user=b1rxr16(type:ad,B1RXR16@ggg.eee.tyy.ddd) pid=12775 utc=1548262468612 centrifyEventID=24103 DASessID=N/A DAInst=N/A status=DENIED service=shiny-server tty=(none) client=(none) reason=Authentication failure MfaRequired=false EntityName=ggg.eee.tyy.ddd\\cdsadcashstnme
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:26 ATProxySetAuditTrailEvent > daemon.ipcclient2 request 'ATProxySetAuditTrailEvent' complete
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> util.threadpool Pool size 3/4, busy size 1/20
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> daemon.ipcserver Accepted new lrpc2 client on <fd:27> with flags 0x00000802
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> daemon.ipcserver lrpc client disconnected normally <fd:25>
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> daemon.ipcserver lrpc client disconnected normally <fd:26>
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> util.threadpool Pool size 3/4, busy size 1/20
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> -> pam_sm_authenticate
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> PAM Options: deny
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> PAM Flags: (none)
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> check_smartcard_user [0]
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> smartcard.allow.noeku is set to 0.
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> smartcard.check.kdc.eku is set to 0.
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> invoke_pkinit() : 0
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> daemon.ipcserver Accepted new lrpc2 client on <fd:25> with flags 0x00000802
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> util.threadpool Pool size 3/4, busy size 1/20
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > daemon.ipcclient2 executing request 'PAMGetUnixName' in thread 140504825104128
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > daemon.ipcclient2 Getting unix name of 'b1rxr16'
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > adclient.pam.util Creating CimsContext
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > adclient.pam.util username b1rxr16, presented: , effective: , unix: unknown
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > base.adagent Find GUID: 7e87eae601daf1469f3aadfae773b785 (7)
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > base.objecthelper age 0, expire age 3600, cutoff time 0, refresh 5, negative=false, cacheOps 7
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > daemon.ipcclient2 Unix name for 'b1rxr16' is 'b1rxr16'
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:25 PAMGetUnixName > daemon.ipcclient2 request 'PAMGetUnixName' complete
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> util.threadpool Pool size 3/4, busy size 1/20
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> pam_sm_common() failed 7
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> util.threadpool Pool size 3/4, busy size 1/20
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <fd:27 shiny-server(12775)> <- pam_sm_authenticate, result=PAM_AUTH_ERR(7)
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> daemon.ipcserver lrpc client disconnected normally <fd:25>
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> daemon.ipcserver lrpc client disconnected normally <fd:27>
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-592289, attribute=0x20000007
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-517846, attribute=0x20000007
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-587780, attribute=0x20000007
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-1030247, attribute=0x20000007
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-589790, attribute=0x20000007
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-596009, attribute=0x20000007
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-1379447, attribute=0x20000007
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-1075820, attribute=0x20000007
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <bg-SECOND:RefreshUserSysrights: B1RXR16@ggg.eee.tyy.ddd (GUID:7e87eae601daf1469f3aadfae773b785) > base.pac Adding remote group SID=S-1-5-21-662528488-348457345-1760376032-1030265, attribute=0x20000007

Re: How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-server"
a month ago
Centrify is saying that the authentication failed:
Jan 23 11:54:28 cdsadcashstnme adclient[2081]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|103|PAM authentication denied|5|user=b1rxr16(type:ad,B1RXR16@ggg.eee.tyy.ddd) pid=12775 utc=1548262468612 centrifyEventID=24103 DASessID=N/A DAInst=N/A status=DENIED service=shiny-server tty=(none) client=(none) reason=Authentication failure MfaRequired=false EntityName=ggg.eee.tyy.ddd\\cdsadcashstnme
Please double check the account. Make sure the account is visible with "adquery user b1rxr16" and privileges are setup correctly with "dzinfo b1rxr16".
Regards,
VP of Enterprise Solutions
Centrify Corporation
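The reading of the AUDIT_TRAIL line in the reply above, as an added example (not code from the thread or from Centrify): it parses the pipe-delimited header and the key=value fields adclient writes, then separates "MFA still applies" from "the authentication itself was denied" using the MfaRequired and status fields. It assumes the AUDIT_TRAIL layout exactly as pasted in this thread; the first sample line is the thread's own event with the wrapped utc value joined back together, the second is constructed to exercise the MfaRequired=true branch and its reason text is illustrative, not a real Centrify message.

```python
"""Triage Centrify adclient AUDIT_TRAIL events: tell 'the MFA exemption did
not apply' apart from 'the credential or authorization check itself failed'.
Added example; sample lines are described inline."""
import re
from typing import Dict, Iterable, List, Optional

# Pipe-delimited header written by adclient, then space-separated key=value
# pairs. Values may contain spaces ("reason=Authentication failure"), so a
# value runs until the next " key=" or the end of the line.
AUDIT_RE = re.compile(
    r"AUDIT_TRAIL\|(?P<product>[^|]+)\|(?P<component>[^|]+)\|(?P<version>[^|]+)\|"
    r"(?P<event>\d+)\|(?P<name>[^|]+)\|(?P<severity>\d+)\|(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

SAMPLE_LINES: List[str] = [
    # Posted in this thread (utc value re-joined after line wrapping).
    r"Jan 23 11:54:28 cdsadcashstnme adclient[2081]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|103|PAM authentication denied|5|user=b1rxr16(type:ad,B1RXR16@ggg.eee.tyy.ddd) pid=12775 utc=1548262468612 centrifyEventID=24103 DASessID=N/A DAInst=N/A status=DENIED service=shiny-server tty=(none) client=(none) reason=Authentication failure MfaRequired=false EntityName=ggg.eee.tyy.ddd\\cdsadcashstnme",
    # Constructed: same layout with MfaRequired=true; the reason text is made up.
    r"Jan 23 11:58:02 cdsadcashstnme adclient[2081]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|103|PAM authentication denied|5|user=b1rxr16(type:ad,B1RXR16@ggg.eee.tyy.ddd) pid=12901 utc=1548262682000 centrifyEventID=24103 DASessID=N/A DAInst=N/A status=DENIED service=shiny-server tty=(none) client=(none) reason=MFA challenge not completed MfaRequired=true EntityName=ggg.eee.tyy.ddd\\cdsadcashstnme",
    # Ordinary debug line from the thread; the parser must skip it.
    "Jan 23 11:54:28 cdsadcashstnme adclient[2081]: DEBUG <main> util.threadpool Pool size 3/4, busy size 1/20",
]


def parse_audit_trail(line: str) -> Optional[Dict[str, str]]:
    """Header fields plus the key=value pairs, or None for a non-audit line."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    event = {k: v for k, v in m.groupdict().items() if k != "fields"}
    event.update(dict(FIELD_RE.findall(m["fields"])))
    return event


def triage(event: Dict[str, str]) -> str:
    """One-line verdict. The thread turns on MfaRequired: a DENIED event with
    MfaRequired=false means the MFA exemption did apply and something else
    rejected the user, so the next checks are the account, not the MFA config."""
    svc = event.get("service", "?")
    user = event.get("user", "?").split("(")[0]
    if event.get("status") != "DENIED":
        return f"{svc}/{user}: not a denial (status={event.get('status')})"
    if event.get("MfaRequired", "").lower() == "true":
        return (f"{svc}/{user}: denied with MFA still required; "
                f"revisit pam.mfa.program.ignore or the user's role")
    return (f"{svc}/{user}: denied, MFA not required ({event.get('reason')}); "
            f"MFA is not the blocker, check 'adquery user {user}' and 'dzinfo {user}'")


def triage_log(lines: Iterable[str]) -> List[str]:
    """Verdicts for every AUDIT_TRAIL event found in the given lines."""
    return [triage(e) for e in (parse_audit_trail(l) for l in lines) if e]


if __name__ == "__main__":
    for verdict in triage_log(SAMPLE_LINES):
        print(verdict)
```

Feed it `grep AUDIT_TRAIL /var/log/centrifydc.log` from a debug session; because the audit line is emitted at INFO level it survives with debug turned off, so the same triage works on a production log where only the PAM denied/granted events are present.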