Jupyterhub no longer working with Kerberos/AD (Ubuntu)

  • Question

  • Hi,

    I've built a number of these DS VMs over the past 18 months, most are used for a period of time then deleted.  As I build so many of them I have a nice installation script that I follow every time that ensures I don't make any mistakes and the install works.

    I've just built a new DS VM from the Marketplace as usual.  Installed the various packages to support Kerberos talking to a Windows 2016 DC.  I am using SSSD and Krb5 on the VM to connect, along with Oddjob for creating users' home directories.  The DS VM is joined to the domain and I can see Kerberos tickets flowing between the DS VM and DC.  I can SSH into the DSVM with a domain user with no problems, the user gets a home dir created with their user name, happy days.  The problem appears to be with Jupyterhub: when I try to log in with a domain account I get an invalid username warning.

    Looking at the auth.log I can see the following:

    dsvm python: pam_sss(jupyterhub:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=testuser
    dsvm python: pam_sss(jupyterhub:account): Access denied for user testuser: 6 (Permission denied)

    Similar in the Jupyterhub.log

    [JupyterHub auth:628] PAM Account Check failed (testuser@::ffff:172.16.201.2): [PAM Error 6] Permission denied
    [JupyterHub base:504] Failed login for testuser

    The interesting thing is on the DC I can see the Kerberos ticket is successful so the domain has authenticated the user but for some reason this isn't getting handed back to Jupyterhub to allow it to process the login.  I can log in with a local account into Jupyterhub and that works.

    I have some older builds of the DSVM and they are working as expected. I've checked the configuration files and they appear the same so I am at a loss why these new builds aren't working properly.  If anyone can offer some help or provide me with some more detailed troubleshooting advice I would be very grateful!

    Thanks!

    Rob

    Monday, November 5, 2018 8:20 PM
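
Added example, not part of the original post: the two auth.log lines above come from different PAM phases of the `jupyterhub` service (`auth` succeeded, `account` was refused), and this Python sketch pairs them per service and user so that split is visible across a whole log. The `sshd` sample line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two auth.log lines quoted in the post, plus one
# constructed sshd line for contrast (the sshd line is NOT from the post).
SAMPLE_AUTH_LOG = """\
dsvm python: pam_sss(jupyterhub:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=testuser
dsvm python: pam_sss(jupyterhub:account): Access denied for user testuser: 6 (Permission denied)
dsvm sshd[1234]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.201.2 user=testuser
"""

# pam_sss(<service>:<phase>): <message>
PAM_SSS = re.compile(r"pam_sss\((?P<service>[^:()]+):(?P<phase>\w+)\):\s*(?P<msg>.*)")
# \buser= skips "ruser=" and matches only the trailing "user=<name>" field.
AUTH_OK = re.compile(r"authentication success;.*\buser=(?P<user>\S+)")
ACCT_DENY = re.compile(
    r"Access denied for user (?P<user>[^:\s]+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

def pam_phase_outcomes(log_text):
    """Return {(service, user): {"auth": ..., "account": ...}} from pam_sss lines."""
    outcomes = defaultdict(dict)
    for line in log_text.splitlines():
        m = PAM_SSS.search(line)
        if not m:
            continue
        service, phase, msg = m["service"], m["phase"], m["msg"]
        if phase == "auth" and (ok := AUTH_OK.search(msg)):
            outcomes[(service, ok["user"])]["auth"] = "success"
        elif phase == "account" and (deny := ACCT_DENY.search(msg)):
            outcomes[(service, deny["user"])]["account"] = (
                f"denied ({deny['code']}: {deny['text']})"
            )
    return dict(outcomes)

def authenticated_but_denied(log_text):
    """(service, user) pairs that passed the auth phase but failed the account phase."""
    return sorted(
        key for key, phases in pam_phase_outcomes(log_text).items()
        if phases.get("auth") == "success"
        and phases.get("account", "").startswith("denied")
    )

if __name__ == "__main__":
    for service, user in authenticated_but_denied(SAMPLE_AUTH_LOG):
        print(f"{user}: authenticated, then refused in the account phase of '{service}'")
```

Run against the real `/var/log/auth.log`, a pair reported here means the credentials were accepted and the refusal came from the account (access) check for that specific PAM service name.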