2 Replies Latest reply on Nov 15, 2010 9:44 AM by ehall

    dedicated CIM account fail

    ehall Hot Shot

      I have a Cacti plugin that uses WBEM queries to read and graph sensor data, which works correctly with ESXI. I used the root account for testing, but I would like to have a dedicated WBEM account that is limited to just the CIM components.

       

      First I created a new Role called "WBEM Access" and gave it access to the Host->CIM->CIM Interaction and Global->Health objects. Then I created an account called "wbem" and assigned it a simple password (the pam config has been modified). FInally I used the permission screen to assign the WBEM Access role to the wbem account.

       

      Unfortunately when I try to issue queries with the username, I get HTTP authentication errors stating that the username password pair is invalid. I am 100% positive that I am using the correct password. Indeed, I have reassigned the wbem account to the Administrator role in the permission editor, and queries with the account then succeed, but if I change it back to the WBEM Access role then the queries fail again with username password error.

       

      Is there some other permission that needs to be assigned for this to work?

       

      Thanks

        • 1. Re: dedicated CIM account fail
          ehall Hot Shot

          This is a problem with PAM instead of the roles

           

          First, /var/log/messages has the following entry, which indicates that the account is being rejected by PAM

           

          sfcb-CIMXML-Processor[24829]: pam_access(sfcb:auth): access denied for user `wbem' from `sfcb'

           

          Furthermore, I can grant the WBEM role definition with access to every object in the role editor, and will still get username password failure. But when I assign the wbem account to the Administrators role it works fine. This tells me that the accounts are being authenticated differently based on their role assignment, not on the privileges defined in the role. This is odd because there is the "CIM Interaction" role privilege which should be the governor for this.

           

          edit for fix:

           

          /etc/pam.d/sfcb calls /etc/pam.d/system-auth definition for everything, which in turn calls the pam_access module. That module checks the /etc/security/access.conf file to govern who has access to resources. Once I added the wbem user account to that file, I was able to successfully authenticate and perform the wbem queries. Nice thing is that the pam_access module recognizes services as origins, so "+:wbem:sfcb" allows authentication for sfcb but not for (EG) sshd or login

           

          I expected this file to be edited according to the role privileges

           

          edit 2: file is overwritten on reboot, the role priv needs to be incorporated into the auto-generated file

          • 2. Re: dedicated CIM account fail
            ehall Hot Shot

            There is another way to fix this without having to modify the /etc/security/access.conf file on every reboot. Instead, assign the wbem user account to the "root" user group, and also give it the "no access" role. With the user in the root group then pam will allow WBEM queries to pass through to the CIM server using the default access.conf rules, but the "no access" role assignment not prevent the account from being able to login to the vsphere client, the service console, SSH, etc.

             

            1) create a local wbem user, and assign to the "root" user group (Inventory->Users/Groups)

             

            3) assign the wbem user to "no access" role (Inventory->Permissions)