From d1cd78a80b5728b79e84fdf60f8bc4a05ae69878 Mon Sep 17 00:00:00 2001
From: Simo Tuomisto
Date: Fri, 4 Sep 2020 16:53:06 +0300
Subject: [PATCH] Add a new option pam_enable_slurm_adopt which enables the new slurm pam module with cgroup adoption
---
 defaults/main.yml | 3 +++
 templates/system-auth.j2 | 7 +++++++
 2 files changed, 10 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 6e52399..88db20c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -7,6 +7,9 @@ pam_use_sssd: False
 # Enable the pam_slurm.so module
 pam_enable_slurm: False
+# Enable the pam_slurm_adopt.so module
+pam_enable_slurm_adopt: False
+
 # These are allowed in /etc/security/access.conf, set when
 # pam_enable_slurm == True
 slurm_access_groups:
diff --git a/templates/system-auth.j2 b/templates/system-auth.j2
index 77f9016..8a1394e 100644
--- a/templates/system-auth.j2
+++ b/templates/system-auth.j2
@@ -10,7 +10,9 @@ auth sufficient pam_sss.so use_first_pass
 auth required pam_deny.so
 account required pam_unix.so
+{% if not pam_enable_slurm_adopt %}
 account sufficient pam_localuser.so
+{% endif %}
 account sufficient pam_succeed_if.so uid < 1000 quiet
 {% if pam_use_sssd %}
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
@@ -18,6 +20,9 @@ account [default=bad success=ok user_unknown=ignore] pam_sss.so
 {% if pam_enable_slurm %}
 account sufficient pam_access.so
 account required pam_slurm.so
+{% elif pam_enable_slurm_adopt %}
+-account sufficient pam_slurm_adopt.so action_adopt_failure=deny action_generic_failure=deny
+account required pam_access.so
 {% endif %}
 account required pam_permit.so
@@ -30,7 +35,9 @@ password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
+{% if not pam_enable_slurm_adopt %}
 -session optional pam_systemd.so
+{% endif %}
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
 {% if pam_use_sssd %}
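Review bot: The comment added above `pam_enable_slurm_adopt` does not say how the option relates to `pam_enable_slurm`, and the template in this patch treats the two asymmetrically: the account branch is an `elif`, so `pam_enable_slurm` takes precedence there, while the `pam_localuser.so` and `pam_systemd.so` guards depend on the new flag alone. I would state that here, e.g. `# Enable the pam_slurm_adopt.so module. Do not combine with pam_enable_slurm; also removes pam_localuser.so and pam_systemd.so from the stack.` The context comment below still reads "set when pam_enable_slurm == True", although the new branch relies on `pam_access.so` as well, so that wording probably needs the same update.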
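Review bot: The `{% if not pam_enable_slurm_adopt %}` guard around `pam_localuser.so` depends on the new flag alone, but `pam_slurm_adopt.so` itself is only emitted in the `elif` branch of the next hunk, which is skipped whenever `pam_enable_slurm` is also true. With both flags set, the rendered stack would drop the local-user shortcut (and `pam_systemd.so` in the last hunk) while still running `pam_slurm.so`, which is a combination neither option describes. Either give the guards the same condition as the module, `{% if not (pam_enable_slurm_adopt and not pam_enable_slurm) %}`, or have the role fail early when both flags are true.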
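Review bot: Because `pam_slurm_adopt.so` is `sufficient` here, `action_adopt_failure=deny` and `action_generic_failure=deny` do not reject the login; a failure (or a missing module, which the leading `-` skips without logging) falls through to `account required pam_access.so`, so /etc/security/access.conf is the real gate for users without a job. The defaults file describes the access groups as set when `pam_enable_slurm == True` and the diffstat shows only two files changed, so the task that writes access.conf may not run for the new flag; that task is not visible here and should be checked. If access.conf is left at a permissive default, any user can log in to the node. I would add a template comment such as `{# sufficient: any pam_slurm_adopt failure falls through to pam_access, so access.conf must deny non-admin users #}` and make sure access.conf is rendered when `pam_enable_slurm_adopt` is true.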
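Review bot: Nothing in this hunk records why `pam_systemd.so` is dropped when `pam_enable_slurm_adopt` is set, so a later editor could re-add it; a comment such as `{# pam_systemd puts the login into its own session scope, which conflicts with pam_slurm_adopt's cgroup adoption #}` would prevent that. The guard also covers only services that include system-auth. On RHEL-family hosts sshd usually includes the password-auth stack instead, so if the role renders password-auth from a separate template (not visible in this patch) it needs the same guard and the same account lines.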