https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/385049#M245603 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/109622">@S_chinna</a>&nbsp; To create user follow below steps on knox host</P><P><SPAN>#&nbsp;</SPAN><SPAN class="il">useradd</SPAN><SPAN>&nbsp;&lt;Username&gt; (to create a&nbsp;</SPAN><SPAN class="il">user</SPAN><SPAN>)</SPAN><BR /><SPAN># passwd &lt;Username&gt; (to set the password)</SPAN><BR /><SPAN>- Set read permission on /etc/shadow&nbsp; file&nbsp; for knox user and try to login with the above created credentials</SPAN><BR /><BR /></P> Fri, 15 Mar 2024 13:00:10 GMT Scharan 2024-03-15T13:00:10Z https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/339556#M233108 <P>Hello Team,</P><P>&nbsp;</P><P>I have an issue with setting the Knox authentication with PAM. I have the default <STRONG>login</STRONG> in <STRONG>/etc/pam.d/</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">$ cat /etc/pam.d/login #%PAM-1.0 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so auth substack system-auth auth include postlogin account required pam_nologin.so account include system-auth password include system-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so session optional pam_console.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open session required pam_namespace.so session optional pam_keyinit.so force revoke session include system-auth session include postlogin -session optional pam_ck_connector.so</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Knox-sso looks as following (the default one)</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sayed016_0-1648116799273.png" style="width: 400px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/34001i8DE8700A319F27BD/image-size/medium?v=v2&amp;px=400" role="button" title="Sayed016_0-1648116799273.png" alt="Sayed016_0-1648116799273.png" /></span></P><P>&nbsp;</P><P>I created a user named -&nbsp;<STRONG>test</STRONG>&nbsp;with a password. I tried to access the Knox Gateway UI but I get the issue.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sayed016_1-1648116170710.png" style="width: 400px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/33998iB9D41A14FE53BFE0/image-size/medium?v=v2&amp;px=400" role="button" title="Sayed016_1-1648116170710.png" alt="Sayed016_1-1648116170710.png" /></span></P><P>&nbsp;</P><P>The Knox Gateway log says:</P><P>&nbsp;</P><LI-CODE lang="markup">(KnoxPamRealm.java:handleAuthFailure(170)) - Shiro unable to login: null</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Note: I am using CDP 7.1.6 and I can login to my host (where Knox Gateway is installed) using the <STRONG>test</STRONG> user. Also, there's no Kerberos setup.</P><P>&nbsp;</P><P>Please share if there's something that needs to be adjusted.</P><P>&nbsp;</P><P>Best Regards</P><P>Sayed</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 21 Apr 2026 07:58:44 GMT https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/339556#M233108 Sayed016 2026-04-21T07:58:44Z https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/339560#M233110 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/88786">@Sayed016</a>&nbsp;Can you check the permission on /etc/shadow file, make sure it has 444 permission</P> Thu, 24 Mar 2022 10:20:07 GMT https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/339560#M233110 Scharan 2022-03-24T10:20:07Z https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/339561#M233111 <P>Yes, that resolved the issue! I had 000 as my permission. Thank you&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/35149">@Scharan</a>&nbsp;I appreciate the quick reply.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 24 Mar 2022 10:22:58 GMT https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/339561#M233111 Sayed016 2022-03-24T10:22:58Z https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/339564#M233114 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/35149">@Scharan</a>&nbsp;Can you please give a short explanation as my customer is asking for it as to why shadow file matters in this case i.e. what's the relation with Knox with shadow file? Thank you!&nbsp;</P><P>&nbsp;</P> Thu, 24 Mar 2022 10:34:59 GMT https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/339564#M233114 Sayed016 2022-03-24T10:34:59Z https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/339565#M233115 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/88786">@Sayed016</a>&nbsp;Not only knox whatever the service may&nbsp; be the Pam authentication requires Read permission on /etc/shadow file&nbsp;</P><P>Refer to the below doc for more info</P><P><A href="https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam" target="_blank">https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam</A></P> Thu, 24 Mar 2022 10:54:14 GMT https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/339565#M233115 Scharan 2022-03-24T10:54:14Z https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/339567#M233117 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/35149">@Scharan</a>&nbsp;Thank you! This helps. I appreciate!</P><P>&nbsp;</P> Thu, 24 Mar 2022 11:12:20 GMT https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/339567#M233117 Sayed016 2022-03-24T11:12:20Z https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/351325#M236227 <P>Resolved my error. Thanks</P> Thu, 01 Sep 2022 14:38:53 GMT https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/351325#M236227 naymar 2022-09-01T14:38:53Z https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/385044#M245601 <P>Hi&nbsp;<SPAN>Sayed,</SPAN></P><P>&nbsp;</P><P><SPAN>i Would like to know that how you have created user to access KNOX web UI</SPAN></P> Fri, 15 Mar 2024 12:13:52 GMT https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/385044#M245601 S_chinna 2024-03-15T12:13:52Z https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/385049#M245603 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/109622">@S_chinna</a>&nbsp; To create user follow below steps on knox host</P><P><SPAN>#&nbsp;</SPAN><SPAN class="il">useradd</SPAN><SPAN>&nbsp;&lt;Username&gt; (to create a&nbsp;</SPAN><SPAN class="il">user</SPAN><SPAN>)</SPAN><BR /><SPAN># passwd &lt;Username&gt; (to set the password)</SPAN><BR /><SPAN>- Set read permission on /etc/shadow&nbsp; file&nbsp; for knox user and try to login with the above created credentials</SPAN><BR /><BR /></P> Fri, 15 Mar 2024 13:00:10 GMT https://community.cloudera.com/t5/Support-Questions/Knox-authentication-with-PAM/m-p/385049#M245603 Scharan 2024-03-15T13:00:10Z