HP Unix Password Sync Issue

Article ID: 108971


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

Users are able to connect to the Unix system through PAM using autologin. The issue is only with password verification: the target account cannot be synchronized.

The catalina logs show that the verification is failing. After executing "echo $?", PAM expects to receive the value 0 from the device and is getting 1 instead, which means that there is a process that was running and did not finish.

Operating system of the Unix host: HP UNIX 11.31
HP UNIX 11 v3

The verification was working before, and it works for the root user but not for others.

Environment

CA PAM All

Cause

What is happening is that the root user and the other user run different scripts at initialization (for instance the .profile and .login, which is running /bin/bash):
http://www.linuxfromscratch.org/blfs/view/6.3/postlfs/profile.html

By construction, when you log in to the Unix system (via PAM or ssh), the init scripts corresponding to the user's shell are run. These scripts consist of different commands, settings for environment variables, etc., which must complete and which may fail or give unexpected results (e.g. a not found error). Any failure running the init scripts of your shell may be shown when you log in interactively but will not show up when using PAM, since that is not an interactive login.

One of the things that the password verification process does is to verify successful login into the UNIX machine. To do that, an

echo $? 

is issued just after login. This command gives, as you know, the return code of the last command run, which will of course be the result of running the init scripts for your shell.

For instance, if the profile contains 

PATH=$PATH:. 

then echo $? will be 0 because this is a correct command and it completed successfully. However, should it contain

PATH=$PATH;. 

where I have made a mistake, then echo $? after login would not be 0.

We have verified by logging in through PAM access and also through ssh that the root user gives 0 as echo $? just after login, whereas for pamuser, just after login echo $? is 1.

Resolution

1. Compare which scripts are run at login for the root user and for the affected user. Check command by command whether any of them gives an error. That will give an idea of what is wrong.

2. Create a very simple user, without any initialization script, just the result of useradd, and see if you face the same problem.

If 2 works but not 1, it means there is something in the account's configuration you need to check.
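
One way to carry out the command-by-command check from step 1 on a copy of a profile, as an added example (not part of the original article and not CA PAM code). The function names, file names and the missing command are hypothetical, and the sample profiles are constructed; the failing line is a "not found" error of the kind mentioned above.

```sh
#!/bin/sh
# Added example (not vendor code): reproduce the "echo $?" check that follows login.

# login_status FILE: source FILE in a subshell, as a login shell sources the
# user's init script, and return the status "echo $?" would report afterwards.
login_status() {
    ( . "$1" ) >/dev/null 2>&1
}

# first_failing_line FILE: evaluate FILE one line at a time in a single subshell
# and print the number of the first line that returns non-zero (0 if none).
# Assumption: each command fits on one line (no multi-line if/case/here-docs).
first_failing_line() {
    (
        n=0
        while IFS= read -r line; do
            n=$((n + 1))
            case $line in '' | '#'*) continue ;; esac
            eval "$line" </dev/null >/dev/null 2>&1 || { echo "$n"; exit 0; }
        done <"$1"
        echo 0
    )
}

# Constructed sample profiles; file names and the missing command are hypothetical.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
good="$tmp/profile.good"
bad="$tmp/profile.bad"
printf '%s\n' 'PATH=$PATH:.' 'export PATH' >"$good"
printf '%s\n' 'PATH=$PATH:.' 'export PATH' 'pam_example_missing_cmd' >"$bad"

for f in "$good" "$bad"; do
    rc=0
    login_status "$f" || rc=$?
    echo "$(basename "$f"): echo \$? after login = $rc, first failing line = $(first_failing_line "$f")"
done
```

Run it against copies of the root user's and the affected user's init scripts rather than the constructed samples to see which line leaves a non-zero status behind.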