PAMSC + PAM: Solaris Fails with LDAP User and Login Integration

Article ID: 110921

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

Log in to PAM as 'sumanth' and open a PuTTY session with AD user 'test_ps1' (bridged via Centrify). The PuTTY session closes before the login prompt. The AD user is enabled.

Then log in to the box directly with PuTTY (no PAM): the AD user 'test_ps1' can log in, but sewhoami -a displays the PAM user of the failed session above (sumanth).

login as: test_ps1 
Password: 
Last login: Thu Jun 28 10:30:59 2018 from 10.85.244.29 
Sun Microsystems Inc. SunOS 5.10 Generic January 2005 
Sun Microsystems Inc. SunOS 5.10 Generic January 2005 
$ id 
uid=650119697(test_ps1) gid=650119697(test_ps1) 
$ sewhoami -a 
test_ps1 
ACEE Contents 
User's Name : sumanth 
ACEE's Handle : 46 
Group Connections Table: 
<Empty> 
Categories : <None> 
Profile Group : <None> 
Security Label : <None> 
User's Audit Mode : Failure LoginSuccess LoginFailure 
User's Security Level : 0 
Source Terminal : 10.85.193.130 
Process Count for ACEE : 1 
User's Mode : OS_user 
ACEE's Creation Time : Thu Jun 28 11:59:42 2018 

This behavior was noted on Linux as well: whenever PAM fails to log an AD user in using Login Integration, sewhoami -a in the immediately following direct PuTTY session displays the PAM user of the failed session.
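
The symptom above can be checked mechanically. The script below is an added example, not part of the original article or of the product: it parses sewhoami -a output and flags a session whose ACEE user differs from the login user. It assumes, as the transcript suggests, that the first output line is the OS login name; the function names and the trimmed sample are constructed here.

```shell
#!/bin/sh
# Added example (not vendor code): flag a session whose ACEE "User's Name"
# differs from the login name printed on the first line of `sewhoami -a`.

# Constructed sample, trimmed from the transcript in this article.
sample_output() {
cat <<'EOF'
test_ps1
ACEE Contents
User's Name : sumanth
ACEE's Handle : 46
Source Terminal : 10.85.193.130
User's Mode : OS_user
EOF
}

# acee_field NAME: read sewhoami -a output on stdin, print the value of NAME.
# Splits on the first " : " so values such as timestamps stay intact.
acee_field() {
    awk -v key="$1" '
        { p = index($0, " : ") }
        p > 0 {
            name = substr($0, 1, p - 1); val = substr($0, p + 3)
            gsub(/^[ \t]+|[ \t\r]+$/, "", name)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (name == key) { print val; exit }
        }'
}

# check_acee [LOGIN]: stdin is sewhoami -a output. LOGIN defaults to line 1.
# Returns 0 on match, 1 on mismatch, 2 if the output could not be parsed.
check_acee() {
    out=$(cat)
    os_user=${1:-$(printf '%s\n' "$out" | awk 'NR==1 {sub(/[ \t\r]+$/, ""); print; exit}')}
    acee_user=$(printf '%s\n' "$out" | acee_field "User's Name")
    term=$(printf '%s\n' "$out" | acee_field "Source Terminal")
    if [ -z "$os_user" ] || [ -z "$acee_user" ]; then
        echo "UNKNOWN: could not parse sewhoami output"; return 2
    fi
    if [ "$os_user" != "$acee_user" ]; then
        echo "MISMATCH: login=$os_user acee=$acee_user terminal=$term"; return 1
    fi
    echo "OK: login=$os_user acee=$acee_user"
}

# Demo on the constructed sample; on a host: sewhoami -a | check_acee
sample_output | check_acee || :
```

Run it in a direct (non-PAM) session, where a mismatch means the session is being attributed to another user's ACEE.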

Environment

Release:
Component: SCU

Resolution

The issue is with Solaris and OpenSSH.

On the Solaris machine:
# pkgadd -d http://get.opencsw.org/now 
# /opt/csw/bin/pkgutil -U 
# /opt/csw/bin/pkgutil -y -i openssh