
CA XCOM for AIX using PAM receives intermittent message "XCOMU0287E Error setting remote user id: Verify login failed"


Article ID: 189725


Products

XCOM Data Transport

Issue/Introduction

AIX 7.2 running CA XCOM Data Transport r11.6 17020 SP01 64bit has xcom.glb configured with these PAM related variables:
AUTH_TYPE=PAM
PAM_PATH=/usr/lib/

The /etc/pam.conf file contains the following lines for the XCOM PAM service xcomauth:
xcomauth        auth    required        pam_aix
xcomauth        account required        pam_aix

The AIX machine is configured to authenticate against a Windows Active Directory, where a single service account used for all XCOM transfers is created and maintained. XCOM transfers report the error "XCOMU0287E Error setting remote user id: Verify login failed" when multiple (say 10 simultaneous) XCOM connections are received from the same or different hosts.
Is this a known limitation of XCOM, or is there a workaround for the issue above?

Environment

Release : 11.6
Component : CA XCOM Data Transport for AIX

Resolution

1. Configuration:
a. The xcom.glb parameters are correct:
AUTH_TYPE=PAM
PAM_PATH=/usr/lib/   
NOTE:  XCOM expects to find the required file libpam.a in the directory specified by PAM_PATH.

b. The /etc/pam.conf file used to configure the XCOM PAM service xcomauth on UNIX, including AIX, also has the correct entries, i.e.
xcomauth        auth    required        pam_aix
xcomauth        account required        pam_aix

That both files are configured correctly is also supported by the failure pattern: transfers fail only intermittently for the same PAM user, whereas a configuration error would be expected to fail 100% of the time for that user.


2. Transfer Execution:
Enabled "XTRACE=10" in xcom.glb file on AIX server and restarted the xcomd service.
Executed more transfers to generate trace files $XCOM_HOME/TID_number.tra.
The trace file for a successful transfer shows:
===
 security.c 2166: Authentication mechanism used : PAM
 security.c 2169: PAM based authentication for user XCOM
 security.c 2170: verify_login: call PAM user XCOM
 security.c 3031: The path to PAM module is /usr/lib/
 security.c 3150: loadPAMModule: Start
 security.c 3151: PAM Module directory :/usr/lib/
 security.c 3180: loadPAMModule PAM Module=[/usr/lib/libpam.a(shr_64.o)]
 util.c 2934: In xdlopen, lib-length = 27, lib-path = </usr/lib/libpam.a(shr_64.o)>
 security.c 3187: loadPAMModule dlopen ok, PAMhandle=[3]
 security.c 3194: loadPAMModule PAMStart=[9001000a200bf38], PAMAuthenticate=[9001000a200bdb8], PAMAcctMgmt=[9001000a200bda0], PAMGetItem=[9001000a200bef0], PAMEnd=[9001000a200bf20], PAMStrError=[9001000a200bdd0]
 security.c 3206: loadPAMModule exiting with rc 1
 security.c 3049: PAMStart succeeded
 security.c 2971: Msg No:0, msg_style= 1
 security.c 3005: Returning success from pam_userpass_conv
 security.c 3062: PAMAuthenticate succeeded
 security.c 3075: PAMAcctMgmt succeeded
 security.c 3087: PAMGetItem succeeded
 security.c 3091: retval is : XCOM
 security.c 2182: verify_login: returned PAM ldap_user XCOM
===

The trace file for a failed received transfer shows:
===
 security.c 2166: Authentication mechanism used : PAM
 security.c 2169: PAM based authentication for user XCOM
 security.c 2170: verify_login: call PAM user XCOM
 security.c 3031: The path to PAM module is /usr/lib/
 security.c 3150: loadPAMModule: Start
 security.c 3151: PAM Module directory :/usr/lib/
 security.c 3180: loadPAMModule PAM Module=[/usr/lib/libpam.a(shr_64.o)]
 util.c 2934: In xdlopen, lib-length = 27, lib-path = </usr/lib/libpam.a(shr_64.o)>
 security.c 3187: loadPAMModule dlopen ok, PAMhandle=[3]
 security.c 3194: loadPAMModule PAMStart=[9001000a200bf38], PAMAuthenticate=[9001000a200bdb8], PAMAcctMgmt=[9001000a200bda0], PAMGetItem=[9001000a200bef0], PAMEnd=[9001000a200bf20], PAMStrError=[9001000a200bdd0]
 security.c 3206: loadPAMModule exiting with rc 1
 security.c 3049: PAMStart succeeded
 security.c 2971: Msg No:0, msg_style= 1
 security.c 3005: Returning success from pam_userpass_conv
 security.c 3053: PAMAuthenticate status :9
 security.c 3057: PAMAuthenticate failed :Authentication failed
 security.c 2176: verify_login: returned NULL PAM ldap_user.
===

So for the failed transfer it is the PAM authentication step itself that fails: "PAMAuthenticate status :9" and "PAMAuthenticate failed :Authentication failed" (status 9 is PAM_AUTH_ERR in the AIX PAM headers, and the text is what pam_strerror returns for it). Up to that point the failed trace is identical to the successful one: XCOM loads libpam.a, PAMStart succeeds and the password conversation completes, so the failure is returned to XCOM by the authentication service behind pam_aix, which is outside the scope of XCOM.
As the problem appears to be with the remote authentication service (Windows Active Directory) where the authentication is failing, it is suggested that research be focused on the PAM client and remote authentication service configurations. The IBM Knowledge Center article on enabling PAM debug on AIX 7.2 may assist that research: https://www.ibm.com/support/knowledgecenter/ssw_aix_72/security/pam_enabling_debug.html
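When many transfers are traced at once, reading each TID_number.tra by hand is slow. The following script is an added example, not code from XCOM or this article: it classifies the PAM outcome recorded in each trace file using the line formats shown above, counts successes and failures, and lists the failing transfer IDs with the user they authenticated, so the failures can be matched against AD or PAM debug logs by time. The sample trace files it writes are constructed for the demonstration; on a real server point summarize_traces at $XCOM_HOME instead.

```shell
#!/bin/sh
# Added example, not code from XCOM or this article: classify the outcome
# of the PAM step in XCOM trace files ($XCOM_HOME/TID_number.tra, written
# when XTRACE=10 is set) so that intermittent PAMAuthenticate failures can
# be counted and matched to transfer IDs.  The line formats are those shown
# in the article's traces; the sample trace files written by
# make_sample_traces are constructed for this demonstration.

# Print the user name the trace authenticated ("PAM based authentication
# for user XCOM" -> "XCOM"); empty if the line is absent.
trace_user() {
    sed -n 's/.*PAM based authentication for user //p' "$1" | head -n 1
}

# Print "OK", "FAIL <pam status>" or "UNKNOWN" for one trace file.
# A failed trace carries "PAMAuthenticate status :<n>" just before
# "PAMAuthenticate failed :<pam_strerror text>", so the status is
# remembered until the failure line is seen.
classify_trace() {
    awk '
        /PAMAuthenticate succeeded/ { print "OK"; found = 1; exit }
        /PAMAuthenticate status :/  { sub(/.*PAMAuthenticate status :/, ""); status = $0 + 0 }
        /PAMAuthenticate failed/    { print "FAIL " status; found = 1; exit }
        END { if (!found) print "UNKNOWN" }
    ' "$1"
}

# Summarise all *.tra files in a directory on one line:
#   ok=<n> fail=<n> unknown=<n> failed=[TID_x.tra:user ...]
# "unknown" covers traces that never reached PAMAuthenticate (for example a
# transfer that was still running when the trace was copied).
summarize_traces() {
    dir=$1; ok=0; fail=0; unknown=0; failed=""
    for f in "$dir"/*.tra; do
        [ -f "$f" ] || continue
        case $(classify_trace "$f") in
            OK)    ok=$((ok + 1)) ;;
            FAIL*) fail=$((fail + 1)); failed="$failed $(basename "$f"):$(trace_user "$f")" ;;
            *)     unknown=$((unknown + 1)) ;;
        esac
    done
    echo "ok=$ok fail=$fail unknown=$unknown failed=[${failed# }]"
}

# Constructed sample traces (abridged from the article's format): one
# success, one PAM_AUTH_ERR failure, one trace cut off before PAM ran.
make_sample_traces() {
    cat > "$1/TID_1001.tra" <<'EOF'
 security.c 2169: PAM based authentication for user XCOM
 security.c 3049: PAMStart succeeded
 security.c 3062: PAMAuthenticate succeeded
 security.c 3075: PAMAcctMgmt succeeded
EOF
    cat > "$1/TID_1002.tra" <<'EOF'
 security.c 2169: PAM based authentication for user XCOM
 security.c 3049: PAMStart succeeded
 security.c 3053: PAMAuthenticate status :9
 security.c 3057: PAMAuthenticate failed :Authentication failed
 security.c 2176: verify_login: returned NULL PAM ldap_user.
EOF
    cat > "$1/TID_1003.tra" <<'EOF'
 security.c 2166: Authentication mechanism used : PAM
 security.c 2169: PAM based authentication for user XCOM
EOF
}

# Stand-alone run on the constructed traces; on a real server point
# summarize_traces at $XCOM_HOME instead.
demo=$(mktemp -d)
make_sample_traces "$demo"
summarize_traces "$demo"   # ok=1 fail=1 unknown=1 failed=[TID_1002.tra:XCOM]
rm -rf "$demo"
```

A status other than 9 in the failed list points away from a plain credential rejection (for example an unreachable or misconfigured backend), which is why the numeric PAM status is kept in the classification rather than only the "failed" text.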

**** WORKAROUND ****
IBM was later able to provide a workaround for the intermittent authentication failures:
Enable 'keep_creds=yes' in the KRB5 stanza of the file /etc/methods.cfg (the file the AIX Files Reference documents as /usr/lib/security/methods.cfg).

NOTE:
After enabling 'keep_creds=yes' the cache files under /var/krb5/security/creds were observed to keep increasing, since every new login now generates its own credential cache file. Run the 'kdestroy' command on a regular basis (e.g. as a nightly job) to clear the old ones. Running kdestroy with the -e flag deletes all credentials cache files after a specified number of days or weeks.

For details of "keep_creds" see "AIX Version 7.2 Files Reference" : https://www.ibm.com/support/knowledgecenter/ssw_aix_72/filesreference/filesreference_pdf.pdf?view=kc
Page 161: "/usr/lib/security/methods.cfg File"
Page 163:
keep_creds=[ yes/no ]
By default, the keep_creds option is set to no. If the keep_creds option is set to yes, every new login generates a new PAG based credential cache file.
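The nightly cleanup mentioned in the NOTE above, as an added example that is not code from IBM, CA/Broadcom or this article. It assumes that a cache file not modified for MAX_AGE_DAYS belongs to a transfer that finished long ago, and that 'kdestroy -c <cache>' is the right way to discard a single cache; it uses find plus kdestroy -c rather than the article's kdestroy -e so that the age cut-off is explicit and a dry run is possible before anything is deleted. The directory it runs on in the demonstration is constructed; the crontab line in the comment uses a placeholder path.

```shell
#!/bin/sh
# Added example, not code from IBM, CA/Broadcom or this article: a nightly
# cleanup for the per-login credential cache files that accumulate under
# /var/krb5/security/creds once keep_creds=yes is set.  Assumptions: a cache
# that has not been modified for MAX_AGE_DAYS belongs to a long-finished
# transfer, and kdestroy -c <cache> is the right way to discard one (used
# here instead of the article's kdestroy -e so that the age cut-off is
# explicit and a dry run is possible).

CREDS_DIR=${CREDS_DIR:-/var/krb5/security/creds}
MAX_AGE_DAYS=${MAX_AGE_DAYS:-7}

# List regular files under $1 last modified more than $2 days ago, one per
# line, sorted so that runs are reproducible.
stale_caches() {
    find "$1" -type f -mtime +"$2" 2>/dev/null | sort
}

# Discard every cache under $1 older than $2 days.  With a third argument
# of "dry-run", only report what would be removed and touch nothing.
purge_stale_caches() {
    stale_caches "$1" "$2" | while IFS= read -r cache; do
        if [ "${3:-}" = "dry-run" ]; then
            echo "would remove $cache"
        elif kdestroy -c "$cache"; then
            echo "removed $cache"
        else
            echo "kdestroy failed for $cache" >&2
        fi
    done
}

# Stand-alone demonstration on a constructed directory: one cache dated
# 2020-01-01 (stale) and one just created (kept).  For the nightly job call
# purge_stale_caches "$CREDS_DIR" "$MAX_AGE_DAYS" from cron, e.g. with a
# crontab line like: 0 2 * * * /path/to/this/script   (placeholder path)
demo=$(mktemp -d)
touch -t 202001010000 "$demo/krb5cc_stale"
touch "$demo/krb5cc_recent"
purge_stale_caches "$demo" "$MAX_AGE_DAYS" dry-run   # would remove .../krb5cc_stale
rm -rf "$demo"
```

Run it with dry-run against the real directory first and set MAX_AGE_DAYS comfortably above the longest transfer you run, so that a cache still in use by an in-flight transfer is never the one selected.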

Additional Information

CA XCOM Data Transport for UNIX/Linux 11.6.1 > Reference > Operating Environment > Pluggable Authentication Modules (PAM) Based Authentication