The xcom.glb file is configured with these PAM-related variables:
AUTH_TYPE=PAM
PAM_PATH=/usr/lib/
The /etc/pam.conf file contains the following lines for the XCOM PAM service xcomauth:
xcomauth auth required pam_aix
xcomauth account required pam_aix
The AIX machine is configured to authenticate against a Windows Active Directory, where a single service account used for all XCOM transfers is created and maintained. XCOM transfers report the error "XCOMU0287E Error setting remote user id: Verify login failed" when multiple XCOM connections (say 10 simultaneous) are received from the same or different hosts.
Is this a known limitation with XCOM, or is there a workaround to circumvent the issue above?
cache files under /var/krb5/security/creds kept increasing
1. Configuration:
a. The xcom.glb parameters are correct:
AUTH_TYPE=PAM
PAM_PATH=/usr/lib/
NOTE: XCOM expects to find the required file libpam.a in the directory specified by PAM_PATH.
b. The /etc/pam.conf file used to configure the XCOM PAM service xcomauth on Unix, including AIX, also has the correct entries, i.e.
xcomauth auth required pam_aix
xcomauth account required pam_aix
Correct configuration of both files is further supported by the fact that transfers fail only intermittently for the same PAM user; if the configuration were the problem, we would expect 100% failure for that user.
2. Transfer Execution:
Enabled XTRACE=10 in the xcom.glb file on the AIX server and restarted the xcomd service.
Executed more transfers to generate the trace files $XCOM_HOME/TID_number.tra.
The trace file for a successful transfer shows:
===
security.c 2166: Authentication mechanism used : PAM
security.c 2169: PAM based authentication for user XCOM
security.c 2170: verify_login: call PAM user XCOM
security.c 3031: The path to PAM module is /usr/lib/
security.c 3150: loadPAMModule: Start
security.c 3151: PAM Module directory :/usr/lib/
security.c 3180: loadPAMModule PAM Module=[/usr/lib/libpam.a(shr_64.o)]
util.c 2934: In xdlopen, lib-length = 27, lib-path = </usr/lib/libpam.a(shr_64.o)>
security.c 3187: loadPAMModule dlopen ok, PAMhandle=[3]
security.c 3194: loadPAMModule PAMStart=[9001000a200bf38], PAMAuthenticate=[9001000a200bdb8], PAMAcctMgmt=[9001000a200bda0], PAMGetItem=[9001000a200bef0], PAMEnd=[9001000a200bf20], PAMStrError=[9001000a200bdd0]
security.c 3206: loadPAMModule exiting with rc 1
security.c 3049: PAMStart succeeded
security.c 2971: Msg No:0, msg_style= 1
security.c 3005: Returning success from pam_userpass_conv
security.c 3062: PAMAuthenticate succeeded
security.c 3075: PAMAcctMgmt succeeded
security.c 3087: PAMGetItem succeeded
security.c 3091: retval is : XCOM
security.c 2182: verify_login: returned PAM ldap_user XCOM
===
The trace file for a failed received transfer shows:
===
security.c 2166: Authentication mechanism used : PAM
security.c 2169: PAM based authentication for user XCOM
security.c 2170: verify_login: call PAM user XCOM
security.c 3031: The path to PAM module is /usr/lib/
security.c 3150: loadPAMModule: Start
security.c 3151: PAM Module directory :/usr/lib/
security.c 3180: loadPAMModule PAM Module=[/usr/lib/libpam.a(shr_64.o)]
util.c 2934: In xdlopen, lib-length = 27, lib-path = </usr/lib/libpam.a(shr_64.o)>
security.c 3187: loadPAMModule dlopen ok, PAMhandle=[3]
security.c 3194: loadPAMModule PAMStart=[9001000a200bf38], PAMAuthenticate=[9001000a200bdb8], PAMAcctMgmt=[9001000a200bda0], PAMGetItem=[9001000a200bef0], PAMEnd=[9001000a200bf20], PAMStrError=[9001000a200bdd0]
security.c 3206: loadPAMModule exiting with rc 1
security.c 3049: PAMStart succeeded
security.c 2971: Msg No:0, msg_style= 1
security.c 3005: Returning success from pam_userpass_conv
security.c 3053: PAMAuthenticate status :9
security.c 3057: PAMAuthenticate failed :Authentication failed
security.c 2176: verify_login: returned NULL PAM ldap_user.
===
So for the failed transfer, the messages "PAMAuthenticate status :9" and "PAMAuthenticate failed :Authentication failed" are returned from the remote authentication service, which is outside the scope of XCOM.
As the problem appears to lie with the remote authentication service (Windows Active Directory), where the authentication is failing, it is suggested that research is focused on the PAM client and remote authentication service configurations. There is also an IBM Knowledge Center article on enabling PAM debug which may assist that research:
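The triage step above (classifying each TID_number.tra by its PAMAuthenticate outcome to confirm the failures are intermittent rather than total) as a small script. This is an added example, not code from the article or from XCOM; it assumes trace files sit in $XCOM_HOME and carry the security.c lines shown in the traces above.

```shell
#!/bin/sh
# Added example: classify XCOM trace files by the PAM outcome lines and report
# the failure rate. Not part of the original article or of XCOM itself.

# pam_result FILE -> "ok", "fail <status>" or "unknown", read from security.c lines
pam_result() {
    awk '
        /PAMAuthenticate succeeded/ { ok = 1 }
        /PAMAuthenticate status *:/ { n = split($0, a, ":"); st = a[n]; gsub(/[ \t]/, "", st) }
        /PAMAuthenticate failed/    { fail = 1 }
        END {
            if (ok)        print "ok"
            else if (fail) print "fail " (st == "" ? "?" : st)
            else           print "unknown"
        }
    ' "$1"
}

# summarize_traces DIR -> "total=N ok=N fail=N unknown=N fail_pct=P" over DIR/*.tra
# A fail_pct well below 100 for one user points away from pam.conf/xcom.glb and
# toward the remote authentication service, as the article concludes.
summarize_traces() {
    total=0; ok=0; fail=0; unknown=0
    for f in "$1"/*.tra; do
        [ -f "$f" ] || continue
        total=$((total + 1))
        case $(pam_result "$f") in
            ok)    ok=$((ok + 1)) ;;
            fail*) fail=$((fail + 1)) ;;
            *)     unknown=$((unknown + 1)) ;;
        esac
    done
    pct=0
    if [ "$total" -gt 0 ]; then pct=$((fail * 100 / total)); fi
    echo "total=$total ok=$ok fail=$fail unknown=$unknown fail_pct=$pct"
}

# Usage on the AIX server (XCOM_HOME is assumed to be exported there):
if [ -n "${XCOM_HOME:-}" ]; then summarize_traces "$XCOM_HOME"; fi
```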
**** WORKAROUND ****
IBM were later able to provide a workaround for the intermittent authentication failures.
Enable keep_creds=yes in the KRB5 stanza of the file /etc/methods.cfg.
NOTE: It was observed that the cache files under /var/krb5/security/creds kept increasing after enabling keep_creds=yes, so the kdestroy command needs to be run on a regular basis (e.g. as a nightly job) to clear the old ones. Running kdestroy with the -e flag deletes all credentials cache files older than a given number of days or weeks.
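The workaround and its housekeeping note as one nightly job script: it checks that the KRB5 stanza carries keep_creds=yes, prunes old caches with kdestroy -e, and reports how many stale files remain so growth of /var/krb5/security/creds stays visible in the job log. This is an added example, not code from the article, XCOM or IBM; it assumes methods.cfg stanzas are a "KRB5:" header followed by indented key = value lines with comma-separated options, and that kdestroy -e accepts a period such as 7d.

```shell
#!/bin/sh
# Added example (not from the article, XCOM or IBM). Assumptions: methods.cfg
# stanza layout as described in the lead-in; kdestroy -e takes a period like "7d".

METHODS_CFG=${METHODS_CFG:-/etc/methods.cfg}
CREDS_DIR=${CREDS_DIR:-/var/krb5/security/creds}

# keep_creds_enabled FILE STANZA -> exit 0 if that stanza's options include keep_creds=yes
keep_creds_enabled() {
    awk -v stanza="$2" '
        /^[A-Za-z0-9_]+:[ \t]*$/ { in_stanza = ($1 == (stanza ":")); next }
        in_stanza && $1 == "options" {
            sub(/^[ \t]*options[ \t]*=[ \t]*/, "")
            n = split($0, opt, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", opt[i])
                if (opt[i] == "keep_creds=yes") found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# stale_cache_count DIR DAYS -> number of files in DIR not modified for more than DAYS days
stale_cache_count() {
    find "$1" -type f -mtime +"$2" 2>/dev/null | wc -l | tr -d ' \t'
}

# nightly_cleanup DAYS -> prune expired caches and print a one-line report for the job log
nightly_cleanup() {
    days=$1
    if keep_creds_enabled "$METHODS_CFG" KRB5; then state=enabled; else state=disabled; fi
    before=$(stale_cache_count "$CREDS_DIR" "$days")
    if command -v kdestroy >/dev/null 2>&1; then
        kdestroy -e "${days}d"   # delete credentials cache files older than the period
    fi
    after=$(stale_cache_count "$CREDS_DIR" "$days")
    echo "keep_creds=$state stale_before=$before stale_after=$after"
}

# Usage from cron: RUN_NIGHTLY=1 STALE_DAYS=7 sh this_script.sh
if [ "${RUN_NIGHTLY:-0}" = "1" ]; then nightly_cleanup "${STALE_DAYS:-7}"; fi
```

A report showing keep_creds=disabled means the workaround is not in effect on that host; a stale_after count that keeps rising means the prune is not running.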
For details of "keep_creds", see "AIX Version 7.2 Files Reference":
Page 161: "/usr/lib/security/methods.cfg File"
Page 163:
keep_creds=[ yes/no ]
By default, the keep_creds option is set to no. If the keep_creds option is set to yes, every new login generates a new PAG based credential cache file.