Aria Operations Telegraf Agent PAM Auth Warning Message on Suse 15

Article ID: 324341


Products

VMware Aria Suite

Issue/Introduction

Symptoms:
When checking the ucp-minion service status on the Suse 15 endpoint with systemctl status ucp-minion, the following WARNING message is seen:

pam_unix(sudo:auth): auth could not identify password for [arcuser]
 
The Aria Operations Telegraf agent was previously installed without errors, and no issues are seen in metric collection.


Environment

VMware Aria Operations 8.x

Cause

When PAM (Pluggable Authentication Modules) is configured on the Suse system, it creates a pam.d file for each service. Additional configuration is needed within the file to prevent the PAM authentication error.

Resolution

SSH to the Suse 15 system as root and open the file /etc/pam.d/auth in your text editor of choice.

The default values within the file should look like below:

#%PAM-1.0

auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth


To correct the configuration, add the line auth sufficient pam_permit.so to the file. The line should always be listed at the top.

The updated file should look like below:

#%PAM-1.0
auth sufficient pam_permit.so 
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth

Once you have saved the /etc/pam.d/auth file, restart the ucp-minion service with the command: systemctl restart ucp-minion

The issue should now be resolved next time you run the ucp-minion service status command.


Additional Information

Please be aware of the use and consequences of "auth sufficient pam_permit.so" as pam_permit is a PAM module that always permits access. It does nothing else. In the case of authentication, the user's name will be set to nobody if the application didn't set one. Many applications and PAM modules become confused if this name is unknown. This module is very dangerous. It should be used with extreme caution.

For more details, see: https://man7.org/linux/man-pages/man8/pam_permit.8.html
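
The caution above can be turned into a check. The following Python sketch is an added example, not part of the original article or any VMware tooling: it parses a pam.d-style file and reports each auth rule where pam_permit.so ends the stack early, together with the auth rules that are then never evaluated. The function names and the high/review labels are assumptions of this example.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the updated file from the Resolution section above.
# Function names and the high/review labels are this example's own, not VMware's.
UPDATED = """#%PAM-1.0
auth sufficient pam_permit.so
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth
"""

RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_rules(text):
    """Return (lineno, type, control, module) for each rule of a pam.d-style file."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())  # drop comments and blanks
        if m:
            rules.append((lineno, m[1].lower(), m[2].lower(), m[3]))
    return rules

def short_circuits(control):
    """True if a successful module ends the stack here (sufficient / success=done)."""
    return control == "sufficient" or bool(re.search(r"\bsuccess=done\b", control))

def audit_auth(text):
    """Flag pam_permit.so auth rules and list the auth rules they make unreachable."""
    auth = [r for r in parse_rules(text) if r[1] == "auth"]
    findings = []
    for i, (lineno, _, control, module) in enumerate(auth):
        if PurePosixPath(module).name != "pam_permit.so" or not short_circuits(control):
            continue
        findings.append({
            "line": lineno,
            # First in the stack: nothing can fail before it, so auth always succeeds.
            "severity": "high" if i == 0 else "review",
            "skipped": [f"{c} {m}" for _, _, c, m in auth[i + 1:]],
        })
    return findings

if __name__ == "__main__":
    for f in audit_auth(UPDATED):
        print(f"line {f['line']}: [{f['severity']}] pam_permit.so short-circuits auth; "
              f"never evaluated: {f['skipped'] or 'nothing'}")
```

Run against the updated file, the check shows that auth include system-auth is no longer reached, which is the consequence the warning above describes.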