Implemented LDAP PAM authentication on Linux for use with XCOM; when performing an incoming transfer, the following message is received:
"XCOMU0287E Error setting remote user id: Verify login failed"
Below is a sample xcomauth that works with a default installation.
Note: Review and modify this sample xcomauth to fit your security requirements. For details on the statements in the sample, refer to the Linux PAM man pages (pam.conf(5) and the individual module pages such as pam_succeed_if(8)) and/or your Security Administrator.
auth required /opt/CA/XCOM/redistrib/pam_userpass/pam_userpass.so
auth required pam_env.so
auth sufficient pam_sss.so use_first_pass
auth sufficient pam_unix.so nullok use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
For the documented PAM configuration, see the CA XCOM Data Transport for UNIX/Linux 12.0 documentation under Reference > Operating Environment > Pluggable Authentication Modules (PAM) Based Authentication.
NOTE: The above sample xcomauth file may or may not work in a specific environment. It is the responsibility of the Security Administrator to review and modify the security for site specific implementation.
Notes on some of the statements above (refer to the Linux man pages, in particular pam_succeed_if(8), for full details):
account sufficient pam_succeed_if.so uid >= 500: If the UID is greater than or equal to 500 the module returns success and, because the line is marked sufficient, the account check ends here with success. If the UID is less than 500 the module returns failure, but a failure from a sufficient line is ignored and processing simply continues with the next account line; this line by itself never denies the user.
account sufficient pam_succeed_if.so uid < 1000: The same pattern with the opposite sense: the account check ends with success if the UID is less than 1000, and continues with the next line if the UID is 1000 or greater.
The sample above uses uid < 500 quiet, so system accounts (UID below 500 on older Red Hat releases; newer releases start ordinary users at 1000) are accepted without consulting pam_sss, while every other user falls through to the pam_sss line. Because the preceding pam_localuser line already ends the stack for any user in /etc/passwd, this line only matters for non-local users with a UID below 500. The quiet option stops pam_succeed_if from logging the result of the test.
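As an added walk-through (not part of this article or of the XCOM product), the following Python script applies the Linux-PAM control-flag rules to the account stack of the sample xcomauth above. The module return codes are constructed inputs in a dictionary, no PAM library is called, and the check_account helper and its return code names are this example's own. It shows that a failing sufficient line (pam_localuser or pam_succeed_if) is skipped rather than denying the user, and that a non-success, non-user_unknown result from pam_sss, such as an expired account, is what actually denies access.

```python
"""Walk the account stack of the sample xcomauth with Linux-PAM control-flag
semantics. Added illustration: module return codes are constructed inputs
(dictionary entries), no PAM library is called."""

# Account lines from the sample xcomauth as (control, module-and-arguments).
XCOMAUTH_ACCOUNT = [
    ("required", "pam_access.so"),
    ("required", "pam_unix.so broken_shadow"),
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so uid < 500 quiet"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_sss.so"),
    ("required", "pam_permit.so"),
]

# Linux-PAM expands the keyword controls to these "return code -> action" maps.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "_default": "bad"},
    "requisite":  {"success": "ok",   "_default": "die"},
    "sufficient": {"success": "done", "_default": "ignore"},
    "optional":   {"success": "ok",   "_default": "ignore"},
}


def parse_control(control):
    """Return the action map for a keyword or bracketed control field."""
    if control in KEYWORD_CONTROLS:
        return dict(KEYWORD_CONTROLS[control])
    if control.startswith("[") and control.endswith("]"):
        actions = {}
        for pair in control[1:-1].split():
            retcode, action = pair.split("=", 1)
            actions["_default" if retcode == "default" else retcode] = action
        actions.setdefault("_default", "bad")
        return actions
    raise ValueError("unsupported control field: %r" % control)


def evaluate_stack(stack, results):
    """Return (final result, trace) for a stack given each module's return code.

    results maps the module field to a return code name; unlisted modules
    return 'success'. final is 'success', 'perm_denied' (nothing decided) or
    the first failure code recorded by a 'bad'/'die' action.
    """
    first_failure = None
    success_seen = False
    trace = []
    for control, module in stack:
        rc = results.get(module, "success")
        actions = parse_control(control)
        action = actions.get(rc, actions["_default"])
        trace.append((module.split()[0], rc, action))
        if action == "ok":
            success_seen = True
        elif action in ("bad", "die"):
            if first_failure is None:
                first_failure = rc        # earliest failure wins
            if action == "die":
                break                     # requisite: stop immediately
        elif action == "done":
            if first_failure is None and rc == "success":
                return "success", trace   # sufficient: later lines never run
        elif action != "ignore":
            raise ValueError("unsupported action: %r" % action)
    if first_failure is not None:
        return first_failure, trace
    return ("success" if success_seen else "perm_denied"), trace


def check_account(uid, local, sss_rc="success"):
    """Constructed return codes for one user (hypothetical helper). Non-local
    (SSSD) users still pass pam_unix because NSS resolves them; pam_localuser
    only accepts /etc/passwd entries and pam_succeed_if only the uid < 500 test."""
    results = {
        "pam_localuser.so": "success" if local else "perm_denied",
        "pam_succeed_if.so uid < 500 quiet": "success" if uid < 500 else "auth_err",
        "pam_sss.so": sss_rc,
    }
    return evaluate_stack(XCOMAUTH_ACCOUNT, results)


if __name__ == "__main__":
    cases = [("root", 0, True, "success"),
             ("local user", 1500, True, "success"),
             ("AD user", 10000, False, "success"),
             ("AD user, expired", 10000, False, "acct_expired")]
    for label, uid, local, sss_rc in cases:
        final, trace = check_account(uid, local, sss_rc)
        print("%-17s -> %s" % (label, final))
        for module, rc, action in trace:
            print("    %-16s %-13s %s" % (module, rc, action))
```

Running the script prints, for each constructed user, which lines were consulted and the action Linux-PAM took on each: root stops at pam_localuser after three lines, the AD user walks all six lines with the two sufficient failures marked ignore, and only the expired-account case ends in a failure code.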
To debug PAM problems:
1. Check syslog for any useful messages (on Red Hat systems the authpriv facility is normally written to /var/log/secure).
2. Enable debugging in the system-auth file and the xcomauth file, as described below.
PAM modules are expected to send messages to syslog(3) under facility type authpriv and the following logging levels:
Debugging output is enabled by passing the option debug to a module in the PAM configuration file, placed right after the module name. For example:
auth required /opt/CA/XCOM/redistrib/pam_userpass/pam_userpass.so debug
Expand the entries included from system-auth into xcomauth and add the debug option to each line, and adjust syslogd.conf (or rsyslog.conf on systems running rsyslog) so that authpriv messages of every priority are saved: the debug output is logged at the lowest priority, so a selector such as authpriv.info silently drops it. This should explain why an authentication fails. Also check where the authpriv logging destinations are defined in syslogd.conf and look there for meaningful messages.
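The procedure above, as an added Python example that is not part of this article or the XCOM product: one function inserts debug after the module name on every module line of an xcomauth-style file (leaving comments and include/substack lines alone, since those need expanding first), and a second parses the classic syslogd.conf/rsyslog.conf selector syntax to report which destinations actually keep authpriv messages at debug priority. Both configuration texts embedded below are constructed samples.

```python
"""Prepare an xcomauth for debugging and confirm the syslog side of it.
Added example; both configuration texts below are constructed samples,
not files from a real system."""
import re

# PAM line: indent, type, ws, control (keyword or [bracketed ...]), ws, module, args
PAM_LINE = re.compile(r"^(\s*)(\S+)(\s+)(\[[^\]]*\]|\S+)(\s+)(\S+)(.*)$")


def enable_pam_debug(conf_text):
    """Return conf_text with 'debug' inserted right after every module name.

    Comments, blank lines and include/substack lines are left alone: debug
    has to go on the lines of the included file (e.g. system-auth), which
    is why the article says to expand them into xcomauth first. Lines that
    already carry debug are not changed, so the function is idempotent.
    """
    out = []
    for line in conf_text.splitlines():
        m = PAM_LINE.match(line)
        if line.lstrip().startswith("#") or m is None:
            out.append(line)
            continue
        indent, mtype, ws1, control, ws2, module, args = m.groups()
        if control in ("include", "substack") or "debug" in args.split():
            out.append(line)
            continue
        out.append(f"{indent}{mtype}{ws1}{control}{ws2}{module} debug{args.rstrip()}")
    return "\n".join(out)


def authpriv_debug_targets(syslog_conf):
    """Return the actions (log files, remote hosts) that store authpriv.debug.

    Handles the classic selector syntax shared by syslogd.conf and
    rsyslog.conf: 'facility.priority' entries joined with ';'. A priority of
    'none' excludes the facility and a minimum above debug (info, notice,
    ...) drops the debug-level output that PAM modules produce. rsyslog
    directives ($...), '&' continuation lines and RainerScript are skipped.
    """
    targets = []
    for line in syslog_conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#$&" or line.startswith(("module(", "action(", "if ")):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selector, action = parts
        keep = False
        for sel in selector.split(";"):
            facilities, dot, priority = sel.rpartition(".")
            if not dot:
                continue                           # property filters etc.
            if not {"*", "authpriv"} & set(facilities.split(",")):
                continue
            # '*' and 'debug' (or '=debug') cover LOG_DEBUG; anything else,
            # including 'none', does not. Later selectors override earlier.
            keep = priority.lstrip("=") in ("*", "debug")
        if keep:
            targets.append(action)
    return targets


XCOMAUTH = """\
# constructed sample xcomauth (not a real file)
auth     required   /opt/CA/XCOM/redistrib/pam_userpass/pam_userpass.so debug
auth     sufficient pam_unix.so nullok use_first_pass
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
account  include    system-auth
"""

RSYSLOG = """\
# constructed /etc/rsyslog.conf fragment (not a real file)
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
"""

if __name__ == "__main__":
    print(enable_pam_debug(XCOMAUTH))
    print("authpriv.debug is written to:", authpriv_debug_targets(RSYSLOG))
```

In the constructed rsyslog fragment the first rule excludes authpriv entirely (authpriv.none) and only the authpriv.* rule keeps debug output, so /var/log/secure is the file to read after re-running the failing transfer; an environment whose only authpriv rule is authpriv.info would report no destination at all, which is exactly the case where the debug option appears to do nothing.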
For further details, see Red Hat Knowledgebase article 1314883: Debugging PAM configuration (requires a Red Hat Customer Portal login).