
KB-2052: WARNING: DZ PAM configurations wouldn't work: as the machine is using LAM instead of PAM


Information

Knowledge Article Type: Problem / Resolution
Article Type: Knowledge
Product: Authentication Service
Tags: LAM PAM AIX
Article Edits: 1-16-2020 - Per ECM, corrected article to only show this article only applies to 6.x and not 7.x. Updated the bug number to be the CS and not the bugzilla number. Also added further clarification on the last sentence regarding if LAM is enabled.
Bug #: bugzilla: 32979 (CS-28673)
Solution ID: 2980
Knowledge Base Article Details
Applies to: Centrify DirectControl 5.1 on AIX 6.x
 
Question:
When /usr/share/centrifydc/bin/adcheck is run on AIX machines (where the oslevel is 6100-04), the following warning appears: 
 
<user@/tmp/centrify>./adcheck-aix5.3-ppc intra.company.com 
OSCHK : Is operating system supported? : Pass 
PATCH : AIX Patch level : Pass 
AUTHCH : AIX Authentication Type : Warning 
: WARNING: DZ PAM configurations wouldn't work, 
: as the machine is using LAM instead of PAM 
 
Does this mean Centrify will not get installed or cannot be joined to AD? 
 
How does it affect DirectAuthorize (DZ PAM)?
 
Answer:
Centrify DirectControl supports both LAM and PAM methods of authentication depending on what AIX supports. 
This is a warning and will not prevent the product from being installed or joined to the AD domain.
 
An AIX server can be configured for LAM (Loadable Authentication Module) or PAM (Pluggable Authentication Module).
Please check the IBM links below: (Provided as a courtesy)
 
https://www.ibm.com/developerworks/linux/library/l-pam/ 
http://pic.dhe.ibm.com/infocenter/aix/v7r1/index.jsp?topic=%2Fcom.ibm.aix.security%2Fdoc%2Fsecurity%2Fpam_lam.htm 
 
By default, AIX 6.x may come with LAM (STD_AUTH) support. 
There is also the option to change /etc/security/login.cfg from STD_AUTH (which is LAM) to PAM_AUTH (Pluggable Authentication Module). 
If it does not work, additional configuration may be required. Please contact the vendor (IBM in this case) for additional help.
 
Note: Check that other third-party LAM-based applications are not affected by configuring the Centrify server for PAM.
 
adcheck raises this warning to caution against using DirectAuthorize PAM-enabled roles on an AIX server configured for LAM and not PAM. Such roles won't work because Centrify is designed to work with PAM and not LAM. This is just a warning, and the user should still be able to log in with AD credentials after a successful join and after the user has been provisioned for login.
 
dzdo essentially only allows escalation of privileges. DirectAuthorize, in addition to escalating privileges via dzdo, can control which PAM applications a user can use (e.g. ssh, ftp).
 
Centrify provides two different capabilities of DZ:
1. PAM Access rights (what PAM apps can be used)
2. Command Rights (dzdo).
 
If LAM is enabled, the PAM Access rights will not work, but Command Rights will work fine because dzdo is handled as a separate application and calls on PAM only if authentication is required.
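
The check that adcheck's AUTHCH line summarizes can be reproduced by reading login.cfg directly. The script below is an added example, not Centrify or IBM code: it parses the AIX stanza format and reports which of the two DZ capabilities above are usable. It assumes, per AIX documentation rather than this article, that the setting is the auth_type attribute of the usw stanza and that STD_AUTH applies when the attribute is unset; the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example: report whether an AIX-style login.cfg selects LAM or PAM.
# Assumption (AIX documentation, not this article): the setting is the
# auth_type attribute of the "usw" stanza, and STD_AUTH applies when unset.

# Print the effective auth_type (STD_AUTH or PAM_AUTH) for a login.cfg file.
aix_auth_type() {
    awk '
        /^[ \t]*\*/ { next }                      # "*" starts a comment line
        /^[^ \t].*:[ \t]*$/ {                     # stanza header, e.g. "usw:"
            name = $0
            sub(/:[ \t]*$/, "", name)
            in_usw = (name == "usw")
            next
        }
        in_usw && /^[ \t]+auth_type[ \t]*=/ {     # attribute inside usw only
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            found = val
        }
        END { print (found == "" ? "STD_AUTH" : found) }
    ' "$1"
}

# Map the auth type to the two DirectAuthorize capabilities in the article.
dz_report() {
    case "$(aix_auth_type "$1")" in
        PAM_AUTH) echo "PAM: PAM Access rights work; Command Rights (dzdo) work" ;;
        STD_AUTH) echo "LAM: PAM Access rights will not work; Command Rights (dzdo) work" ;;
        *)        echo "UNKNOWN auth_type; inspect $1 manually"; return 1 ;;
    esac
}

# Constructed sample files (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
printf '* constructed sample\ndefault:\n\tsak_enabled = false\n\nusw:\n\tshells = /bin/sh,/bin/ksh\n\tmaxlogins = 32767\n\tauth_type = STD_AUTH\n' > "$SAMPLE_DIR/lam.cfg"
printf 'usw:\n\tshells = /bin/sh\n\tauth_type = PAM_AUTH\n' > "$SAMPLE_DIR/pam.cfg"
printf 'usw:\n\tshells = /bin/sh\n' > "$SAMPLE_DIR/unset.cfg"

dz_report "$SAMPLE_DIR/lam.cfg"
dz_report "$SAMPLE_DIR/pam.cfg"
dz_report "$SAMPLE_DIR/unset.cfg"
```

On a real host, pass /etc/security/login.cfg to dz_report; AIX's own lssec command (lssec -f /etc/security/login.cfg -s usw -a auth_type) reads the same attribute.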

Please review:
KB-2073: How to enable PAM in AIX platforms for Centrify DirectControl
Created By: Article Admin
Solution Creator: Raghu Srinivasan