Applies to: Centrify DirectControl 5.1 on AIX 6.x
Question:
When /usr/share/centrifydc/bin/adcheck is run on AIX machines (where the oslevel is 6100-04), the following warning appears:
<user@/tmp/centrify>./adcheck-aix5.3-ppc intra.company.com
OSCHK : Is operating system supported? : Pass
PATCH : AIX Patch level : Pass
AUTHCH : AIX Authentication Type : Warning
: WARNING: DZ PAM configurations wouldn't work,
: as the machine is using LAM instead of PAM
Does this mean Centrify will not get installed or cannot be joined to AD?
How does it affect DirectAuthorize (DZ PAM)?
Answer:
Centrify DirectControl supports both LAM and PAM methods of authentication depending on what AIX supports.
This is a warning and will not prevent the product from being installed or joined to an AD domain.
An AIX server can be configured for LAM (Loadable Authentication Module) or PAM (Pluggable Authentication Module).
Please check the IBM links below (provided as a courtesy):
https://www.ibm.com/developerworks/linux/library/l-pam/
http://pic.dhe.ibm.com/infocenter/aix/v7r1/index.jsp?topic=%2Fcom.ibm.aix.security%2Fdoc%2Fsecurity%2Fpam_lam.htm
By default, AIX 6.x may come with LAM (STD_AUTH) support.
There is also the option to change /etc/security/login.cfg from STD_AUTH (which is LAM) to PAM_AUTH (Pluggable Authentication Module).
If it does not work, additional configuration may be required. Please contact the vendor (IBM in this case) for additional help.
Note: Check that other 3rd party LAM-based applications are not affected by configuring the Centrify server for PAM.
adcheck raises this warning to caution against using DirectAuthorize PAM-enabled roles on an AIX server configured for LAM rather than PAM. Those roles won't work there because Centrify is designed to work with PAM and not LAM. This is just a warning: the user should still be able to log in with AD credentials after a successful join and after the user has been provisioned for login.
dzdo itself only handles escalation of privileges. DirectAuthorize can escalate privileges via dzdo, and it can also control which PAM applications a user can use (e.g. ssh, ftp).
Centrify provides two different capabilities of DZ:
1. PAM Access rights (what PAM apps can be used)
2. Command rights (dzdo)
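
To see which method a host uses before relying on DZ PAM access rights, the auth_type setting in /etc/security/login.cfg can be read directly. The script below is an added example, not Centrify or IBM code; it assumes the attribute sits in the "usw:" stanza and that a missing attribute means STD_AUTH, and the sample file it generates is constructed.

```shell
#!/bin/sh
# Added example: report whether an AIX login.cfg selects LAM or PAM.
# Assumptions: auth_type is in the "usw:" stanza; if absent, STD_AUTH applies.

# auth_type_of FILE -> prints the effective auth_type value
auth_type_of() {
    awk '
        /^[ \t]*\*/ { next }                  # stanza-file comments start with "*"
        /^[^ \t*][^=]*:[ \t]*$/ {             # stanza header such as "usw:"
            name = $0
            sub(/:[ \t]*$/, "", name)
            in_usw = (name == "usw")
            next
        }
        in_usw && /^[ \t]+auth_type[ \t]*=/ { # attribute inside the usw stanza
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            found = val
        }
        END { print (found == "" ? "STD_AUTH" : found) }
    ' "$1"
}

# describe_auth FILE -> one-line verdict in the terms adcheck uses
describe_auth() {
    case "$(auth_type_of "$1")" in
        PAM_AUTH) echo "PAM_AUTH: host uses PAM" ;;
        STD_AUTH) echo "STD_AUTH: host uses LAM, adcheck AUTHCH warning expected" ;;
        *)        echo "unrecognised auth_type" ;;
    esac
}

# sample_login_cfg VALUE -> prints a constructed login.cfg using that auth_type
sample_login_cfg() {
    cat <<EOF
* constructed sample, not taken from a real host
default:
        sak_enabled = false
usw:
        shells = /bin/sh,/bin/ksh
*       auth_type = PAM_AUTH
        auth_type = $1
EOF
}

# Stand-alone use: pass a path, e.g. /etc/security/login.cfg
if [ -n "${1:-}" ]; then describe_auth "$1"; fi
```

On AIX itself, `lssec -f /etc/security/login.cfg -s usw -a auth_type` reports the same attribute.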