
KB-10266: Local user on SLES 11 cannot log in when dad is stopped and NSS is enabled after joining the zone

Authentication Service

1 October,18 at 03:40 PM

Problem: A local user cannot log in when dad is stopped and NSS is enabled after joining the zone.

Steps to reproduce the issue:

1. Install DC + DA on a test machine, join it to a Hierarchical Zone and enable NSS.

2. Check the shell of the local user (blocal5)
====

[root@etpgl3n 23:24:54]#getent passwd blocal5
blocal5:x:25028:100::/home/blocal5:/bin/cdax/bash

====

3. Run '/usr/share/centrifydc/bin/centrifyda stop' to stop dad

====
etpgl3n:~ # /usr/share/centrifydc/bin/centrifyda stop
DirectAudit daemon is about to stop.
Warning: Stopping the auditing service prevents all session activity from being captured. You must restart the auditing service to resume auditing.
Centrify DirectAudit stopped.

etpgl3n:~ # dainfo
Unable to collect information from DirectAudit daemon (dad). Is it running?
Getting offline database information:
Size on disk: 17.50 KB
Database filesystem use: 25.10 GB used, 56.69 GB total, 31.59 GB free
Unable to provide NSS information because unable to connect to DirectAudit daemon (dad).
Unable to provide audit status of this user because unable to connect to DirectAudit daemon (dad).
DirectAudit is not configured for per command auditing.

====

4. Log in as the local user (blocal5)
====
[root@etpgl3n 23:28:17]#ssh localhost -l blocal5

Welcome to SUSE Linux Enterprise Server 11 SP3 (s390x) - Kernel 3.0.76-0.11-default (ssh-pty).

Password:
Last login: Mon Sep 25 22:33:50 2017 from 127.0.0.1
This account is currently not available.
Connection to localhost closed.

---> User (blocal5) cannot log in; this is unexpected.
====

5. Check blocal5's shell
====
[root@etpgl3n 23:32:27]#getent passwd blocal5
blocal5:x:25028:100::/home/blocal5:/sbin/nologin

---> The nologin shell is returned. This is unexpected; the user's real shell should be returned.
====

Cause:
1) If:
	    - nscd is started
	    - DA NSS is enabled
	    - dad is down
	    - getent passwd <localuser> is run
	     then the Centrify DA NSS module loads the capi library to call cdcGetAuditLevel() to get the local user's audit level.
	     AppArmor does not have any rule that allows nscd to load the capi library.

2) Centrify does not configure AppArmor correctly on SUSE12.2 because the "lsb_release -a" output contains unexpected words.

Workaround:
1) Add an AppArmor rule that gives programs which include /etc/apparmor.d/abstractions/centrifyda in their AppArmor config file mmap and read permissions on /usr/share/centrifydc/lib*/libcapi.so.0.0.0
2) Add the correct lsb_release output key words.
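
One way to apply workaround 1 idempotently, as an added example (not Centrify's own tooling). The abstraction path and library glob come from the text above; the nscd profile path /etc/apparmor.d/usr.sbin.nscd and the `--apply` switch are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. Paths marked "assumed" are not stated in the article.
ABSTRACTION=/etc/apparmor.d/abstractions/centrifyda
NSCD_PROFILE=/etc/apparmor.d/usr.sbin.nscd   # assumed profile location for nscd
# "m" = mmap as executable, "r" = read: the two permissions the workaround names.
CAPI_RULE='/usr/share/centrifydc/lib*/libcapi.so.0.0.0 mr,'

# has_capi_rule FILE: succeed if FILE already grants m+r on libcapi.
has_capi_rule() {
    [ -f "$1" ] && grep -Eq \
      '^[[:space:]]*/usr/share/centrifydc/lib\*/libcapi\.so\.0\.0\.0[[:space:]]+(mr|rm),' "$1"
}

# ensure_capi_rule FILE: append the rule once; safe to re-run.
# Abstractions are bare rule lists (no enclosing braces), so appending is valid.
# Prints "added" or "present" so the caller knows whether a reload is needed.
ensure_capi_rule() {
    if has_capi_rule "$1"; then
        echo present
    else
        cp -p "$1" "$1.bak" 2>/dev/null || true   # rollback copy, if the file exists
        printf '%s\n' "$CAPI_RULE" >> "$1"
        echo added
    fi
}

# Touch the live system only when asked: script --apply <localuser>
if [ "${1:-}" = "--apply" ]; then
    if [ "$(ensure_capi_rule "$ABSTRACTION")" = added ]; then
        apparmor_parser -r "$NSCD_PROFILE"   # reload the profile that includes it
        nscd -i passwd                       # drop any cached nologin entry
    fi
    # Repeat the check from step 5: the shell field should no longer be nologin.
    getent passwd "${2:?local user name required}" | cut -d: -f7
fi
```

Run it as root with `--apply blocal5` while dad is stopped; the printed shell should match the one seen in step 2 rather than /sbin/nologin.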

Resolution: It is fixed in suite 2017.3.
