Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1628: How to eliminate HPUX syslog message "AD user conflicts with user in local protected password database"

Auditing and Monitoring Service ,   Authentication Service ,   Mac & PC Management Service ,  

12 April,16 at 10:59 AM

Applies to: All versions of DirectControl on trusted HPUX

Question:

How to eliminate the warning message below from /var/adm/syslog/syslog.log?

====

adclient[12406]: WARN <fd:20 NSSNextPrPasswd> base.objecthelper.user AD user 'testuser'[uid=1234] conflicts with user 'testuser'[uid=4321] in local protected password database. Continuing without overwriting.

====

Answer:

Whenever an AD user logs into HPUX server, a corresponding password database file is created under /tcb/files/auth. The warning is thrown if AD user's uid does not match with the one in the corresponding tcb file the AD user.

Attached in this KB is a script to check and remove the conflicting password database entries:

# ./checkconflict.pl --help

This script checks if trusted user's uid conflicts with AD User for the same unixname, and prints out a report of all the AD users with conflicting uids.
User running the script will be prompted if they want to fix the conflicting tcb records. --fix flag can be used for no prompt.

Usage:
 [-v] [--fix]
    -v      Verbose operation
   --fix    Fix the problem without prompting
   --help   Print this usage.
  
Sample report of conflict uids:

Name                UID(TRUSTED)   UID (AD)
====                ============   ========
seminole            80699          40699
selma_cl            80700          40700
c-krusty            10029          43394
senegal_            80709          40709
semitiza            80712          40712
knudsen_            50205          40205
child12k3           10000          41013
aix51_u             144823         44823
smoke2k3-test1      10001          10000


Here are the sample messages when fixing the record in the trusted db: 

semitici            80166          40166
Do you want fix the conflicted uid in trusted db? [N] : y
Updating /tcb/files/auth/s/seminole change uid to 40699 .....
Updating /tcb/files/auth/s/selma_cl change uid to 40700 .....
Updating /tcb/files/auth/c/c-krusty change uid to 43394 .....
Updating /tcb/files/auth/s/senegal_ change uid to 40709 .....
Updating /tcb/files/auth/s/semitiza change uid to 40712 .....
Updating /tcb/files/auth/k/knudsen_ change uid to 40205 .....
Updating /tcb/files/auth/c/child12k3 change uid to 41013 .....
Updating /tcb/files/auth/a/aix51_u change uid to 44823 .....
Updating /tcb/files/auth/s/smoke2k3-test1 change uid to 10000 .....
Updating /tcb/files/auth/s/septembe change uid to 40110 .....
Updating /tcb/files/auth/s/sergei_b change uid to 40765 .....
Updating /tcb/files/auth/t/t2child change uid to 41010 .....
Updating /tcb/files/auth/t/t1child change uid to 41009 .....
Attachments:
checkconflict.pl.gz

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-3015: adquery user does not return anything on HPUX requiring leave and join articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-3925: How to add Centrify parameter to a group policy