
KB-1787: Why is root user being prompted for password while trying to su to an AD user on AIX

Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:02 AM

Applies to: DirectControl 4.2 or above on AIX 5.3 & above

Problem:
Why is the root user prompted for a password when trying to su to an AD user?

Cause:
At join time we insert our entries into /etc/pam.conf ahead of the pam_allowroot entry, which causes the PAM module to prompt for a password:

su   auth   sufficient   pam_centrifydc
su   auth   requisite    pam_centrifydc  deny
...
su   auth   sufficient   pam_allowroot
su   auth   required     pam_aix

Workaround:
Modify /etc/pam.conf to have the following order:

su   auth   sufficient   pam_allowroot
su   auth   sufficient   pam_centrifydc
su   auth   requisite    pam_centrifydc  deny
su   auth   required     pam_aix

After making these changes, attempt su again. Note that after a centrifydc (agent) restart, the original lines will be restored.

How to prevent roll-back to original entries:

This is governed by two parameters, "adclient.autoedit" and "adclient.autoedit.pam". In most cases the first should be set to true ("adclient.autoedit: true") so that Centrify DirectControl can maintain configuration files automatically. The second is for when manual changes are made to pam.conf (like the one above) or whenever support recommends. Customers can uncomment the second parameter, set it to false in /etc/centrifydc/centrifydc.conf, then run adreload or simply restart centrifydc and see if the changes remain permanent.
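
One way to confirm that the workaround is in place and will survive an agent restart, as an added example that is not part of the original article and is not Centrify code. The function names are hypothetical, the file paths are passed as arguments, and the sample files at the end are constructed for the demonstration:

```shell
#!/bin/sh
# Added example: check the su auth stack order and the autoedit setting.

# Print which module comes first in the "su auth" stack of a pam.conf-style file.
su_auth_order() {
    awk '
        /^[ \t]*#/ { next }                          # ignore comment lines
        $1 == "su" && $2 == "auth" {
            n++                                      # position within the su auth stack
            if ($4 ~ /pam_allowroot/  && !a) a = n
            if ($4 ~ /pam_centrifydc/ && !c) c = n
        }
        END {
            if (!a || !c) print "incomplete"
            else if (a < c) print "allowroot-first"
            else print "centrifydc-first"
        }' "$1"
}

# Print the uncommented value of adclient.autoedit.pam, or "unset".
autoedit_pam_value() {
    awk -F: '
        /^[ \t]*#/ { next }                          # a commented-out parameter does not count
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "adclient.autoedit.pam" { val = $2; gsub(/[ \t]/, "", val) }
        END { print (val == "" ? "unset" : val) }' "$1"
}

# Return 0 only if the workaround order is present and autoedit of pam.conf is off.
check_su_fix() {
    order=$(su_auth_order "$1")
    autoedit=$(autoedit_pam_value "$2")
    echo "su auth order: $order, adclient.autoedit.pam: $autoedit"
    [ "$order" = "allowroot-first" ] && [ "$autoedit" = "false" ]
}

# Constructed sample files reproducing the workaround state described above.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'su auth sufficient pam_allowroot' 'su auth sufficient pam_centrifydc' \
    'su auth requisite pam_centrifydc deny' 'su auth required pam_aix' > "$demo/pam.conf"
printf '%s\n' 'adclient.autoedit: true' 'adclient.autoedit.pam: false' > "$demo/centrifydc.conf"
check_su_fix "$demo/pam.conf" "$demo/centrifydc.conf" && echo "fix in place and persistent"
```

On a real host, call `check_su_fix /etc/pam.conf /etc/centrifydc/centrifydc.conf` after running adreload or restarting centrifydc.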

Solution:
Fixed in Centrify DirectControl 5.x and above

 
