KB-2052: WARNING: DZ PAM configurations wouldn't work: as the machine is using LAM instead of PAM

Authentication Service

16 January,20 at 10:29 PM

Applies to: Centrify DirectControl 5.1 on AIX 6.x
When /usr/share/centrifydc/bin/adcheck is run on AIX machines (where the oslevel is 6100-04), the following warning appears: 
OSCHK : Is operating system supported? : Pass 
PATCH : AIX Patch level : Pass 
AUTHCH : AIX Authentication Type : Warning 
: WARNING: DZ PAM configurations wouldn't work, 
: as the machine is using LAM instead of PAM 
Does this mean Centrify will not get installed or cannot be joined to AD? 
How does it affect DirectAuthorize (DZ PAM)?
Centrify DirectControl supports both LAM and PAM methods of authentication, depending on what AIX supports.
This is a warning and will not prevent the product from being installed or joined to the AD domain.
An AIX server can be configured for LAM (Loadable Authentication Module) or PAM (Pluggable Authentication Module).
Please check the IBM links below: (Provided as a courtesy) 
By default, AIX 6.x may come with LAM (STD_AUTH) support. 
There is also the option to change /etc/security/login.cfg from STD_AUTH (which is LAM) to PAM_AUTH (Pluggable Authentication Module). 
If it does not work, additional configuration may be required. Please contact the vendor (IBM in this case) for additional help.
Note: Check that other 3rd party LAM-based applications are not affected by configuring the Centrify server for PAM.
adcheck raises this warning to caution against using DirectAuthorize PAM-enabled roles on an AIX server configured for LAM rather than PAM. Those roles won't work because Centrify is designed to work with PAM and not LAM. This is only a warning: the user should still be able to log in with AD credentials after a successful join and after the user has been provisioned for login.
dzdo essentially only allows escalation of privileges. DirectAuthorize escalates privileges via dzdo and can also control which PAM applications a user can use (e.g. ssh, ftp).
Centrify provides two different capabilities of DZ:
1. PAM access rights (what PAM apps can be used)
2. Command rights (dzdo)
If LAM is enabled, PAM access rights will not work, but command rights will work fine because dzdo is handled as a separate application and only calls on PAM if authentication is required.
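
A read-only check of the setting discussed above, as an added example that is not part of the original article or of Centrify's tooling: it reads auth_type from the usw stanza of /etc/security/login.cfg and maps the value to the two DZ capabilities. The function names, the LOGIN_CFG variable and the sample file are assumptions made for this example; the usw stanza and auth_type attribute are standard AIX names that the article itself does not spell out.

```shell
#!/bin/sh
# Added example: report the AIX authentication type from a login.cfg-style
# stanza file and what it means for DirectAuthorize, per the article.

# get_auth_type FILE: print the auth_type value from the "usw" stanza.
# Assumption: when the attribute is absent, AIX falls back to STD_AUTH (LAM).
get_auth_type() {
    awk '
        /^[ \t]*\*/ { next }                  # "*" starts a comment line
        /^[^ \t=]+:[ \t]*$/ {                 # stanza header such as "usw:"
            in_usw = ($0 ~ /^usw:/); next
        }
        in_usw && /^[ \t]+auth_type[ \t]*=/ { # attribute inside the usw stanza
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            val = $0
        }
        END { print (val == "" ? "STD_AUTH" : val) }
    ' "$1"
}

# dz_impact FILE: summarize which DZ capability works under that setting.
dz_impact() {
    case "$(get_auth_type "$1")" in
        PAM_AUTH) echo "PAM: DZ PAM access rights and dzdo command rights both work" ;;
        STD_AUTH) echo "LAM: dzdo command rights work, DZ PAM access rights do not" ;;
        *)        echo "unknown auth_type: review $1" ;;
    esac
}

# make_sample VALUE: emit a constructed login.cfg (not from a real host).
make_sample() {
    printf '* constructed sample\ndefault:\n\tsak_enabled = false\n\n'
    printf 'usw:\n\tshells = /bin/sh,/bin/ksh\n\tauth_type = %s\n' "$1"
}

# On an AIX host, report the live setting; elsewhere this is skipped.
cfg=${LOGIN_CFG:-/etc/security/login.cfg}
if [ -r "$cfg" ]; then
    dz_impact "$cfg"
fi
```

Run it before and after changing the setting, and again after the re-run of adcheck, to confirm the warning and the file agree.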

Please review:
KB-2073: How to enable PAM in AIX platforms for Centrify DirectControl