KB-4065: scom local account with uid 0 gets locked out repeatedly

Centrify DirectControl

2 March,17 at 06:59 PM

Applies to:
 
Centrify DirectControl on the HP-UX platform (all versions prior to the fix listed under Resolution)
 
Problem:
 
After installing Centrify DirectControl 5.1.2 and joining the host to AD, the local account "scomadm", which has uid=0 (root equivalent), is locked out shortly after its first login. Unlocking the account does not help: it is locked again a short time later.
 
Adding the account to /etc/centrifydc/user.ignore had no effect. That file only tells adclient to leave the account alone for name-service and Centrify PAM lookups; it does not change how other PAM service entries in /etc/pam.conf treat the account.
 
The scomadm account does not exist in AD. All other local accounts work fine. The server is running stock sshd with UsePAM yes.
 
cimservera is also running, and Microsoft's SCOM agent for UNIX/Linux (the scx agent) is installed. The "HP WBEM Services for HP-UX and Linux System Administrator's Guide" describes the role of cimservera.
 
Here's an excerpt:

============= 
cimservera (HP-UX only)- cimservera is a standalone process that provides the cimserver with PAM Authentication services. 
============= 
 
The scx agent installer adds the following lines (an "scx" PAM service) to /etc/pam.conf:
 
scx       auth required     libpam_hpsec.so.1
scx       auth required     libpam_unix.so.1 try_first_pass
scx       account required    libpam_hpsec.so.1
scx       account sufficient  libpam_krb5.so.1
scx       account required    libpam_unix.so.1
 
Log excerpts from the affected hosts (cimserver authenticates the SCOM account through the scx PAM service, so every failed attempt is counted against scomadm):
 
Dec 18 11:29:12 rueccbsb cimserver[22542]: Authentication failed for user=scomadm. 
Dec 18 11:29:14 rueccbsb cimservera[22934]: 2 authentication failures on account "scomadm" 
Dec 19 10:55:08 jucthd cimservera[6694]: 4563 authentication failures on account "scomadm"
Dec 19 10:55:08 jucthd cimservera[6753]: pam_authenticate: error Authentication failed
 
Cause:
 
The lockout is caused by repeated authentication failures in the scx PAM service, not by an interactive login. When adclient edits /etc/pam.conf after adjoin, it does not insert the Centrify PAM modules into the scx service; instead it rewrites the scx auth entry for libpam_unix.so.1 from "try_first_pass" to "use_first_pass", as shown below:
 
# The configuration of scx is generated by the scx installer    
 
scx    auth required  libpam_hpsec.so.1
scx    auth required  libpam_unix.so.1 use_first_pass
scx    account required       libpam_hpsec.so.1
scx    account required       libpam_unix.so.1
 
 
# End of section generated by the scx installer.
 
The difference matters. With "try_first_pass", libpam_unix.so.1 first tries the password collected by an earlier module in the stack and, if there is none, prompts for one. With "use_first_pass", the module only uses a password already collected by an earlier module and never prompts. In the scx stack the only module ahead of libpam_unix.so.1 is libpam_hpsec.so.1, which does not hand it a password, so every scx authentication attempt fails before the password is ever checked. cimserver keeps retrying on behalf of the SCOM agent, the failures accumulate (4563 in the log above), and the HP-UX failed-login limit locks scomadm. Because the retries continue, the account is locked again as soon as it is unlocked. Since scomadm has uid 0, the net effect is a self-inflicted denial of service against a root-equivalent account.
 
 
Workaround:
 
1) After performing adjoin, edit /etc/pam.conf and remove the use_first_pass option from the scx auth line for libpam_unix.so.1, leaving the other scx lines as they are:
 
scx    auth    required       libpam_hpsec.so.1
scx    auth    required       libpam_unix.so.1
scx    account required       libpam_hpsec.so.1
scx    account required       libpam_unix.so.1
 
 
2) By default, adclient rewrites its managed sections of /etc/pam.conf whenever it restarts or the host rejoins the domain, which would undo the edit from step 1.
 
To prevent that, set the following value to false in /etc/centrifydc/centrifydc.conf:
 
adclient.autoedit.pam: false 
 
This stops adclient from modifying /etc/pam.conf on restart or rejoin. Note that the setting applies to every PAM service, not just scx, so from this point on the Centrify PAM entries must be maintained by hand (for example after a DirectControl upgrade).
 
Note: Revert both changes before running adleave, so that adclient can remove its own PAM entries cleanly.
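The two workaround steps, scripted. This is an added example and not Centrify's or Microsoft's code: it removes use_first_pass only from the scx auth line for libpam_unix.so.1 (other services that legitimately stack use_first_pass are left alone), forces adclient.autoedit.pam to false, keeps a backup of each file, and verifies the result. The file paths, the .kb4065.bak backup suffix, and the sample pam.conf and centrifydc.conf contents are constructed for the example; on a real host point the functions at /etc/pam.conf and /etc/centrifydc/centrifydc.conf and restart adclient afterwards.

```shell
#!/bin/sh
# KB-4065 workaround helper (added example, not vendor code).
# Assumes the HP-UX pam.conf layout shown in the article:
#   service type control module [options]
set -eu

# Strip "use_first_pass" from the scx auth entry for libpam_unix.so.1 only.
# Rewrites the file in place after saving a .kb4065.bak copy.
fix_scx_pam() {
    pamconf=$1
    cp "$pamconf" "$pamconf.kb4065.bak"
    awk '
        $1 == "scx" && $2 == "auth" && $4 == "libpam_unix.so.1" {
            out = ""
            for (i = 1; i <= NF; i++)
                if ($i != "use_first_pass") out = (out == "" ? $i : out " " $i)
            print out
            next
        }
        { print }
    ' "$pamconf.kb4065.bak" > "$pamconf"
}

# Set adclient.autoedit.pam: false, replacing an existing (possibly commented)
# setting or appending one if the key is absent.
set_autoedit_pam_false() {
    conf=$1
    cp "$conf" "$conf.kb4065.bak"
    if grep -q '^[#[:space:]]*adclient\.autoedit\.pam[[:space:]]*:' "$conf.kb4065.bak"; then
        sed 's/^[#[:space:]]*adclient\.autoedit\.pam[[:space:]]*:.*/adclient.autoedit.pam: false/' \
            "$conf.kb4065.bak" > "$conf"
    else
        cat "$conf.kb4065.bak" > "$conf"
        echo 'adclient.autoedit.pam: false' >> "$conf"
    fi
}

# Succeeds only if no scx line still carries use_first_pass and the
# autoedit knob is off; use it as a post-change check.
verify_workaround() {
    if awk '$1 == "scx" && /use_first_pass/ { bad = 1 } END { exit bad ? 0 : 1 }' "$1"; then
        return 1
    fi
    grep -q '^adclient\.autoedit\.pam[[:space:]]*:[[:space:]]*false' "$2"
}

# Constructed sample files (not copied from a real host) so the script runs
# stand-alone. The scx stanza mirrors the post-adjoin state from the article;
# the sshd line shows a service whose use_first_pass must survive untouched.
WORK=$(mktemp -d)
PAMCONF="$WORK/pam.conf"
CDCCONF="$WORK/centrifydc.conf"
cat > "$PAMCONF" <<'EOF'
login  auth required  libpam_hpsec.so.1
login  auth required  libpam_unix.so.1
# The configuration of scx is generated by the scx installer
scx    auth required  libpam_hpsec.so.1
scx    auth required  libpam_unix.so.1 use_first_pass
scx    account required       libpam_hpsec.so.1
scx    account required       libpam_unix.so.1
# End of section generated by the scx installer.
sshd   auth required  libpam_unix.so.1 use_first_pass
EOF
cat > "$CDCCONF" <<'EOF'
# adclient.autoedit.pam: true
adclient.autoedit.nss: true
EOF

fix_scx_pam "$PAMCONF"
set_autoedit_pam_false "$CDCCONF"
verify_workaround "$PAMCONF" "$CDCCONF" && echo "KB-4065 workaround applied and verified under $WORK"
```

The awk filter matches on the service, type and module fields rather than on the string use_first_pass, so a later edit that reorders or reindents the scx stanza is still handled, and nothing outside the scx service is touched.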
 
Resolution:
 
This issue has been fixed in Suite 2015 (DirectControl 5.2.2). After upgrading, the workaround above is no longer needed and adclient.autoedit.pam can be returned to its default.
 
