KB-4065: scom local account with uid 0 gets locked out repeatedly

Authentication Service

2 March, 17 at 06:59 PM

Applies to:
All versions of Centrify DirectControl on HPUX platform
After installing Centrify DirectControl 5.1.2 and joining the host to AD, the local account "scomadm", which has uid=0 (root equivalent), gets locked after its first login. Unlocking the account does not help: it is locked again shortly afterwards.
Adding the local account to /etc/centrifydc/user.ignore had no effect.
The scomadm account does not exist in AD. All other local accounts work fine. The server runs stock sshd with UsePAM yes.
cimservera is also running, and Microsoft's SCOM agent (scx) is installed. The "HP WBEM Services for HP-UX and Linux System Administrator's Guide" describes the cimservera process.
Here is an excerpt:

cimservera (HP-UX only) - cimservera is a standalone process that provides the cimserver with PAM Authentication services.
During the install of scom, the following lines are added to /etc/pam.conf:
scx       auth required
scx       auth required try_first_pass
scx       account required
scx       account sufficient
scx       account required
Snippets from the debug log:
Dec 18 11:29:12 rueccbsb cimserver[22542]: Authentication failed for user=scomadm. 
Dec 18 11:29:14 rueccbsb cimservera[22934]: 2 authentication failures on account "scomadm" 
Dec 19 10:55:08 jucthd cimservera[6694]: 4563 authentication failures on account "scomadm"
Dec 19 10:55:08 jucthd cimservera[6753]: pam_authenticate: error Authentication failed
The root cause of the lockout is an authentication failure in the scx PAM stack.
When the host is joined, Centrify does not add its own PAM stack for the scx service, but it does rewrite the scx entries in /etc/pam.conf, replacing the installer's try_first_pass option with use_first_pass, as shown below:
# The configuration of scx is generated by the scx installer    
scx    auth required
scx    auth required use_first_pass
scx    account required
scx    account required
# End of section generated by the scx installer.
The lockout happens because an auth module given the use_first_pass option takes the password collected by the previous module in the same stack and never prompts the user itself. No earlier module in the scx stack supplies a password, so the module fails authentication every time cimservera calls it, and the repeated failures recorded above are what lock the scomadm account.
1) After performing adjoin, remove use_first_pass from the scx auth entries in /etc/pam.conf, as shown below:
scx    auth required
scx    auth required
scx    account required
scx    account required
2) By default, Centrify restores the modified /etc/pam.conf lines when adclient restarts, which would undo step 1.
To prevent this, set the following value in /etc/centrifydc/centrifydc.conf to false:
adclient.autoedit.pam: false
This stops adclient from modifying pam.conf on rejoin or restart.
Note: Revert the above changes when performing adleave.
This issue has been fixed in Suite 2015 (DirectControl 5.2.2).
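The following script is an added example for this article (not Centrify, HP or Microsoft code) that turns the root-cause reasoning and the two-step fix above into an offline check. It parses pam.conf in the HP-UX "service type control module options" layout, flags any auth entry carrying use_first_pass that has no earlier module in the same service stack able to supply a password, strips the option from the named service's auth lines (step 1), and verifies that adclient.autoedit.pam is set to false (step 2). The sample pam.conf and centrifydc.conf contents are constructed, and the module names in the sample (libpam_hpsec.so.1, libpam_unix.so.1, libpam_centrifydc.so.1) and the PASSWORD_SOURCES set are assumptions, since the article omits the module column.

```python
"""Audit /etc/pam.conf for use_first_pass entries that can never succeed and
apply the scx fix from the KB.  Added example; module names are assumed."""
import re
from dataclasses import dataclass, field


@dataclass
class PamEntry:
    service: str
    facility: str                 # auth, account, password, session
    control: str                  # required, sufficient, optional, requisite
    module: str                   # module path column
    options: list = field(default_factory=list)
    lineno: int = 0


def parse_pam_conf(text):
    """Parse HP-UX style pam.conf: <service> <type> <control> <module> [opts]."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                              # malformed line; skip it
        entries.append(PamEntry(fields[0], fields[1].lower(), fields[2].lower(),
                                fields[3], fields[4:], n))
    return entries


# Modules that prompt for a password and stash it for later modules.
# ASSUMED names for illustration; the KB does not show the module column.
PASSWORD_SOURCES = {"libpam_centrifydc.so.1", "libpam_unix.so.1"}


def audit_first_pass(entries, password_sources=PASSWORD_SOURCES):
    """Return (service, lineno, module) for every auth entry whose
    use_first_pass option has no earlier password-collecting module."""
    findings = []
    has_source = {}                               # service -> bool
    for e in entries:
        if e.facility != "auth":
            continue
        if "use_first_pass" in e.options and not has_source.get(e.service, False):
            findings.append((e.service, e.lineno, e.module))
        # A module using use_first_pass never prompts, so it is not a source.
        if e.module in password_sources and "use_first_pass" not in e.options:
            has_source[e.service] = True
    return findings


def remove_use_first_pass(text, service):
    """Step 1 of the KB: drop use_first_pass from <service>'s auth lines."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 4 and fields[0] == service and fields[1].lower() == "auth":
            fields = [f for f in fields if f != "use_first_pass"]
            raw = "    ".join(fields)
        out.append(raw)
    return "\n".join(out) + "\n"


def autoedit_pam_disabled(centrifydc_conf):
    """Step 2 of the KB: True only when adclient.autoedit.pam is false."""
    for raw in centrifydc_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"adclient\.autoedit\.pam\s*:\s*(\S+)", line)
        if m:
            return m.group(1).lower() == "false"
    return False                                  # absent: default applies


# Constructed sample: the scx section after adjoin as the KB shows it, plus an
# sshd stack where a Centrify module precedes use_first_pass (assumed names).
PAM_CONF_AFTER_ADJOIN = """\
# The configuration of scx is generated by the scx installer
scx    auth    required    libpam_hpsec.so.1
scx    auth    required    libpam_unix.so.1    use_first_pass
scx    account required    libpam_hpsec.so.1
scx    account required    libpam_unix.so.1
# End of section generated by the scx installer.
sshd   auth    required    libpam_hpsec.so.1
sshd   auth    sufficient  libpam_centrifydc.so.1
sshd   auth    required    libpam_unix.so.1    use_first_pass
"""

CENTRIFYDC_CONF = "adclient.autoedit.pam: true\n"   # constructed default

if __name__ == "__main__":
    for service, lineno, module in audit_first_pass(parse_pam_conf(PAM_CONF_AFTER_ADJOIN)):
        print(f"line {lineno}: {service} auth {module} has use_first_pass "
              "but no earlier module supplies a password")
    fixed = remove_use_first_pass(PAM_CONF_AFTER_ADJOIN, "scx")
    print("scx findings after fix:", audit_first_pass(parse_pam_conf(fixed)))
    print("adclient.autoedit.pam disabled:", autoedit_pam_disabled(CENTRIFYDC_CONF))
```

Only the scx line is reported: the sshd stack also uses use_first_pass, but there a password-collecting module runs first, which is exactly the difference the article describes between the scx stack and the stacks Centrify does manage. The same audit can be run over a real pam.conf by passing the file's contents to parse_pam_conf.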