Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4231: pam.allow.override is not working on AIX

Centrify DirectControl ,  

12 April,16 at 11:46 AM

Applies to: All versions of DirectControl on all AIX

Question:

On AIX, to allow a set of users to log in with their local accounts in case DirectControl agent disconnects, pam.allow.override setting in centrifydc.conf is configured. However, when user tries to login to the local account with username: user@localhost, ssh seems to be hanged and then timed out. The same configuration works with Linux.

Is this possible to make use of the pam.allow.override setting and log in local account with @localhost syntax on AIX?

Answer:

Unfortunately using username with suffix @localhost on AIX is not supported.

The problem lies within the LAMGetEntry call (which is for getting user information and extended attributes), which is similar to NSS call in Linux. (Note: AIX has no NSS) When sshd processes Deny/Allow directives, it will try to retrieve user information through LAMGetEntry().

However, this call does not support @localhost syntax - which it does not allow username to be renamed to an username without the @localhost suffix. (i.e. cannot stripe the @localhost suffix) The user’s LAMGetEntry call will then be ended up with a NOTFOUND result and the login attempt will be failed as we are not able to find the user or authenticate the user.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6041: How to show current license type in use by adclient? articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-3925: How to add Centrify parameter to a group policy articleKB-8434: Centrify Adbindproxy 5.3.0 will not work with Suite2017 on AIX and HPUX PA 11.31 articleKB-4019: "Specify printer list" group policy not working on OS X 10.9