
KB-4231: pam.allow.override is not working on AIX

Centrify DirectControl

12 April,16 at 11:46 AM

Applies to: All versions of DirectControl on all AIX

Question:

On AIX, the pam.allow.override setting in centrifydc.conf is configured to allow a set of users to log in with their local accounts in case the DirectControl agent disconnects. However, when a user tries to log in to the local account with the username user@localhost, ssh appears to hang and then times out. The same configuration works on Linux.

Is it possible to use the pam.allow.override setting and log in to a local account with the @localhost syntax on AIX?

Answer:

Unfortunately, using a username with the @localhost suffix on AIX is not supported.

The problem lies in the LAMGetEntry call, which retrieves user information and extended attributes and is similar to an NSS call on Linux. (Note: AIX has no NSS.) When sshd processes Deny/Allow directives, it tries to retrieve user information through LAMGetEntry().

However, this call does not support the @localhost syntax: it does not allow the username to be renamed to a username without the @localhost suffix (i.e. it cannot strip the @localhost suffix). The user's LAMGetEntry call therefore ends with a NOTFOUND result, and the login attempt fails because the user cannot be found or authenticated.
