Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4310: dzdo: hpsec: auth - illegal option use_first_pass

Authentication Service ,  

12 April,16 at 11:19 AM

Applies to:
 
All versions of Centrify DirectControl on HPUX 11.31
 
Question:
 
When using dzdo on HPUX 11.31, the following error is reported in syslog.
 
dzdo: hpsec: auth - illegal option use_first_pass 
 
From the HP man page 
 
use_first_pass It compares the password in the password database with the user's initial password
 (entered when the user authenticated to the first authentication module in the stack). If the passwords do not match, or if no password has been entered, quit and do not prompt the user for a password. This option should only be used if the authentication service is designated as optional in the pam.conf configuration file.
 
extract of /etc/pam.conf
 
dzdo      auth sufficient        /usr/lib/security/$ISA/libpam_centrifydc.so.1 get_first_pass
dzdo      auth required          /usr/lib/security/$ISA/libpam_centrifydc.so.1 deny requisite
dzdo      account sufficient     /usr/lib/security/$ISA/libpam_centrifydc.so.1
dzdo      account required       /usr/lib/security/$ISA/libpam_centrifydc.so.1 deny requisite
dzdo      password sufficient    /usr/lib/security/$ISA/libpam_centrifydc.so.1
dzdo      password required      /usr/lib/security/$ISA/libpam_centrifydc.so.1 deny requisite
dzdo     auth required  libpam_hpsec.so.1 use_first_pass
dzdo     auth required  libpam_unix.so.1 use_first_pass
dzdo     account required       libpam_hpsec.so.1
dzdo     account required       libpam_unix.so.1
dzdo     session required       libpam_hpsec.so.1
dzdo     session required       libpam_unix.so.1
dzdo     password required      libpam_hpsec.so.1 try_first_pass
dzdo     password required      libpam_unix.so.1 try_first_pass
 
Answer:
 
This is caused by the system change in HPUX 11.31 itself.
 
Workaround : customer should remove the 'use_first_pass' in the line of /etc/pam.conf as shown below
 
>dzdo     auth required  libpam_unix.so.1 use_first_pass
 
It's safe and ok to do this as this change will only affect the localuser which has the same
username as AD user and only when adclient has issues.
 
Centrify has fixed this issue in Suite 2015 (DirectControl 5.2.2)

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? article[TIPS] A Centrify Server Suite Cheat Sheet articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-4065: scom local account with uid 0 gets locked out repeatedly