Applies to:
All versions of Centrify DirectControl on HPUX 11.31
Question:
When using dzdo on HPUX 11.31, the following error is reported in syslog:
dzdo: hpsec: auth - illegal option use_first_pass
From the HP man page:
use_first_pass: It compares the password in the password database with the user's initial password (entered when the user authenticated to the first authentication module in the stack). If the passwords do not match, or if no password has been entered, quit and do not prompt the user for a password. This option should only be used if the authentication service is designated as optional in the pam.conf configuration file.
Extract of /etc/pam.conf:
dzdo auth sufficient /usr/lib/security/$ISA/libpam_centrifydc.so.1 get_first_pass
dzdo auth required /usr/lib/security/$ISA/libpam_centrifydc.so.1 deny requisite
dzdo account sufficient /usr/lib/security/$ISA/libpam_centrifydc.so.1
dzdo account required /usr/lib/security/$ISA/libpam_centrifydc.so.1 deny requisite
dzdo password sufficient /usr/lib/security/$ISA/libpam_centrifydc.so.1
dzdo password required /usr/lib/security/$ISA/libpam_centrifydc.so.1 deny requisite
dzdo auth required libpam_hpsec.so.1 use_first_pass
dzdo auth required libpam_unix.so.1 use_first_pass
dzdo account required libpam_hpsec.so.1
dzdo account required libpam_unix.so.1
dzdo session required libpam_hpsec.so.1
dzdo session required libpam_unix.so.1
dzdo password required libpam_hpsec.so.1 try_first_pass
dzdo password required libpam_unix.so.1 try_first_pass
Answer:
This is caused by a change in HPUX 11.31 itself.
Workaround: the customer should remove the 'use_first_pass' option from the following line of /etc/pam.conf:
>dzdo auth required libpam_unix.so.1 use_first_pass
It is safe to do this: the change only affects a local user that has the same username as an AD user, and only when adclient has issues (in the stack above the Centrify module is marked sufficient, so the libpam_hpsec and libpam_unix lines are only reached when it does not succeed).
Centrify has fixed this issue in Suite 2015 (DirectControl 5.2.2).
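The following script is an added example, not part of the Centrify article, showing how to apply the workaround in a controlled way: it works on a constructed copy of the pam.conf extract (a temporary file, assumed here instead of the real /etc/pam.conf), keeps a backup, strips 'use_first_pass' from exactly the "dzdo auth required libpam_unix.so.1" line, and then checks that the hpsec auth line and the try_first_pass password lines were left untouched. The function takes the service and module name as parameters, so the same edit can be applied to whichever line a KB article identifies.

```shell
#!/bin/sh
# Added example (not from the Centrify KB article): apply the dzdo workaround to a
# constructed copy of the pam.conf extract and verify it, without touching /etc/pam.conf.
# On a real system, point PAM_SAMPLE at /etc/pam.conf after reviewing the backup step.

PAM_SAMPLE=$(mktemp)              # constructed working copy, not the real file
trap 'rm -f "$PAM_SAMPLE" "$PAM_SAMPLE.bak" "$PAM_SAMPLE.new"' EXIT

# Quoted heredoc so that $ISA stays literal, exactly as it appears in pam.conf.
cat > "$PAM_SAMPLE" <<'EOF'
dzdo auth sufficient /usr/lib/security/$ISA/libpam_centrifydc.so.1 get_first_pass
dzdo auth required /usr/lib/security/$ISA/libpam_centrifydc.so.1 deny requisite
dzdo auth required libpam_hpsec.so.1 use_first_pass
dzdo auth required libpam_unix.so.1 use_first_pass
dzdo account required libpam_hpsec.so.1
dzdo account required libpam_unix.so.1
dzdo password required libpam_hpsec.so.1 try_first_pass
dzdo password required libpam_unix.so.1 try_first_pass
EOF

# remove_use_first_pass FILE SERVICE MODULE
# Strips the use_first_pass option from the "SERVICE auth required MODULE" line only;
# every other line (including the try_first_pass password lines) is left as is.
# A backup is kept as FILE.bak so the change can be reverted.
remove_use_first_pass() {
    file=$1 service=$2 module=$3
    cp "$file" "$file.bak" || return 1
    # '#' is used as the sed delimiter so a module given with its full path still works.
    sed "\\#^${service}[[:space:]][[:space:]]*auth[[:space:]][[:space:]]*required[[:space:]][[:space:]]*${module}[[:space:]]#{
s#[[:space:]][[:space:]]*use_first_pass\$##
s#[[:space:]][[:space:]]*use_first_pass[[:space:]]# #
}" "$file" > "$file.new" && mv "$file.new" "$file"
}

# count_use_first_pass FILE MODULE
# Number of "dzdo auth" lines for MODULE that still carry use_first_pass (0 once fixed).
count_use_first_pass() {
    grep -c "^dzdo[[:space:]][[:space:]]*auth.*${2}.*use_first_pass" "$1" || true
}

# Apply the workaround from the article to the libpam_unix.so.1 auth line.
remove_use_first_pass "$PAM_SAMPLE" dzdo libpam_unix.so.1

echo "dzdo auth lines after the change:"
grep '^dzdo[[:space:]]*auth' "$PAM_SAMPLE"
echo "libpam_unix.so.1 auth lines still using use_first_pass: $(count_use_first_pass "$PAM_SAMPLE" libpam_unix.so.1)"
```

Because the edit is anchored on the service name, the control flag, and the module name, an accidental match on the hpsec auth line or on the password lines (which use try_first_pass, a different option) cannot happen; comparing FILE.bak with the edited file before restarting anything is the usual final check.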