
KB-9105: Authentication fails on AIX 7.2 when unixname is longer than 8 characters

Centrify DirectControl

5 September,17 at 02:56 PM

Applies to:  All Versions of Centrify DirectControl on AIX 7.2


Problem:

After upgrading the OS to AIX 7.2, Active Directory users with a unixname longer than 8 characters are unable to authenticate to the machine.


Cause:

This occurs when the AIX system parameter 'v_max_logname' is set to its default of 9 characters.

To verify that setting, run the following from the command line:
 
# lsattr -El sys0 -a max_logname


The user and group name length limit parameter default value is 9 characters. For AIX 5.3 and later, you can increase the user and group name length limit from 9 characters to 256 characters. Because the user and group name length limit parameter includes the terminating NULL character, the actual valid name lengths are from 8 characters to 255 characters.

The user and group name length limit is specified with the v_max_logname system configuration parameter for the sys0 device. You can change or retrieve the v_max_logname parameter value from the kernel or ODM database. The parameter value in the kernel is the value the system uses while running. The parameter value in the ODM database is the value the system uses after the next restart.


You may see errors similar to the following in the Centrify debug logs:
 
Aug 28 13:47:32 server adclient[5112228]: DIAG <fd:27 PAMVerifyPassword > base.aduser Error: get creds: Preauthentication failed for user username123@acme.com (enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC)
Aug 28 13:47:32 server adclient[5112228]: DEBUG <fd:27 PAMVerifyPassword > base.osutil Module=Base : bad password (reference base/aduser.cpp:990 rc: 1030)
Aug 28 13:47:32 server adclient[5112228]: DIAG <fd:27 PAMVerifyPassword > daemon.ipcclient validate password caught exception: bad password
Aug 28 13:47:32 server adclient[5112228]: WARN <fd:27 PAMVerifyPassword > audit User 'username123' not authenticated: bad password
Aug 28 13:47:32 server adclient[5112228]: DEBUG <fd:27 PAMVerifyPassword > daemon.ipcclient Validate password against AD caught exception: bad password
Aug 28 13:47:32 server adclient[5112228]: DEBUG <fd:27 PAMVerifyPassword > daemon.ipcclient2 doPAMVerifyPassword: user 'username123' not OK: 1030 (Base)
Aug 28 13:47:32 server adclient[5112228]: DEBUG <fd:27 PAMVerifyPassword > daemon.ipcclient2 Invalid password
Aug 28 13:47:32 server adclient[5112228]: DEBUG <fd:27 PAMVerifyPassword > daemon.ipcclient2 request 'PAMVerifyPassword' complete
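
The check below is an added example, not Centrify or IBM code: it derives the longest usable name from lsattr output (the limit minus the terminating NULL) and lists users whose "bad password" audit failures involve a name longer than that. The function names, the sample lsattr line (assumed to use the usual attribute, value, description, user-settable columns) and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added triage example (not Centrify or IBM code). Sample data is constructed.

# Print the longest usable name length from `lsattr -El sys0 -a max_logname`
# output on stdin: the reported limit minus 1 for the terminating NULL.
max_name_len() {
    awk '$1 == "max_logname" && $2 ~ /^[0-9]+$/ { print $2 - 1; ok = 1 }
         END { exit !ok }'
}

# Read adclient log lines on stdin and print "user length" once for each
# audit "bad password" failure whose user name is longer than $1.
flag_long_names() {
    awk -v max="$1" '
        / audit User / && /not authenticated: bad password/ {
            n = split($0, part, "\047")      # part[2] is the quoted name
            if (n >= 3 && length(part[2]) > max && !seen[part[2]]++)
                print part[2], length(part[2])
        }'
}

sample_lsattr() {   # constructed: the default limit described above
    echo 'max_logname 9 Maximum login name length at boot time True'
}

sample_log() {      # constructed lines in the adclient format shown above
    cat <<'EOF'
Aug 28 13:47:32 server adclient[5112228]: WARN <fd:27 PAMVerifyPassword > audit User 'username123' not authenticated: bad password
Aug 28 13:47:32 server adclient[5112228]: DEBUG <fd:27 PAMVerifyPassword > daemon.ipcclient2 doPAMVerifyPassword: user 'username123' not OK: 1030 (Base)
Aug 28 13:52:10 server adclient[5112228]: WARN <fd:31 PAMVerifyPassword > audit User 'jdoe' not authenticated: bad password
Aug 28 13:55:41 server adclient[5112228]: WARN <fd:27 PAMVerifyPassword > audit User 'username123' not authenticated: bad password
EOF
}

limit=$(sample_lsattr | max_name_len)
echo "longest usable name: $limit characters"
sample_log | flag_long_names "$limit"
```

A flagged user points at the name length limit rather than a mistyped password; a short name such as 'jdoe' failing the same way is an ordinary bad password.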


Resolution:

On AIX systems, Unix usernames should be no longer than 8 characters, or the AIX system parameter 'max_logname' must be modified to allow a longer user name length limit.

Here is the command to check on the setting:
 
# lsattr -El sys0 -a max_logname

Here is the command to change the setting. Note that in this example, the limit for Unix user names is set to 64 characters.
 
# chdev -l sys0 -a max_logname='64'

The system must be rebooted after making this change because it is a kernel parameter.


Note:

This is not a Centrify issue, but a limitation of the OS.

(The below external links are provided as a courtesy only)

User and group name length limit
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.security/user_group_name_length.htm

Retrieving the user and group name length limit from the ODM database
https://www.ibm.com/support/knowledgecenter/ssw_aix_72/com.ibm.aix.security/retrieve_name_length_odm.htm

Retrieving the user and group name length limit from the kernel
https://www.ibm.com/support/knowledgecenter/ssw_aix_72/com.ibm.aix.security/retrieve_name_length_kernel.htm

Changing the user group and name length limit in the ODM database
https://www.ibm.com/support/knowledgecenter/ssw_aix_72/com.ibm.aix.security/change_user_group_name_limit.htm
