In the syslog you see an error similar to the following:
May 22 08:42:12 system login: [ID 53659 auth.info] pam_vas: Failed disconnected authentication attempt for Active Directory user:firstname.lastname@example.org service telnet, err = 3
If you turn on vasd debugging, you see a SIGALRM.
In certain scenarios, Authentication Services goes into perpetual disconnected mode. This is often related to the following conditions:
- The network connection to the Active Directory KDC is very slow
- There are a large number of Domain Controllers that are often used
- The user is in a large number of groups (the PAC is very large)
Remedy the above whenever possible. If that is not possible, you can increase some timeouts within Authentication Services as a workaround.
Edit your pam.conf file and consider the following:
On all systems:
Increase the IPC timeout value (default is 5 seconds)
vascache-ipc-timeout = 10
AIX uses a separate *helper* application that handles the authentication. This can time out, as the default is to wait 10 seconds for authentication to complete.
auth-helper-timeout = 20
Additional information regarding the above variables can be found in the vas.conf man page.
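To gauge how widespread the syslog message is before and after changing the timeouts, the following added example (not part of the original article or of the product) parses lines in the format shown at the top and groups the failures by host. The first sample line is the article's; the other sample lines, the function names, and the rule that two or more distinct failing users mark a host as suspect are assumptions of this example.

```python
import re

# Field layout taken from the single pam_vas line quoted in the article.
PAM_VAS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?"
    r"pam_vas: Failed disconnected authentication attempt for "
    r"Active Directory user:\s*(?P<user>\S+) service (?P<service>[^\s,]+), "
    r"err = (?P<err>-?\d+)"
)

# First line is the article's sample; the remaining lines are constructed.
SAMPLE_LOG = """\
May 22 08:42:12 system login: [ID 53659 auth.info] pam_vas: Failed disconnected authentication attempt for Active Directory user:firstname.lastname@example.org service telnet, err = 3
May 22 08:42:40 system sshd[2211]: [ID 800047 auth.info] Accepted publickey for root from 192.0.2.10 port 50122 ssh2
May 22 08:43:05 system login: [ID 53659 auth.info] pam_vas: Failed disconnected authentication attempt for Active Directory user:other.user@example.org service telnet, err = 3
May 22 08:44:31 system sshd[2307]: [ID 53659 auth.info] pam_vas: Failed disconnected authentication attempt for Active Directory user:firstname.lastname@example.org service sshd, err = 3
May 22 09:10:02 otherhost login: [ID 53659 auth.info] pam_vas: Failed disconnected authentication attempt for Active Directory user:third.user@example.org service telnet, err = 3
"""

def parse_failures(lines):
    """Yield a dict (ts, host, user, service, err) per matching syslog line."""
    for line in lines:
        match = PAM_VAS_RE.match(line)
        if match:
            yield match.groupdict()

def summarize_by_host(lines):
    """Per host: failure count, distinct users and services, first/last time."""
    hosts = {}
    for f in parse_failures(lines):
        entry = hosts.setdefault(f["host"], {
            "count": 0, "users": set(), "services": set(), "first": f["ts"]})
        entry["count"] += 1
        entry["users"].add(f["user"])
        entry["services"].add(f["service"])
        entry["last"] = f["ts"]  # syslog is appended in time order
    return hosts

def suspect_hosts(lines, min_users=2):
    """Heuristic (assumption of this example): several distinct users failing
    on one host suggests a host-wide condition, not one user's credentials."""
    summary = summarize_by_host(lines)
    return sorted(h for h, s in summary.items() if len(s["users"]) >= min_users)

if __name__ == "__main__":
    for host, s in summarize_by_host(SAMPLE_LOG.splitlines()).items():
        print(host, s["count"], sorted(s["users"]), s["first"], s["last"])
    print("suspect:", suspect_hosts(SAMPLE_LOG.splitlines()))
```

To use it on a real system, pass the lines of the syslog file that receives `auth.info` messages instead of `SAMPLE_LOG`.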