-
Title
FAILURE: 608 Pamnot configured for QAS. -
Description
Vastool status sometimes reports some services as being not configured for QAS. An example of the error might look like this. This is from a RHEL 5 machine.
FAILURE: 608 Pam <ekshell><auth> not configured for QAS.
-
Cause
vastool status is looking for a line that will allow authentication. In this exampe the 'ekshell' stack has been modified from the default and this line has been removed.
auth required pam_rhosts_auth.so
Without a valid auth line vastool status reports an error.
-
Resolution
RESOLUTION 1:
In most instances configuring a stack for QAS will resolve the issue. For example.
/opt/quest/bin/vastool configure pam ekshell
In this example this will fail because the auth line has been removed. The alternatives would be to restore the pam stack to its default configuration.
RESOLUTION 2:
Alternatively there may be a need to alter a stack to suit security requirements or other needs but will never require QAS for authentication. On virtual machines a good example would be 'vmware' . If the stack will not require QAS authentication and you wish to suppress the error you can place the service on the PAM_MASK section of the script.
Edit '/opt/quest/libexec/vas/scripts/vas_status.sh'
Locate the PAM_MASK= line in the script.
You will see there are several entries here already for services that do not require QAS configuration. The additional service can be added to suit your environment.
The above works for Linux style processing. For AIX systems:
Edit '/opt/quest/libexec/vas/scripts/vas_status.sh'
Modify the pam_conf() function. next to grep -v pam_seos, add another grep for the service the error is reporting on:
In this example I have added wbem.
| grep -v pam_seos | grep -v wbem | grep -v pam_prohibit |