Return
-
Title
"Operation not permitted" error when configuring PAM for smartcard -
Description
While attempting to configure MacOS for smartcard login the following error is encountered while trying to set up the pam_vas_smartcard module.$ sudo vastool smartcard configure pam loginError creating symlink /usr/lib/pam/pam_vas_smartcard.so -> /opt/quest/usr/lib/pam/pam_vas_smartcard.so: Operation not permittedERROR: Error linking pamvas_smartcard module to the system pam directory -
Cause
When running in rootless mode we don't have permission to create the symlink for our smartcard module and so we get this error. Rather than creating the symlink, we should use the full path in the PAM file like we do with pam_vas.
We have created ER 801976 for this issue.
-
Resolution
WORKAROUND
Graphical logins in MacOS don't normally use PAM, so it may not be necessary to configure this module at all.
If it is necessary, the following two lines could be added to the /etc/pam.d/login file before the pam_vas3.so lines:
auth sufficient /opt/quest/usr/lib/pam/pam_vas_smartcard.so try_first_passauth requisite /opt/quest/usr/lib/pam/pam_vas_smartcard.so echo_returnSTATUSIssue fixed in QAS 4.2.1. which is due for release in Aug 2019. The latest version of Authentication Services can be found here: -
Change Request
801976