By default no projects are applied for AD users.
This can be seen by running the "id" command after logging in:
bash-3.00# su user1
$ id -p
uid=1000(user1) gid=1001(group1) projid=1(user.root)
As we can see above, the project is set to "user.root" and not a user- or group-defined project.
This is due to the order of the "authentication" modules in PAM.
On a Solaris 10 host, QAS by default adds itself to the top of the PAM stack for all authentication methods. If the user is successfully authenticated by the pam_vas.so module, no lower modules are processed.
To allow the "projects" to be correctly assigned the "pam_unix_cred.so.1" module must be called.
Move the "pam_unix_cred.so.1" module above the pam_vas.so module. The following is an example of this change made to the "other" authentication method:
other auth required pam_unix_cred.so.1 use_first_pass
other auth sufficient /opt/quest/lib/security/$ISA/pam_vas3.so create_homedir get_nonvas_pass
other auth requisite /opt/quest/lib/security/$ISA/pam_vas3.so echo_return
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1 use_first_pass
You must now ensure that all users, including AD users, have a default project configured, or they will not be able to log in.
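To audit every service rather than only "other", the following added example (not part of the original article or of QAS) lists each auth stack in which a "sufficient" pam_vas line is reached before pam_unix_cred.so.1. The function names and the "login" sample stack are constructed for illustration; only the "other" lines come from the example above.

```shell
#!/bin/sh
# Added example: flag pam.conf auth stacks where a "sufficient" pam_vas module
# can end the stack before pam_unix_cred.so.1 has been called.
# On Solaris 10 run with AWK=nawk (or AWK=/usr/xpg4/bin/awk) and pass
# /etc/pam.conf as the argument; with no argument the function reads stdin.

check_pam_cred_order() {
    ${AWK:-awk} '
        # pam.conf fields: service  type  control-flag  module-path  [options]
        $1 ~ /^#/ || NF < 4 || $2 != "auth" { next }

        # Remember that this service has already called pam_unix_cred.
        $4 ~ /pam_unix_cred\.so/ { cred[$1] = 1 }

        # A sufficient pam_vas line with no earlier pam_unix_cred means a
        # successful AD login skips credential (project) setup.
        $4 ~ /pam_vas3?\.so/ && $3 == "sufficient" && !($1 in cred) && !($1 in bad) {
            bad[$1] = 1
            print $1 ": sufficient pam_vas before pam_unix_cred"
            rc = 1
        }

        END { exit rc + 0 }   # 1 if any service was flagged, otherwise 0
    ' "$@"
}

# Constructed sample: "login" is in the default order described above,
# "other" is the corrected order from the article.
sample_pam_conf() {
    cat <<'EOF'
# constructed sample, not taken from a real host
login auth sufficient /opt/quest/lib/security/$ISA/pam_vas3.so create_homedir get_nonvas_pass
login auth requisite pam_authtok_get.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1 use_first_pass
other auth required pam_unix_cred.so.1 use_first_pass
other auth sufficient /opt/quest/lib/security/$ISA/pam_vas3.so create_homedir get_nonvas_pass
other auth requisite /opt/quest/lib/security/$ISA/pam_vas3.so echo_return
other account required pam_unix_account.so.1
EOF
}

# Demo on the sample; only "login" is reported.
sample_pam_conf | check_pam_cred_order || echo "reorder the stacks listed above"
```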