After upgrading to the Solaris OS from 11.3 to 11.4 with a version of Authentication Services older than 18.104.22.16854 users can no longer log in.
Upgrading to Authentication Services 22.214.171.12454 post OS upgrade does not resolve.
The pam configuration file "/usr/lib/security/pam_authtok_common" is not used on Solaris 11.3 however it is on Solaris 11.4.
If this configuration file is in a state other than the default when upgrading the OS to version 11.4 with a previous version of Authentication Services installed it breaks authentication.
1) Upgrade Authentication Services on the system to a release that supports Solaris 11.4 (Authentication Services 126.96.36.19954 or newer) prior to upgrading the OS to 11.4.
2) clean up /usr/lib/security/pam_authtok_common so that it just has the comments and the following:
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1 force_check
3) Upgrade to 11.4.
4) Run "/opt/quest/bin/vastool configure pam" to upgrade the new added pam.d files
The supported version of Authentication Services 4.1.7 can be downloaded here:
Please note the following non Authentication Services related issues that were discovered when upgrading to Solaris 11.4 from Solaris 11.3:
1) Post upgrade the sysadmin group membership was wiped out which caused sudo errors.
- Mounted the 11.4 image from the working 11.3 image and fixed the file ( /mnt/etc/group ).
2) Newer sshd doesn't support dss keys, so if passwordless auth fails after upgrade add the following to /etc/ssh/sshd_config and restart the sshd daemon.