-
Title
Allow Active Directory accounts with UID conflicts to bypass pam checking -
Description
During a migration, it is sometimes necessary to allow users with the same UID to log into a Unix system without being denied by a "UID conflict" checking rule at PAM level.
-
Cause
Having two or more accounts locally and in Microsoft Active Directory sharing the UID is a "temporary" practice usually allowed during migration.However, when accounts sharing the same UID try to log in to a system running Authentication Services Software version 4.2.x and up, the following message may appear in the logs:pam_vas: Authentication <failed> for <Active Directory> user: test reason: <User has a UID conflict>The user that has the UID conflict is being denied by the PAM module, which is the correct behavior. -
Resolution
To allow the login of UID sharing accounts by means of disabling the UID conflict checking at PAM level, the following modification needs to be done in at least the following PAM configuration files:
/etc/pam.d/system-auth
/etc/pam.d/password-auth
From something like:
/etc/pam.d/password-auth:auth sufficient pam_vas3.so create_homedir get_nonvas_pass
to
/etc/pam.d/password-auth:auth sufficient pam_vas3.so create_homedir get_nonvas_pass no_uidconflict_check
This change does not need a system reboot, or Authentication Services reload as PAM changes are instantly applied.
Note: the change may need to be applied in other /etc/pam.d/ modules depending on the customer environment.
-
Additional Information
in case the same UID conflict checking override needs to be performed at the NSS level then please check KB article 53858 https://support.oneidentity.com/safeguard-authentication-services/kb/53858/uid-conflict-option-of-false-for-parameter-check-uid-conflicts