Steps for enabling vasd and pam debugging
1 - Enable vasd and pam debugging by running:
/opt/quest/bin/vastool configure vas vasd debug-level 5
2 - Add 'debug trace' to the end of the auth pam_vas module entries in /etc/pam.conf or /etc/pam.d/<service specific file>
For example:
sshd auth sufficient pam_vas3.so create_homedir get_tgt debug trace
OR
Edit the /etc/pam.d/system-auth file and add 'debug trace' as shown below on the pam_vas3.so module lines only.
For example:
auth required /lib/security/$ISA/pam_env.so
auth sufficient pam_vas3.so create_homedir debug trace
auth requisite pam_vas3.so echo_return
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account sufficient pam_vas3.so debug trace
account requisite pam_vas3.so echo_return
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password sufficient pam_vas3.so debug trace
password requisite pam_vas3.so echo_return
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required pam_vas3.so create_homedir debug trace
session requisite pam_vas3.so echo_return
session required /lib/security/$ISA/pam_unix.so
3 - Add an entry to the syslog config file (/etc/syslog.conf) to capture the debug output (separate the two fields with a tab).
*.debug	-/tmp/vas_debug.log
If rsyslog is being used, lines must also be added to /etc/rsyslog.conf to turn off rate limiting. After the line that includes '$ModLoad imuxsock', add:
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
At the bottom add this line.
*.debug -/tmp/vas_debug.log
4 - Create the log file.
# touch /tmp/vas_debug.log
5 - Enable PAM stack debugging (For AIX, Solaris and HP-UX only)
# touch /etc/pam_debug
6 - HUP the syslog daemon
# kill -HUP `ps -e | grep -i syslog | awk '{print $1}'`
7 - Redo the steps that had failed earlier and necessitated setting up debug.
8 - Review the /tmp/vas_debug.log file to ensure it contains data, then attach it to this service request by going to support.quest.com and logging in with your email address and password. Then go to Service Request | My Service Request, click on your SR and add the attachment. Please also send a note indicating the approximate time the problem was reproduced and the account or group name used.
To remove the debugging
1. Unconfigure vasd debugging
# vastool configure vas vasd debug-level
2. Remove the *.debug line that you added to the syslog.conf
Remove the 'debug trace' options that were added to the pam_vas3.so lines in the PAM files
3. Remove the pam_debug file
# rm /etc/pam_debug
4. Re-hup the syslog process
5. After you have reviewed the log file or sent it to support, it can be safely removed.
# rm /tmp/vas_debug.log
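A read-only check for the removal steps above, added here as an example and not part of the original article: it lists pam_vas3.so entries that still carry debug or trace, *.debug selectors that still write to vas_debug.log, and a leftover /etc/pam_debug or log file. The function names and the optional root-directory argument are assumptions; the vasd debug-level setting is not checked.

```shell
#!/bin/sh
# Added example (not from the original article): find debug settings from the
# procedure above that are still in place. Function names and the optional
# ROOT argument (a directory prefix, empty for the live system) are assumptions.

# Print uncommented pam_vas3.so entries that still carry "debug" or "trace".
pam_vas_debug_lines() {
    root=${1:-}
    for f in "$root/etc/pam.conf" "$root"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }
            /pam_vas3\.so/ {
                for (i = 1; i <= NF; i++)
                    if ($i == "debug" || $i == "trace") { print file ": " $0; next }
            }' "$f"
    done
}

# Print uncommented *.debug selectors that still write to vas_debug.log.
syslog_debug_lines() {
    root=${1:-}
    for f in "$root/etc/syslog.conf" "$root/etc/rsyslog.conf"; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }
            $1 == "*.debug" && $2 ~ /vas_debug\.log$/ { print file ": " $0 }' "$f"
    done
}

# Count all leftovers: PAM options, syslog lines, /etc/pam_debug, the log file.
vas_debug_leftovers() {
    root=${1:-}
    n=$( { pam_vas_debug_lines "$root"; syslog_debug_lines "$root"; } | wc -l )
    if [ -e "$root/etc/pam_debug" ]; then n=$((n + 1)); fi
    if [ -e "$root/tmp/vas_debug.log" ]; then n=$((n + 1)); fi
    echo "$((n))"
}

# Usage on the live system: pam_vas_debug_lines; syslog_debug_lines; vas_debug_leftovers
```

A result of 0 from vas_debug_leftovers means none of the checked items remain; any other value is the number of lines and files still to clean up.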