The Authentication Services PAM module uses the Kerberos protocol to authenticate users against Active Directory. The Kerberos protocol allows users to obtain a Ticket Granting Ticket (TGT) that can then be used to obtain other tickets to authenticate to services. Once the TGT has been obtained it can be used as a single sign-on mechanism that does not require users to repeatedly enter their password.
By default, when a user establishes a login session by means of a service configured to use the Authentication Services PAM module, the ticket is cached by default in the /tmp directory; the name of the cache file is krb5cc_<uid> where uid is the User ID (UID) of the account.
AIX does not support NSS in the same way that most other Unix versions do. On AIX there is no /etc/nsswitch.conf or support for NSS modules. AIX uses the Loadable Authentication Module (LAM) system to support name service lookups and authentication. As of AIX 5.3 all native binaries support PAM, but are configured for LAM by default. Authentication Services supports both a LAM module and a PAM module on AIX. Configuring the PAM module on AIX is the same as for any other platform. This section explains how to configure the LAM module.
When you join the domain, Authentication Services automatically configures the AIX system to use the Authentication Services LAM module for authentication as well as name service lookups. The modified files are /usr/lib/security/methods.cfg and /etc/security/user.
vastool can automatically update the AIX configuration files on your system.
To modify the AIX configuration
vastool configure irs
vastool unconfigure irs
Debug logging configuration depends on your platform and the subsystem you are troubleshooting. Some issues can span multiple subsystems.
To enable Authentication Services daemon debug output, set the debug-level setting in the [vasd] section of vas.conf. Unless instructed otherwise by Technical Support, the recommended level is 5 for investigating issues. (Refer to the vas.conf man page for details on debug log settings.)
vasd logs events to syslog using the DAEMON facility. vasd dynamically picks up the change for both enabling and disabling without requiring a restart.
Note: For both PAM and LAM, regardless of debug level, Authentication Services outputs a success or failure message to AUTH (AUTHPRIV on Linux or Mac OS X) a line similar to:
<syslog prefix>: pam_vas: Authentication <succeeded> for <Active Directory> user: <user1> account: <firstname.lastname@example.org> service: <sshd> reason: <N/A> Access Control Identifier(NT Name):<EXAMPLE1\user1>
The message indicates if the authentication was successful or failed, was disconnected, what type of account, if failed a general message as to why, what service if PAM, and the NT style name of the account used to authenticate against.
To enable PAM debug output, you must set the debug option for the Authentication Services PAM module in the pam.conf file. This consists of adding 'debug trace' to each pam_vas3 line in the appropriate file(s) for the system. (For more information, refer to the pam.conf man page for your platform.)
When you enable debug output, Authentication Services logs PAM output authentication events to syslog using the AUTH facility (AUTHPRIV on Mac OS X and Linux). Normally this does not require a restart of an application to start debugging.
Note: On HP-UX, Solaris, and AIX you can obtain additional PAM debug information by running touch /etc/pam_debug. This enables PAM library level debugging. To disable it, remove the "touched" file.
If you are using LAM for authentication on AIX, you can enable authentication debug output by running:
When you enable this debug option, Authentication Services logs LAM authentication events to /tmp/qas_module.log.
This includes debugging NSS on Linux, HP-UX, and SolarisSolaris and LAM identification on AIX. To enable full debugging of the Authentication Services identity library for the operating system, run the following:
This enables debug globally for the system. Disable it by removing the "touched" file. Enabling and disabling applies within 30 seconds.
You can also enable debugging for a single application to send output to stderr by defining the environment variable QAS_ID_DBG_STDERR. For example, in a Bourne shell, enter:
QAS_ID_DBG_STDERR=1 getent passwd
The output includes a line that lists input, result, and time spent in the call. Enable only this line by running
You can also use the environment variable, QAS_ID_CALL_STDERR to log the result line of the above debug.
This output is useful for profiling the volume/type of calls the Authentication Services identity interface is receiving.
Output is written to the /tmp/qas_module.log file for both options.
Note: The /tmp/qas_module.log file is world writable making it possible for any user to write output to it. Thus, One Identity recommends that you change the permissions once debug is disabled.
Authentication Services command line tools accept a -d parameter to indicate the level of debug output (1-5) you want to print to the console. To see more output, specify a higher value to the -d parameter. For example, to see extra diagnostic information when you join the domain, enter:
/opt/quest/bin/vastool -u administrator -d5 join example.com
Note: When you have debug enabled, it can affect performance.