1. Add "debug trace" at the end of "auth" pam_vas module entries in /etc/pam.conf or /etc/pam.d/<service specific file>
e.g. sshd auth sufficient pam_vas3.so create_homedir get_tgt debug trace
2. Add an entry to /etc/syslog.conf to capture the debug (use tab key below) - For RHEL6 and above see below.
*.debug -/tmp/vas_debug.log
If rsyslog is being used we will need to add lines to the /etc/rsyslog.conf to turn off rate limiting. After the line that includes;
'$ModLoad imuxsock'
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
At the bottom add this line.
*.debug -/tmp/vas_debug.log
3. Create the log file.
# touch /tmp/vas_debug.log
4. Enable PAM stack debugging (For AIX, Solaris and HP-UX only)
# touch /etc/pam_debug
4. Restart syslogd
# kill -HUP `ps -e | grep -i syslog | awk '{print $1}'`
5. Please log in as a VAS user you have been experiencing problems with (via ssh, for the example quoted above in step 1) to recreate the error.
To remove the debugging
1. Remove the *.debug line you added from your syslog.conf and restart each service again.
2. Remove the /etc/pam_debug file
# rm /etc/pam_debug
3. Remove the debug trace lines added to the PAM files
4. After you have reviewed or sent the log file to support. If can be safely removed.
# rm /tmp/vas_debug