HP-UX authenticating to Active Directory

ABC Unix
Frequent Advisor

Hi,

I'm setting up LDAP-based authentication for my HP-UX 11.11 environment and I have a question about the /etc/pam.conf file.

In all the documentation I've seen, the "Authentication Management" section looks similar to this:

login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth sufficient /usr/lib/security/libpam_krb5.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth sufficient /usr/lib/security/libpam_krb5.1
dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass
sshd auth sufficient /usr/lib/security/libpam_krb5.1
sshd auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth sufficient /usr/lib/security/libpam_krb5.1
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth sufficient /usr/lib/security/libpam_krb5.1
OTHER auth required /usr/lib/security/libpam_unix.1 try_first_pass

All the man pages and websites say to use the "try_first_pass" flag and NOT the "use_first_pass" flag.

However, when I use the "try_first_pass" and try to log in a user who exists both locally AND in Active Directory, the terminal always prompts the user for a "System Password" like this:

login as: rgroten
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
System Password:

No matter what password I enter, it always fails.

But when I use the "use_first_pass" flag on the otherwise identical file, this issue doesn't come up and the user is logged on normally.

Is it a problem that I'm using the "use_first_pass" flag instead of "try_first_pass"? The man pages explicitly state that you shouldn't use "use_first_pass" unless the auth section is designated as "optional". (By the way, setting the libpam_krb5.1 modules to optional results in the same "System Password:" problem as above.)

Also, if I change all the libpam_unix.1 entries in the auth section to "sufficient" instead of "required", then the "try_first_pass" flag works just fine.

Any insight is greatly appreciated.

Thanks,
Ryan
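To make the control-flag semantics behind this question concrete, here is an added simulation of the post's two-module auth stack. It is my own illustration, not code from the thread or from HP-UX's libpam: it models the Solaris/HP-UX-style stacking rules for required/sufficient/optional and the try_first_pass/use_first_pass options as documented in pam.conf(4), with constructed backend passwords (an AD password "ad-pw" and a different local password "local-pw" for rgroten) and the prompt strings seen in the session above. It shows when the second "System Password:" prompt is issued and what the final verdict is for each variant the post tried.

```python
from dataclasses import dataclass, field
@dataclass
class Module:
    flag: str           # required | sufficient | optional
    prompt: str         # text this module shows when it asks for a password itself
    accepted: dict      # constructed backend: user -> the password it accepts
    option: str = ""    # "", "try_first_pass" or "use_first_pass"

@dataclass
class Session:
    user: str
    typed: list         # constructed: passwords the user will type, in order
    prompts: list = field(default_factory=list)
    first_pass: str = None   # saved by the first module that prompted
    def ask(self, text):
        self.prompts.append(text)
        pw = self.typed.pop(0) if self.typed else ""
        if self.first_pass is None:
            self.first_pass = pw
        return pw

def authenticate(m, s):
    """One module's verdict, honouring the password-reuse option."""
    reuse_ok = s.first_pass is not None and m.accepted.get(s.user) == s.first_pass
    if m.option == "use_first_pass":   # never prompts; fails if nothing was saved
        return reuse_ok
    if m.option == "try_first_pass" and reuse_ok:
        return True                    # saved password worked, so no re-prompt
    return m.accepted.get(s.user) == s.ask(m.prompt)   # (re)prompt with own text

def run_stack(stack, s):
    """Solaris/HP-UX stacking: a required failure is remembered but the rest still runs; a passing sufficient ends early."""
    required_failed = last = False
    for m in stack:
        last = authenticate(m, s)
        if m.flag == "required" and not last:
            required_failed = True
        elif m.flag == "sufficient" and last and not required_failed:
            return True
    if required_failed:
        return False
    return True if any(m.flag == "required" for m in stack) else last

# Constructed backends: the AD (Kerberos) password and the local one differ for rgroten.
KRB, LOCAL = {"rgroten": "ad-pw"}, {"rgroten": "local-pw"}
def login(unix_flag, unix_opt, typed):
    """Run the post's krb5-sufficient + unix stack for rgroten; returns (ok, prompts issued)."""
    s = Session("rgroten", list(typed))
    stack = [Module("sufficient", "Password:", KRB),
             Module(unix_flag, "System Password:", LOCAL, unix_opt)]
    return run_stack(stack, s), s.prompts
```

In this model the second prompt appears only when libpam_krb5.1 rejects the first password and libpam_unix.1 (try_first_pass) also fails with it; with use_first_pass that same situation fails silently after one prompt, and two failing sufficient modules still deny the login.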