Legacy app on AIX needing to do a getpwnam call

Here is the info I was given from Quest/Dell technical support...

You will need to run this first:

/opt/quest/bin/vastool configure pam sys-auth

 [0] [sellswor@vasdev-aix61] [~/pamAuth]

$ wget https://urldefense.proofpoint.com/v2/url?u=ftp-3A__ftp.vintela.com_vas_support_pamAuth.tar.gz&d=CwICaQ&c=WUZzGzAb7_N4DvMsVhUlFrsw4WYzLoMP5bgx2U7ydPE&r=_C2GnzWgNljIdG5FaVHJX68Wo5_A9dKJ5Hvx7iu1BbE&m=zMLedkL5VqCcEZgDp1nH0zidQqh9OgPZ4J__iTxZEPY&s=8zNqrL55h13Zq3J1kUEVu40yNZOWemNg9yqChTP7cIM&e=

...

2016-04-12 14:07:30 (98.3 MB/s) - 'pamAuth.tar.gz' saved [1958]

 

[0] [sellswor@vasdev-aix61] [~/pamAuth]

$ tar xvzf pamAuth.tar.gz

Makefile

pamAuth.c

[0] [sellswor@vasdev-aix61] [~/pamAuth]

$ make

gcc -g -DAIX -o pamAuth pamAuth.c -lpam

[0] [sellswor@vasdev-aix61] [~/pamAuth]

$ ls

Makefile pamAuth pamAuth.c pamAuth.tar.gz

[0] [sellswor@vasdev-aix61] [~/pamAuth]

$ ./pamAuth

Usage: ./pamAuth <name> <password>.

[1] [sellswor@vasdev-aix61] [~/pamAuth]

$ ./pamAuth tu-6-1 Test1234

PAM_AUTH_SUCCES ( Good authentication )

[0] [sellswor@vasdev-aix61] [~/pamAuth]

 

It defaults to sys-auth as the name; they can call it whatever they want, they just need corresponding pam.conf entries.

 

The developer has done this but cannot get things to work.

Any ideas or help would be greatly appreciated.

 

Thanks,

Scott

  • Happy to help with this. Easiest would be for you to open a support case about it, and we could take it from there.

    If you would prefer to continue in here, let's start with some debug. Were the steps above followed? Did the sample application work? Actually, whether it did or didn't, were there any syslog messages (possibly in the auth/secure log instead of messages) when the attempt to authenticate was made?
  • In reply to seth ellsworth:

    Hey Seth,
    Well - I was hoping to be able to work this through the normal technical support SR route but I was directed to this community being told this was out of the scope of what technical support can help with - even though I got the code and steps from tech. support originally. The steps were followed. Please keep in mind I'm not the developer working on this on my side but I take his word on what he did. When we ran the vastool configure pam sys-auth I expected the pam.conf file to get updated with the necessary vas lines. This did not happen - should it have? I had the Unix sysadmin manually add the following...
    sys-auth account sufficient pam_vas3.so
    sys-auth account requisite pam_vas3.so echo_return
    sys-auth account required pam_aix
    The Dell/Quest test code resulted in...
    PAM_AUTH_ERR ( Bad authentication )

    The developer found very similar code from IBM. When he tried that he got...
    Application not configured properly in pam.conf file:Authentication failed

    Userauthentication: cj94571 NOTMYPASSWORD
    User's Authentication error.
  • In reply to scott.herforth:

    Sorry to hear they didn't allow the case, though I can see how on the surface it seems off point. I have asked to have that looked at again.

    That looks like it should work for account, but it would need an auth line and session as well.

    Try making it this:
    sys-auth auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass
    sys-auth auth requisite pam_vas3.so echo_return
    sys-auth auth required /usr/lib/security/pam_aix use_first_pass
    sys-auth account sufficient pam_vas3.so
    sys-auth account requisite pam_vas3.so echo_return
    sys-auth account required /usr/lib/security/pam_aix
    sys-auth password sufficient pam_vas3.so
    sys-auth password requisite pam_vas3.so echo_return
    sys-auth password required /usr/lib/security/pam_aix
    sys-auth session required pam_vas3.so create_homedir
    sys-auth session requisite pam_vas3.so echo_return
    sys-auth session required /usr/lib/security/pam_aix

    Yes, ran as root, /opt/quest/bin/vastool configure pam sys-auth should have generated the lines for you.
  • In reply to seth ellsworth:

    Seth - thanks a bunch! Adding in the auth and session lines did the trick. The test app now authenticates successfully. Thanks again.
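
The fix in this thread came down to a service in pam.conf having entries for only one module type. The script below is an added example, not code from the thread or from Quest/Dell: it lists which of the four module types used in the suggested configuration have no entry for a given service. The function name `pam_missing_types` and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the PAM module types that have
# no entry for a service in a pam.conf-style file.

# pam_missing_types SERVICE [FILE]   (hypothetical helper name)
# Prints the missing types on one line; exit status 0 if none are missing.
# Only entries naming SERVICE itself are counted.
pam_missing_types() {
    awk -v svc="$1" '
        /^[ \t]*#/ || NF < 4 { next }      # comments, blank or incomplete lines
        $1 == svc { seen[$2] = 1 }         # field 2 is the module type
        END {
            n = split("auth account password session", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { out = out sep want[i]; sep = " " }
            print out
            exit (out != "")
        }' "${2:-/etc/pam.conf}"
}

# Constructed sample files: the account-only entries first added in the
# thread, and the same service once auth/password/session lines exist.
demo_dir=${TMPDIR:-/tmp}/pamcheck.$$
mkdir -p "$demo_dir"
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/before.conf" <<'EOF'
# service  type  control  module
sys-auth account sufficient pam_vas3.so
sys-auth account requisite pam_vas3.so echo_return
sys-auth account required pam_aix
EOF
cat > "$demo_dir/after.conf" <<'EOF'
sys-auth auth sufficient pam_vas3.so create_homedir get_nonvas_pass try_first_pass
sys-auth auth required /usr/lib/security/pam_aix use_first_pass
sys-auth account sufficient pam_vas3.so
sys-auth account required /usr/lib/security/pam_aix
sys-auth password sufficient pam_vas3.so
sys-auth session required pam_vas3.so create_homedir
EOF

echo "before: missing [$(pam_missing_types sys-auth "$demo_dir/before.conf")]"
echo "after:  missing [$(pam_missing_types sys-auth "$demo_dir/after.conf")]"
```

Which module types an application actually needs depends on the PAM calls it makes, so treat the output as a list of gaps to review rather than a pass/fail verdict.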