Identity Manager Fan-Out Driver Pam configuration with Solaris 10

  • 3194055
  • 16-Nov-2007
  • 26-Apr-2012


Novell Identity Manager Driver - Linux and UNIX - Fan Out


On Solaris 10, user memory is corrupted when an Oracle database tries to load. This happens whenever the "oracle" users logs in and the fan-out driver Pam lines are entered in PAM.CONF file. This prevents anyone from accessing the Oracle database.


Re-order the lines in the PAM.CONF file so that the
other auth required
is listed first
followed by the fan-out driver line
other auth sufficient stats
The following is from the pam_unix_cred man page for solaris 10 and explains more about the pam_unix_cred
The pam_unix_cred module implements pam_sm_setcred(3PAM). It provides functions that establish user credential information. It is a module separate from the pam_unix_auth(5) module to allow replacement of the authentication functionality independently from the credential functionality.
The pam_unix_cred module must always be stacked along with whatever authentication module is used to ensure correct credential setting.
Authentication service modules must implement bothpam_sm_authenticate()andpam_sm_setcred().

PAM authentication modules should support certain call outs, including pam_sm_authenticate and pam_sm_setcred.

The Fan-out authenticatin module supports both. All the Fan-out pam_sm_setcred does is log "I got here" when it's in debug mode. There is nothing relevant to what we do that needs to be done in pam_sm_setcred.

Kerberos flavored pam modules might set up the kerberos tickets in pam_sm_setcred.

Sun made separate modules for pam_sm_authenticate and pam_sm_setcred. They call pam_sm_setcred from
pam_unix_cred. They put some proprietary code that supports"solaris projects" into their
pam_sm_setcred. If a customer uses "solaris projects" they need to re-order the lines in the pam.conf file.