Identity Manager Fan-Out Driver PAM configuration with Solaris 10

  • 3194055
  • 16-Nov-2007
  • 26-Apr-2012

Environment

Novell Identity Manager Driver - Linux and UNIX - Fan Out

Situation

On Solaris 10, user memory is corrupted when an Oracle database tries to load. This happens whenever the "oracle" user logs in and the fan-out driver PAM lines are entered in the pam.conf file. This prevents anyone from accessing the Oracle database.

Resolution

Re-order the lines in the pam.conf file so that the line

    other auth required pam_unix_cred.so.1

is listed first, followed by the fan-out driver line

    other auth sufficient pam_ascauth.so.1 stats

The following is from the pam_unix_cred man page for Solaris 10 and explains more about pam_unix_cred:
-----------------------------------------------------------------
The pam_unix_cred module implements pam_sm_setcred(3PAM). It provides functions that establish user credential information. It is a module separate from the pam_unix_auth(5) module to allow replacement of the authentication functionality independently from the credential functionality.
The pam_unix_cred module must always be stacked along with whatever authentication module is used to ensure correct credential setting.
Authentication service modules must implement both pam_sm_authenticate() and pam_sm_setcred().
-----------------------------------------------------------------

PAM authentication modules should support certain call outs, including pam_sm_authenticate and pam_sm_setcred.

The Fan-out authentication module supports both. All the Fan-out pam_sm_setcred does is log "I got here" when it's in debug mode. There is nothing relevant to what we do that needs to be done in pam_sm_setcred.

Kerberos-flavored PAM modules might set up the Kerberos tickets in pam_sm_setcred.

Sun made separate modules for pam_sm_authenticate and pam_sm_setcred. They call pam_sm_setcred from pam_unix_cred. They put some proprietary code that supports "Solaris projects" into their pam_sm_setcred. If a customer uses "Solaris projects" they need to re-order the lines in the pam.conf file.
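
A check for the ordering given in the Resolution, added here as an example and not part of the original article or Novell's code: it parses a pam.conf-style file and flags any service whose auth stack lists pam_ascauth.so.1 before pam_unix_cred.so.1, or omits pam_unix_cred.so.1. The function name check_pam_order and the AWK variable are made up for this example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: lint the auth stack order in a pam.conf-style file.
# Usage: check_pam_order [FILE]   (reads stdin when FILE is omitted)
# Prints one finding per service and returns 1 if any service lists
# pam_ascauth.so.1 ahead of pam_unix_cred.so.1, or lacks pam_unix_cred.so.1.
# Assumption: a POSIX awk; on Solaris 10 that is nawk or /usr/xpg4/bin/awk,
# selected here through the AWK variable.
check_pam_order() {
    ${AWK:-awk} '
        NF < 4 || $1 ~ /^#/ { next }        # blank, short or comment line
        $2 != "auth"        { next }        # only the auth stack matters here
        {
            svc = $1
            n = split($4, part, "/")        # module may be given with a path
            mod = part[n]
            # remember the first line on which each module appears
            if (mod == "pam_unix_cred.so.1" && !(svc in cred)) cred[svc] = NR
            if (mod == "pam_ascauth.so.1"   && !(svc in asc))  asc[svc]  = NR
        }
        END {
            for (svc in asc) {
                if (!(svc in cred)) {
                    printf "%s: pam_unix_cred.so.1 missing from auth stack\n", svc
                    bad = 1
                } else if (cred[svc] > asc[svc]) {
                    printf "%s: pam_ascauth.so.1 (line %d) precedes pam_unix_cred.so.1 (line %d)\n", svc, asc[svc], cred[svc]
                    bad = 1
                }
            }
            exit bad + 0
        }
    ' "${1:--}"
}

# Constructed sample input: fan-out line ahead of pam_unix_cred, i.e. the
# ordering the Resolution tells you to change.
check_pam_order <<'EOF' || echo "re-order needed"
# service  module_type  control_flag  module_path  options
other auth sufficient pam_ascauth.so.1 stats
other auth required pam_unix_cred.so.1
EOF
```

Run it against a copy of /etc/pam.conf before and after the edit; a clean file produces no output and a zero exit status.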