How to troubleshoot PAM on Solaris with the IDM Fanout driver

  • 3440991
  • 06-Dec-2007
  • 26-Apr-2012

Environment

Novell Identity Manager 3.5.1
Novell Identity Manager - Password Synchronization
Novell Identity Manager Driver - Core Fan Out
Novell Identity Manager Driver - Linux and UNIX - Fan Out

Situation

What information can be gathered to determine the causes of problems with PAM on Solaris and how it is interacting with the Fan-out driver?

Resolution

To gather information, please follow the steps listed below:
1. To turn debugging on for PAM, please do the following:
First make a copy of the pam.conf file located in the /etc directory. This will be a backup.
Then edit the /etc/pam.conf file by finding the lines you added to the file and adding the word 'debug' to the end of each line. Make sure there is a space before the word debug. The word debug should also be lowercase. Adding the word debug causes the PAM module to write debugging records to syslog.
The lines you added to the file for the fanout driver should look something like the following fragment from the sample pam.conf file that is provided with Platform Services for Solaris:
login auth sufficient /usr/lib/security/pam_ascauth.so.1 stats
login auth required /usr/lib/security/pam_unix.so.1 try_first_pass
other auth sufficient /usr/lib/security/pam_ascauth.so.1 stats
other auth required pam_unix_auth.so.1 try_first_pass
The syslog should now record debugging entries for the pam.conf lines you edited. Normally this file is in the /var/adm/messages directory. The file is normally set up for log rotation, so the file will be called syslog with a numeric extension.
The syslog.conf file in the /etc directory can be edited to set the level of debugging.
2. To determine the version of Solaris that you are running, run the following at a command prompt: uname -a
3. To turn on tracing in the asamplat.conf file, first make a backup copy of the file located at the following location: ASAM/data/asamplat.conf
Then add the following line to the file.
TRACEFILE FilePath
FilePath specifies the location in the file system where debugging output is written.
For information about troubleshooting, see the applicable administration guide.
Example:
TRACEFILE \asam\debug.txt
4. Get a copy of the audit and operational files from the date that the problem happened. These files are located in the asam\data\coredriver\logs directory on the server running the core driver. They have a format of audit 2007-06-27.txt. There will also be a smaller file of the same name with a .ndx extension. The .ndx file does not need to be sent in with the txt file.
If you are getting a copy of the log from the current day, please wait 15-20 minutes after the problem happens before copying off the files in order to give the system time to write all the information to the file.
5. Provide version information by going into iManager, Fanout Utilities, component status and getting the build versions from the Core Driver, Platforms and Provisioning Status.
So in summary, to gather the information for your own troubleshooting or for Novell Support, please obtain the following information.
- A copy of the pam.conf file
- Debug output for the pam.conf entries from the syslog
- Version of Solaris from the uname -a command
- A copy of the asamplat.conf file
- Tracing output from the file specified in the asamplat.conf file
- Copies of the audit and operational logs from the day the problem happened
- Names of the users who are having the problem. Both the eDirectory name and the Solaris user name (if different).
- Versions of the Core Driver and Platform receiver.
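
Step 1 (back up pam.conf, then append 'debug' to the Fan-out lines) can be scripted so the edit is repeatable and the backup is never overwritten. The script below is an added example, not Novell's code: the function names are hypothetical, the module name pam_ascauth is taken from the fragment in step 1, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not Novell's code. Function names are hypothetical; the
# module name pam_ascauth is taken from the pam.conf fragment in step 1.
AWK=${AWK:-awk}    # on Solaris use nawk or /usr/xpg4/bin/awk (needs -v)

# enable_pam_debug FILE [MODULE]
# Keeps a one-time backup in FILE.bak, appends " debug" to each non-comment
# line that references MODULE and lacks the option, prints the change count.
enable_pam_debug() {
    conf=$1
    module=${2:-pam_ascauth}
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    [ -f "$conf.bak" ] || cp -p "$conf" "$conf.bak" || return 1
    tmp="$conf.new.$$"
    cp -p "$conf" "$tmp" || return 1      # temp file inherits owner and mode
    count=$("$AWK" -v mod="$module" '
        /^[ \t]*#/ || index($0, mod) == 0 { print; next }  # comment or other module
        {
            for (i = 1; i <= NF; i++)
                if ($i == "debug") { print; next }          # already enabled
            sub(/[ \t]+$/, "")                              # trim before appending
            print $0 " debug"
            changed++
        }
        END { print changed + 0 > "/dev/stderr" }
    ' "$conf" 2>&1 >"$tmp") || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$conf" || return 1         # replace in one step, never half-written
    echo "$count"
}

# Constructed sample: lines modelled on the fragment, plus a commented-out
# entry and an entry that already carries the debug option.
make_sample_conf() {
    cat > "$1" <<'EOF'
# login auth sufficient /usr/lib/security/pam_ascauth.so.1 stats
login auth sufficient /usr/lib/security/pam_ascauth.so.1 stats
login auth required /usr/lib/security/pam_unix.so.1 try_first_pass
other auth sufficient /usr/lib/security/pam_ascauth.so.1 stats debug
other auth required pam_unix_auth.so.1 try_first_pass
EOF
}
```

Running it a second time changes nothing and leaves the original pam.conf.bak in place, so the backup can be copied back once the logs have been collected.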