Error 'Populate 3004-703 Check "/etc/security/login.cfg" file. ' using Fan-out driver to AIX

  • 7004892
  • 19-Nov-2009
  • 26-Apr-2012

Environment

Novell Identity Manager 3.6.1
Novell Identity Manager Driver - Linux and UNIX - Fan Out

Situation

Error 'Populate 3004-703 Check "/etc/security/login.cfg" file. ' when using the fan-out driver to provision a new user to an AIX computer where Novell Privileged User Manager (NPUM) is also installed. The problem occurs when assigning the user the NPUM crush "shell" as the default shell.

The login.cfg does not show anything unusual. The login.cfg file had shells for NPUM added. However, the same error occurs when using the login.cfg that was in use before NPUM was installed.

The same user can be provisioned to an HP-UX computer or a Red Hat Enterprise Linux (RHEL) computer using the same POSIX attributes, including the assigned crush shell.

Resolution

First narrow down the problem:

The error is displayed in the Fan-out driver logs and in the "Review Platform Errors" plug-in. Look in the syslog on your AIX system for the error and other useful information (the command that was issued, return code, system messages, etc.). It may be necessary to configure syslog on the AIX system, as AIX does not start the syslogd process by default. Refer to the AIX documentation or web resources for how to configure /etc/syslog.conf, and use the "refresh -s syslogd" command to start syslog on AIX.

How to fix the issue:

Assuming the syslog shows an error and the path to the shell being assigned to the user differs from the path to the shell configured in login.cfg, the following steps may resolve the issue. When this issue was seen previously, the attempted mkuser command on AIX gave a return code of -22, which prevented the mkuser command from succeeding.

Check the shell that is defined for the user when the user is added to the system. Even though NPUM will set up symbolic links for both /bin/crush and /usr/bin/crush on AIX, assigning /bin/crush will not work because login.cfg does not include this as a valid shell. The NPUM modified login.cfg includes the /usr/bin/crush in a default install.

To resolve the issue, change the shell assigned to the user to the same path for the crush shell as defined in login.cfg. In the case described above, this would be /usr/bin/crush. This shell should also work for HP-UX and RHEL systems.
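The following script is an added example, not part of the original article or of any Novell tooling. It checks a shell path against the "shells" list in the usw stanza of a login.cfg file before the path is assigned to a user. The function names and the sample file are constructed for illustration, and the script assumes the shells list sits on a single line.

```shell
#!/bin/sh
# Added example: check a shell path against the "shells" list in the usw
# stanza of an AIX login.cfg. Assumes the list sits on a single line.

# Print one valid shell per line from the login.cfg file given as $1.
list_valid_shells() {
    awk '
        /^\*/ { next }                                          # comment line
        /^[^ \t].*:[ \t]*$/ { in_usw = ($0 ~ /^usw:/); next }   # stanza header
        in_usw && /^[ \t]*shells[ \t]*=/ {
            sub(/^[^=]*=/, "")        # drop the attribute name and "="
            gsub(/[ \t]/, "")         # shell paths contain no blanks
            n = split($0, s, ",")
            for (i = 1; i <= n; i++) if (s[i] != "") print s[i]
        }
    ' "$1"
}

# Return 0 if shell path $1 is listed in login.cfg file $2, else 1.
shell_is_valid() {
    list_valid_shells "$2" | grep -Fxq -- "$1"
}

# Write a constructed sample login.cfg (not taken from a real system) to $1.
write_sample_login_cfg() {
    cat > "$1" <<'EOF'
* constructed sample for illustration
default:
        sak_enabled = false

usw:
        shells = /bin/sh,/bin/ksh,/usr/bin/sh,/usr/bin/ksh,/usr/bin/crush
        maxlogins = 32767
EOF
}

cfg="${TMPDIR:-/tmp}/login.cfg.sample.$$"
write_sample_login_cfg "$cfg"
for candidate in /bin/crush /usr/bin/crush; do
    if shell_is_valid "$candidate" "$cfg"; then
        echo "$candidate: listed in usw shells"
    else
        echo "$candidate: NOT listed in usw shells"
    fi
done
rm -f "$cfg"
```

On the AIX host itself, call `shell_is_valid` with the shell path the driver is configured to assign and `/etc/security/login.cfg` as the second argument.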

ADDITIONAL INFORMATION

The crush shell is a "shell" that is part of Novell Privileged User Manager (NPUM). Technically, it is a client that invokes the rush shell that is part of NPUM and allows logging of the entire session running under rush. Specifying the default shell as /bin/crush works differently on AIX than on HP-UX and RHEL. Crush is a symbolic link.

Here are the symbolic links NPUM defines on the systems in question:

AIX

/usr/bin/crush -> /usr/bin/rush

/bin/crush -> /usr/bin/rush

HP-UX

/usr/bin/crush -> /usr/bin/rush

/bin/crush -> /usr/bin/rush

RHEL

/usr/bin/crush -> /usr/bin/rush

/bin/crush - No such file or directory

A difference between AIX and HP-UX or RHEL is that on AIX you have to add the NPUM shells to login.cfg. This is a likely cause of the issue.