LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
TIP: Enable LDAP logging only long enough to collect the data you need because logging can
significantly reduce performance and generate large log files.
You may want to move the existing log file and start with an empty file:
mv /var/adm/syslog/local0.log /var/adm/syslog/local0.log.save
Restart the syslog daemon with the following command: (Refer to syslogd(1M) for details.)
kill -HUP `cat /var/run/syslog.pid`
6.19.2 Enabling and disabling PAM logging
When something is behaving incorrectly, enabling logging is one way to examine the events that
occur to determine where the problem is. Complete the following steps to enable PAM logging on
a particular client. Refer to pam(1), pam.conf(4), and Managing Systems and Workgroups for
more information about PAM.
1. Add the debug option to each line in /etc/pam.conf that contains libpam_krb5.so.1.
For example:
login account sufficient /usr/lib/security/libpam_krb5.so.1 debug
login account required /usr/lib/security/libpam_unix.so.1
su account sufficient /usr/lib/security/libpam_krb5.so.1 debug
su account required /usr/lib/security/libpam_unix.so.1
...
WARNING! Enabling the debug option in pam.conf might allow hackers to gain additional
information that would enable them to crack password security. For example, they could
attempt to log in as a super user (su) and discover that a password has expired (observing
the super user's behavior, the hackers could determine when he or she is likely to log in next).
2. Edit the file /etc/syslog.conf and add a new line at the bottom similar to the following:
*.debug <tab>/var/adm/syslog/debug.log
3. Restart the syslog daemon with the following command. (Refer to syslogd(1M) for details.)
kill -HUP `cat /var/run/syslog.pid`
4. Once logging is enabled, run the HP-UX commands or applications that exhibit the problem.
5. Restore the file /etc/syslog.conf to its previous state to stop logging.
6. Restart the syslog daemon with the following command: (Refer to syslogd(1M) for details.)
kill -HUP `cat /var/run/syslog.pid`
7. Remove the debug options from /etc/pam.conf.
8. Examine the log file at /var/adm/syslog/debug.log to see what actions were performed
and if any are unexpected. Look for lines containing PAM.
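The check below is an added example, not part of the HP guide: it confirms that steps 5 and 7 were actually carried out, since the warning above applies for as long as the debug option and the *.debug line remain in place. The function names and the constructed sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: confirm PAM debug logging was switched off after troubleshooting.

# Print pam.conf entries that load libpam_krb5.so.1 with the debug option.
# pam.conf fields: service, module type, control flag, module path, options...
pam_debug_lines() {
    awk '
        /^[ \t]*#/ { next }                          # ignore commented-out entries
        $4 ~ /libpam_krb5\.so\.1$/ {
            for (i = 5; i <= NF; i++)
                if ($i == "debug") { print "pam.conf line " NR ": " $0; break }
        }' "$1"
}

# Print syslog.conf entries whose selector list contains *.debug.
syslog_debug_lines() {
    awk '
        /^[ \t]*#/ { next }
        {
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++)
                if (sel[i] == "*.debug") { print "syslog.conf line " NR ": " $0; break }
        }' "$1"
}

# Return 0 when neither file enables debug logging, 1 otherwise (findings on stdout).
# Defaults are the files named in the procedure; pass copies to test safely.
audit_pam_debug() {
    findings=$(pam_debug_lines "${1:-/etc/pam.conf}"
               syslog_debug_lines "${2:-/etc/syslog.conf}")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample files (not from a real host): steps 5 and 7 were skipped.
demo=${TMPDIR:-/tmp}/pamdebug.$$
mkdir "$demo"
printf '%s\n' \
    'login account sufficient /usr/lib/security/libpam_krb5.so.1 debug' \
    'login account required /usr/lib/security/libpam_unix.so.1' \
    '#su account sufficient /usr/lib/security/libpam_krb5.so.1 debug' > "$demo/pam.conf"
printf '*.debug\t/var/adm/syslog/debug.log\n' > "$demo/syslog.conf"
audit_pam_debug "$demo/pam.conf" "$demo/syslog.conf" || echo "debug logging is still enabled"
rm -rf "$demo"
```

Run on a client, audit_pam_debug with no arguments reads /etc/pam.conf and /etc/syslog.conf and exits non-zero while any debug setting is left.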