LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
IMPORTANT: Before modifying your pam.conf file, make a backup of the original pam.conf
file, the one that includes the simplified authentication model, so that you can fall back to it if
your modified file causes problems. For example, you might inadvertently enter an invalid library
name or erase a library name, which makes login impossible for everyone. If no one is logged
in with root permissions at that point, the errors cannot be fixed from a running session. With a backup
file, you can recover by rebooting the OS into single-user mode and restoring the original pam.conf
from the backup.
After making changes to pam.conf, test login from some other console or window while keeping
your current root session open. If you can log in as root and as a test user, you can assume your
changes are valid. If you cannot, repair the problem from the session you kept open or restore the
pam.conf backup copy.
IMPORTANT: HP recommends that the PAM_KERBEROS module be listed prior to the PAM_UNIX
library and be marked as sufficient so that if PAM_KERBEROS authentication fails, the PAM_UNIX
module is next and the user with access privileges for the local system can still log in. This allows
the privileged user to access the system to fix problems and reboot the system, if necessary.
However, if the PAM_KERBEROS library (or any other libraries prior to PAM_UNIX) is inadvertently
removed from the location specified by its module_path, and the pam.conf file is not revised
accordingly, then PAM returns an error and that privileged user is unable to access the local system.
The sample files provided in this appendix reflect the recommendation to keep the root user (or
someone with access privileges for the local system) in the local /etc/passwd on each client
machine, allowing for local account management of the root user. This is an important step toward
guaranteeing local access to the system in case the network is down.
IMPORTANT: Never remove a product that is defined as a service module object library in a
pam.conf file until you have first removed use of that library from the file.
To create the /etc/pam.conf example file on an HP-UX 11i v2 (or later) system, follow these
steps (see also Section 2.4.5.3 (page 46)).
1. Copy the /etc/pam.krb5 file to the /etc/pam.conf file.
2. For Trusted Mode only (see the sample file in Section C.2 (page 152)), edit the /etc/pam.conf
file and change the control flag for the libpam_krb5.so.1 entries to "required" in the
session management section.
For security policy enforcement, configure the PAM_AUTHZ library as shown in Section C.3
(page 154).
3. Add the try_first_pass option to the libpam_unix.so.1 entry in the password
management section; this prevents prompting for "old password" twice when a local user
changes his password or logs in with an expired password.
4.
For more information about PAM and the pam.conf file, see the pam(3) and pam.conf(4)
manpages, and the Managing Systems and Workgroups: A Guide for HP-UX System Administrators
document at the following location:
http://www.hp.com/go/hpux-core-docs (click HP-UX 11i v2)
NOTE: In the following sample pam.conf files, significant configuration changes are highlighted
in bold print.
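The steps above, together with the auth stacking that Section C.1 describes, carried through as a worked example. This script is added here and is not part of the HP guide or the LDAP-UX product: it builds pam.conf from a constructed pam.krb5 template, then checks the result for the two conditions the IMPORTANT notes warn about, a module_path that no longer resolves and an auth stack with no PAM_UNIX fallback after the sufficient PAM_KERBEROS entry. The scratch directory $WORK, its lib/security subdirectory, the trimmed template (login service only), the control flags in the template and the function names are assumptions made for the example; the real files are /etc/pam.krb5 and /etc/pam.conf.

```shell
#!/bin/sh
# Added example, not from the HP guide: build pam.conf from a pam.krb5 template
# following the steps in this appendix, then check the result for the two
# lockout conditions the notes warn about. Everything happens under $WORK, a
# scratch directory (assumption: on a real HP-UX 11i v2 host the files are
# /etc/pam.krb5 and /etc/pam.conf, and the modules live under /usr/lib/security).
WORK=${WORK:-$(mktemp -d)}
LIBDIR="$WORK/lib/security"
mkdir -p "$LIBDIR"

# Constructed stand-in for /etc/pam.krb5, trimmed to the login service.
# pam.conf syntax: service  module_type  control_flag  module_path  [options]
cat > "$WORK/pam.krb5" <<'EOF'
login   auth      required    libpam_hpsec.so.1
login   auth      sufficient  libpam_krb5.so.1
login   auth      required    libpam_unix.so.1   try_first_pass
login   account   required    libpam_hpsec.so.1
login   account   sufficient  libpam_krb5.so.1
login   account   required    libpam_unix.so.1
login   session   required    libpam_hpsec.so.1
login   session   optional    libpam_krb5.so.1
login   session   required    libpam_unix.so.1
login   password  required    libpam_hpsec.so.1
login   password  sufficient  libpam_krb5.so.1
login   password  required    libpam_unix.so.1
EOF

# Empty files standing in for the installed service module libraries.
for lib in libpam_hpsec.so.1 libpam_krb5.so.1 libpam_unix.so.1; do
    : > "$LIBDIR/$lib"
done

# Steps 1 to 3: copy the template to pam.conf, make libpam_krb5.so.1 "required"
# in the session section (Trusted Mode), and add try_first_pass to the
# libpam_unix.so.1 password entry. An existing pam.conf is backed up first.
build_pam_conf() {
    [ -f "$1/pam.conf" ] && cp "$1/pam.conf" "$1/pam.conf.orig"
    awk '
        $2 == "session"  && $4 == "libpam_krb5.so.1" { $3 = "required" }
        $2 == "password" && $4 == "libpam_unix.so.1" && $0 !~ /try_first_pass/ {
            $0 = $0 "   try_first_pass"
        }
        { print }
    ' "$1/pam.krb5" > "$1/pam.conf"
}

# Check 1: every module_path must resolve (relative names are looked up under
# $2). A dangling entry is the case in which PAM returns an error and even the
# local root account can no longer log in.
check_modules() {
    awk -v libdir="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        {
            path = $4
            if (substr(path, 1, 1) != "/") path = libdir "/" path
            if (system("test -r " path) != 0) {
                bad++
                print "missing module " $4 " for " $1 " " $2
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Check 2: for every service whose auth stack marks libpam_krb5.so.1 sufficient,
# libpam_unix.so.1 must be listed after it, so that a locally defined user such
# as root can still log in when Kerberos authentication fails.
check_fallback() {
    awk '
        /^[ \t]*#/ || NF < 4 || $2 != "auth" { next }
        $4 == "libpam_krb5.so.1" && $3 == "sufficient" { krb[$1] = NR }
        $4 == "libpam_unix.so.1"                       { loc[$1] = NR }
        END {
            for (s in krb)
                if (!(s in loc) || loc[s] < krb[s]) {
                    bad++
                    print "no local fallback after Kerberos in auth stack for " s
                }
            exit (bad > 0)
        }
    ' "$1"
}

build_pam_conf "$WORK"
if check_modules "$WORK/pam.conf" "$LIBDIR" && check_fallback "$WORK/pam.conf"; then
    echo "pam.conf passes both checks"
fi

# Reproduce the warned-about mistake: the Kerberos library is removed while
# pam.conf still names it. On a real host this is the point at which you boot
# single-user and restore the backup; here the library is simply put back.
rm -f "$LIBDIR/libpam_krb5.so.1"
check_modules "$WORK/pam.conf" "$LIBDIR" || echo "dangling module_path: local login would fail"
: > "$LIBDIR/libpam_krb5.so.1"
```

Run it as is to see both checks pass and the simulated lockout fail. To check a real pam.conf before you test login from another window, call check_modules /etc/pam.conf followed by the directory that holds your libpam_*.so.1 modules, and check_fallback /etc/pam.conf, from the root session you keep open.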
C.1 Sample PAM configuration file typical for integration with Windows
This section includes a sample PAM configuration file typical for integration with Windows ADS.
In the following sample pam.conf file, in the case of authentication (auth) management, each
stacked service is authenticated first by the PAM_HPSEC module, then by the PAM_KERBEROS
module, and finally by the PAM_UNIX module. Because Kerberos authentication is designated as
sufficient, if its authentication succeeds, then PAM returns success status. The PAM_UNIX
module is invoked only if the PAM_KERBEROS authentication fails. The try_first_pass option
used as an option for PAM_UNIX causes PAM to test the password that the user entered for the
preceding module of the stack (in this case, PAM_KERBEROS); if it does not match the database
150 Sample PAM configuration (pam.conf) files for Windows ADS