Environment
Novell Open Enterprise Server
(Linux based) Support Pack 2
Situation
Running Open Enterprise Server
Linux with the latest Support pack and patches available from the
OES update channel various errors are encountered backing up,
restoring and running tests with TSATEST which may include the
following:
- Unable to login with the root account using TSATEST although ADMIN is working fine. FFFDFFD7 login denied errors are seen.
- Insufficient privileges errors seen in TSA debug log file when attempting restore / backup jobs.
- Unable to restore to Reiser and NSS volumes with the same restore job. Doing separate restores for each file system type is required.
Resolution
Looking at a TSA debug log file
we can see that the errors are related to PAM authentication. The
TSAFS PAM configuration file in the /etc/pam.d directory is
configured as follows:
#%PAM-1.0
#uncomment to enable eDirectory authentication using NAM
auth sufficient /lib/security/pam_nam.so
#uncomment to enable eDirectory account management using NAM
account sufficient /lib/security/pam_nam.so try_first_pass
#uncomment to enable eDirectory session management using NAM
session sufficient /lib/security/pam_nam.so
#use unix authentication
auth required pam_unix_auth.so try_first_pass nullok
#use unix account management module for account
account required pam_unix_acct.so try_first_pass
#use unix session management module for account
session required pam_unix_session.so try_first_pass
We are concerned only about the second part in the file after the "#use unix authentication" line. The PAM configuration file for TSAFS needs to be modified to have TSAFS use the pam_unix2.so library. The TSAFS file should be changed as follows:
#use unix authentication
auth required pam_unix2.so try_first_pass nullok
#use unix account management module for account
account required pam_unix2.so try_first_pass
#use unix session management module for account
session required pam_unix2.so try_first_pass
After updating the file there is no need to restart the server. The changes are in effect immediately. It may however be necessary to reload TSAFS by issuing the following commands:
#%PAM-1.0
#uncomment to enable eDirectory authentication using NAM
auth sufficient /lib/security/pam_nam.so
#uncomment to enable eDirectory account management using NAM
account sufficient /lib/security/pam_nam.so try_first_pass
#uncomment to enable eDirectory session management using NAM
session sufficient /lib/security/pam_nam.so
#use unix authentication
auth required pam_unix_auth.so try_first_pass nullok
#use unix account management module for account
account required pam_unix_acct.so try_first_pass
#use unix session management module for account
session required pam_unix_session.so try_first_pass
We are concerned only about the second part in the file after the "#use unix authentication" line. The PAM configuration file for TSAFS needs to be modified to have TSAFS use the pam_unix2.so library. The TSAFS file should be changed as follows:
#use unix authentication
auth required pam_unix2.so try_first_pass nullok
#use unix account management module for account
account required pam_unix2.so try_first_pass
#use unix session management module for account
session required pam_unix2.so try_first_pass
After updating the file there is no need to restart the server. The changes are in effect immediately. It may however be necessary to reload TSAFS by issuing the following commands:
/opt/novell/sms/bin/smsconfig -u
tsafs
/opt/novell/sms/bin/smsconfig -l tsafs
Also see KB 3728366
regarding authentication problems with SMDR / TSATEST on Novell
Open Enterprise Server Linux related to Novell Linux User
Management module (LUM). /opt/novell/sms/bin/smsconfig -l tsafs