Generate a PAM Debug Log for AD Bridge

You can set the level of reporting in the PAM debug log for the AD Bridge authentication service on a Linux or Unix computer. PAM stands for pluggable authentication modules.

The log levels are:

  • disabled
  • error
  • warning
  • info
  • verbose

The logged data is sent to your system's syslog message repository for security and authentication. The location of the repository varies by operating system.

Here are the typical locations for a few platforms:

  • Ubuntu: /var/log/auth.log
  • Red Hat: /var/log/secure
  • Solaris: Check the syslog.conf file or rsyslog.conf file

The following procedure demonstrates how to change the value of the PAM key's LogLevel entry with the config command-line utility.

  1. Use the details option to list the values that the PAMLogLevel setting accepts:
/opt/pbis/bin/config --details PAMLogLevel
Name: PAMLogLevel
Description: Configure PAM lsass logging detail level
Type: string
Current Value: "disabled"
Acceptable Value: "disabled"
Acceptable Value: "error"
Acceptable Value: "warning"
Acceptable Value: "info"
Acceptable Value: "verbose"
Current Value is determined by local policy.
  1. As root change the setting to error so that AD Bridge will log PAM errors:
/opt/pbis/bin/config PAMLogLevel error
  1. Confirm that the change took effect:
/opt/pbis/bin/config --show PAMLogLevel
local policy

For more information on the arguments of config, run the following command:

/opt/pbis/bin/config --help