Pluggable Authentication Modules (PAM)

For instructions on how to generate a PAM debug log, see Generate a PAM Debug Log for AD Bridge.

PAM Configuration Changes on an Upgrade

The following configuration changes occur automatically during an AD Bridge upgrade.

At the start of the AD Bridge upgrade, if the machine is joined to a domain, both the PAM and nsswitch modules are unconfigured. This keeps the upgrade safe: if it fails part way through, PAM and NSS are not left pointing at a half-installed lsass, and local accounts can still log in to the machine.

Commands to unconfigure modules:

/opt/pbis/bin/domainjoin-cli configure --disable pam
/opt/pbis/bin/domainjoin-cli configure --disable nsswitch

Toward the end of the AD Bridge upgrade, if the machine is joined to a domain, both the PAM and nsswitch modules are configured again to restore functionality.

Commands to configure modules:

/opt/pbis/bin/domainjoin-cli configure --enable pam
/opt/pbis/bin/domainjoin-cli configure --enable nsswitch

Troubleshoot PAM Error

Warning: Unknown PAM configuration

The PAM module cannot be configured for the <MODULE> service. Either this service is unprotected (does not require a valid password for access), or it is using a PAM module that this program is unfamiliar with. Please email technical support and include a copy of /etc/pam.conf or /etc/pam.d.

Cause

During the PAM configuration phase of the domain join, AD Bridge finds a PAM module it does not recognize in one of the service files. If the error is resumable, the unrecognized module is not in a critical area of the configuration and the join continues, but the lsass module is not added to that file. Leaving the file untouched can still cause problems on later upgrades, when the same file is reconfigured again.

Resolution

There are a few ways to address this issue:

  • Remove the unknown module from the affected PAM file, run the domain join, then re-add the module. Because the module is present again afterwards, the same warning can recur on later upgrades.
  • Use --ignore-pam and add the lsass module to your PAM files manually. We do not recommend this unless you have a strong understanding of PAM, because a misplaced or mis-ordered entry can lock out logins.
  • Remove the need for the unknown module from PAM entirely.
  • Submit a request for the module to be supported by AD Bridge.
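Whichever route you take, and after any upgrade that disables and re-enables the modules, it is worth checking which PAM service files actually reference the lsass module and which ones carry modules the join tool may not recognize. The script below is an added example written for this page, not AD Bridge code: it parses pam.d-style files (and, with an offset, pam.conf-style lines), reports whether pam_lsass.so is present, and lists modules outside a caller-supplied allowlist. The sample files, the allowlist and the module name pam_examplevendor.so are constructed for illustration; pam_lsass.so as the AD Bridge PAM module file name is an assumption.

```shell
#!/bin/sh
# Added example, not AD Bridge code: audit PAM service files for the lsass module
# and for modules outside a caller-supplied allowlist. The sample files, the
# allowlist and pam_examplevendor.so are constructed; pam_lsass.so is assumed to
# be the AD Bridge PAM module file name.

# pam_modules FILE [OFF]: print the module file name (basename) of every active
# line in FILE, one per line. OFF=0 for /etc/pam.d/<service> lines
# (type control module ...), OFF=1 for /etc/pam.conf lines (service type control
# module ...). Bracketed controls such as "[success=1 default=ignore]" are skipped.
pam_modules() {
    awk -v off="${2:-0}" '
        /^[[:space:]]*#/ { next }           # comment line
        NF == 0          { next }           # blank line
        {
            i = 2 + off                     # index of the control field
            if ($i ~ /^\[/) {               # bracketed control: advance to the field ending in ]
                while (i <= NF && $i !~ /\]$/) i++
            }
            mod = $(i + 1)
            sub(/.*\//, "", mod)            # drop any directory prefix
            if (mod != "") print mod
        }' "$1"
}

# has_lsass FILE [OFF]: succeed (exit 0) if FILE references pam_lsass.so.
has_lsass() {
    pam_modules "$1" "${2:-0}" | grep -qx 'pam_lsass.so'
}

# unknown_modules FILE "ALLOWLIST" [OFF]: print each module in FILE that is not in
# the space-separated ALLOWLIST, once per module.
unknown_modules() {
    allow=" $2 "
    pam_modules "$1" "${3:-0}" | sort -u | while read -r m; do
        case "$allow" in
            *" $m "*) ;;
            *) printf '%s\n' "$m" ;;
        esac
    done
}

# make_samples: write constructed pam.d- and pam.conf-style files into a temp
# directory and print its path (test input only, not copied from a real host).
make_samples() {
    d=$(mktemp -d) || return 1
    cat > "$d/sshd" <<'EOF'
# constructed: a service AD Bridge has already configured
auth     sufficient                  /lib/security/pam_lsass.so
auth     required                    pam_unix.so try_first_pass
account  [success=1 default=ignore]  pam_lsass.so
account  required                    pam_unix.so
session  optional                    pam_lsass.so
EOF
    cat > "$d/kiosk" <<'EOF'
# constructed: a service using a module the join tool may not recognise
auth     required  pam_examplevendor.so
account  required  pam_unix.so
EOF
    cat > "$d/pam.conf" <<'EOF'
# constructed: pam.conf layout has a leading service column
login    auth     required  pam_unix.so
login    account  required  pam_lsass.so
EOF
    printf '%s\n' "$d"
}

# Usage on a real host with the pam.d layout:
#   for f in /etc/pam.d/*; do has_lsass "$f" || echo "no pam_lsass.so in $f"; done
#   unknown_modules /etc/pam.d/sshd "pam_unix.so pam_lsass.so pam_env.so"
```

Run the first usage line after an upgrade to confirm the re-enable step reached every service file, and the second on a file named in the "Unknown PAM configuration" warning to see exactly which module tripped it. The allowlist is yours to define; the script does not know which modules AD Bridge recognizes.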

Dismiss the Network Credentials Required Message

After dismissing the screen saver on a GNOME desktop running the GNOME Display Manager (GDM), you might see a pop-up notification saying that network authentication is required or that network credentials are required. You can ignore the notification. The GDM process that tracks the expiration time of a Kerberos TGT might not notice the new expiration time after AD Bridge refreshes the ticket, so it warns about a ticket that is still valid.