User authentication fails when a user tries to log in to the VCS Java Console.
The problem is also seen if the user tries to log in with the "halogin" command from the command line. For example,
# halogin vcsuser1
Enter Password: xxxxxx
Domain Name [localhost]:localhost
Domain Type [unixpwd]:unixpwd
VCS ERROR V-16-1-53022 Broker (localhost) unable to authenticate user (vcsuser1) : error = (14)
VCS ERROR V-16-1-11332 Invalid credentials, unable to create halogin session
The following error is logged in /var/VRTSvcs/log/vcsauthserver.log:
Dec 06 11:21:32 2013:50826,18,0,4035,24,debug,AT,8: (4035|24) ############################################
Dec 06 11:21:32 2013:50826,18,0,4035,24,debug,AT,8: (4035|24) New thread spawned to handle the client request.
Dec 06 11:21:32 2013:50826,18,0,4035,24,debug,AT,8: (4035|24) PAM auth failed for vcsuser1; (9; Authentication failed)
Dec 06 11:21:32 2013:50826,18,0,4035,24,debug,AT,8: (4035|24) Authentication failed for [vcsuser1]: invalid password.
Dec 06 11:21:32 2013:50826,18,0,4035,24,debug,AT,8: (4035|24) retrieved [xxxxxxxxxxxxx], computed [yyyyyyyyyyyyyy]
Dec 06 11:21:32 2013:50826,18,0,4035,24,debug,AT,8: (4035|24) UserName invalid for user vcsuser1 in authnis.cpp(188)
Dec 06 11:21:32 2013:50826,18,0,4035,24,debug,AT,8: (4035|24) AuthNisPlus::generateServerContext cannot authenticate user vcsuser1, domain
Dec 06 11:21:32 2013:50826,18,0,4035,24,debug,AT,8: (4035|24) Finished handling client request.Thread exiting.
Dec 06 11:21:32 2013:50826,18,0,4035,24,debug,AT,8: (4035|24) ############################################
The problem is caused by the Etrack incident listed in the Supplemental Material section. VCS up to version 6.0.4 doesn't support the MD5 password encryption algorithm on Solaris.
The supported password encryption algorithms on Solaris are listed in /etc/security/crypt.conf.
# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "@(#)crypt.conf 1.2 08/05/14 SMI"
#
# The algorithm name __unix__ is reserved.
1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1
5 crypt_sha256.so.1
6 crypt_sha512.so.1
In the following /etc/security/policy.conf file, the default __unix__ password encryption algorithm is deprecated, which forces Solaris to use the MD5 algorithm (1 crypt_bsdmd5.so.1):
# egrep -v '^$|^#' /etc/security/policy.conf
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6 <<< Solaris will use crypt_bsdmd5.so.1 by default
CRYPT_ALGORITHMS_DEPRECATE=__unix__ <<< since __unix__ is deprecated
CRYPT_DEFAULT=1
The encrypted passwords generated by the two algorithms can be distinguished by their length. For example,
# cat /etc/shadow
....
admin:xOAFZaRx7RduI:16106:::::: <<< encrypted password generated by __unix__ algorithm
admin1:$1$Xzrmf1zB$FU/89QMJmGH.vB64U4HyB/:16107:::::: <<< encrypted password generated by crypt_bsdmd5 algorithm
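Besides length, the identifier between the leading $ signs of a shadow entry matches the first column of crypt.conf. The following POSIX sh sketch is an added example, not Veritas code: it classifies entries that way and lists accounts holding an identifier-1 (crypt_bsdmd5) hash; the function names and sample data are constructed for illustration.

```shell
# Added example (not Veritas code): list accounts whose shadow hash uses
# crypt.conf identifier 1 (crypt_bsdmd5), the case this article describes.
# Map one shadow password field to its /etc/security/crypt.conf identifier.
crypt_id() {
    case "$1" in
        '$1$'*)            echo 1 ;;      # crypt_bsdmd5.so.1
        '$2a$'*)           echo 2a ;;     # crypt_bsdbf.so.1
        '$md5$'*|'$md5,'*) echo md5 ;;    # crypt_sunmd5.so.1
        '$5$'*)            echo 5 ;;      # crypt_sha256.so.1
        '$6$'*)            echo 6 ;;      # crypt_sha512.so.1
        ''|NP|'*LK*'*)     echo none ;;   # no password set, or locked
        *) if [ "${#1}" -eq 13 ]; then echo __unix__; else echo unknown; fi ;;
    esac
}

# Print the login names in shadow-format file $1 that carry an identifier-1 hash.
affected_accounts() {
    while IFS=: read -r user hash rest; do
        if [ "$(crypt_id "$hash")" = 1 ]; then echo "$user"; fi
    done < "$1"
}

# Print the CRYPT_DEFAULT value from policy.conf-format file $1.
crypt_default() { sed -n 's/^CRYPT_DEFAULT=//p' "$1"; }

# Constructed sample data: hash bodies are placeholders, not real hashes.
write_samples() {
    cat > "$1/shadow" <<'EOF'
admin:abcdefghijklm:16106::::::
admin1:$1$SALTSALT$PLACEHOLDERPLACEHOLDER:16107::::::
vcsuser1:$1$SALTSALT$PLACEHOLDERPLACEHOLDER:16107::::::
oper:$5$SALTSALT$PLACEHOLDER:16107::::::
daemon:NP:6445::::::
EOF
    cat > "$1/policy.conf" <<'EOF'
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=1
EOF
}

demo() {
    dir=$(mktemp -d) && write_samples "$dir"
    echo "CRYPT_DEFAULT=$(crypt_default "$dir/policy.conf")"
    affected_accounts "$dir/shadow"; rm -rf "$dir"
}
demo
```

On a live system, run affected_accounts against /etc/shadow as root; the names it prints are the accounts whose passwords have to be recreated once the default algorithm is changed.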
A fix for this issue is included with Storage Foundation HA 6.0.5. Visit Veritas SORT to download this patch.
A temporary workaround is to use a password encryption algorithm other than MD5, e.g. SHA256, SHA512 or __unix__, until VCS patch 6.0.5 is applied. After the password encryption algorithm is changed, the user passwords need to be recreated by the root user. A password can be recreated by first deleting it using "passwd -d" and then setting a new temporary password using "passwd name_of_user". Please check the file /etc/security/crypt.conf for a list of supported encryption algorithms.
Applies To
VCS running in secure mode on Solaris platform.