IBM Support

AIX AUTH Troubleshooting: "Illegal User" message

How To


Summary

How to troubleshoot an "Illegal User" error

Objective

In this example, a local user reported a login failure. The specific error message was not reported by the user. The administrator confirmed the following:

  • The local user has a valid entry in /etc/passwd
  • The password is valid
  • The user account is not locked

Steps

1) Collect syslog information from the "auth" facility.
# vi /etc/syslog.conf
Add the following line:
auth.info /var/log/messages
# touch /var/log/messages
# stopsrc -s syslogd
# startsrc -s syslogd
2) Attempt the user login.

3) Examine the errors in /var/log/messages
For example,
auth|security:err|error sshd[1234567]: error: PAM: Authentication failed for illegal user userA from xxx.xxx.xxx.xxx
The "illegal user" message comes from a Pluggable Authentication Module (PAM).
4) Examine the user configuration.
# lsuser -a SYSTEM userA

userA SYSTEM=CENTRIFYDC OR CENTRIFYDC[NOTFOUND] AND (compat)
5) Check the authentication grammar for 'SYSTEM' in /etc/security/user.
# vi /etc/security/user
See:
default:
 SYSTEM = "CENTRIFYDC OR CENTRIFYDC[NOTFOUND] AND (compat)"
userA:
 admin = false
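In this example, the user has a local account, but the 'userA' stanza has no SYSTEM attribute of its own, so the user inherits the 'default' stanza, where CentrifyDC is the first PAM authentication method.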

Temporary Resolution:
6) Add the SYSTEM attribute for userA for local user testing:
# vi /etc/security/user
userA:
Add:
   SYSTEM = compat
Recommended Action:
7) Resolve the user issue with CentrifyDC (or other third-party PAM authentication product), then remove the 'SYSTEM' attribute from the 'userA' stanza in /etc/security/user so that the user is authenticated through the expected PAM.
8) Disable the syslog information from the "auth" facility when it is no longer required.
# vi /etc/syslog.conf
Comment out the following line (use '#'):
# auth.info /var/log/messages
# stopsrc -s syslogd
# startsrc -s syslogd
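
The checks in steps 3 through 6 can be scripted when more than one account is affected. The following is an added example, not part of the original IBM document: the function names, the sample host name, and the sample log lines are constructed, and the stanza text is taken from step 5.

```shell
#!/bin/sh
# Constructed sample data: log lines in the step 3 format (addresses from the
# 192.0.2.0/24 documentation range) and the step 5 stanzas from /etc/security/user.
SAMPLE_LOG='Apr 14 10:01:02 aixhost auth|security:err|error sshd[1234567]: error: PAM: Authentication failed for illegal user userA from 192.0.2.10
Apr 14 10:01:09 aixhost auth|security:err|error sshd[1234570]: error: PAM: Authentication failed for illegal user userA from 192.0.2.10
Apr 14 10:02:30 aixhost auth|security:info sshd[1234580]: Accepted password for userB from 192.0.2.11 port 50022'
USER_BEFORE='default:
 SYSTEM = "CENTRIFYDC OR CENTRIFYDC[NOTFOUND] AND (compat)"
userA:
 admin = false'
# Step 6 workaround: userA is the last stanza, so the appended line lands in it.
USER_AFTER="$USER_BEFORE
 SYSTEM = compat"

# illegal_users: read auth log lines on stdin, print each rejected account once.
illegal_users() {
    awk '/Authentication failed for illegal user/ {
        for (i = 1; i + 2 <= NF; i++)
            if ($i == "illegal" && $(i + 1) == "user" && !seen[$(i + 2)]++)
                print $(i + 2)
    }'
}

# effective_system USER: read a security/user stanza file on stdin and print
# "<stanza>:<SYSTEM value>", preferring the user stanza over "default".
effective_system() {
    awk -v user="$1" '
        /^[ \t]*$/ || /^[ \t]*\*/ { next }     # blank lines and "*" comments
        /^[^ \t]+:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        /^[ \t]+SYSTEM[ \t]*=/ {
            val = $0
            sub(/^[ \t]+SYSTEM[ \t]*=[ \t]*/, "", val)
            gsub(/"/, "", val); sub(/[ \t]+$/, "", val)
            if (stanza == user) own = val
            else if (stanza == "default") dflt = val
        }
        END { if (own != "") print user ":" own; else print "default:" dflt }'
}

# Report the effective SYSTEM grammar for every account the log marked illegal.
printf '%s\n' "$SAMPLE_LOG" | illegal_users | while read -r u; do
    printf '%s before step 6: %s\n' "$u" "$(printf '%s\n' "$USER_BEFORE" | effective_system "$u")"
    printf '%s after step 6:  %s\n' "$u" "$(printf '%s\n' "$USER_AFTER" | effective_system "$u")"
done
```

On a live system, feed the functions the real files, for example `illegal_users < /var/log/messages` and `effective_system userA < /etc/security/user`. The `lsuser -a SYSTEM userA` command from step 4 remains the authoritative check.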

Additional Information

SUPPORT
AIX support teams do not use or support CentrifyDC, One Identity (VAS), or other third-party user management systems. Consult your product vendor to resolve issues with their PAM methods.

If you require more AIX assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  

1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2. Capture any logs or data relevant to the situation.

3. Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4. Provide a clear, concise description of the issue.

 - For more information, see: Working with IBM AIX Support: Describing the problem.

5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.

 - For more information, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
14 April 2021

UID

ibm16443385