It’s useful and easy to debug on SuSE as compared to setting up to do this on Solaris or elsewhere. Solaris supports pam.conf rather than the DIRMODE pam.d of Linux. Still, the following steps trick vastool into working against the file rather than the directory configuration files:

• open at least one root shell
• create (or get a copy of) pam.conf tailored to show the problem
• copy it to /etc
• make a back-up copy, pamela.conf
• move pam.d to pamela.d

At this point, vastool can be debugged using one of the root shells since anything vastool operation involving pam.conf implies root privileges. Once finished, perform these remaining steps:

• remove pam.conf
• move pamela.d to pam.d
• make certain that sudo ls works in a non-root shell before killing the root shell(s) created for this exercise

syslog

Note, for example, that Solaris doesn’t support *.* in syslog. PAM logs to the auth facility though so auth.debug works on all platforms.

...and your screensaver came and locked the screen or the building lost power. (I run the grub loader; I don’t know what to do for lilo.) Reboot and when the opportunity arises, press F2 as indicated for “more options.” This gives you the loader command line. Append the following to it:

	init=/bin/bash

And continue on. It will come up in bash, you can restore PAM to its pristine state. In the case of VAS (all we’re thinking about here anyway), merely edit /etc/pam.d/common-* and remove all the lines containing the VAS PAM stuff, “pam_vas3.so.” Also, in common-auth, the mention “use_first_pass” must be removed from the line on which it is found.

After taking care of these PAM files, resync, and reboot. The inability to authenticate should be fixed although VAS will have to be configured again:

	vastool configure pam

It’s best to keep console 1 logged in as root so that ctrl alt F1 will get you into it whence you can fix your PAM files. ctrl alt F7 will get you back into your GUI.

It’s possible to include files in a PAM configuration file. This happens two ways.

	include filename

...includes filename in the PAM file at that point. This approach might be a little more common in the case of /etc/pam.conf implementations. (I don’t know for sure.)

Here, however, is PAM file /etc/pam.d/sshd on SuSE Linux 10.2:

	#%PAM-1.0
	auth      requisite            pam_nologin.so
	auth      include              common-auth
	account   include              common-account
	password  include              common-password
	session   required             pam_loginuid.so
	session   include              common-session
	auth      include              common-auth
	# Enable the following line to get resmgr support for
	# ssh sessions (see /usr/share/doc/packages/resmgr/README)
	#session  optional             pam_resmgr.so    fake_ttyname

In this case, inclusion works the same, but essentially replaces the whole line it’s on with the file. Thus, after the first inclusion shown here in red, for authentication, this file becomes as follows. Note that our VAS annotation is present since it’s in /etc/pam.d/common-auth.

	#%PAM-1.0
	auth      requisite            pam_nologin.so
	#%PAM-1.0
	#
	# This file is autogenerated by pam-config. All changes
	# will be overwritten.
	#
	# Authentication-related modules common to all services
	#
	# This file is included from other service-specific PAM confg files,
	# and should contain a list of the authentication modules that define
	# the central authentication scheme for use on the system
	# (e.e., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
	# traditional Unix authentication mechanisms.
	#
	auth      sufficient   pam_vas3.so   create_homdir  get_nonvas_pass  debug trace
	auth      requisite    pam_vas3.so   echo_return
	auth      required     pam_unix2.so  use_first_pass
	account   include              common-account
	password  include              common-password
	session   required             pam_loginuid.so
	session   include              common-session
	auth      include              common-auth
	# Enable the following line to get resmgr support for
	# ssh sessions (see /usr/share/doc/packages/resmgr/README)
	#session  optional             pam_resmgr.so    fake_ttyname

On SuSE Linux, /etc/pam.d/common-account, -auth, -password and -session contain the common elements for those PAM task types. On Red Hat, the same objective is achieved by the file /etc/pam.d/sys-auth. There is nothing magic about these files and any name could be used by hand-crafting, but the operating systems create those files automatically at first.

What the heck, here is the script...

	#!/bin/sh
	# This sets up /etc/resolv.conf to be suitable for mucking about in the Vintela
	# testing domains. Must be run as root, obviously.
	if [ $EUID != 0 ]; then
	  echo "   Must be root to do this!"
	  echo "   resolv.sh [normal|test|dev]"
	  cat /etc/resolv.conf
	elif [ "$1" == "normal" ]; then
	  if [-f "/etc/resolv.conf.orig" ]; then
	    rm /etc/resolv.conf
	    cp /etc/resolv.conf.orig /etc/resolv.conf
	    cat /etc/resolv.conf
	  else
	    echo "No resolv.conf.orig to start with..."
	  fi
	elif [ "$1" == "test" ]; then
	  if [-f "/etc/resolv.conf.test" ]; then
	    rm /etc/resolv.conf
	    cp /etc/resolv.conf.test /etc/resolv.conf
	    cat /etc/resolv.conf
	    echo ""
	    echo "   Reminder: rdesktop -u administrator -p test123 a.vas"
	  else
	    echo "No resolv.conf.test to start with..."
	  fi
	elif [ "$1" == "dev" ]; then
	  if [-f "/etc/resolv.conf.dev" ]; then
	    rm /etc/resolv.conf
	    cp /etc/resolv.conf.dev /etc/resolv.conf
	    cat /etc/resolv.conf
	    echo ""
	    echo "   Reminder: vmware-console [administrator password is Test1234 a.dev]"
	  else
	    echo "No resolv.conf.dev to start with..."
	  fi
	fi
	# vim: set tabstop=2 shiftwidth=2 expandtab:

...and here are the three files, all on /etc:

	resolv.conf.orig:
	domain vintela.com
	nameserver 10.5.33.1
	nameserver 10.5.33.2

	resolv.conf.test:
	search test.vintela.com vas vintela.com
	nameserver 192.168.131.1

	resolv.conf.dev:
	search dev vas vintela.com
	nameserver 192.168.144.5