Skip to Content

sapuxuserchk authentication failure


Hello,

lately we have deployed the hostagent to all of our sap servers. Now I have some messages at /var/log/syslog/all at several (not all) Servers like

May 19 11:57:10 hges2022 sapuxuserchk: pam_unix_auth(sapstartsrv:auth): authentication failure; logname= uid=2000 euid=0 tty= ruser= rhost= user=sapadm

May 19 11:57:12 hges2022 sapuxuserchk: _rebind_proc

May 19 11:57:12 hges2022 sapuxuserchk: _rebind_proc

May 19 11:57:12 hges2022 sapuxuserchk: _rebind_proc

This appears several time per minute.

I have already found note http://service.sap.com/sap/support/notes/927637. I have installed the latest hostagent (207). I have removed sapususerchk from the direcories /usr/sap/<SID>/<Instance>/exe.

Im am using new sap kernel versions, for example 742 PL 101.

We are not using PAM-Authentication anywhere.

I can not find any reason, why this message appears at some servers, but not at others.

Do you have any idea what to do, to solve the problem causing this messages?

Best regards

Andreas

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

7 Answers

  • Posted on May 19, 2015 at 10:54 AM

    Could you check with SAP Note 1063897 - sapstartsrv user authentication on HP-UX

    Regards,

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on May 21, 2015 at 10:46 AM

    Hello,

    Have a look with SAP Note 958253 - SUSE LINUX Enterprise Server 10: Installation notes

    PAM configuration needed for "sapstartsrv" and "sapcontrol".

    SLES 10 SP3 or later:

    After having installed the Web Service Interface (which uses "sapstartsrv" and "sapcontrol") the following configuration stepts are required:

    The sapstartsrv file within directory /etc/pam. d has to be created and has to contain the following lines:

    #%PAM-1.0

    auth requisite pam_unix_auth.so nullok

    SLES 10, SLES 10 SP1 and SLES 10 SP2:

    After having installed the Web Service Interface (which uses "sapstartsrv" and "sapcontrol"), it might not be possible to authenticate a local created user (i.e. a user entered into the "/etc/passwd" and "/etc/shadow" files), if the SLES 10 system was not installed using the "md5" encryption method as default encryption method (see also above under section "Installing SUSE LINUX Enterprise Server 10 (SLES 10)"). This is due to a known limitation in the PAM authentication module "pam_unix_auth.so" used by "sapstartsrv" and "sapcontrol" via the PAM configuration file "/etc/pam.d/sapstartsrv".

    This sapstartsrv file within directory /etc/pam. d has to be created and has to contain the following lines:

    #%PAM-1.0

    auth requisite pam_unix_auth.so nullok

    Unfortunately, this PAM module is only capable of authenticating passwords that have been encrypted with either the "DES" or "MD5" encryption method, but not "blowfish", which is the default in SLES 10.

    To change the default used encryption method, do as follows:

    Start "yast2" as the "root" user.

    Select "Security and Users".

    Select "Local Security".

    If the "Security Settings" has "Customer Settings" selected, click on "Next" button, otherwise click on "Details...".

    Under "Password Encryption Method", select either "MD5" (preferred method to make use of) or "DES".

    Click on the "Next" button until the "Finish" button appears.

    Click on the "Finish" button to save the changes.

    In addition, you have to edit the variable "CRYPT_FILES" in the file "/etc/default/passwd", using your favorite editor, setting the assigned value to either "MD5" (preferred) or "DES" (possible, but is less secure). After having changed the default used encryption method as described above, you have to reencrypt the password for the user used by the calls of "sapstartsrv" and "sapcontrol" by issueing the command "passwd <username>" as "root" and entering the wanted password twice.

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on May 19, 2015 at 12:23 PM

    Hi Andreas,

    Because of the error message "sapuxuserchk: _rebind_proc" I assume you are using LDAP-authentication?

    saphostagent installs the PAM config file /etc/pam.d/sapstartsrv which uses pam_unix_auth.so as default.

    I assume you need to modify it or add LDAP authentication there too.

    Helge

    Add a comment
    10|10000 characters needed characters exceeded

    • Hello Helge,

      we are using a local user sapadm and local users <sid>adm. We use LDAP only for Administrators.

      We do not use the pam-authentication.

      I have the same pam-configration at another server, where I do not get the authentication failures.

      Best Regards

      Andreas

  • Posted on May 20, 2015 at 04:34 AM

    Hello,

    something new to think about.

    This issue appears at productive system but not at quality assurance system and I am using same configurations and patches on LINUX, SAP Kernel, SAP Parameters service/admin_users and service/protectedwebmethods

    I am still searching for differences of the Systems.

    Best Regards

    Andreas

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on May 21, 2015 at 09:59 AM

    Hi Andreas,

    For me the issue could be as because of sshd_config file.From the same OS file

    # Set this to 'yes' to enable PAM authentication, account processing,

    # and session processing. If this is enabled, PAM authentication will

    # be allowed through the ChallengeResponseAuthentication and

    # PasswordAuthentication. Depending on your PAM configuration,

    # PAM authentication via ChallengeResponseAuthentication may bypass

    # the setting of "PermitRootLogin without-password".

    # If you just want the PAM account and session checks to run without

    # PAM authentication, then enable this but set PasswordAuthentication

    # and ChallengeResponseAuthentication to 'no'.

    #UsePAM no

    Any changes under the file could be the possible reasons of getting messages sapuxuserchk: pam_unix_auth(sapstartsrv:auth): authentication failure; under /var/log/...... location.

    Regards,

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on May 27, 2015 at 01:54 PM

    Hi

    Simply run

    saproot.sh <SID> as user root from the following exe locations

    /usr/sap/SID/<INSTANCE>/exe

    /sapmnt/<SID/exe

    And the right permissions will be achieved for the file sapuxuserchk

    Thanks ,

    Manu

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Nov 19, 2015 at 09:48 AM

    Hello,

    after I could not solver this Problem here, I have opened a customer message. They have analyzed that wrong credentials of several agents (SOLMAN, SMD, LVM) seem to be the cause of the problems.

    The pam was working fine.

    Bets Regards

    Andreas

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.