Editing the PAM configuration manually

In most cases, you should not manually edit the PAM configuration on a computer unless absolutely necessary because changes can produce unexpected and undesirable results. If you choose to edit the file manually, you should use caution and limit the changes you make.

To manually edit the PAM configuration to use Centrify and Active Directory, you need to add several lines to the top of the appropriate PAM configuration file for the local operating environment.

For example, on Linux you need to add the following lines to the top of the /etc/pam.d/system-auth file:

auth     sufficient  pam_centrifydc.so debug
auth     requisite   pam_centrifydc.so deny debug
account  sufficient  pam_centrifydc.so debug
session  sufficient  pam_centrifydc.so homedir
password sufficient  pam_centrifydc.so try_first_pass
password requisite   pam_centrifydc.so deny

On Solaris and other platforms, you need to add the following lines to the top of the /etc/pam.conf file:

rlogin auth     sufficient  pam_centrifydc.so debug
rlogin auth     requisite   pam_centrifydc.so deny debug
login  auth     sufficient  pam_centrifydc.so debug
login  auth     requisite   pam_centrifydc.so deny debug
passwd auth     sufficient  pam_centrifydc.so try_first_pass debug
passwd auth     requisite   pam_centrifydc.so deny debug
other  auth     sufficient  pam_centrifydc.so debug
other  auth     requisite   pam_centrifydc.so deny debug
cron   account  sufficient  pam_centrifydc.so debug
other  account  sufficient  pam_centrifydc.so debug
other  password sufficient  pam_centrifydc.so debug
other  session  sufficient  pam_centrifydc.so debug

Note: In most operating environments, when new users log on successfully, the Centrify agent automatically attempts to create the user’s home directory. In Solaris environments, however, the home directory is often automounted over NFS, so the attempt to automatically create a new home directory for new users typically fails. If you use NFS to automount home directories, you can turn off the automatic creation of the home directory by setting the pam.homedir.create parameter in the centrifydc.conf file to false. For more information about setting this parameter, see pam.homedir.create.

By adding the appropriate lines to the beginning of the PAM configuration file, you ensure that Active Directory authentication takes precedence over other forms of authentication.
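
After a manual edit, you can confirm that precedence by checking that pam_centrifydc.so is the first module in each stack. The following check is an added example, not Centrify tooling. The function names parse_stacks and precedence_report are hypothetical, the sample file contents are constructed, and include directives are not followed.

```python
import re

MODULE = "pam_centrifydc.so"
TYPES = ("auth", "account", "session", "password")

def parse_stacks(text, pam_conf=False):
    """Map (service, type) -> module names in file order; pam_conf=True adds a service column."""
    stacks = {}
    for raw in re.sub(r"\\\n", " ", text).splitlines():  # join continued lines
        fields = raw.split("#", 1)[0].split()            # drop comments
        service = fields.pop(0) if pam_conf and fields else "*"
        if len(fields) < 3 or fields[0].lstrip("-") not in TYPES:
            continue
        mtype = fields.pop(0).lstrip("-")
        if fields[0].startswith("["):                    # [value=action ...] control
            while len(fields) > 1 and not fields[0].endswith("]"):
                fields.pop(0)
        if len(fields) < 2:
            continue
        module = fields[1].rsplit("/", 1)[-1]            # tolerate absolute paths
        stacks.setdefault((service, mtype), []).append(module)
    return stacks

def precedence_report(text, pam_conf=False):
    """Classify each stack as 'first', 'not-first' or 'absent' for MODULE."""
    return {key: "first" if mods[0] == MODULE
            else "not-first" if MODULE in mods else "absent"
            for key, mods in parse_stacks(text, pam_conf).items()}

# Constructed sample in the /etc/pam.d/system-auth layout (not from a real host).
SAMPLE_PAM_D = r"""
auth     sufficient  pam_centrifydc.so debug
auth     requisite   pam_centrifydc.so deny debug
account  required    pam_unix.so
account  sufficient  pam_centrifydc.so debug
password [success=1 default=ignore] pam_unix.so sha512 \
         shadow
"""

# Constructed sample in the /etc/pam.conf layout (leading service column).
SAMPLE_PAM_CONF = """
login  auth  sufficient  pam_centrifydc.so debug
login  auth  requisite   pam_centrifydc.so deny debug
other  auth  required    pam_unix_auth.so.1
other  auth  sufficient  pam_centrifydc.so debug
"""

if __name__ == "__main__":
    print(precedence_report(SAMPLE_PAM_D), precedence_report(SAMPLE_PAM_CONF, pam_conf=True))
```

A stack reported as not-first has another module evaluated before pam_centrifydc.so, and a stack reported as absent has no Centrify line at all.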