
IDCS: Linux PAM Not Connecting - AUTH-1021 And Pam Return Code 7 (Doc ID 2879275.1)

Last updated on MARCH 30, 2023

Applies to:

Identity Cloud Service (IDCS) - Version N/A to N/A
Information in this document applies to any platform.

Goal

Configuration of the Linux PAM module is not successful: https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/typical-workflow-managing-linux-pam.html

I am not able to connect per the following step: https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/test-authentication-linux-using-oracle-identity-cloud-service.html

Logs (/opc/pam_nss.log) note the following upon testing login. How do I resolve the following error?

AUTH-1021 And Pam Return Code 7

For a visual guide on the PAM module configuration, you may also visit: https://learnoci.cloud/how-to-enable-idcs-pam-on-oracle-linux-7-and-use-mfa-53164b36595c

Solution

To view full details, sign in with your My Oracle Support account.



In this Document

Goal
 Configuration of the Linux PAM module is not successful: https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/typical-workflow-managing-linux-pam.html
 Test Authentication into Linux Using Oracle Identity Cloud Service
 AUTH-1021 And Pam Return Code 7

Solution
 1) Create a separate IDA (Identity Domain Administrator) application for user and group creation.
 2.a) -
 2.b) Generate an access token using the application from 2.a) and use its client ID/secret to create users and groups: https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/create-group-posix-attributes.html
 3) Ensure the PAM application is standalone with the proper roles. The PAM module Confidential application needs to have the following roles: https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/configure-confidential-application.html
 4) To rule out any missed PAM configuration steps, check the PAM configuration with a working client ID/secret from a separate PAM configuration, if you have one. If not, make sure that steps 1-3 above are correctly created in IDCS and proceed to validate the PAM module configuration at step 4.c).
 4.a) Point the wallet to a working client ID/secret and host to check the PAM module configuration. On the Linux environment, run the following commands as the root user:
 https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/create-wallet.html
 4.b) If that does not allow you to connect and the same error shows, proceed with verifying the configuration of the SSSD service and make sure that /etc/pam.d/sshd has the correct authentication order per the guide:
 https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/configure-linux-pam-module-using-sssd.html
 4.c) Edit /etc/pam.d/sshd and add the pam_oracle_cloud module:
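A small diagnostic helper for steps 4.b and 4.c, added here as an example and not part of the Oracle article or the IDCS PAM module: it parses the auth phase of a PAM service file such as /etc/pam.d/sshd so the module order can be compared against the guide, and counts the AUTH-1021 / Pam Return Code 7 markers in the log. It assumes the module file is named pam_oracle_cloud.so and runs on constructed sample files rather than the real /etc/pam.d/sshd and /opc/pam_nss.log.

```shell
#!/bin/sh
# Added example, not from the Oracle KB article or the IDCS PAM module.
# Assumptions: module file is pam_oracle_cloud.so; log is /opc/pam_nss.log.

# Print the auth-phase entries of a PAM service file in stack order (one
# token each) so the order can be compared with the IDCS guide. Handles
# comments, bracketed controls like [success=1 default=ignore], and
# include/substack entries (reported as "include:<file>").
pam_auth_stack() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        $1 != "auth"   { next }                 # only the auth phase
        $2 == "include" || $2 == "substack" { print $2 ":" $3; next }
        {
            end = 2                             # a bracketed control field
            if ($2 ~ /^\[/)                     # may span several words
                while (end < NF && $end !~ /\]$/) end++
            print $(end + 1)                    # module name follows it
        }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# 1-based position of MODULE ($2) in the auth stack of FILE ($1); 0 if absent.
pam_module_position() {
    pam_auth_stack "$1" | tr ' ' '\n' |
        awk -v m="$2" '$0 == m { print NR; found = 1; exit } END { if (!found) print 0 }'
}

# Count log lines carrying either error marker quoted in the question.
count_idcs_auth_errors() {
    grep -c -e 'AUTH-1021' -e 'Pam Return Code 7' "$1" || true
}

# Constructed sample input (not copied from a real host), so this runs offline.
SAMPLE_PAM=$(mktemp); SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_PAM" "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_PAM" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       [success=1 default=ignore] pam_oracle_cloud.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
EOF
cat > "$SAMPLE_LOG" <<'EOF'
2023-03-30 10:00:01 pam_oracle_cloud: authentication failed: AUTH-1021
2023-03-30 10:00:01 pam_oracle_cloud: Pam Return Code 7
EOF
echo "auth stack: $(pam_auth_stack "$SAMPLE_PAM")"
echo "pam_oracle_cloud.so at position $(pam_module_position "$SAMPLE_PAM" pam_oracle_cloud.so); errors logged: $(count_idcs_auth_errors "$SAMPLE_LOG")"
```

Run it against the real files by replacing the two sample paths; a position of 0 means the module line from step 4.c is missing from the sshd auth stack.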

