SSO Client receives Error: "Unknown user name or bad password" when connecting to a Solaris UNIX based SSO Server.

Document ID : KB000022794
Last Modified Date : 14/02/2018

Description:

If your SSO Client receives the error "Unknown user name or bad password" and you have a Solaris UNIX based SSO Server, the following problem may exist. Your SSO Server logs will show a similar error.

This document applies to SSO 8.1 on Solaris 10 but can also affect SSO 12.1.

Solution:

Possible Problem:

The SSO Server process (PolicyServer) on a Solaris 10 based machine cannot create the semaphores it requires to protect its internal resources, and so fails to connect to the Directory. As a result, the Directory lookup fails and the user cannot be authenticated. Solaris limits the maximum number of semaphore identifiers, and this limit needs to be increased so that the SSO Server can obtain the semaphore identifiers it requires from the OS.

Symptoms:

To verify that this problem exists, check the following:

  • All Services are running and you can connect to Directory from an LDAP browser.

  • The full error you will see in the Client logs is below.

    "CC_AUTH_PLUGIN (0x11) ETWAC_AUTH_INVALID_CRED (0x507)

    • Unknown user name or bad password

    • Reported by Authentication Plug-in"

  • The errors in the SSO Server Trace logs are below:

    06/17/10 09:22:48|[0x0000000c]|WARN|UserDbLDAP| Failed to lock Ldap handle.
    slot=0

    ---and also---

    06/17/10 09:22:48|[0x0000000c]|WARN|SSO Server| Authentication plug-in Error. Unknown user name or bad password. Reported by Authentication Plug-in.

  • On Solaris 10, use the following procedure to check if the current value specified for
    your max private semaphore resource controls is too low.

    1. To view the current values of the resource control, you will need to look up the project ID on the system and then check the maximum space available for private semaphores (default is 120 k).

  • Please run the commands below, substituting the project ID from the first command for the ? in the second command:

    • id -p

    • prctl -n project.max-sem-ids -i project ?

      EXAMPLE:

      See the below example commands and output:
      -bash-3.00# id -p
      uid=0(root) gid=0(root) projid=3(default)
      -bash-3.00# prctl -n project.max-sem-ids -i project 3
      project: 3: default
      NAME       PRIVILEGE      VALUE      FLAG      ACTION      RECIPIENT
      project.max-sem-ids
                        privileged             128             -              deny                  -
                        system                 16.8M       max           deny                  -
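
The two trace-log symptoms above can be checked together. The following is an added example, not code from the vendor: it counts how many "bad password" warnings in a trace log follow a "Failed to lock Ldap handle" warning with the same timestamp and bracketed id, which separates this semaphore problem from ordinary credential failures. The field layout is assumed from the two log lines quoted above, and the last sample line is constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Field layout is assumed from the two trace
# lines quoted in this article: timestamp|[id]|LEVEL|component|message

# Read an SSO Server trace log on stdin and print "<lock_related> <other>":
# how many "bad password" warnings share a timestamp and bracketed id with an
# earlier "Failed to lock Ldap handle" warning, and how many do not.
classify_auth_errors() {
    awk -F'|' '
        { key = $1 "|" $2 }
        $4 == "UserDbLDAP" && $5 ~ /Failed to lock Ldap handle/ {
            locked[key] = 1
            next
        }
        $4 == "SSO Server" && $5 ~ /Unknown user name or bad password/ {
            if (key in locked) lock_related++
            else other++
        }
        END { printf "%d %d\n", lock_related, other }
    '
}

# Constructed sample: the first three lines are the article's; the last line
# is a made-up ordinary failure with no lock warning beside it.
sample_trace() { cat <<'EOF'
06/17/10 09:22:48|[0x0000000c]|WARN|UserDbLDAP| Failed to lock Ldap handle.
slot=0
06/17/10 09:22:48|[0x0000000c]|WARN|SSO Server| Authentication plug-in Error. Unknown user name or bad password. Reported by Authentication Plug-in.
06/17/10 09:25:10|[0x0000000d]|WARN|SSO Server| Authentication plug-in Error. Unknown user name or bad password. Reported by Authentication Plug-in.
EOF
}

echo "lock-related / other: $(sample_trace | classify_auth_errors)"
```

A non-zero first number points at the semaphore limit described in this document rather than at the user's credentials.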

Solutions:

The solution is to increase the semaphores for the project and ID associated with the SSO Policy Server. In this case it does not have a specific project and we need to modify the default system project for the root user (Root is the only user who can start SSO PolicyServer).

Below are 2 methods known to be used to accomplish this. Please consult your Solaris System administrator for the preferred method they use in their environment.

IMPORTANT: The steps below should ONLY be performed by your Solaris Systems administrator; you should adjust the commands and parameters based on your OS level and system configuration.

Before changing OS settings like these, it is important to know if this is a Solaris Zone. If this is a Zone, refer to Solaris for the procedures for changing the settings below.

To find the project ID

  • id -p

  • OUTPUT: uid=0(root) gid=0(root) projid=3(default)

Use the project name from the id -p output in the command below

  • projmod -sK "project.max-sem-ids=(privileged,1024,deny)" default

  • projects -l

After this command I rebooted the server and then verified the default project now has the increased semaphores.

  • prctl -n project.max-sem-ids -i project 3

  • OUTPUT:
    project: 3: default
    NAME      PRIVILEGE      VALUE      FLAG      ACTION      RECIPIENT
    project.max-sem-ids
                      privileged             1.02K          -              deny                   -
                      system                 16.8M        max           deny                   -

Projmod information:

http://docs.sun.com/app/docs/doc/816-5166/projmod-1m?l=en&n=1&a=view

Alternate Method:

Although this method is easier to implement, it has been said to be considered obsolete on Solaris 10. That said, it has been reported to work on Solaris 10. Since there does seem to be debate on the proper method in Solaris 10, please use at your own risk.

  • Change the privileged semaphore by modifying the file /etc/system, adding the following lines at the end of it:

    set semsys:seminfo_semmni=1024
    set semsys:seminfo_semmsl=1024

  • Restart the System

  • Verify the fix

    a. Find the project ID

  • id -p

  • OUTPUT: uid=0(root) gid=0(root) projid=3(default)

    Verify the default project now has the increased semaphores.

  • prctl -n project.max-sem-ids -i project 3

  • OUTPUT:

    project: 3: default
    NAME      PRIVILEGE      VALUE      FLAG      ACTION      RECIPIENT
    project.max-sem-ids
                      privileged        1.02K             -             deny                   -
                      system              16.8M          max           deny                   -
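
The check in the Symptoms section and the verification steps in both methods read the same two outputs. The following is an added example, not code from the vendor: it extracts the project ID from id -p output and decides from prctl output whether the privileged project.max-sem-ids value can satisfy a wanted limit. The function names are hypothetical, and the handling of K and M is an assumption inferred from 1024 being displayed as 1.02K above.

```shell
#!/bin/sh
# Added example, not vendor code: interpret the command outputs shown above.

# Print the numeric project ID found in `id -p` output passed as $1.
projid_of() {
    printf '%s\n' "$1" | sed -n 's/.*projid=\([0-9][0-9]*\)(.*/\1/p'
}

# Read `prctl -n project.max-sem-ids` output on stdin; print "ok" if the
# privileged row can satisfy the wanted limit $1, "low" if not, "unknown" if
# there is no privileged row. The system row (16.8M) is ignored on purpose.
# Assumption: K/M are decimal multipliers and scaled values are rounded,
# inferred from 1024 being displayed as 1.02K in this article.
sem_limit_status() {
    awk -v want="$1" '
        $1 == "privileged" {
            v = $2; mult = 1; slack = 0
            if (v ~ /K$/) mult = 1000
            if (v ~ /M$/) mult = 1000000
            if (mult > 1) {
                sub(/[KM]$/, "", v)
                dot = index(v, ".")
                n = dot ? length(v) - dot : 0   # digits after the point
                step = mult                     # value of the last shown digit
                while (n-- > 0) step /= 10
                slack = step / 2                # rounding half-interval
            }
            status = (v * mult + slack >= want) ? "ok" : "low"
        }
        END { print (status == "" ? "unknown" : status) }
    '
}

# Constructed sample input: the outputs printed in this article.
ID_OUT='uid=0(root) gid=0(root) projid=3(default)'
prctl_before() { cat <<'EOF'
project: 3: default
NAME       PRIVILEGE      VALUE      FLAG      ACTION      RECIPIENT
project.max-sem-ids
        privileged        128       -   deny       -
        system          16.8M     max   deny       -
EOF
}
prctl_after() { prctl_before | sed 's/ 128 /1.02K/'; }

echo "project $(projid_of "$ID_OUT"): before=$(prctl_before | sem_limit_status 1024)," \
     "after=$(prctl_after | sem_limit_status 1024)"
```

On a live host the input would come from prctl -n project.max-sem-ids -i project "$(projid_of "$(id -p)")". On Solaris 10, replace awk with nawk or /usr/xpg4/bin/awk, since the legacy /usr/bin/awk lacks -v and sub().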