Tuesday, June 24, 2014

Utilities: addebug

Background

The addebug command controls the log feature of the Centrify client for UNIX, Linux and Mac OS X. Logs are written to /var/log/centrifydc.log; on HP-UX, however, the location is /var/admin/syslog. Only turn on debugging while you're troubleshooting a problem. You'll have to elevate (with sudo or dzdo) to use addebug and to review the log.

Location

The utility is located in the /usr/share/centrifydc/bin folder.

Basic Usage
  • Use /usr/share/centrifydc/bin/addebug on to start debugging
  • Use /usr/share/centrifydc/bin/addebug off to stop debugging 
  • Use /usr/share/centrifydc/bin/addebug clear to clear the logs
For more information, read the manual page for addebug (man addebug).

What to look for

Modules
Centrify implements directory lookups with Name Service Switch (NSS) and authentication with Pluggable Authentication Modules (PAM), which means that you need to become familiar with some of these calls:
  • NSS calls: These are name service switch function calls. For example (oversimplifying), an application may use a call to determine the user's UID from the login name. These calls start with "NSS".
  • PAM calls: These function calls implement the account, authentication, session and password modules that are implemented with the solution. These calls start with "pam_".
File Descriptors
FDs identify the transactions, which makes it easy for the log reader to follow the same transaction. They are labeled with "fd:nn" (nn is the descriptor number).

Keywords, Phrases and Functions
During the troubleshooting process, you'll become familiar with several keywords that will help you determine what happened during the transaction. For example, here are a few:
  • pam_sm_authenticate: search for this call to determine the beginning of PAM authentications.
  • "User is ours" / "User is not ours": One of these phrases appears under a file descriptor when the function PAMUserIsOurResponsibility determines whether or not the user is an AD user that needs to be processed.
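
One way to apply these markers when reading a debug log, as an added example (not Centrify's code and not from the original post): it groups lines by their "fd:nn" label and records the NSS/pam_ calls and the "User is ours" / "User is not ours" verdict for each transaction. The sample lines are constructed, their layout is an assumption, and NSSExampleCall and pam_example_call are placeholder names.

```python
import re

# Constructed sample lines. The timestamp/host/process layout is an assumption;
# the parser relies only on the markers the post names: fd:nn, NSS..., pam_...,
# and the phrases "User is ours" / "User is not ours".
SAMPLE_LOG = """\
Jun 24 10:01:02 host1 sshd[4410]: DEBUG pam_sm_authenticate: user alice
Jun 24 10:01:02 host1 adclient[812]: DEBUG <fd:21 PAMUserIsOurResponsibility> User is ours: alice
Jun 24 10:01:02 host1 adclient[812]: DEBUG <fd:22 NSSExampleCall> lookup alice
Jun 24 10:01:03 host1 adclient[812]: DEBUG <fd:21 pam_example_call> done for alice
Jun 24 10:01:05 host1 adclient[812]: DEBUG <fd:23 PAMUserIsOurResponsibility> User is not ours: root
Jun 24 10:01:05 host1 sshd[4411]: DEBUG pam_sm_authenticate: user root
"""

FD_RE = re.compile(r"\bfd:(\d+)\b")          # transaction label
CALL_RE = re.compile(r"\b(NSS\w+|pam_\w+)")  # NSS and PAM call names


def summarize(text):
    """Group lines by fd:nn and record the markers seen in each transaction."""
    summary = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FD_RE.search(line)
        fd = int(m.group(1)) if m else None  # None: line carries no fd label
        entry = summary.setdefault(fd, {"lines": 0, "calls": [], "ours": None})
        entry["lines"] += 1
        entry["calls"] += CALL_RE.findall(line)
        if "User is not ours" in line:
            entry["ours"] = False
        elif "User is ours" in line:
            entry["ours"] = True
    return summary


def auth_starts(text):
    """Return the lines where a PAM authentication begins."""
    return [ln for ln in text.splitlines() if "pam_sm_authenticate" in ln]


if __name__ == "__main__":
    print(f"{len(auth_starts(SAMPLE_LOG))} PAM authentication start(s)")
    for fd, e in summarize(SAMPLE_LOG).items():
        label = "no fd" if fd is None else f"fd:{fd}"
        verdict = {True: "ours", False: "not ours", None: "-"}[e["ours"]]
        print(f"{label:6} lines={e['lines']} user={verdict} calls={e['calls']}")
```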
