Since the Sudo Plugin is not a program, the /tmp/pmplugin.ini file needs be manually created in order to enable tracing for the Sudo Plugin itself.
To create the .ini file to enable tracing for the Sudo Plugin
printf 'FileName=/tmp/pmplugin.trc\nLevel=0xffffffff\n' > /tmp/pmplugin.ini
If you attempt to join a Sudo Plugin host and see a ssh-keyscan failure message similar to this:
** Generate ssh key [FAIL] - failed to update known_hosts file:getaddrinfo <myhost>: Name or service not known
You might be using an unresolvable, short host name (as myhost in the above example) instead of the fully qualified domain name.
To workaround this issue, add the domain to the search line in the /etc/resolv.conf file.
When you join a host with the Sudo Plugin to a policy group you are required to enter a password. The Join password is the password for the pmpolicy user that was set when the qpm-server was configured. See Configuring the Privilege Manager for Sudo Primary Policy Server for more information about pmpolicy service account.
If the Join operation does not recognize the pmpolicy user password, you will receive an error message with the following snippet:
Enter join password for remote user:firstname.lastname@example.org: [FAIL] - Failed to copy file using ssh. - Error: Failed to add the host to the list of known hosts (/var/opt/quest/qpm4u/pmpolicy/.ssh/known_hosts). Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive). ** Failed to setup the required ssh access. ** The pmpolicy password is required to copy a file to the primary ** policy server. ** To complete this configuration, please rerun this command and ** provide the correct password. - ERROR: Failed to configure pmclient user - ERROR: Configuration of qpm4u unsuccessful. - ERROR: Installation log file is /opt/quest/qpm4u/install/pmjoin_plugin_output_20121022.log [root@sles10-qa ~]#
Run the Join operation again entering a correct password.
pmpluginloadcheck is both a command and a background daemon (run with the –i flag). When run as a command, it checks, updates, and reports on the status of the policy server. You can use pmpluginloadcheck from a Sudo Plugin host.
When run as a daemon process, it keeps track of the status of the policy servers for failover and load-balancing purposes. On policy servers, pmpluginloadcheck is responsible for keeping the production policy file up to date for the offline policy cache.
© 2020 One Identity LLC. ALL RIGHTS RESERVED. Feedback Nutzungsbedingungen Datenschutz