-
Title
The pmjoin_plugin command to join host to Privilege Manager for Sudo policy server fails: ERROR: Failed to configure pmclient user -
Description
pmjoin_plugin command to join host to Privilege Manager for Sudo policy server fails to configure pmclient user.
Error message in join output:
- ERROR: Failed to configure pmclient user
If the policy server is a Linux system then you may see an error similar to the following in the secure log output:---------------------Aug 16 13:08:04 server1 sshd[400]: pam_krb5[400]: disallowing NULL authtok for 'pmpolicy'--------------------- -
Cause
Possible configuration issue in sshd_config on the plugin client. -
Resolution
RESOLUTION 1:
1- Ensure that the plugin client server has the following set to yes in /etc/ssh/sshd_config
PubkeyAuthentication yes
2 - If you make changes to the sshd_config file, you must restart sshd.
Privilege manager for Sudo is using ssh-keys, therefore it needs this setting to be yes.RESOLUTION 2:
1 - Run the Join operation again entering a correct password.
When you join a host with the Sudo Plugin to a policy group you are required to enter a password. The Join password is the password for the pmpolicy user that was set when the qpm-server (Primary Policy server) was configured.
TROUBLESHOOTING:
1 - Get a trace of the plugin client join attempt by doing the following:1 - Configure tracing by running the following command on the client as root: /opt/quest/sbin/pmpoljoin_plugin -z on
2 - Run the join command again from the client: /opt/quest/sbin/pmjoin_plugin
3 - Check the /tmp/pmpoljoin_plugin.trc file.
4 - Stop the tracing by running the following command: /opt/quest/sbin/pmpoljoin_plugin -z off2 - Check for any ssh errors.
3 - Check the system log or secure log on the policy server.