
Privilege Manager for Sudo 6.1 Common Documents - Administration Guide


Enabling tracing for Sudo Plugin

Since the Sudo Plugin is not a program, the /tmp/pmplugin.ini file needs to be created manually in order to enable tracing for the Sudo Plugin itself.

To create the .ini file to enable tracing for the Sudo Plugin

  1. Run the following as root:
    printf 'FileName=/tmp/pmplugin.trc\nLevel=0xffffffff\n' > /tmp/pmplugin.ini
  2. When you have collected the trace output you need, remove the /tmp/pmplugin.ini file to disable tracing.
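The two steps above, wrapped in a small POSIX shell helper as an added example (this is not part of the One Identity documentation or product). It writes the same two keys the guide specifies to the documented /tmp/pmplugin.ini path; the INI_DIR variable is an assumption introduced here so the helper can be exercised against a scratch directory, and the umask is added so the .ini and the trace file it names are readable only by root rather than by every local user of /tmp.

```shell
#!/bin/sh
# Added helper, not One Identity code: enable/disable tracing for the Sudo Plugin.
# INI_DIR is an assumption for testing; the product reads /tmp/pmplugin.ini.
INI_DIR="${INI_DIR:-/tmp}"

# Create the .ini with the documented keys. umask 077 keeps the file (and the
# trace file created under the same umask) private to the user running this.
pmplugin_trace_enable() {
    ( umask 077 && printf 'FileName=%s/pmplugin.trc\nLevel=0xffffffff\n' "$INI_DIR" \
        > "$INI_DIR/pmplugin.ini" )
}

# Remove the .ini to stop the plugin from tracing (step 2 of the procedure).
pmplugin_trace_disable() {
    rm -f "$INI_DIR/pmplugin.ini"
}

# Report whether tracing is currently switched on.
pmplugin_trace_status() {
    if [ -f "$INI_DIR/pmplugin.ini" ]; then
        echo enabled
    else
        echo disabled
    fi
}
```

Run `pmplugin_trace_enable` as root, reproduce the problem, then `pmplugin_trace_disable` so the plugin does not keep writing a verbose (0xffffffff) trace after the investigation is over.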

Join fails to generate an SSH key for sudo policy

If you attempt to join a Sudo Plugin host and see an ssh-keyscan failure message similar to this:

** Generate ssh key [FAIL] 
   - failed to update known_hosts file:getaddrinfo <myhost>: Name or service not known

You might be using an unresolvable short host name (myhost in the example above) instead of the fully qualified domain name.

To work around this issue, add the domain to the search line in the /etc/resolv.conf file.
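A pre-join check for the condition described above, added here as an example (not part of the One Identity documentation or product). It answers the two questions behind the getaddrinfo failure: does the name resolve through the system resolver, and if a short name is used, is the expected domain on the resolver's search line. The RESOLV_CONF variable and the function names are assumptions introduced here so the check can be run against a constructed resolver file.

```shell
#!/bin/sh
# Added pre-join check, not One Identity code.
# RESOLV_CONF is an assumption so the check can read a constructed file.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# 0 if the name resolves through the system resolver (the path ssh-keyscan uses).
host_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# 0 if DOMAIN appears on the search line of the resolver config.
# The resolver honours the last "search" line, so only that one counts.
resolv_has_search_domain() {
    awk -v d="$1" '
        $1 == "search" { found = 0; for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$RESOLV_CONF"
}

# Decide whether HOST, as given to the join, can be expected to resolve,
# assuming the host's records live under DOMAIN.
precheck_join_host() {
    host="$1"; domain="$2"
    case "$host" in
        *.*) echo "fqdn supplied: $host"; return 0 ;;
    esac
    if resolv_has_search_domain "$domain"; then
        echo "short name $host; $domain is on the search line in $RESOLV_CONF"
        return 0
    fi
    echo "short name $host and $domain is not on the search line;" \
         "use $host.$domain or add the domain to search in $RESOLV_CONF"
    return 1
}
```

Run `precheck_join_host myhost example.com` (and `host_resolves myhost`) on the Sudo Plugin host before the join; a non-zero exit from either points at the name resolution gap rather than at the policy server.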

Join to policy group failed on Sudo Plugin

When you join a host with the Sudo Plugin to a policy group you are required to enter a password. The Join password is the password for the pmpolicy user that was set when the qpm-server was configured. See Configuring the Privilege Manager for Sudo Primary Policy Server for more information about the pmpolicy service account.

If the Join operation does not recognize the pmpolicy user password, you will receive an error message containing the following:

Enter join password for remote user:pmpolicy@example.com: 

[FAIL] 
   - Failed to copy file using ssh. 
   - Error: Failed to add the host to the list of known hosts 
      (/var/opt/quest/qpm4u/pmpolicy/.ssh/known_hosts). 
      Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive). 

   ** Failed to setup the required ssh access. 
   ** The pmpolicy password is required to copy a file to the primary 
   ** policy server. 
   ** To complete this configuration, please rerun this command and 
   ** provide the correct password. 

      - ERROR: Failed to configure pmclient user 
      - ERROR: Configuration of qpm4u unsuccessful. 
      - ERROR: Installation log file is 
        /opt/quest/qpm4u/install/pmjoin_plugin_output_20121022.log 
[1][root@sles10-qa ~]#

Run the Join operation again, entering the correct password.

Load balancing and policy updates

pmpluginloadcheck is both a command and a background daemon (run with the -i flag). When run as a command, it checks, updates, and reports on the status of the policy server. You can use pmpluginloadcheck from a Sudo Plugin host.

When run as a daemon process, it keeps track of the status of the policy servers for failover and load-balancing purposes. On policy servers, pmpluginloadcheck is responsible for keeping the production policy file up to date for the offline policy cache.

NOTE: See pmpluginloadcheck for more information about the syntax and usage of this command.
