When you define allowed hosts in the profile-based policies using a host's fully qualified domain name (FQDN), the entry is not recognised when you execute a Privilege Manager command.
For example, your profile contains:
authHosts={ "yourclient1.yourdomain.com" };
Example command
bash-4.0# pmrun id
********************************************************************
** Quest Privilege Manager for Unix Version 5.5.2 (006) **
** This request is being authorized on master :yourmaster.yourdomain.com
** User "root" has submitted a request from host "yourclient1.yourdomain.com" to run the command "id"
********************************************************************
** Profile "admin" does not allow a command to run on host "yourclient1.yourdomain.com"
Request accepted by the "demo" profile
User : root
Host : yourclient1.yourdomain.com
Command : id
WORKAROUND
It is possible to check FQDNs instead of short names by making two small changes to /opt/quest/qpm4u/policies/profileBasedPolicy.conf, around line 650. Two if statements there compare short names against the authHosts lists. Changing "shortsubmithost" to "submithost" and "shortrunhost" to "runhost" in these two if statements makes the policy check use FQDNs. The entries that require changing are shown below.
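The following is an added audit example, not the policy file entries referred to above and not One Identity code. It lists which authHosts entries would match a submit host under the stock short-name comparison and under the FQDN comparison of the workaround. The function names, the sample profile text and the exact-string matching are assumptions made for illustration.

```python
import re

# Constructed sample profile text; only the authHosts line format comes from the page.
SAMPLE_PROFILE = '''
authHosts={ "yourclient1.yourdomain.com", "yourclient2" };
'''

def parse_auth_hosts(profile_text):
    """Return the quoted entries of the first authHosts={ ... }; list."""
    m = re.search(r'authHosts\s*=\s*\{(.*?)\}\s*;', profile_text, re.S)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []

def short_name(host):
    """Host name up to the first dot (assumed meaning of the short* variables)."""
    return host.split(".", 1)[0]

def audit(profile_text, submit_fqdn):
    """Classify each entry under both comparison modes.

    Assumption: the policy compares by exact string equality; the real
    policy code is not shown on the page and may behave differently.
    """
    short = short_name(submit_fqdn)
    report = []
    for entry in parse_auth_hosts(profile_text):
        report.append({
            "entry": entry,
            "is_fqdn": "." in entry,
            # Stock policy: entry is compared with the short submit host name.
            "matches_stock": entry == short,
            # After the workaround: entry is compared with the full FQDN.
            "matches_workaround": entry == submit_fqdn,
        })
    return report

if __name__ == "__main__":
    for host in ("yourclient1.yourdomain.com", "yourclient2.yourdomain.com"):
        for row in audit(SAMPLE_PROFILE, host):
            print(host, row)
```

Under the exact-match assumption, a short-name entry that matches the stock policy stops matching once the workaround is applied, so a profile should use one naming form consistently for all entries.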