One Identity Management Console for Unix 2.5.2 - Administration Guide


Out of memory error

If you see java.lang.OutOfMemoryError in the logs, you may need to adjust your JVM memory allocation. See JVM memory tuning suggestions for details.

Post install configuration fails on Unix or Mac

If you installed Management Console for Unix on a Unix or Linux computer that has Authentication Services installed and is joined to an Active Directory domain, and you encountered the following error message when running the post-installation configuration of the management console, verify your installation configuration: "Can't find domain controller for <domain>".

To verify the installation configuration

  1. Verify that DNS is valid and that the server can connect to the domain.
  2. Verify that you are configured for a domain in the same forest to which you are joined.

    Note: If the computer is not joined to a domain, you could have configured the management console for any domain reachable by DNS.

  3. If you have Authentication Services installed, verify that the host.keytab file is valid by running the following command without error:
    /opt/quest/bin/vastool -u host/ -k <path_to_keytab> info id

    Note: Typically, the host.keytab file is located at: /etc/opt/quest/vas/host.keytab.

  4. If you recently joined or rejoined and there are multiple domain controllers in the domain, wait for the computer object to be replicated to all domain controllers in the forest.
  5. Verify that the clocks for the Management Console for Unix server and the Active Directory domain controller are synchronized.

    Kerberos requires that the Management Console for Unix server and Active Directory domain controller clocks are within five minutes of each other.
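
The following preflight script is an added example, not part of the original guide or the product. It automates steps 1, 3 and 5 above. It assumes `dig`, OpenLDAP's `ldapsearch` and GNU `date` are installed and that the domain controllers allow an anonymous read of the rootDSE `currentTime` attribute; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for the "Can't find domain controller" checks.
# Assumes dig, ldapsearch and GNU date; function names are hypothetical.
MAX_SKEW=300   # five minutes, the Kerberos tolerance stated in step 5

# Read `dig +short SRV` lines ("prio weight port target.") and print each target.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Convert an AD rootDSE currentTime value (YYYYMMDDhhmmss.0Z) to epoch seconds.
gtime_to_epoch() {
    t=$(printf '%s' "$1" | sed -n 's/^\([0-9]\{4\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\..*Z$/\1-\2-\3 \4:\5:\6/p')
    [ -n "$t" ] || return 1
    date -u -d "$t" +%s
}

# Succeed when two epoch values are within MAX_SKEW seconds of each other.
skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le "$MAX_SKEW" ]
}

# Usage: preflight <domain> [keytab]. Prints OK/FAIL per check.
preflight() {
    domain=$1; keytab=${2:-/etc/opt/quest/vas/host.keytab}; rc=0
    dcs=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | srv_targets)
    if [ -z "$dcs" ]; then echo "FAIL: no DC SRV records for $domain"; return 1; fi
    # Step 3 applies only when Authentication Services (vastool) is installed.
    if [ -x /opt/quest/bin/vastool ]; then
        if /opt/quest/bin/vastool -u host/ -k "$keytab" info id >/dev/null 2>&1
        then echo "OK: keytab $keytab"
        else echo "FAIL: keytab $keytab"; rc=1; fi
    fi
    for dc in $dcs; do
        raw=$(ldapsearch -x -LLL -H "ldap://$dc" -s base -b "" currentTime 2>/dev/null |
              sed -n 's/^currentTime: //p')
        if dc_epoch=$(gtime_to_epoch "$raw") && skew_ok "$(date -u +%s)" "$dc_epoch"
        then echo "OK: clock within ${MAX_SKEW}s of $dc"
        else echo "FAIL: clock skew too large or no time from $dc"; rc=1; fi
    done
    return $rc
}

if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Steps 2 and 4 (forest membership and replication delay) still need to be confirmed by hand.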

Privilege Manager feature issues

Management Console for Unix integrates with Privilege Manager, including the ability to centrally manage policy. The following topics may help you resolve some of the common problems you might encounter.

Join to policy group failed

When you join a remote Sudo Plugin host to a policy group you are required to enter a password in the Joined password box. The join password is the password for the pmpolicy user that was set when the qpm-server was configured. See Configuring the primary policy server for details.

If the join operation does not recognize the pmpolicy user password, you will receive an error message with the following snippet:

Enter password for pmpolicy@<host>:
       - Failed to copy file using ssh.

       - Error: Failed to add the host to the list of known hosts
       Permission denied, please try again.
       Permission denied, please try again.
       Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

       ** Failed to setup the required ssh access.
       ** The pmpolicy password is required to copy a file to the primary
       ** policy server.
       ** To complete this configuration, please rerun this command and
       ** provide the correct password.

Run the join operation again, entering the correct password.
