
Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide


Post Install Configuration Fails on Unix or Mac

If you installed Management Console for Unix on a Unix or Mac computer that has Authentication Services installed and is joined to an Active Directory domain, and you encountered the following error message when running the post-installation configuration of the management console: 'Can't find domain controller for <domain>', verify your installation configuration.

To verify the installation configuration on a Mac

  1. Verify that DNS is valid and that the server can connect to the domain.
  2. Verify that you are configured for a domain in the same forest to which you are joined.

    Note: If the computer is not joined to a domain, you could have configured the management console for any domain reachable by DNS.

  3. If you have Authentication Services installed, verify that the host.keytab file is valid by running the following command without error:
    /opt/quest/bin/vastool -u host/ -k <path_to_keytab> info id

    Note: Typically, the host.keytab file is located at: /etc/opt/quest/vas/host.keytab.

  4. If you recently joined or rejoined and there are multiple domain controllers in the domain, wait for the computer object to be replicated to all domain controllers in the forest.
  5. Verify that the clocks for the Management Console for Unix server and the Active Directory domain controller are synchronized.

    Kerberos requires that the Management Console for Unix server and Active Directory domain controller clocks are within five minutes of each other.
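
Steps 1, 3 and 5 of this checklist can be scripted. The following is an added example, not part of the One Identity guide or its tooling. It assumes `dig` and OpenLDAP's `ldapsearch` are installed and that the domain controller answers an anonymous rootDSE query for `currentTime`; the function names are hypothetical, and only the `vastool` command and the default keytab path come from the guide.

```shell
#!/bin/sh
# Added example: scripted form of checklist steps 1, 3 and 5 (not vendor code).
MAX_SKEW=300   # five-minute Kerberos tolerance stated in the guide, in seconds

# Convert an LDAP generalized time (YYYYMMDDhhmmss.fZ, UTC) to epoch seconds
# using integer arithmetic only, so it behaves the same on Linux and macOS.
gt_to_epoch() {
    y=$(echo "$1" | cut -c1-4);    mo=$(echo "$1" | cut -c5-6)
    d=$(echo "$1" | cut -c7-8);    h=$(echo "$1" | cut -c9-10)
    mi=$(echo "$1" | cut -c11-12); s=$(echo "$1" | cut -c13-14)
    # Strip one leading zero so values such as "08" are not parsed as octal.
    mo=${mo#0}; d=${d#0}; h=${h#0}; mi=${mi#0}; s=${s#0}
    # Days-from-civil: count years from 1 March so the leap day falls last.
    if [ "$mo" -le 2 ]; then y=$((y - 1)); mo=$((mo + 9)); else mo=$((mo - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * mo + 2) / 5 + d - 1 ))
    days=$(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
    echo $(( days * 86400 + h * 3600 + mi * 60 + s ))
}

# skew_ok <local_epoch> <dc_epoch>: succeeds when the clocks are within MAX_SKEW.
skew_ok() {
    delta=$(( $1 - $2 ))
    if [ "$delta" -lt 0 ]; then delta=$(( 0 - delta )); fi
    [ "$delta" -le "$MAX_SKEW" ]
}

# Step 1: SRV records that Active Directory publishes for its domain controllers.
dc_srv_records() { dig +short SRV "_ldap._tcp.dc._msdcs.$1"; }
# Step 5 input: DC clock from the rootDSE currentTime attribute (anonymous search).
dc_time() {
    ldapsearch -x -LLL -H "ldap://$1" -s base -b "" currentTime |
        awk '/^currentTime:/ { print $2 }'
}

main() {   # usage: main <domain> [path_to_keytab]
    domain=$1; keytab=${2:-/etc/opt/quest/vas/host.keytab}
    dc=$(dc_srv_records "$domain" | awk 'NR == 1 { sub(/\.$/, "", $4); print $4 }')
    [ -n "$dc" ] || { echo "FAIL: no DC SRV records for $domain"; return 1; }
    # Step 3: the keytab command given in the guide.
    /opt/quest/bin/vastool -u host/ -k "$keytab" info id >/dev/null ||
        { echo "FAIL: $keytab did not authenticate"; return 1; }
    now=$(dc_time "$dc")
    [ -n "$now" ] || { echo "FAIL: could not read currentTime from $dc"; return 1; }
    skew_ok "$(date +%s)" "$(gt_to_epoch "$now")" ||
        { echo "FAIL: clock differs from $dc by more than ${MAX_SKEW}s"; return 1; }
    echo "OK: DNS, keytab and clock checks passed against $dc"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as root with the domain name as the first argument; steps 2 and 4 (forest membership and replication of the computer object) still need to be confirmed in Active Directory itself.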

Privilege Manager Feature Issues

Management Console for Unix integrates with Privilege Manager, including the ability to centrally manage policy. The following topics may help you resolve some of the common problems you might encounter.

Join to Policy Group Failed

When you join a remote Sudo Plugin host to a policy group, you are required to enter a password in the Joined password box. The Join password is the password for the pmpolicy user that was set when the qpm-server was configured. (See Configure the Primary Policy Server for details.)

If the Join operation does not recognize the pmpolicy user password, you will receive an error message with the following snippet:

Enter password for pmpolicy@<host>:
       [FAIL]
       - Failed to copy file using ssh.

       - Error: Failed to add the host to the list of known hosts
       (/var/opt/quest/qpm4u/pmpolicy/.ssh/known_hosts).
       Permission denied, please try again.
       Permission denied, please try again.
       Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

       ** Failed to setup the required ssh access.
       ** The pmpolicy password is required to copy a file to the primary
       ** policy server.
       ** To complete this configuration, please rerun this command and
       ** provide the correct password.

Run the Join operation again, entering the correct password.

Join to Policy Group Option is Not Available

If you run the Check Client for Policy Readiness with no errors and the console indicates that the host is "Ready to join" a policy group, yet the Join to Policy Group option is not available, this topic will help you troubleshoot the issue.

To join a host to a policy group, the host must meet all of the following conditions:

  • When using a sudo policy type, to join a policy group, the selected host(s) must have Sudo 1.8.1 (or higher), the Sudo Plugin software installed, and be added and profiled to the management console.
  • When using pmpolicy type, the host must have the PM Agent software installed on it (see Install Privilege Manager Agent or Plugin Software).
  • A service account must be configured on the primary policy server (see Configure a Service Account).
  • A policy group must be active (see Activate Policy Groups).
  • If you select multiple hosts to join, they must be of the same type (sudo or pmpolicy). However, when selecting multiple primary servers, the Join option will be disabled because each primary server belongs to a different policy group.

Once you meet these conditions, you can run the Join to Policy Group option from the Prepare panel of the All Hosts view (see Join the Host to a Policy Group for details).
