
Safeguard for Sudo 7.1.1 - Administration Guide


Join fails to generate an SSH key for sudo policy

If you attempt to join a Sudo Plugin host and see an ssh-keyscan failure message similar to this:

** Generate ssh key [FAIL] 
   - failed to update known_hosts file:getaddrinfo <myhost>: Name or service not known

You might be using an unresolvable short host name (myhost in the example above) instead of the fully qualified domain name.

To work around this issue, add the domain to the search line in the /etc/resolv.conf file.
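The following added example (not part of the Safeguard for Sudo guide or the product) checks whether the short host name used for the join resolves and, if not, adds the domain to the search line of a resolv.conf file without duplicating it. The file path, host name and domain are parameters; the defaults are illustrative assumptions.

```sh
#!/bin/sh
# Added example, not Safeguard for Sudo code: diagnose the
# "getaddrinfo <myhost>: Name or service not known" join failure and
# add a DNS search domain to a resolv.conf file so short names resolve.

# Return 0 if the (short) host name resolves through the system resolver.
host_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Return 0 if the given resolv.conf already lists the domain on a search line.
search_has_domain() {
    _file=$1; _domain=$2
    awk -v d="$_domain" '
        $1 == "search" { for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
        END { exit found ? 0 : 1 }' "$_file"
}

# Append the domain to the first search line, or create one; idempotent.
# The file is rewritten with cat so its owner and mode are preserved.
add_search_domain() {
    _file=$1; _domain=$2
    if search_has_domain "$_file" "$_domain"; then
        return 0
    fi
    if grep -q '^search[[:space:]]' "$_file"; then
        _tmp=$(mktemp)
        awk -v d="$_domain" '
            $1 == "search" && !done { $0 = $0 " " d; done = 1 }
            { print }' "$_file" > "$_tmp" && cat "$_tmp" > "$_file"
        rm -f "$_tmp"
    else
        printf 'search %s\n' "$_domain" >> "$_file"
    fi
}

# Report whether a join against the short name would pass the ssh-keyscan
# step; assumed usage: check_join_host myhost example.com [/etc/resolv.conf]
check_join_host() {
    _short=$1; _domain=$2; _file=${3:-/etc/resolv.conf}
    if host_resolves "$_short"; then
        echo "ok: $_short resolves"; return 0
    fi
    if search_has_domain "$_file" "$_domain"; then
        echo "fail: $_short does not resolve although $_domain is on the search line of $_file"
    else
        echo "fail: $_short does not resolve; add $_domain to the search line of $_file"
    fi
    return 1
}
```

If /etc/resolv.conf is generated by a resolver manager (resolvconf, NetworkManager, systemd-resolved), make the change in that tool's configuration instead, or it will be overwritten.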

Join to policy group failed on Sudo Plugin

When you join a host with the Sudo Plugin to a policy group, you are required to enter a password. The Join password is the password for the pmpolicy user that was set when the qpm-server was configured. See Configuring the Safeguard for Sudo Primary Policy Server for more information about the pmpolicy service account.

If the Join operation does not accept the pmpolicy user password, you will receive an error message that includes the following snippet:

Enter join password for remote user:pmpolicy@example.com: 

[FAIL] 
   - Failed to copy file using ssh. 
   - Error: Failed to add the host to the list of known hosts 
      (/var/opt/quest/qpm4u/pmpolicy/.ssh/known_hosts). 
      Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive). 

   ** Failed to setup the required ssh access. 
   ** The pmpolicy password is required to copy a file to the primary 
   ** policy server. 
   ** To complete this configuration, please rerun this command and 
   ** provide the correct password. 

      - ERROR: Failed to configure pmclient user 
      - ERROR: Configuration of qpm4u unsuccessful. 
      - ERROR: Installation log file is 
        /opt/quest/qpm4u/install/pmjoin_plugin_output_20121022.log 
[1][root@sles10-qa ~]#

Run the Join operation again, entering the correct password.

Load balancing and policy updates

pmpluginloadcheck is both a command and a background daemon (run with the -i flag). When run as a command, it checks, updates, and reports on the status of the policy servers. You can run pmpluginloadcheck from a Sudo Plugin host.

When run as a daemon process, it keeps track of the status of the policy servers for failover and load-balancing purposes. On policy servers, pmpluginloadcheck is responsible for keeping the production policy file up to date for the offline policy cache.

See pmpluginloadcheck for more information about the syntax and usage of this command.

Policy servers are failing

The primary and secondary policy servers must be able to communicate with each other and the remote hosts must be able to communicate with the policy servers in the policy group.

For example, if you run pmpluginloadcheck on a Sudo Plugin host to determine whether it can communicate with the policy servers in the group, you might get output similar to the following:

++ Checking host:myhost.example.com (10.10.181.87) ... [FAIL]

There are several possible reasons for failure:

  • Policy server host is down
  • Network outage
  • Service not running on policy server host