Error when executing usrun pcksh

Hi

When trying to run the following, I get the error below. I have a PAM server on SLES and the agent installed on CentOS 6.
I don't see anything specific to the error below in the logs either.

[rohit@localhost bin]$ usrun pcksh
/usr/bin/usrun[39]: Cannot contact Command Control Remote Execution service on centos - Permission denied


Tx,
Rohit
  • rohit,

    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.

    These forums are peer-to-peer, best effort, volunteer run, and if your issue
    is urgent or not getting a response, you might try one of the following options:

    - Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
    all the other self support options and support programs available.
    - Open a service request: https://www.microfocus.com/support
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.microfocus.com)
    - You might consider hiring a local partner to assist you.
    https://www.partnernetprogram.com/partnerfinder/find.html

    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.microfocus.com/faq.php

    Sometimes this automatic posting will alert someone that can respond.

    If this is a reply to a duplicate posting or otherwise posted in error, please
    ignore and accept our apologies and rest assured we will issue a stern reprimand
    to our posting bot.

    Good luck!

    Your Micro Focus Forums Team
    http://forums.microfocus.com


  • What PAM packages have been installed on this server? (rohit@localhost CentOS 6)

    Where is the cmdctrl Command Control Manager package located in this environment (i.e. which server is the PAM Manager)?

    Has this agent been registered to this PAM Manager and are they both able to resolve each other's DNS address and connect via port 29120 (agent->manager, manager->agent)?

    Is the agent / host listed as "online" in the Hosts Console? Select "Packages" for this host, are there any status problems reported there?

    Has there been a command control rule configured that allows for specific commands (usrun <command>)?
    Please see an example from a policy template: Command Control Console > Select some rule in the left panel > Click the "Add Policy Template" button dropdown > Select "Allow Commands" policy template.

    Otherwise, please set the logging to DEBUG and check the unifid.log for more details.
  • Hi,
    I've tried to capture a session through pcksh for Linux. Our PAM server is on SLES and the agent is on SLES too. I also have a Windows agent server added to PAM. So, I configured PAM as per the documentation provided by NetIQ.
    1) registered agent
    2) created privileged account domain
    3) add user group
    4) add command
    Rewrite: /usr/bin/pcksh -o audit 1
    Commands: pcksh
    shell


    5) add rule
    Session capture: yes
    Authorized: yes
    Run User: root

    Now, when I log in as a non-privileged user and enter the command usrun pcksh, the following error is displayed:

    IDMAD0\ram@linuxagent:~> usrun pcksh
    /usr/bin/usrun[39]: Cannot contact Command Control Remote Execution service on 192.168.19.50 - Peer verification failure

    *** PAM server : 192.168.19.48 (SLES)
    PAM Agent : 192.168.19.49 (SLES)
    PAM Agent : 192.168.19.50 (win server 2012)

    I don't understand why the error message specifies the Windows server IP there.

    Please help in this issue.
  • What server was this agent (linuxagent) registered to?

    First, I suspect the 'PAM Agent : 192.168.19.50 win server 2012' has the cmdctrl manager package installed, or at the very least this linuxagent has at some point been accidentally registered to the .50 Windows server.
    If the .48 SLES server is your primary PAM Manager server (with cmdctrl manager package), then uninstall this package from the .50 windows server.
    For troubleshooting purposes, we could remove this Windows Host for now from the Hosts Console to test, as it can be re-registered again later.

    Second, I have seen a 'Peer verification failure' error before when time has not been synchronized between PAM Managers and Agents.
    PAM relies on the time reported by the server operating system. Please refer to operating system documentation for more details regarding time synchronization strategies.

    --

    Questions leftover from before:

    Has this agent been registered to the .48 SLES PAM Manager and are they both able to resolve each other's DNS address and connect via port 29120 (agent->manager, manager->agent)?
    Steps to help verify this can be found here: https://www.novell.com/support/kb/doc.php?id=7016996

    Is the agent / host listed as "online" in the Hosts Console?

    Also, select "Packages" for this host and the manager, are there any status problems reported there?
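The two replies above (the questions at the first answer and the follow-up here) boil down to the same checklist for the agent side: does the manager name resolve, is TCP 29120 reachable, and are the clocks in sync. The script below is an added example written for this thread, not part of the original posts or of the PAM product. It assumes bash with /dev/tcp support, GNU `timeout`, `getent`, and, for the clock comparison, optional ssh access to the manager; the 300 s skew tolerance is an assumed value, and the ssh command is only a convenient way to read the manager's clock. It covers agent->manager only; run it again on the manager against the agent name to cover the other direction.

```bash
#!/usr/bin/env bash
# Added example for this thread, not PAM product code. Pre-checks to run on a
# PAM agent before digging into "Cannot contact Command Control Remote Execution
# service" errors: name resolution, TCP reachability of 29120, clock skew.

PAM_PORT=29120           # port named in the replies above

# Forward-resolve a hostname; print the first address, return 1 if it does not resolve.
resolve_host() {
    local name="$1" addr
    addr=$(getent hosts "$name" 2>/dev/null | awk 'NR==1 {print $1}')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Open a TCP connection to host:port via bash's /dev/tcp, bounded by a timeout.
# Return 0 on connect, 1 on refusal/timeout. This is the same proof the telnet
# test in the thread gives: the port answers; it says nothing about the protocol.
tcp_reachable() {
    local host="$1" port="$2" secs="${3:-3}"
    if timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        return 0
    fi
    return 1
}

# Compare two epoch timestamps (agent, manager) against a tolerance in seconds.
# The reply above reports 'Peer verification failure' when clocks drift apart,
# so a large skew is worth fixing before looking anywhere else. 300 s is an
# assumed limit, not a documented product value.
clock_skew_ok() {
    local here="$1" there="$2" max="${3:-300}" diff
    diff=$(( here - there ))
    if [ "$diff" -lt 0 ]; then
        diff=$(( -diff ))
    fi
    [ "$diff" -le "$max" ]
}

# Run all checks from this agent toward the manager. Returns 1 if anything failed.
# Usage: pam_precheck pamserver.idmad.local
pam_precheck() {
    local manager="$1" addr remote rc=0
    if addr=$(resolve_host "$manager"); then
        echo "DNS  ok   $manager -> $addr"
    else
        echo "DNS  FAIL $manager does not resolve"; rc=1
    fi
    if tcp_reachable "$manager" "$PAM_PORT"; then
        echo "TCP  ok   $manager:$PAM_PORT reachable"
    else
        echo "TCP  FAIL $manager:$PAM_PORT unreachable (firewall, service down, or wrong host)"; rc=1
    fi
    # Reading the manager's clock over ssh is an assumption; skip if it is not possible.
    if remote=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$manager" 'date +%s' 2>/dev/null); then
        if clock_skew_ok "$(date +%s)" "$remote"; then
            echo "TIME ok   clock skew within limit"
        else
            echo "TIME FAIL clocks differ by more than 300s; fix NTP on both hosts"; rc=1
        fi
    else
        echo "TIME skip could not read manager clock over ssh"
    fi
    return $rc
}

# Only run the driver when a manager name is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    pam_precheck "$1"
fi
```

Run it as `bash pam_precheck.sh pamserver.idmad.local` on the agent; a DNS or TCP FAIL points at registration, firewall or the wrong manager host, while a TIME FAIL matches the skew explanation given for 'Peer verification failure'.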
  • Hi,
    Command management through usrun is working fine on agent 192.168.19.49 (SLES). If there were any registration issue with the agent, the applied rule would not work properly.
    The strange thing is that, as per your suggestion, I removed the Windows agent 192.168.19.50 (Win Server 2012) from the PAM web management Hosts list. Even then, when I run usrun pcksh, instead of the IP of the Windows agent it replies with the host name of the Windows agent.

    The following is the list of commands I've run from 192.168.19.49 (SLES) as AD user idmad0\ram:

    login as: idmad0\ram
    Using keyboard-interactive authentication.
    Password:
    Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
    Last login: Mon Apr 23 16:15:44 2018 from 192.168.19.200
    IDMAD0\ram@linuxagent:~> usrun /usr/sbin/useradd testuser5
    IDMAD0\ram@linuxagent:~> usrun passwd testuser5
    Changing password for testuser5.
    New Password:
    Reenter New Password:
    Password changed.
    IDMAD0\ram@linuxagent:~> usrun pcksh
    /usr/bin/usrun[39]: Cannot contact Command Control Remote Execution service on pamwinagent - Permission denied
    IDMAD0\ram@linuxagent:~>



    linuxagent:~ # nslookup pamserver.idmad.local
    Server: 192.168.19.47
    Address: 192.168.19.47#53

    linuxagent:~ # telnet 192.168.19.48 29120
    Trying 192.168.19.48...
    Connected to 192.168.19.48.
    Escape character is '^]'.

    pamserver:~ # telnet 192.168.19.49 29120
    Trying 192.168.19.49...
    Connected to 192.168.19.49.
    Escape character is '^]'.

    ** Host and server appear as online

    Then where is the exact issue? Please help.
  • Hi,
    The problem of session management through usrun pcksh has been resolved. I've created a new set of PAM Server and Agent, and configured the rule, user group and command for that. The session has been captured fine for a local user.
    But for external user authentication (AD) it is not running.

    What extra do I have to configure for it? In the rule I've set the following options:

    Session capture: yes
    Authorized: yes
    Run User: root

    The following is the execution with a local user of the agent:
    login as: testuser5
    Using keyboard-interactive authentication.
    Password:
    Last login: Wed Apr 25 11:37:52 2018 from 192.168.19.200
    testuser5@agent:~> usrun pcksh
    /usr/bin/usrun[39]: Cannot contact Command Control service - Permission denied
    testuser5@agent:~> usrun pcksh
    # /usr/sbin/useradd lisa1
    # passwd lisa1
    Changing password for lisa1.
    New Password:
    Reenter New Password:
    Password changed.
    # exit
    testuser5@agent:~>


    If done with an AD user:

    login as: idmad0\ram
    Using keyboard-interactive authentication.
    Password:
    Last login: Fri Apr 13 15:32:19 2018 from 192.168.19.200
    IDMAD0\ram@agent:~> usrun pcksh
    /usr/bin/usrun[39]: Permission denied
    IDMAD0\ram@agent:~> usrun pcksh
    /usr/bin/usrun[39]: Permission denied
    IDMAD0\ram@agent:~> usrun pcksh
    /usr/bin/usrun[39]: Cannot contact Command Control service - Permission denied
    IDMAD0\ram@agent:~> usrun pcksh
    /usr/bin/usrun[39]: Permission denied
    IDMAD0\ram@agent:~>
  • For now, please remove any Rule Condition(s) that require a User Group.