rohit_reflex
New Member.

Error when executing usrun pcksh

Hi

When trying to run the following, I get the error below. I have a PAM server on SLES and the agent installed on CentOS 6.
I don't see anything specific to the below error in the logs either.

[rohit@localhost bin]$ usrun pcksh
/usr/bin/usrun[39]: Cannot contact Command Control Remote Execution service on centos - Permission denied


Tx,
Rohit
AutomaticReply Absent Member.

Re: Error when executing usrun pcksh

rohit,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run, and if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
all the other self support options and support programs available.
- Open a service request: https://www.microfocus.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.microfocus.com)
- You might consider hiring a local partner to assist you.
https://www.partnernetprogram.com/partnerfinder/find.html

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.microfocus.com/faq.php

Sometimes this automatic posting will alert someone that can respond.

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your Micro Focus Forums Team
http://forums.microfocus.com



Micro Focus Expert

Re: Error when executing usrun pcksh

What PAM packages have been installed on this server? (rohit@localhost CentOS 6)

Where is the cmdctrl Command Control Manager package located in this environment (i.e. which server is the PAM Manager)?

Has this agent been registered to this PAM Manager and are they both able to resolve each other's DNS address and connect via port 29120 (agent->manager, manager->agent)?

Is the agent / host listed as "online" in the Hosts Console? Select "Packages" for this host, are there any status problems reported there?

Has there been a command control rule configured that allows for specific commands (usrun <command>) ?
Please see an example from a policy template: Command Control Console > Select some rule in the left panel > Click the "Add Policy Template" button dropdown > Select "Allow Commands" policy template.

Otherwise, please set the logging to DEBUG and check the unifid.log for more details.
prasenjitmass Respected Contributor.

Re: Error when executing usrun pcksh

Hi,
I've tried to capture a session through pcksh for Linux. Our PAM server is on SLES, and the agent is also on SLES. We also have a Windows agent server added to PAM. So, I configured PAM as per the documentation provided by NetIQ.
1) registered agent
2) created privileged account domain
3) add user group
4) add command
Rewrite: /usr/bin/pcksh -o audit 1
Commands: pcksh
shell


5) add rule
Session capture: yes
Authorized: yes
Run User: root

Now, when I log in as a non-privileged user and enter the command usrun pcksh, the following error is displayed:

IDMAD0\ram@linuxagent:~> usrun pcksh
/usr/bin/usrun[39]: Cannot contact Command Control Remote Execution service on 192.168.19.50 - Peer verification failure

*** PAM server : 192.168.19.48 (SLES)
PAM Agent : 192.168.19.49 (SLES)
PAM Agent : 192.168.19.50 (win server 2012)

I don't understand why the error message specifies the Windows server IP there.

Please help with this issue.
Micro Focus Expert

Re: Error when executing usrun pcksh

What server was this agent (linuxagent) registered to?

First, I suspect the 'PAM Agent : 192.168.19.50 win server 2012' has the cmdctrl manager package installed, or at the very least had it previously, or this linuxagent has been accidentally registered to the .50 Windows server.
If the .48 SLES server is your primary PAM Manager server (with cmdctrl manager package), then uninstall this package from the .50 windows server.
For troubleshooting purposes, we could remove this Windows Host for now from the Hosts Console to test, as it can be re-registered again later.

Second, I have seen a 'Peer verification failure' error before when time has not been synchronized between PAM Managers and Agents.
PAM relies on the time reported by the server operating system. Please refer to operating system documentation for more details regarding time synchronization strategies.

--

Questions leftover from before:

Has this agent been registered to the .48 SLES PAM Manager and are they both able to resolve each other's DNS address and connect via port 29120 (agent->manager, manager->agent)?
Steps to help verify this can be found here: https://www.novell.com/support/kb/doc.php?id=7016996

Is the agent / host listed as "online" in the Hosts Console?

Also, select "Packages" for this host and the manager, are there any status problems reported there?
prasenjitmass Respected Contributor.

Re: Error when executing usrun pcksh

Hi,
Command management through usrun is working fine on agent 192.168.19.49 (SLES). If there had been any registration issue with the agent, then the applied rule would not have worked properly.
The strange thing is that, as per your opinion, I've removed the Windows agent 192.168.19.50 (win server 2012) from the PAM web management Hosts list. Even then, when I run usrun pcksh, instead of the IP of the Windows agent it replies with the host name of the Windows agent.

The following is the list of commands I've run from 192.168.19.49 (SLES) as AD user idmad0\ram:

login as: idmad0\ram
Using keyboard-interactive authentication.
Password:
Domain Controller unreachable, using cached credentials instead. Network resources may be unavailable
Last login: Mon Apr 23 16:15:44 2018 from 192.168.19.200
IDMAD0\ram@linuxagent:~> usrun /usr/sbin/useradd testuser5
IDMAD0\ram@linuxagent:~> usrun passwd testuser5
Changing password for testuser5.
New Password:
Reenter New Password:
Password changed.
IDMAD0\ram@linuxagent:~> usrun pcksh
/usr/bin/usrun[39]: Cannot contact Command Control Remote Execution service on pamwinagent - Permission denied
IDMAD0\ram@linuxagent:~>



linuxagent:~ # nslookup pamserver.idmad.local
Server: 192.168.19.47
Address: 192.168.19.47#53

linuxagent:~ # telnet 192.168.19.48 29120
Trying 192.168.19.48...
Connected to 192.168.19.48.
Escape character is '^]'.

pamserver:~ # telnet 192.168.19.49 29120
Trying 192.168.19.49...
Connected to 192.168.19.49.
Escape character is '^]'.

** Host and server appear as online

Then where exactly is the issue? Please help.
prasenjitmass Respected Contributor.

Re: Error when executing usrun pcksh

Hi,
The problem of session management through usrun pcksh has been resolved. I've created a new set of PAM Server and Agent, and configured a rule, user group and command for that. The session has been captured fine for a local user.
But for external user authentication (AD) it is not running.

What extra do I have to configure for it? In the rule I've set the following options:

Session capture: yes
Authorized: yes
Run User: root

The following is the execution with a local user of the agent:
login as: testuser5
Using keyboard-interactive authentication.
Password:
Last login: Wed Apr 25 11:37:52 2018 from 192.168.19.200
testuser5@agent:~> usrun pcksh
/usr/bin/usrun[39]: Cannot contact Command Control service - Permission denied
testuser5@agent:~> usrun pcksh
# /usr/sbin/useradd lisa1
# passwd lisa1
Changing password for lisa1.
New Password:
Reenter New Password:
Password changed.
# exit
testuser5@agent:~>


With an AD user:

login as: idmad0\ram
Using keyboard-interactive authentication.
Password:
Last login: Fri Apr 13 15:32:19 2018 from 192.168.19.200
IDMAD0\ram@agent:~> usrun pcksh
/usr/bin/usrun[39]: Permission denied
IDMAD0\ram@agent:~> usrun pcksh
/usr/bin/usrun[39]: Permission denied
IDMAD0\ram@agent:~> usrun pcksh
/usr/bin/usrun[39]: Cannot contact Command Control service - Permission denied
IDMAD0\ram@agent:~> usrun pcksh
/usr/bin/usrun[39]: Permission denied
IDMAD0\ram@agent:~>
Micro Focus Expert

Re: Error when executing usrun pcksh

For now, please remove any Rule Condition(s) that require a User Group.
0 Likes
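
The triage steps from the replies above, collected into one script (an added example, not part of any post in this thread and not Micro Focus code). It parses the usrun error lines quoted in the thread, flags a contacted host that the operator did not expect, maps the error reason to the follow-up check the replies suggested, and scripts the telnet test on port 29120. The function names and the `expected_hosts` allow-list are assumptions made for the example.

```python
import re
import socket

# Shape of the usrun error lines quoted in this thread.
USRUN_ERR = re.compile(
    r"^\S+\[\d+\]: (?:Cannot contact (?P<svc>.+? service)"
    r"(?: on (?P<host>\S+))? - )?(?P<reason>.+)$"
)

# Follow-up checks suggested in the replies, keyed by the error reason.
NEXT_CHECK = {
    "Peer verification failure": "check time synchronization between manager and agent",
    "Permission denied": "review the Command Control rule; remove User Group conditions while testing",
}

def parse_usrun_error(line):
    """Split one usrun error line into service, contacted host and reason."""
    m = USRUN_ERR.match(line.strip())
    if m is None:
        return None
    return {"service": m["svc"], "host": m["host"], "reason": m["reason"]}

def triage(line, expected_hosts):
    """List follow-up checks; expected_hosts is the operator's own allow-list (assumption)."""
    err = parse_usrun_error(line)
    if err is None:
        return []
    checks = []
    if err["host"] and err["host"] not in expected_hosts:
        checks.append(f"unexpected host {err['host']}: check its cmdctrl manager package and registration")
    if err["reason"] in NEXT_CHECK:
        checks.append(NEXT_CHECK[err["reason"]])
    return checks

def port_open(host, port=29120, timeout=3.0):
    """TCP connect test: the scripted form of the telnet checks on port 29120."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Error line copied from the thread; addresses are the poster's lab values.
    line = ("/usr/bin/usrun[39]: Cannot contact Command Control Remote Execution "
            "service on 192.168.19.50 - Peer verification failure")
    for check in triage(line, expected_hosts={"192.168.19.48", "192.168.19.49"}):
        print("-", check)
```

Run `port_open` from the agent against the manager and from the manager against the agent, since the replies ask for connectivity in both directions.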