When does the PAM A2A client return error 408 null null, fail to get script name?

Article ID: 131061

Products

CA Privileged Access Manager - Cloakware Password Authority (PA), PAM SAFENET LUNA HSM, CA Privileged Access Manager (PAM)

Issue/Introduction

After installing the A2A client on a Solaris host, a test of the client fails with the following error:
> /opt/cloakware/cspmclient/bin/cspmclient clienttest 
408 null null, fail to get script name

We are running the command in the bash shell, which is configured in a login script and is not the default shell for the user as defined in /etc/passwd.

What is the meaning of the 408 error code and how can we resolve it?

Environment

This applies to any PAM A2A client on any supported OS.

Resolution

The A2A client always checks whether it is called from a script, because in that case it has to determine the name of the script being executed so that it can verify script mappings. The check is performed by searching the process tree for the full path of a shell binary, such as /bin/bash or /bin/sh. If a full shell path is found, PAM will look for the child process to determine the script name.

For a user logging in to the default shell, the shell process will show up in the process tree with the name "-<shell>", e.g. "-bash" or "-ksh". This will not trigger the script logic. But if the user enters a different shell by explicitly calling it, either from the command line or from a login script, there will be a shell process with the full path in the process tree, and the A2A client will look for the name of the script. If the user does not invoke a script but executes the cspmclient command directly from the command line, no script name will be found and error 408 with the message "fail to get script name" will be returned.

To avoid this problem, either stay in the default shell and execute the cspmclient binary from there, or put the command in a script and execute the script.
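
The following diagnostic is an added example, not code from the A2A client or from the vendor. It approximates the process-tree check described above so you can see in advance whether a direct cspmclient call would trigger the script-name lookup. The function names, the list of shell names and the sample process tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch: approximates the process-tree check the article
# describes. It is not the A2A client's own code.

# Classify the first word of a command line as it appears in the process tree.
classify_cmd() {
    case "$1" in
        -*sh) echo login-shell ;;   # "-bash", "-ksh": the user's default login shell
        /*/sh|/*/bash|/*/ksh|/*/csh|/*/tcsh|/*/zsh) echo full-path-shell ;;
        *) echo other ;;
    esac
}

# predict_lookup TABLE PID
# TABLE holds "pid ppid args" lines; walk from PID up to the root and report
# whether a full-path shell is among the ancestors.
predict_lookup() {
    table=$1 pid=$2 verdict=no-script-lookup
    while [ -n "$pid" ] && [ "$pid" -gt 0 ]; do
        entry=$(printf '%s\n' "$table" | awk -v p="$pid" '$1 == p { print $2, $3; exit }')
        [ -n "$entry" ] || break
        ppid=${entry%% *} cmd=${entry#* }
        if [ "$(classify_cmd "$cmd")" = full-path-shell ]; then
            verdict=script-lookup   # a direct cspmclient call is expected to fail with 408
        fi
        pid=$ppid
    done
    echo "$verdict"
}

# Constructed sample: cspmclient run directly from the default login shell.
SAMPLE_DEFAULT='1 0 /sbin/init
500 1 /usr/lib/ssh/sshd
510 500 -ksh
520 510 /opt/cloakware/cspmclient/bin/cspmclient clienttest'

# Constructed sample: a login script started /bin/bash before the same call.
SAMPLE_EXPLICIT='1 0 /sbin/init
500 1 /usr/lib/ssh/sshd
510 500 -ksh
515 510 /bin/bash
520 515 /opt/cloakware/cspmclient/bin/cspmclient clienttest'

echo "default shell: $(predict_lookup "$SAMPLE_DEFAULT" 520)"
echo "explicit bash: $(predict_lookup "$SAMPLE_EXPLICIT" 520)"
```

On a live host, pass the output of `ps -e -o pid= -o ppid= -o args=` as the table and `$$` as the PID to check the current session.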