sewhoami Group connection table is empty for a user with a large number of groups (max users PIM PAMSC)

Article ID: 239310

Updated On:

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

We received an issue where one user cannot sesu to a privileged account on a Linux machine while another user can.

They are both part of a large number of groups. I attached here the support.tar file and the comparison between working and non-working users.

 


CA Privileged Access Manager Server Control version 14.1 installed in /opt/CA/AccessControl
VeRsIoN: 14.10-40 (17) Compiled On:Jan 09 2022 23:36:55  Kernel: 3.10.0-862.el7.x86_64-RH75 _LINUX70-3100-862-RHELX86_64.X86_64 STOP 30034
CA Privileged Access Manager Server Control kernel extension is loaded.
CA Privileged Access Manager Server Control security daemon is running, pid=64140 (security)
CA Privileged Access Manager Server Control watchdog daemon is running, pid=64198 (watchdog)
CA Privileged Access Manager Server Control agent daemon is running, pid=64143 (agent)
CA Privileged Access Manager Server Control serevu daemon is not running.
CA Privileged Access Manager Server Control selogrd daemon is running, pid=64204 (selogrd)
CA Privileged Access Manager Server Control selogrcd daemon is not running.
CA Privileged Access Manager Server Control eacws daemon is not running.
CA Privileged Access Manager Server Control ReportAgent daemon is running, pid=21025 (ReportAgent )
CA Privileged Access Manager Server Control AgentManager daemon is running, pid=65270 (AgentManager )
CA Privileged Access Manager Server Control policyfetcher daemon is running, pid=149034 (policyfetcher )
CA Privileged Access Manager Server Control KBLAudMgr daemon is running, pid=64201 (seagent )
CA Privileged Access Manager Server Control auxiliary daemon is not running.
CA Privileged Access Manager Server Control uxauthd daemon is not running.
CA Privileged Access Manager Server Control AgentManager daemon is running, pid=65290 (/opt/CA/AccessControlShared/bin/AgentManager -watchdog)
CA Privileged Access Manager Server Control sepmdd daemon is not running.
CA Privileged Access Manager Server Control sersvd daemon is not running.
[root@Server1 uat: /root] selang -s -c "list policy"
(localhost)
Policy1#01
Policy2#01
Policy3#01  -> this policy is giving the group sppt a permission 

 


username
ACEE Contents
User's Name : Username
ACEE's Handle : 29
Group Connections Table:
<Empty>
Categories : <None>
Profile Group : <None>
Security Label : <None>
User's Audit Mode : Failure LoginSuccess LoginFailure
User's Security Level : 0
Source Terminal : 10.101.10.101
Process Count for ACEE : 2
User's Mode : OS_user
ACEE's Creation Time : Wed Mar 30 12:12:37 2022

 

Environment

Release : 14.1

Component : PAM SERVER CONTROL ENDPOINT UNIX/LINUX

Cause

PAMSC endpoints running versions earlier than cp04 with test fix DE530454 could not read through more than 128 groups. If a required group came after the first 127 groups, it might not be seen and evaluated.
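
An added triage check for the condition described above (example code, not part of the original article or the product): it flags a user whose saved sewhoami output shows an empty Group Connections Table while the OS group list holds more than 127 groups, and reports where the required group sits in that list. The function names, the g1..g130 sample data and the assumption that the supplied list order matches the order the endpoint reads groups in are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. LIMIT comes from the article: a group after
# the first 127 may not be seen on an endpoint without the fix.
LIMIT=127

# Exit 0 when the sewhoami ACEE dump on stdin has an empty Group Connections Table.
acee_table_empty() {
    awk '/^Group Connections Table:/ { seen = 1; next }
         seen && NF { empty = ($0 ~ /^[ \t]*<Empty>[ \t]*$/); exit }
         END { exit(empty ? 0 : 1) }'
}

# Print the 1-based position of group $1 in the space-separated list $2 (0 = absent).
# Assumption: the list order matches the order the endpoint reads groups in.
group_position() {
    want=$1; pos=0; i=0
    for g in $2; do
        i=$((i + 1))
        if [ "$g" = "$want" ]; then pos=$i; break; fi
    done
    echo "$pos"
}

# $1 = required group, $2 = OS group list (for example from `id -Gn USER`),
# $3 = file with that user's sewhoami output. Prints a one-line verdict.
triage() {
    count=$(printf '%s\n' "$2" | wc -w | tr -d ' ')
    pos=$(group_position "$1" "$2")
    if ! acee_table_empty < "$3"; then
        echo "OK: ACEE lists group connections"
    elif [ "$count" -gt "$LIMIT" ]; then
        echo "SUSPECT: empty ACEE table, $count OS groups, $1 at position $pos"
    else
        echo "OTHER: empty ACEE table with only $count OS groups"
    fi
}

# Constructed sample: groups g1..gN plus the ACEE lines shown in this article.
sample_groups() { i=1; while [ "$i" -le "$1" ]; do printf 'g%s ' "$i"; i=$((i + 1)); done; }
sample_acee() { printf 'ACEE Contents\nGroup Connections Table:\n<Empty>\nCategories : <None>\n'; }

tmp=$(mktemp) && sample_acee > "$tmp"
triage g129 "$(sample_groups 130)" "$tmp"
rm -f "$tmp"
```

Group names that contain spaces would be split by this word-based list handling and need a different separator.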

Resolution

Test fix DE530454 resolves this issue.