Missing Admin user mode on the 'root' user
Article ID: 256948

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

The 'Admin' user mode has inadvertently been removed from the 'root' user, and no other user has the 'Admin' user mode.
Running 'su root' at the selang prompt shows that the "Admin" user mode is missing.

PAMSC> su root
(localhost)
Data for USER 'root'
-----------------------------------------------------------
User mode         : Auditor, Ignore-Holiday
Audit mode        : Login-Success, Failure, Login-Failure
Last accessed     : _CRONJOB_
Last access time  : 23-Dec-2022 14:01
Update time       : 23-Dec-2022 17:20
Updated by        : root          (USER   )

Trying to add the 'Admin' user mode at the selang prompt fails because the 'root' user no longer has enough privilege.

PAMSC> eu root Admin
(localhost)
ERROR: Operation not allowed
ERROR: You are not allowed to update the user type

How can we fix this problem?

Environment

PAMSC 14.1 Endpoint

Resolution

You need to rebuild the database. Please refer to

Rebuild the Privileged Access Manager Server Control Database

Before re-importing the exported rule file, do the following:

Modify the following line (add 'admin'):

From

editusr ('root') auditor ign_hol audit(FAILURE LOGINSUCCESS LOGINFAILURE)

To

editusr ('root') admin auditor ign_hol audit(FAILURE LOGINSUCCESS LOGINFAILURE)

Also find any other editusr line for the root user and remove it. For example, if you find the following line at the bottom of the file, remove it:

  editusr root regular auditor ign_hol

Then re-import the rule file and run 'migrate -w'.
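As an added illustration of the rule-file edit described above (this script is not part of PAMSC or of this article; it assumes the editusr line forms shown here, one rule per line), a small Python script that keeps a single editusr rule for root, puts the admin mode back if it is missing, and reports any duplicate root rules it dropped so they can be reviewed before the import:

```python
import re

# Matches an editusr rule for root in the forms seen in the exported file:
#   editusr ('root') ...      editusr root ...
# Group 1 holds everything after the user name (modes, audit(...) clause).
ROOT_RULE = re.compile(r"^\s*editusr\s+(?:\(\s*'root'\s*\)|'root'|root)(?=\s|$)(.*)$",
                       re.IGNORECASE)

def fix_root_rules(export_text):
    """Rewrite the rules so root has one editusr line that includes 'admin'.

    Returns (new_text, report); report holds the root line that was kept
    (possibly with 'admin' added) and the duplicate root lines dropped.
    """
    out, removed, kept, seen = [], [], None, False
    for line in export_text.splitlines():
        m = ROOT_RULE.match(line)
        if not m:
            out.append(line)
            continue
        if seen:                       # a second editusr for root, e.g. 'regular ...'
            removed.append(line)       # drop it, as the article does
            continue
        seen = True
        head, rest = line[:m.start(1)], m.group(1).strip()
        modes = {t.lower() for t in rest.split()}
        if "admin" not in modes:       # the mode that was lost; put it back
            line = f"{head} admin {rest}".rstrip()
        kept = line
        out.append(line)
    return "\n".join(out) + "\n", {"kept": kept, "removed": removed}

def root_has_admin(export_text):
    """True if exactly one editusr root rule exists and it carries 'admin'."""
    hits = [m for m in map(ROOT_RULE.match, export_text.splitlines()) if m]
    return len(hits) == 1 and "admin" in hits[0].group(1).lower().split()

# Constructed sample resembling the article's export.txt (not a real export).
SAMPLE = """\
setoptions class+ (USER)
editusr ('root') auditor ign_hol audit(FAILURE LOGINSUCCESS LOGINFAILURE)
editusr ('alice') regular
editusr root regular auditor ign_hol
"""

if __name__ == "__main__":
    fixed, report = fix_root_rules(SAMPLE)
    print(fixed)
    print(report, root_has_admin(fixed))
```

Run it against the real export.txt by reading the file into fix_root_rules and writing the returned text back; check the report's removed list before importing.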

Here are the detailed steps.

1. Run 'secons -s' to shut down PAMSC; if 'secons -s' does not work, reboot the OS instead.

2. Back up the seosdb to a backup location, e.g. the ~/Download/backup2 directory.

[root@wsang-xxxxxxxxx bin]# cp -R /opt/CA/PAMSC/seosdb ~/Download/backup2

3. Export and migrate from the backup directory.

[root@wsang-xxxxxxxxx bin]# cd ~/Download/backup2/seosdb
[root@wsang-xxxxxxxxx seosdb]#
[root@wsang-xxxxxxxxx seosdb]# /opt/CA/PAMSC/bin/dbmgr -export -l -f ./export.txt
CA Privileged Access Manager Server Control dbmgr v14.10.40.182 - Database to Script Dump
Copyright (c) 2018 CA. All rights reserved

[root@wsang-xxxxxxxxx seosdb]# /opt/CA/PAMSC/bin/dbmgr -migrate -r ./migrate.txt

Processing class USER
Processing USER +devcalc.
Processing USER +policyfetcher.
Processing USER _seagent.
Processing USER _sebuildla.
Processing USER _seoswd.
Processing USER _undefined.
Processing USER nobody.
Processing USER root.
Processing USER <user>.

Processing class XUSER
Processing XUSER all.
Processing XUSER <user2>.
Processing XUSER <user3>.

Processing class PROGRAM
Processing PROGRAM /opt/CA/PAMSC/bin/sebuildla.
Processing PROGRAM /opt/CA/PAMSC/bin/sechkey.
Processing PROGRAM /opt/CA/PAMSC/bin/sesudo.
Processing PROGRAM _default.

Processing class HNODE
Processing HNODE __local__.
Done.

4. Before re-importing the database into a fresh seosdb, I need to modify the exported rule file, i.e. export.txt. I open export.txt in 'vi' and search for 'root' related rules in the file.

I found the following line:

 editusr ('root') auditor ign_hol audit(FAILURE LOGINSUCCESS LOGINFAILURE)

I modified this line to:

 editusr ('root') admin auditor ign_hol audit(FAILURE LOGINSUCCESS LOGINFAILURE)

I searched further and at the bottom of the file found:

 editusr root regular auditor ign_hol

I deleted this line. Searching again, I found no other 'editusr root' rule, so I saved the file.

5. Now I need to import the exported rules into a fresh seosdb. First, create the /opt/CA/PAMSC/seosdb_new directory and create a fresh database in it.

[root@wsang-xxxxxxxxx PAMSC]# mkdir seosdb_new
[root@wsang-xxxxxxxxx PAMSC]# cd seosdb_new

[root@wsang-xxxxxxxxx seosdb_new]# ../bin/dbmgr -create -cq
Creating new database:
  1. Building database file.
  2. Initialize new database.
  3. Open new database.
  4. Add classes to new database.
  5. No user-defined classes added to database.
  6. Add properties to classes.
  7. Add objects to class SeOS and class UACC.
  8. Add predefined objects to database.
  9. No user-defined properties added to database.
  10. Close new database files.
Successfully created new CA Privileged Access Manager Server Control database.

6. Make sure you are in the /opt/CA/PAMSC/seosdb_new directory and import the modified exported rule file.

[root@wsang-xxxxxxxxx seosdb_new]# ../bin/selang -l -d . -f ~/Download/backup2/seosdb/export.txt
CA Privileged Access Manager Server Control selang v14.10.40.182 - command line interpreter
Copyright (c) 2018 CA. All rights reserved.

Successfully updated CA Privileged Access Manager Server Control options
Successfully updated CA Privileged Access Manager Server Control options
Successfully updated CA Privileged Access Manager Server Control options
Successfully updated CA Privileged Access Manager Server Control options
< ... cut ... >

7. Run the migrate command.

[root@wsang-xxxxxxxxx seosdb_new]# ../bin/dbmgr -migrate -w ~/Download/backup2/seosdb/migrate.txt
Processing +devcalc of class USER.
Processing +policyfetcher of class USER.
Processing nobody of class USER.
Processing root of class USER.
Processing <user> of class USER.
Processing all of class XUSER.
Processing <user2> of class XUSER.
Processing <user3> of class XUSER.
Done.

8. Replace /opt/CA/PAMSC/seosdb with seosdb_new.

[root@wsang-xxxxxxxxx seosdb_new]# cd ..
[root@wsang-xxxxxxxxx PAMSC]# mv seosdb seosdb_old
[root@wsang-xxxxxxxxx PAMSC]# mv seosdb_new seosdb

9. Restart PAMSC and verify.