Su command fails after installing PIM Endpoint agent

Article ID: 29151


Products

CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)

Issue/Introduction

The customer had Quest Vintela Authentication Services (VAS) installed on the machine and could run all standard OS commands without any issues.

Once the PIM 12.8 endpoint was introduced into the environment (SunOS 5.10 Update 11), users lost the ability to execute the su command and could only run the PIM version (sesu). No errors were displayed other than:

# su
sorry

or

su: unable to set credentials

Environment

Release: ACP1M005900-12.8-Privileged Identity Manager
Component: Privileged Identity Manager

Environment:
PIM 12.8 endpoint
SunOS 5.10 Update 11

Cause

Tracing the execution of su showed no errors or denials from either PIM or VAS; the only notable output was "INFO    : 0 no such process" in the trace that was set around the command. The pam.conf file contained only pam_seos.so for the su service, so su could authenticate only through PIM. With the optional pam_vas3.so module added to the su stack, su can authenticate through either pam_seos.so or pam_vas3.so.

To determine more precisely whether su is going through pam_seos.so, the following tests can be run:

  1. Place the added pam_vas3.so line AFTER the existing su auth pam_seos.so line (su may stop working, or may proceed to pam_vas3.so).

  2. Change the pam_vas3.so line from optional to required (forces the su service to use pam_vas3.so rather than pam_seos.so).

  3. Try a combination of the two tests above (results are unpredictable, as they depend entirely on the outcomes of steps 1 and 2).

I would not, however, suggest removing the 'su auth optional pam_seos.so' line, as doing so may cause the same errors that were received before pam_vas3.so was added to pam.conf. Although removing it is a valid test, the line may still be needed for sanity checks.

 

Resolution

Modified the pam.conf file by adding the following line for the su service, placed before the existing pam_seos.so line:

su auth optional pam_vas3.so create_homedir get_nonvas_pass try_first_pass

so that the su auth stack reads as follows:

su auth optional pam_vas3.so create_homedir get_nonvas_pass try_first_pass
su auth optional pam_seos.so

Adding this line allows su to authenticate via pam_vas3.so, which was required for this user.
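As an added check (this script is not from the article and is not CA or Quest code), the following POSIX shell script parses a Solaris 10 style pam.conf, prints the su auth stack, and reports whether an optional pam_vas3.so entry precedes pam_seos.so, which is the layout the Resolution uses. It also flags the layout from step 1 of the Cause section, where the VAS line is placed after the PIM line. The script runs against three constructed pam.conf fragments embedded in it (the "other" lines are placeholders, and none of the fragments is copied from a real host); to run it against a live system, pass /etc/pam.conf to the functions instead. The column layout assumed (service, module type, control flag, module path, options) is the standard Solaris pam.conf format.

```shell
#!/bin/sh
# Added example, not from the CA article: inspect the "su auth" stack in a
# Solaris 10 style pam.conf and check that an "optional" pam_vas3.so entry
# comes before pam_seos.so, the layout used in the Resolution above.
# Assumed pam.conf column layout (standard on Solaris 10):
#   service  module_type  control_flag  module_path  [options...]

# Print every "su auth" entry from the file given as $1, in file order.
su_auth_stack() {
    awk '$1 == "su" && $2 == "auth" { print }' "$1"
}

# Exit 0 if the su auth stack has an "optional pam_vas3.so" entry and it
# appears before the first pam_seos.so entry; exit 1 otherwise (no VAS
# entry, VAS entry with another control flag, or VAS entry after PIM).
vas_before_seos() {
    awk '
        $1 == "su" && $2 == "auth" {
            n++
            if ($3 == "optional" && $4 ~ /pam_vas3\.so/ && !vas) vas = n
            if ($4 ~ /pam_seos\.so/ && !seos) seos = n
        }
        END {
            if (vas && seos && vas < seos) exit 0
            exit 1
        }
    ' "$1"
}

# Three constructed pam.conf fragments (placeholder "other" lines included so
# the su-specific filter is exercised); none is copied from a real host.
BROKEN=$(mktemp) || exit 1
FIXED=$(mktemp) || exit 1
REVERSED=$(mktemp) || exit 1
trap 'rm -f "$BROKEN" "$FIXED" "$REVERSED"' EXIT

cat > "$BROKEN" <<'EOF'
# su as found after the PIM endpoint install: PIM module only
su      auth    optional    pam_seos.so
other   auth    requisite   pam_authtok_get.so.1
other   auth    required    pam_unix_auth.so.1
EOF

cat > "$FIXED" <<'EOF'
# su after the fix: VAS module first, PIM module second
su      auth    optional    pam_vas3.so create_homedir get_nonvas_pass try_first_pass
su      auth    optional    pam_seos.so
other   auth    requisite   pam_authtok_get.so.1
other   auth    required    pam_unix_auth.so.1
EOF

cat > "$REVERSED" <<'EOF'
# the step-1 test layout from the Cause section: VAS line after the PIM line
su      auth    optional    pam_seos.so
su      auth    optional    pam_vas3.so create_homedir get_nonvas_pass try_first_pass
other   auth    requisite   pam_authtok_get.so.1
other   auth    required    pam_unix_auth.so.1
EOF

# Print the stack and a verdict for one pam.conf file.
report() {
    echo "== $1"
    su_auth_stack "$1"
    if vas_before_seos "$1"; then
        echo "OK: optional pam_vas3.so precedes pam_seos.so in the su auth stack"
    else
        echo "WARN: su auth stack has no optional pam_vas3.so entry ahead of pam_seos.so"
    fi
}

report "$BROKEN"
report "$FIXED"
report "$REVERSED"
```

Only the su service is inspected, so a pam_vas3.so entry under "other" does not count; the check is deliberately strict about the control flag because step 2 of the Cause section (changing it to required) is a diagnostic, not the resolved configuration.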