06/04/2024 05:37 AM
Hi Team,
We are facing task failure for LINUX JIT request. Please recommend the steps for resolving the issue.
Configuration details
Below are the details of relevant logs.
Thanks,
Manju
06/05/2024 10:42 PM
Hello @Manju_SL,
Was this working before? Did you change anything in the configuration?
Thanks.
06/05/2024 11:37 PM
Hello @sudeshjaiswal.
This is a new configuration.
PROVISION_ACCOUNT_COMMAND = {"unix": {"command": "sudo -S useradd ${username} -p ${hashedPassword} -g users"}}
Found two issues.
Account is having space.
From logs Unix AccountProvisioning before binding: {unix": {"command": "sudo -S useradd ${username} -p ${hashedPassword} -g users"}}"
after binding: sudo -S useradd Manju Test -p *** -g users
It is asking for password.
Thanks,
Manju
06/05/2024 11:57 PM
Hello @Manju_SL,
Please use this command in the Provision_Account_Command.
sudo useradd -m -s /bin/bash '${username}' -c '${user?.lastname}.${user?.firstname}/${user?.email}' -g users
Thanks
06/06/2024 12:34 AM
Have updated Provision_Account_command. Latest error is JIT account creation failed. As null value is assigned.
Below are details from logs.
Unix AccountProvisioning before binding: sudo useradd -m -s /bin/bash '${username}' -c '${user?.lastname}.${user?.firstname}/${user?.email}' -g users
Unix AccountProvisioning Service command, after binding: sudo useradd -m -s /bin/bash 'Manju tst' -c 'tst.Manju/manju_tst@xxx.com' -g users
2024-06-06T07:06:08.412227051Z stdout F 2024-06-06 07:06:08,412 [quartzScheduler_Worker-9] DEBUG provisoning.UnixProvisioningService - Got accountId from createAccount: null
2024-06-06T07:06:08.41218142Z stdout F 2024-06-06 07:06:08,412 [quartzScheduler_Worker-9] DEBUG provisoning.UnixProvisioningService - Errorline after reading provisioning response : [sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper]
Regards,
Manju
06/07/2024 01:17 AM
When we mapped username into Endpoint role username had space so the query was not getting executed.
Now mapped Firstname in the Endpoint role. The binding query that got created is right.
2024-06-07T16:14:06+08:00-ecm-worker--null-rl2nw--2024-06-07T08:14:06.08926533Z stdout F 2024-06-07 08:14:06,089 [quartzScheduler_Worker-5] DEBUG provisoning.UnixProvisioningService - Unix AccountProvisioning Service command, after binding: sudo useradd -m -s /bin/bash 'Manju' -c 'test.Manju/manju_test@xxx.com' -g users
Later getting the below error while assigning accountID.
2024-06-07T15:34:10+08:00-ecm-worker--null-rl2nw--2024-06-07T07:34:09.858423538Z stdout F 2024-06-07 07:34:09,858 [Thread-14030] DEBUG provisoning.UnixProvisioningService - Error while assigning accountID: For input string: "null"
2024-06-07T15:34:10+08:00-ecm-worker--null-rl2nw--2024-06-07T07:34:09.858435923Z stdout F 2024-06-07 07:34:09,858 [Thread-14030] DEBUG provisoning.UnixProvisioningService - Errorline after reading provisioning response : [sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper]
06/09/2024 09:30 PM
Found another issue related to JIT account creation on Linux. From /var/log/secure, we are getting the below errors.
Jun 7 14:22:06 365693529df441f sshd[579912]: Accepted keyboard-interactive/pam for saviynt_ssh_connector from 10.199.1.6 port 36236 ssh2
Jun 7 14:22:06 365693529df441f systemd[579921]: [lsass-pam] [module:pam_lsass]pam_sm_acct_mgmt failed [login:saviynt_ssh_connector][error code:40016]
Jun 7 14:22:06 365693529df441f systemd[579921]: [lsass-pam] [module:pam_lsass]pam_sm_acct_mgmt failed [login:saviynt_ssh_connector][error code:40016]
Jun 7 14:22:06 365693529df441f systemd[579921]: [lsass-pam] [module:pam_lsass]pam_sm_acct_mgmt failed [login:saviynt_ssh_connector][error code:40016]
Jun 7 14:22:06 365693529df441f systemd[579921]: [lsass-pam] [module:pam_lsass]pam_sm_acct_mgmt failed [login:saviynt_ssh_connector][error code:40016]
Jun 7 14:22:06 365693529df441f sshd[579912]: pam_unix(sshd:session): session opened for user saviynt_ssh_connector by (uid=0)
Jun 7 14:22:06 365693529df441f sshd[579912]: pam_unix(sshd:session): session closed for user saviynt_ssh_connector
Please suggest your inputs.
Thanks,
Manju
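The two failures reported in the thread (an account name containing a space, and sudo asking for a password in a session with no terminal) can be checked on the target host before a provisioning task runs. The following is an added example, not part of the thread and not Saviynt code. The function names, the allow-list of characters, the `SUDO_BIN`/`USERADD_BIN` variables and the `/usr/sbin/useradd` path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for a useradd provisioning command.
LC_ALL=C; export LC_ALL                        # make the [A-Z] ranges below byte-exact
SUDO_BIN=${SUDO_BIN:-sudo}                     # hypothetical override, used for testing
USERADD_BIN=${USERADD_BIN:-/usr/sbin/useradd}  # assumed path; adjust per host

# Return 0 only if $1 is safe to bind into  useradd '<name>'.
# Assumed conservative allow-list: first character a letter or underscore,
# then letters, digits, '_', '.', '-'; at most 32 characters.
# This rejects spaces ("Manju Test") and quote characters that would
# break out of the single-quoted '${username}' placeholder.
valid_account_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 32 ] || return 1
    case $name in
        [!A-Za-z_]*)        return 1 ;;   # bad first character
        *[!A-Za-z0-9_.-]*)  return 1 ;;   # any character outside the allow-list
    esac
    return 0
}

# Return 0 if the current account can run the given command through sudo
# without being prompted. `sudo -n` never prompts: when a password would be
# required (or the command is not permitted) it exits non-zero, which is the
# condition behind "a terminal is required to read the password".
sudo_runs_without_prompt() {
    "$SUDO_BIN" -n "$@" >/dev/null 2>&1
}

# Combined check. Exit codes: 0 ok, 2 unsafe account name,
# 3 sudo would prompt or deny. `useradd -D` only displays defaults
# and creates nothing.
preflight() {
    valid_account_name "$1" || return 2
    sudo_runs_without_prompt "$USERADD_BIN" -D || return 3
    return 0
}
```

Source the file as the connector's service account on the target host and call `preflight 'Manju'`; a return code of 3 there corresponds to the sudo error line in the logs above.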