
Unix JIT Task failed

Manju_SL
New Contributor III

Hi Team, 

We are facing a task failure for a LINUX JIT request. Please recommend the steps for resolving the issue.

Configuration details

  • AWS RHEL Linux server : 8.x
  • Connection is getting established through password
  • Endpoint rule is configured for username
  • PROVISION_ACCOUNT_COMMAND={"unix": {"command": "sudo useradd ${username} -p ${hashedPassword} -m -s /bin/bash -g users"}}

 

Below are the details of relevant logs. 

2024-06-04T20:22:08+08:00-ecm-worker--null-rl2nw--2024-06-04T12:22:07.96333787Z stdout F 2024-06-04 12:22:07,963 [quartzScheduler_Worker-5] DEBUG services.UnixImportService - Adding errorLine
 
2024-06-04T20:22:08+08:00-ecm-worker--null-rl2nw--2024-06-04T12:22:07.963367419Z stdout F 2024-06-04 12:22:07,963 [quartzScheduler_Worker-5] DEBUG services.UnixImportService - No errorLine data is available
 
2024-06-04T20:22:08+08:00-ecm-worker--null-rl2nw--2024-06-04T12:22:07.963881859Z stdout F 2024-06-04 12:22:07,963 [quartzScheduler_Worker-5] DEBUG provisoning.UnixProvisioningService - Error while assigning accountID: For input string: "null"
 
2024-06-04T20:22:08+08:00-ecm-worker--null-rl2nw--2024-06-04T12:22:07.963894468Z stdout F 2024-06-04 12:22:07,963 [quartzScheduler_Worker-5] DEBUG provisoning.UnixProvisioningService - Errorline after reading provisioning response : [sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper]
 
2024-06-04T20:22:08+08:00-ecm-worker--null-rl2nw--2024-06-04T12:22:07.963896997Z stdout F 2024-06-04 12:22:07,963 [quartzScheduler_Worker-5] DEBUG provisoning.UnixProvisioningService - Exit provisionAccountToUnix
 
2024-06-04T20:22:08+08:00-ecm-worker--null-rl2nw--2024-06-04T12:22:07.963905252Z stdout F 2024-06-04 12:22:07,963 [quartzScheduler_Worker-5] DEBUG provisoning.UnixProvisioningService - Got accountId from createAccount: null
 
2024-06-04T20:22:08+08:00-ecm-worker--null-rl2nw--2024-06-04T12:22:07.963907237Z stdout F 2024-06-04 12:22:07,963 [quartzScheduler_Worker-5] DEBUG provisoning.UnixProvisioningService - Got null accountId, setting accountTaskResult=false


Thanks, 

Manju


sudeshjaiswal
Saviynt Employee

Hello @Manju_SL,

Was this working before? Did you change anything in the configuration?

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Manju_SL
New Contributor III

Hello @sudeshjaiswal

This is a new configuration.
PROVISION_ACCOUNT_COMMAND = {"unix": {"command": "sudo -S useradd ${username} -p ${hashedPassword} -g users"}}
Found two issues. 
The account name has a space. 

From logs: Unix AccountProvisioning before binding: {unix": {"command": "sudo -S useradd ${username} -p ${hashedPassword}  -g users"}}"

after binding: sudo -S useradd Manju Test -p ***  -g users


It is asking for a password. 


Thanks, 

Manju




 

Hello @Manju_SL,

Please use this command in the Provision_Account_Command.

sudo useradd  -m -s /bin/bash '${username}' -c '${user?.lastname}.${user?.firstname}/${user?.email}' -g users 


Thanks


Hi @sudeshjaiswal 

Have updated Provision_Account_command. The latest error is that JIT account creation failed, as a null value is assigned. 

Below are details from logs. 

Unix AccountProvisioning before binding: sudo useradd -m -s /bin/bash '${username}' -c '${user?.lastname}.${user?.firstname}/${user?.email}' -g users
Unix AccountProvisioning Service command, after binding: sudo useradd -m -s /bin/bash 'Manju tst' -c 'tst.Manju/manju_tst@xxx.com' -g users
2024-06-06T07:06:08.412227051Z stdout F 2024-06-06 07:06:08,412 [quartzScheduler_Worker-9] DEBUG provisoning.UnixProvisioningService - Got accountId from createAccount: null
2024-06-06T07:06:08.41218142Z stdout F 2024-06-06 07:06:08,412 [quartzScheduler_Worker-9] DEBUG provisoning.UnixProvisioningService - Errorline after reading provisioning response : [sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper]

Regards, 

Manju

 

Manju_SL
New Contributor III

@sudeshjaiswal , 

When we mapped username into the Endpoint role, the username had a space, so the query was not getting executed. 
Now we have mapped Firstname in the Endpoint role. The binding query that got created is right. 
2024-06-07T16:14:06+08:00-ecm-worker--null-rl2nw--2024-06-07T08:14:06.08926533Z stdout F 2024-06-07 08:14:06,089 [quartzScheduler_Worker-5] DEBUG provisoning.UnixProvisioningService - Unix AccountProvisioning Service command, after binding: sudo useradd -m -s /bin/bash 'Manju' -c 'test.Manju/manju_test@xxx.com' -g users

Later we are getting the below error while assigning accountID. 

2024-06-07T15:34:10+08:00-ecm-worker--null-rl2nw--2024-06-07T07:34:09.858423538Z stdout F 2024-06-07 07:34:09,858 [Thread-14030] DEBUG provisoning.UnixProvisioningService - Error while assigning accountID: For input string: "null"
2024-06-07T15:34:10+08:00-ecm-worker--null-rl2nw--2024-06-07T07:34:09.858435923Z stdout F 2024-06-07 07:34:09,858 [Thread-14030] DEBUG provisoning.UnixProvisioningService - Errorline after reading provisioning response : [sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper]

Manju_SL
New Contributor III

@sudeshjaiswal , 

Found another issue related to JIT account creation on Linux. From /var/log/secure, we are getting the below errors. 
Jun  7 14:22:06 365693529df441f sshd[579912]: Accepted keyboard-interactive/pam for saviynt_ssh_connector from 10.199.1.6 port 36236 ssh2
Jun  7 14:22:06 365693529df441f systemd[579921]: [lsass-pam] [module:pam_lsass]pam_sm_acct_mgmt failed [login:saviynt_ssh_connector][error code:40016]
Jun  7 14:22:06 365693529df441f systemd[579921]: [lsass-pam] [module:pam_lsass]pam_sm_acct_mgmt failed [login:saviynt_ssh_connector][error code:40016]
Jun  7 14:22:06 365693529df441f systemd[579921]: [lsass-pam] [module:pam_lsass]pam_sm_acct_mgmt failed [login:saviynt_ssh_connector][error code:40016]
Jun  7 14:22:06 365693529df441f systemd[579921]: [lsass-pam] [module:pam_lsass]pam_sm_acct_mgmt failed [login:saviynt_ssh_connector][error code:40016]
Jun  7 14:22:06 365693529df441f sshd[579912]: pam_unix(sshd:session): session opened for user saviynt_ssh_connector by (uid=0)
Jun  7 14:22:06 365693529df441f sshd[579912]: pam_unix(sshd:session): session closed for user saviynt_ssh_connector


Please suggest your inputs. 

Thanks,

Manju
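
The two failures visible in this thread's logs (a bound username containing a space, and sudo asking for a password on a session without a terminal) can be checked for before a task is retried. The script below is an added example, not part of the original posts or of Saviynt's code; the function names and the account-name policy are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for the values bound into a useradd command.
# Function names and the name policy below are assumptions, not Saviynt settings.
LC_ALL=C; export LC_ALL   # make the [A-Z] ranges in the patterns byte-wise

# Return 0 if NAME fits the assumed policy: 1-32 characters, first character a
# letter or '_', the rest letters, digits, '_', '-' or '.'.
# Spaces, quotes and shell metacharacters are rejected.
valid_unix_name() {
    [ -n "$1" ] && [ "${#1}" -le 32 ] || return 1
    case $1 in
        [!A-Za-z_]*)       return 1 ;;   # bad first character (e.g. a leading '-')
        *[!A-Za-z0-9_.-]*) return 1 ;;   # any character outside the allowed set
    esac
    return 0
}

# Map a provisioning error line, as logged by the connector, to a cause label.
classify_errorline() {
    case $1 in
        *"a terminal is required to read the password"*) echo sudo-needs-password ;;
        *'For input string: "null"'*)                    echo no-account-id ;;
        *)                                               echo unknown ;;
    esac
}

# Run on the target host as the connector account: returns 0 only if sudo can
# start useradd without prompting (-n makes sudo fail instead of asking).
# Not called below because it needs the target host.
sudo_runs_without_prompt() {
    sudo -n useradd --help >/dev/null 2>&1
}

# Constructed samples, using the values visible in the thread's logs.
for n in 'Manju Test' 'Manju'; do
    valid_unix_name "$n" && echo "accept: $n" || echo "reject: $n"
done
classify_errorline 'sudo: a terminal is required to read the password; either use the -S option'
```

Validating the bound value also keeps a name such as `a;id` or `-rf` from ever reaching the command line that runs under sudo.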