IT Process Automation


PAM service run as domain account, can't run script as other account

  • 1.  PAM service run as domain account, can't run script as other account

    Posted Feb 16, 2018 02:32 PM

    Okay so let's clarify my title.

    I have PAM in my sandbox environment.

    The CA Process Automation service runs as a domain account (zPAM_SB, not to mention it), which is part of the server's admin group.

    I can log in on the server with this account. I can run a script on the server with this account.

    I have a simple .bat file containing:

    @echo off
    echo %USERNAME% > D:/temp/out.txt

    I have a simple process with a run program operator that runs this .bat file.

    When PAM runs as a domain account:

    If I try to run this .bat as someone else (my personal credentials actually), it crashes and says: cannot create process as user xxxxxxx - A required privilege is not held by the client.

    If I do not specify a userid and a password to the run program operator, the .bat file writes into out.txt as expected, but it writes SYSTEM. Why the ****? The PAM service runs as zPAM_SB.

    Even the wrapper and the two java processes run as zPAM_SB.

    When PAM runs as local system account:

    If I try to run this .bat as someone else (my personal credentials), it runs fine and it writes my USERNAME correctly in out.txt.

    Can someone explain this to me?


  • 2.  Re: PAM service run as domain account, can't run script as other account

    Posted Feb 19, 2018 01:52 PM

    MWNiebuhr ? Any help would be appreciated. I can open a support case if needed.



  • 3.  Re: PAM service run as domain account, can't run script as other account

    Posted Feb 20, 2018 05:10 AM

    Hi Pier-Olivier

    Someone from our North American Process Automation team will respond to your question later today.

    Monday was a public holiday in the US, hence why no-one was available to respond yesterday, but there will be someone available to respond later on today, so please be patient and you will get a response within this working day.

    Thanks

    Steve Trobridge



  • 4.  Re: PAM service run as domain account, can't run script as other account

    Posted Feb 20, 2018 08:25 AM

    I was not aware of that. Thank you Steve.



  • 5.  Re: PAM service run as domain account, can't run script as other account

    Broadcom Employee
    Posted Feb 20, 2018 08:48 AM

    I have never fully understood this particular issue we frequently run into with the file operators. What I understand is that Process Automation uses a system level permission, which is derived from the user that is starting the service and does not have more global 'domain' level permissions to restrict what actions can occur to the local system.

    I think the problem is that the local user zPAM_SB cannot impersonate this other domain User.

    This is unfortunately one of those situations where you will need to 'fiddle' around a bit and figure out what works.

    What happens if the service is started as "System Account"?

    Maybe try ensuring you are assigned to the Local Administrator group and not just deriving those permissions from the domain.

    Otherwise I would suggest a support case so we can investigate and run this by the engineering team if necessary.



  • 6.  Re: PAM service run as domain account, can't run script as other account

    Posted Feb 20, 2018 09:39 AM

    Hi Michael,

     

    Just for everything to be clear:

    zPAM_SB is not a local account. It is a domain account and it's part of the local admin group. Not nested groups.

    If the service is started as System Account everything works fine and the impersonation takes place as expected.



  • 7.  Re: PAM service run as domain account, can't run script as other account

    Broadcom Employee
    Posted Feb 20, 2018 09:53 AM

    I am not sure what is going on, other than some odd permissions issue switching from the zPAM_SB user to the other account. If using the system account is not a solution for you we will need to get the engineering team to comment.



  • 8.  Re: PAM service run as domain account, can't run script as other account

    Posted Feb 20, 2018 09:59 AM

    We can surely keep the system account as it was for the past 7 years.

    But I'm still curious to know what the engineers will come up with as an explanation. I may need it as the security team could ask me why it's running as system account.

    Thanks.



  • 9.  Re: PAM service run as domain account, can't run script as other account

    Broadcom Employee
    Posted Feb 20, 2018 12:37 PM

    Pier-Olivier, I got a quick update back from SE who indicated:

    Whenever PAM Service is started with 'X' user account and executing the operator with 'Y' account (meaning, providing user 'Y' details at operator level) then it will try to switch the user account to Y to execute the operator.

    If user 'X' doesn't have privileges to switch the user account to 'Y' then we will get the permission related errors.

    And was asked to find out what version of Windows you are having this problem on?



  • 10.  Re: PAM service run as domain account, can't run script as other account

    Posted Feb 20, 2018 02:03 PM

    I'm on Windows Server 2016.

    So when PAM's service runs with zPAM_SB, and then I execute a .bat containing the following:

    @echo off
    echo %USERNAME% > D:/temp/out.txt

    And the output is SYSTEM, it means that the user executing PAM's service is not able to run a .bat so PAM uses the system account?



  • 11.  Re: PAM service run as domain account, can't run script as other account

    Broadcom Employee
    Posted Feb 20, 2018 10:19 AM

    Pier-Olivier,

    Although the user is a domain account and member of the Administrators group, Windows can be quite particular with permissions.

    In the Local Security Policy on the Process Automation server, please check Local Policies > User Rights Assignment and specifically add the Administrator group to the following:

    Act as part of the operating system

    Log on as a batch job

    Log on as a service

    ~Jenn



  • 12.  Re: PAM service run as domain account, can't run script as other account

    Posted Feb 20, 2018 02:18 PM

    Act as part of the operating system (Admin group was not in this policy, added it.)

    Log on as a batch job (OK)

    Log on as a service (OK)

    After reboot, if PAM's service runs with a domain account it is not able to impersonate a user. And %USERNAME% returns SYSTEM.
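
    Added example, not from the thread or the product: a PowerShell audit of the User Rights Assignment discussed above, to run elevated on the Process Automation server. Besides the three rights checked in the replies it also reports "Replace a process level token" and "Adjust memory quotas for a process", because the Windows call behind "cannot create process as user ... A required privilege is not held by the client" (CreateProcessAsUser) requires both from the calling account, and LocalSystem holds them by default, which fits the behaviour reported in the thread; the account name DOMAIN\zPAM_SB is a placeholder.

```powershell
# Added example: export the local security policy with secedit and report who
# holds the rights relevant to running an operator as another user.
# Assumption: the service logon account is DOMAIN\zPAM_SB; adjust to your own.
$ServiceAccount = 'DOMAIN\zPAM_SB'

$RightsToCheck = [ordered]@{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeBatchLogonRight'             = 'Log on as a batch job'
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'       # needed by CreateProcessAsUser
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'  # needed by CreateProcessAsUser
}

# secedit writes an INI-style file whose [Privilege Rights] section holds
# lines of the form "SeRight = *S-1-5-32-544,*S-1-5-19".
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$assigned = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]
    $holders = foreach ($entry in ($Matches[2] -split ',')) {
        $entry = $entry.Trim().TrimStart('*')
        if ($entry -eq '') { continue }
        try {
            # Entries are SIDs; translate them to DOMAIN\name for readability.
            ([System.Security.Principal.SecurityIdentifier]$entry).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $entry }   # unresolvable SID or a plain name: keep it verbatim
    }
    $assigned[$right] = @($holders)
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# One row per right: held directly by the service account, held through the
# local Administrators group (the fix suggested in the thread), and everyone listed.
foreach ($right in $RightsToCheck.Keys) {
    $holders = if ($assigned.ContainsKey($right)) { @($assigned[$right]) } else { @() }
    [pscustomobject]@{
        Right          = $RightsToCheck[$right]
        Constant       = $right
        ServiceAccount = ($holders -contains $ServiceAccount)
        Administrators = ($holders -contains 'BUILTIN\Administrators')
        Holders        = ($holders -join '; ')
    }
}
```

A right shows as granted to the service account only when its own name or a group it belongs to appears in Holders; membership in BUILTIN\Administrators is the case the thread relies on.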