Automic Workload Automation

  • Private Community

  • 1.  Configuring PAM

    Posted Oct 05, 2016 04:01 AM
    Just some advice when setting up PAM (Pluggable Authentication Modules)

    In Linux: 
    As root, create a file in /etc/pam.d  with the same name as the Agent binary (e.g. ucxjlx6) and add the following to the file:
    #%PAM-1.0
    auth          include      system-auth
    account     include      system-auth
    password  include      system-auth

    in AIX:
    Add the following lines to /etc/pam.conf:
    # Automic Unix Agent ucxja64
    ucxja64 auth required /usr/lib/security/64/pam_aix
    ucxja64 account required /usr/lib/security/64/pam_aix
    ucxja64 password required /usr/lib/security/64/pam_aix

    More information is about PAM Configuration http://docs.automic.com/documentation/AE/11.2/english/AE_WEBHELP/help.htm?product=awa#ucaaks.htm

    Configuring authentication via PAM (optional)

    Host:
    Authentication via (Pluggable Authentication Modules) is now supported for the agents of the following UNIX platforms: Solaris, Linux and AIX.
     
    1. PAM library installation 
                 The PAM library must be installed on your system (depends on the platform you use).

    2. PAM library configuration 
                The configuration process depends on the UNIX platform that you use.
                Typically, you will handle it by using the files /etc/pam.d or /etc/pam.conf
                The name of the service complies with the name of the executable agent file (ucxj???).

    3. Configuring the agent 
                In the INI file of the UNIX agent, set the parameter authentication= ([MISC] section) to "pam".
                In the parameter libname= ([PAM] section), you must specify the path and the file name of the PAM library:
     
                     [MISC]
                     authentication=pam

                     [PAM]
                     libname=/usr/lib/libpam32.o

    For further information regarding PAM-Configuration (unix Administrator) please see following link: 
    http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html



  • 2.  Configuring PAM

    Posted Jan 04, 2017 04:44 PM
    Hi Daniel,

    As your article is often referenced for PAM issues with Automic, I was wondering if you could help me with a quandry. I am working with a SUSE system.

    After some work I was able to get the account to authenticate, but am now getting a permission error when trying to execute a job...

    sh: /home/_automic/ServiceManager/bin/../../Agents/linux/bin/../temp/JAAEPPQN.TXT: Permission denied

    The login is successful, but the Active Directory mapped account cannot write to it's own directory it seems. I am using the agent Log On As to set as this particular user (_automic) as well. 

    I have even gone so far as to make the temp folder chmod 777...

    Here is my ucxjlx6 file within the pam.d directory. I copied this directly from the 'login' file located in the same directory. It differs from the file you listed above, but that configuration was still giving me the 'user unknown or bad password' error:

    # cat ucxjlx6 #%PAM-1.0 auth    requisite       pam_nologin.so auth    [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so auth    include common-auth account include common-account password        include common-password session  required       pam_loginuid.so session include common-session session  optional       pam_lastlog.so  nowtmp session optional        pam_mail.so standard session  optional       pam_ck_connector.so
    Thanks in advance!!


  • 3.  Configuring PAM

    Posted Jan 09, 2017 02:06 AM
    Hi Ethan_Schumann_7885

    many thanks for your info and question. 
    Have you tried starting / running the Agent with the 'root' USER ? 
    If so, what is the outcome  ? 
    If you run into the same issue, please activate the traces on the Agent: RA=9 and TCP/IP = 9

    Should you have any further questions or queries, feel free to contact me anytime.

    Best Regards
    Daniel Hausdorf



  • 4.  Configuring PAM

    Posted Jan 09, 2017 09:56 AM
    Hey Daniel_Hausdorf_6982,

    I found the issue, and it was something simple :). I was running the agent as a user other than root. The Service Manager directory was owned by root, so the funky pathing that Automic installs by default caused the issue.

    /home/_automic/ServiceManager/bin/../../Agents/linux/bin/../temp/JAAEPPQN.TXT: Permission denied
    My user was not able to descend into the ServiceManager directory before going up 2 levels and back down into Agent directory.

    I addressed the permissions issues and all was resolved.

    Thanks for taking the time to respond!



  • 5.  Configuring PAM

    Posted Jan 09, 2017 10:00 AM
    Hi Ethan_Schumann_7885

    Many thanks for response. 
    Those are great news. Good to hear that its working correctly now. 

    Should you have any further questions or queries, feel free to contact me anytime.

    Cheers
    Daniel


  • 6.  Configuring PAM

    Posted Feb 17, 2017 06:15 AM
    Just a general Info, it is more important which user runs the Agent process itself, than the user in the Login object


  • 7.  Configuring PAM

    Posted Feb 28, 2017 03:52 PM
    Hi,

    The following content in /etc/pam.d/ucxjlx6  may also work:

    #%PAM-1.0
    auth sufficient pam_unix.so nullok try_first_pass
    auth sufficient pam_krb5.so use_first_pass
    auth requisite pam_succeed_if.so uid >= 200 quiet
    auth required pam_deny.so

    account required pam_unix.so broken_shadow
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet

    password requisite pam_cracklib.so try_first_pass retry=3
    password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password sufficient pam_krb5.so use_authtok
    password required pam_deny.so

    session optional pam_krb5.so
    session optional pam_keyinit.so revoke
    session optional pam_mkhomedir.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid



    Thanks Lucas_Amorim_9853

    Thanks
    Bobby


  • 8.  Re: Configuring PAM

    Posted Aug 08, 2018 01:54 PM

    Does anyone have any details / information about PAM with Solaris?  I'm getting conflicting instructions on how this needs to be done.

     

    I have created a ucxju64 file in /etc/pam.d - but what goes IN the file?

     

    Additionally, in the agent INI file for the PAM library name - is it supposed to be:

     

    libname=/usr/lib/libpam32.o

     

    or

     

    libname=/usr/lib/ucxju64

     

    ??

     

    All of a sudden (we didn't make any changes) we're suddenly getting this error:

     

    U02001007 User 'esp-dev-svc' is unknown or an invalid password has been provided.

     

    The thing is - the password is fine.  The jobs only fail intermittently.  So 5 minutes later the job will run without any problems.  I hate when things aren't consistent - it just makes it that much more confusing / difficult to figure out.

     

    So I am revisiting my agent installation and - not sure how it was working in the first place, but apparently PAM isn't configured correctly.

     

    Any ideas / help are appreciated.  Thanks.