You can obtain information that might be helpful in troubleshooting
adapter installation and operational problems.
About this task
The term "adapter user name" is used throughout this procedure. The "adapter user name" is the UNIX account that is supplied on the IBM® Security Privileged Identity Manager service form for the administrator name. This account is the account that the adapter uses to open a connection to the target workstation.
Note: The following steps are written for the AIX operating system and must be updated with the correct commands for other UNIX or Linux operating systems.
Procedure
- Set the log level to Debug. See the IBM Security Dispatcher Installation and Configuration Guide. If possible, capture only the log file that contains the failed request.
- Get the software versions from the log files. Search the log files for the following strings:
Table 1. Search strings for software versions
Software | Log file search string
Dispatcher | RMIDispatcherImpl: Starting
Assembly line | UNIX/Linux Adapter AL version
Posix connector | Loaded com.ibm.di.connector.osconnector.PosixConnector
RXA library | RXA Version
- Get the operating system version. On an AIX workstation, issue the commands:
% instfix -i | grep AIX_ML
% oslevel -q -s
- Ensure that OpenSSH version 4.7 or later is installed. Other versions of OpenSSH might work with this adapter; however, if an issue is traced to OpenSSH, you might need to update to a supported OpenSSH version to get support.
- For OpenSSH configuration issues, do the following steps:
- Ensure that the UsePrivilegeSeparation attribute is set to yes in the sshd_config file. The default value of UsePrivilegeSeparation is yes. If it is set to no, the adapter account is locked. (On OpenSSH 7.5 and later this keyword is deprecated: privilege separation is always on, and sshd only warns if the keyword is still present.)
- Ensure that the ClientAliveInterval attribute in the sshd_config file is either commented out or set to 0. The default value of ClientAliveInterval is 0. A nonzero value makes sshd probe the client periodically and disconnect sessions that do not respond.
- On a remote workstation, issue the following ssh commands and capture the results. Note that ssh -V writes its version string to standard error, so redirect with 2>&1 if you are capturing the output to a file.
% ssh username@ip-address "ssh -V"
If sudo is used, also issue these commands:
% ssh username@ip-address "sudo ls /tmp"
% ssh username@ip-address "which sudo"
Here username is the adapter user name and ip-address is the IP address of the UNIX system that is being managed.
- For reconciliation issues, do the following steps:
- Copy the AIXPConnRes.sh reconciliation file from the adapter solution directory to the AIX /tmp directory.
- Log in to the AIX system with the "adapter user name".
- Change to the /tmp directory.
- Ensure that you have execute permission on the AIXPConnRes.sh file, for example chmod u+x AIXPConnRes.sh. (Execute permission for the owner is enough; chmod 777 also works, but it leaves a script in the shared /tmp directory writable by every local user.)
- Run the following command and save the recon.out file:
./AIXPConnRes.sh "grep -e :" true > recon.out 2>&1
For Linux systems, depending on the command that is specified on the service form in the Command used to query failed logins field, use one of these commands:
./LinuxPConnRes.sh "grep -e :" true : "faillog -u %USER%"
./LinuxPConnRes.sh "grep -e :" true : "faillock --user %USER%"
./LinuxPConnRes.sh "grep -e :" true : "pam_tally2 --user %USER%"
If sudo is not used, replace the value true with false. false is the value for the root user.
All reconciliation files are in the adapter solution directory. The following table lists the names of the reconciliation files for the various operating systems.
Table 2. Reconciliation file names
Platform | Reconciliation file name
AIX file system | AIXPConnRes.sh
HPUX not trusted | HPNTrustPConnRes.sh
HPUX trusted | HPTrustPConnRes.sh
Linux no shadow | LinuxPConnRes.sh
Linux with shadow | LinuxShadowPConnRes.sh
Solaris | SolarisPConnRes.sh
- For sudo issues, do the following steps:
- Verify the sudo setup as described in the installation guide.
- Log in to the target system with the adapter user name.
- Run commands manually with sudo on the target system. For example, on AIX:
sudo mkuser test1
sudo passwd test1
sudo rmuser test1
Remove the test account afterwards (the rmuser step) so that the diagnostic does not leave an extra account on the target.
- For ssh issues, use ssh (and sudo, if it is configured) to run commands manually on the target system. For example, log in to a system that has connectivity to the target system and issue the commands below. Because the remote command runs without a terminal, add -t to the ssh command if passwd prompts for input.
- For sudo users
ssh user@target "sudo mkuser test1"
ssh user@target "sudo passwd test1"
ssh user@target "sudo rmuser test1"
- For nonsudo users
ssh user@target "mkuser test1"
ssh user@target "passwd test1"
ssh user@target "rmuser test1"
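The OpenSSH checks in the procedure (version 4.7 or later, UsePrivilegeSeparation yes, ClientAliveInterval 0 or commented out) are easy to get wrong by eye, because sshd treats keywords case-insensitively, accepts both "Key value" and "Key=value", and uses the first uncommented occurrence. The following script is an added example, not code from the IBM documentation or the adapter itself. It reads a copy of the target's sshd_config and the banner that ssh -V prints, and reports whether they satisfy the adapter's requirements. Assumptions beyond the page: lines inside a Match block are ignored as conditional, and the value sandbox is accepted alongside yes because it also keeps privilege separation on. The sample configurations at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the IBM adapter documentation): offline checks
# for the sshd_config settings and OpenSSH version the adapter depends on.

# Print the effective value of one sshd_config keyword, or the given default
# when the keyword is absent or only appears commented out. Mirrors sshd's
# rules: keywords are case-insensitive, "Key value" and "Key=value" are both
# accepted, and the FIRST uncommented occurrence wins. Lines inside a Match
# block are skipped (assumption: they apply only to matched sessions).
sshd_effective() {
    # $1 = path to sshd_config, $2 = keyword, $3 = default value
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim
        $0 == "" || $0 ~ /^#/ { next }                # blank or comment
        {
            split($0, f, "[ \t]*=[ \t]*|[ \t]+")      # "Key value" or "Key=value"
            k = tolower(f[1]); v = f[2]
        }
        k == "match"          { inmatch = 1; next }   # conditional block starts
        inmatch               { next }
        k == key && val == "" { val = v }             # first occurrence wins
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Return 0 when sshd_config satisfies the adapter's requirements, 1 otherwise.
# "sandbox" is accepted as well as "yes" (assumption: both keep privilege
# separation on). On OpenSSH 7.5+ the keyword is deprecated and ignored.
check_adapter_sshd() {
    cfg="$1"; rc=0
    privsep=$(sshd_effective "$cfg" UsePrivilegeSeparation yes | tr 'A-Z' 'a-z')
    cai=$(sshd_effective "$cfg" ClientAliveInterval 0)
    case "$privsep" in
        yes|sandbox) echo "UsePrivilegeSeparation=$privsep: ok" ;;
        *)           echo "UsePrivilegeSeparation=$privsep: must be yes"; rc=1 ;;
    esac
    if [ "$cai" = "0" ]; then
        echo "ClientAliveInterval=$cai: ok"
    else
        echo "ClientAliveInterval=$cai: must be 0 or commented out"; rc=1
    fi
    return $rc
}

# Given the banner that `ssh -V` prints on stderr (e.g. "OpenSSH_8.9p1 ..."),
# return 0 if the version is 4.7 or later, 1 if older, 2 if not OpenSSH.
openssh_at_least_4_7() {
    v=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 2
    set -- $v                                         # $1 = major, $2 = minor
    if [ "$1" -gt 4 ] || { [ "$1" -eq 4 ] && [ "$2" -ge 7 ]; }; then
        return 0
    fi
    return 1
}

# Demonstration on constructed sample configs (not data from a real target).
demo_dir=$(mktemp -d)
printf '%s\n' '# stock-looking config' 'Port 22' 'UsePrivilegeSeparation yes' \
    '#ClientAliveInterval 300' > "$demo_dir/good"
printf '%s\n' 'ClientAliveInterval=300' 'UsePrivilegeSeparation no' \
    'Match User backup' '    ClientAliveInterval 0' > "$demo_dir/bad"
for f in good bad; do
    echo "== $f"
    if check_adapter_sshd "$demo_dir/$f"; then echo "result: pass"; else echo "result: FAIL"; fi
done
rm -rf "$demo_dir"
# Against a live target (placeholder names as on the page), the version check is:
#   ssh username@ip-address "ssh -V" 2>&1 | { read -r b; openssh_at_least_4_7 "$b" && echo "OpenSSH ok"; }
```

Copy the target's /etc/ssh/sshd_config to the host where you run the script (scp as the adapter user name is sufficient since the file is normally world-readable), then call check_adapter_sshd on the copy. A nonzero exit identifies which of the two settings to correct before you look further into the adapter or dispatcher logs.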