Automic Workload Automation


Run Unix Job with AD User

  • 1.  Run Unix Job with AD User

    Posted Mar 21, 2018 07:01 AM
    Hi All,

    Can I run a UNIX job by having the Active Directory user in the Login object? Is it even possible? It seems like it would work only for the local users existing on the target host. Actually, I don't want the dedicated Automic user to execute all the jobs. Could anyone help me out with this?

    Please look at the following error.

    U02001007 User '<AD USER>' is unknown or an invalid password has been provided.

    Thanks,
    Srujan.


  • 2.  Run Unix Job with AD User



  • 3.  Run Unix Job with AD User

    Posted Mar 21, 2018 09:37 AM
    Thanks FrankMuffke :D

    Just asking out of curiosity, can I have a detailed explanation of what happens internally when a UNIX job gets executed? How does this authentication work? How is the connection to the target host established? What are the components of the Agent's INI file that it would look for?

    Thanks,
    Srujan.


  • 4.  Run Unix Job with AD User



  • 5.  Run Unix Job with AD User

    Posted Mar 21, 2018 10:14 AM
    Just asking out of curiosity, Can I have a detailed explanation on what happens internally when a UNIX job gets executed ?
    Hi,

    As luck has it, the sample ini file for the latest V12.1 agent seems to be a lot more verbose than earlier ini files. It has the following comment section:

    [STARTCMD]
    ;
    ; start_Type: Method that is applied to start jobs.
    ; fork - The job starts with fork function.
    ; batch - The job starts with a batch command.
    ;
    start_Type=fork
    ;
    [...]
    ;
    ;
    ; Only for Linux:
    ; [STARTCMD]
    ; Bourne-Shell=nohup at -c $(su - &user -c \"&jobFile 1>> &jobReport 2>&1\")&
    ; C-Shell=nohup at -c $(su - &user -c \"&jobFile 1>> &jobReport 2>&1\")&
    ; Korn-Shell=nohup at -c $(su - &user -c \"&jobFile 1>> &jobReport 2>&1\")&
    ; Other-Shell=nohup at -c $(su - &user -c \"&jobFile 1>> &jobReport 2>&1\")&

    While these are of course just explanatory comments in the file, it's my best guess as to how stuff gets executed, at least for the shells prefixed with "-" (as in "-bash").

    More insights can be gained by either analyzing the syscalls with "strace -f", or possibly as mentioned from Automic themselves.

    Hth,
    Carsten


  • 6.  Run Unix Job with AD User

    Posted Mar 23, 2018 06:02 AM
    FrankMuffke Carsten_Schmitz_7883

    Just like how we manually access the machine with our AD user, which is again a non-local user but is still able to be authenticated, why shouldn't Automic allow such authentication instead of going by local user or PAM? Is this a limitation, or is there any other technical reason behind this? Any plans that we may soon integrate AD to execute jobs in future releases? :)

    Thanks,
    Srujan.


  • 7.  Run Unix Job with AD User

    Posted Mar 23, 2018 06:48 AM
    Hi Robert_Schausberger_8294

    Can you please give a little outlook on whether there are plans in PM to support AD users running Unix jobs?

    Just like how we manually access the machine with our AD user, which is again a non-local user but is still able to be authenticated, why shouldn't Automic allow such authentication instead of going by local user or PAM? Is this a limitation, or is there any other technical reason behind this? Any plans that we may soon integrate AD to execute jobs in future releases?

    THX & have a great weekend
    Wolfgang


  • 8.  Run Unix Job with AD User

    Posted Mar 23, 2018 06:49 AM
    Srujan_Pathuri_9871

    Hopefully Robert can give us a little outlook....

    Nevertheless it would be a good idea posting this @ ideas.automic.com

    cheers, Wolfgang


  • 9.  Run Unix Job with AD User

    Posted Mar 26, 2018 05:00 AM
    Srujan Pathuri said:
    FrankMuffke Carsten_Schmitz_7883

    Just like how we manually access the machine with our AD user, which is again a non-local user but is still able to be authenticated.
    Hi.

    Are you sure it's not PAM? Have you tried it already, do you get an error message when trying to use that user? Out of curiosity, can you tell us what the product is called you are using for the AD integration?

    Most AD integration products do in fact provide a user via PAM, which should (as far as the documentation goes) work with Automic. In fact, I am not aware of any other ways (apart from really ugly kernel modules or in-memory hacks and disregarding NIS) to get non-native users into a Linux system.

    Cheers,
    Carsten




  • 10.  Run Unix Job with AD User

    Posted Mar 26, 2018 07:43 AM
    Hi Carsten_Schmitz_7883

    We are using the Likewise product to integrate with AD. Do you have any idea how to use the PAM module for Likewise? We got stuck here. Please do help us.

    I tried login with PAM but the agent is ending abnormally right after executing the job.

    Thanks,
    Srujan.


  • 11.  Run Unix Job with AD User

    Posted Mar 26, 2018 07:57 AM
    Carsten_Schmitz_7883    The job which had been waiting for the host to be active got executed when I restarted the agent, and I got the following error in the messages tab.

    3/26/2018 11:50:04 AM U00011650 Server 'AUTOMIC#WP005' / Client '0100': Host '<host>' ended abnormally. (Index='0000000001' CP='MQ1CP001')
    3/26/2018 11:49:12 AM U00029003 Cannot open file '/home/AE/agents/linux/bin/./../out/OAACFWPI.TXT(ReadFileAuthority())', error code '2', error description: 'No such file or directory'.
    3/26/2018 11:49:12 AM U00011000 'REPORT' (RunID: '0001016105') could not be started on '<host>'. See next message.
    3/26/2018 11:49:11 AM U00011022 Client '0100': The status of 'JOBS.UNIX.TEST' ('0001017102') is undefined because host '<host>' aborted prematurely or was canceled.

    -Srujan.


  • 12.  Run Unix Job with AD User

    Posted Mar 26, 2018 07:57 AM
    Hi.

    I don't know Likewise, but after some quick research:

    • Likewise builds upon winbind
    • winbind uses PAM, or can at least optionally use PAM
    • PAM should work with Automic (disclaimer: I never tried it, but FrankMuffke linked documentation which says it works)

    Can you "su" to an AD user in a UNIX shell? If this works, Automic should work.

    If not, do you have a file called "pam_winbind.conf" or similar anywhere on your system? If not, you need to configure your Likewise to use PAM (see for instance https://wiki.archlinux.org/index.php/Active_Directory_Integration#pam_winbind.conf).

    I maintain that once you have Likewise configured for PAM, and can "su" to AD users in a shell, Automic should be able to use them. If not, please send us the error message.

    Hth,

    Carsten



  • 13.  Run Unix Job with AD User

    Posted Mar 26, 2018 07:59 AM
    Srujan Pathuri said:
    Carsten_Schmitz_7883    The job which had been waiting for the host to be active got executed when I restarted the agent, and I got the following error in the messages tab.

    -Srujan.
    I doubt this error has anything to do with PAM or AD integration. Your agent can not read a file, possibly because it could not write it in the first place. You have probably configured that "out" directory shown in the error message in your agent's .ini file, but the "out" directory may be missing or have wrong permissions.


  • 14.  Run Unix Job with AD User

    Posted Mar 26, 2018 09:44 AM
    Hi.

    Can you "su" to an AD user in a UNIX shell? If this works, Automic should work.

    Carsten_Schmitz_7883

    Thanks for your research. Yes the user with sudo privileges can "su" to an AD user.
    If not, do you have a file called "pam_winbind.conf" or similar anywhere on your system? If not, you need to configure your Likewise to use PAM (see for instance https://wiki.archlinux.org/index.php/Active_Directory_Integration#pam_winbind.conf).


    And fortunately, the winbind.conf file is present in the path /etc/security/. Do I need to change this conf file across all the systems in the datacenter, or can I centrally configure this file such that it would reflect on all the systems?

    Regards,
    Srujan.


  • 15.  Run Unix Job with AD User

    Posted Mar 26, 2018 09:49 AM
    Carsten Schmitz said:
    Srujan Pathuri said:
    Carsten_Schmitz_7883    The job which had been waiting for the host to be active got executed when I restarted the agent, and I got the following error in the messages tab.

    -Srujan.
    I doubt this error has anything to do with PAM or AD integration. Your agent can not read a file, possibly because it could not write it in the first place. You have probably configured that "out" directory shown in the error message in your agent's .ini file, but the "out" directory may be missing or have wrong permissions.
    It worked fine till I modified the agent's authentication mode to PAM. :(  The user permissions were still the same and not sure why it is unable to write to "out" directory now.

    Regards,
    Srujan.


  • 16.  Run Unix Job with AD User

    Posted Mar 26, 2018 11:13 AM
    Carsten_Schmitz_7883    The job which had been waiting for the host to be active got executed when I restarted the agent, and I got the following error in the messages tab.

    -Srujan.
    I doubt this error has anything to do with PAM or AD integration. Your agent can not read a file, possibly because it could not write it in the first place. You have probably configured that "out" directory shown in the error message in your agent's .ini file, but the "out" directory may be missing or have wrong permissions.
    It worked fine till I modified the agent's authentication mode to PAM. :(  The user permissions were still the same and not sure why it is unable to write to "out" directory now.
    Sorry, but still looks like an issue with the "out" directory. Try making it chmod 777 temporarily (!), see if that helps. Or "su" to the user in a shell and try to navigate to "out" and try to write a file there as that user.

    If you see a permission issue as the result of these tests, you need to sort out the permissions of that AD integration.

    Best regards,
    Carsten


  • 17.  Run Unix Job with AD User

    Posted Mar 26, 2018 11:16 AM
    Srujan Pathuri said:
    And fortunately, the winbind.conf file is present in the path /etc/security/. Do I need to change this conf file across all the systems in the datacenter, or can I centrally configure this file such that it would reflect on all the systems?

    Regards,
    Srujan.
    If you need to change anything in that file, I believe you need to change it on each and every host, unless you have it on an NFS share or something. This is the sort of thing where Puppet comes in handy, or looping over all hostnames with ssh :)

    But as I said above, I think it's a permission issue with that AD user and "out". Possibly you don't need to change the file once you narrow down the permission problem more.


  • 18.  Run Unix Job with AD User

    Posted Mar 26, 2018 01:08 PM

    Sorry, but still looks like an issue with the "out" directory. Try making it chmod 777 temporarily (!), see if that helps. Or "su" to the user in a shell and try to navigate to "out" and try to write a file there as that user.

    If you see a permission issue as the result of these tests, you need to sort out the permissions of that AD integration.

    Best regards,
    Carsten
    Carsten_Schmitz_7883

    I tried with both local user and AD user, but the result is the same. I guess the problem is with the PAM library file mentioned in the INI file. I have gone through the log file in the agent's temp directory and found the following error line. I have even set the PAM library permissions to 777, but it is still showing the same error.

    U02000087 Error 'libpam.so: cannot open shared object file: No such file or directory' while loading the file 'libpam.so'. Please check, if there are dependencies to other files.

    The major issue here is the agent is ending abnormally as soon as I execute the job. The above error is popping up when I restarted the agent. 

    Regards,
    Srujan.


  • 19.  Run Unix Job with AD User

    Posted Mar 27, 2018 04:07 AM
    Hi,

    U02000087 Error 'libpam.so: cannot open shared object file: No such file or directory' while loading the file 'libpam.so'. Please check, if there are dependencies to other files.

    Hmmm ... for some reason the agent is looking for a shared object for PAM. Not sure why it needs that, but ...

    You probably need to find that file (find / -type f -name libpam.so) and make sure the directory it is found in is part of the LD_LIBRARY_PATH of the agent (so in the shell that starts the agent, you need to "export LD_LIBRARY_PATH=somepath:some_other_path").

    We're now deeply in the realms of fiddling with the LD_LIBRARY_PATH and hoping that it has no side effects. Improper configuration of LD_LIBRARY_PATH can have severe and seemingly unrelated side effects with Automic (I know, it cost me dearly once), so I suggest you make backups of all the environment files you change and keep track of all the changes you make, so you can roll them back if needed.

    edit: if your system is anything like mine, you may find you don't even have a libpam.so, but only versioned copies of it, such as /usr/lib/libpam.so.0 and /usr/lib/libpam.so.0.83.1. If so, you may need to place a symlink to make one of your versioned libraries known as libpam.so, but this again can potentially have severe side effects, so again keep track of any changes.

    Apart from that, I can probably not help you much further, this possibly needs to be debugged way beyond the bounds of what can be done in a web forum or what Automic support usually provides (though you may certainly give their Support a try also).

    Best regards,

    Carsten



  • 20.  Run Unix Job with AD User

    Posted Mar 27, 2018 06:14 AM

    Carsten_Schmitz_7883

    edit: if your system is anything like mine, you may find you don't even have a libpam.so, but only versioned copies of it, such as /usr/lib/libpam.so.0 and /usr/lib/libpam.so.0.83.1. If so, you may need to place a symlink to make one of your versioned libraries known as libpam.so, but this again can potentially have severe side effects, so again keep track of any changes.


    Yes, we too have the following versioned copies of PAM libraries located at /lib64/
    /lib64/libpam.so.0
    /lib64/libpam.so.0.82.2

    And I have placed one of the above paths in the agent's INI file and restarted the agent. The agent started without any issues, but I wonder why the agent crashes when I execute the job. :(

    You probably need to find that file (find / -type f -name libpam.so) and make sure the directory it is found in is part of the LD_LIBRARY_PATH of the agent (so in the shell that starts the agent, you need to "export LD_LIBRARY_PATH=somepath:some_other_path").
    When I tried to find the libpam.so, the output was empty; maybe we don't have libpam.so present in our system.

    A similar case is found in Automic regarding this agent crash when PAM authentication is used.
    https://community.automic.com/discussion/6849/how-to-start-a-linux-automic-agent-with-an-ad-user-account

    Regards,
    Srujan.


  • 21.  Run Unix Job with AD User

    Posted Mar 27, 2018 07:30 AM
    Hi,

    And I have placed one of the above path in the agent's INI file and restarted the agent.

    You mean similar to, or like this?

    [PAM]
    Libname=/path/to/libpam.so.0

    If this and/or placing it in LD_LIBRARY_PATH doesn't work, I'd humbly suggest to take that up with the "official" Automic support. Since they advertise the feature, I kind of see it as in their court to make an attempt at helping you to configure it (assuming you are on one of their supported platforms).

    Best of luck!

    Kind regards,
    Carsten


  • 22.  Run Unix Job with AD User

    Posted Mar 27, 2018 10:07 AM
    Hey Carsten_Schmitz_7883

    Big thanks for your continuous efforts in helping us. I am glad to tell you that PAM authentication is working successfully and the AD user is able to execute the job now. :smiley:

    Since libpam.so was not available earlier, I have downloaded the "libpam.so" library through an RPM package and made sure that the directory of the lib is in the LD_LIBRARY_PATH environment variable. I have also given permissions to the AD user to write files to both 'out' and 'temp' directories.

    Regards,
    Srujan.
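
Added example, not part of the thread and not Automic code: a pre-flight script for the three conditions this thread ended up fixing (the AD account resolves on the host, the loader can find an unversioned libpam.so, and the account can write to the agent's 'out' and 'temp' directories). The script name, the library directories searched and the argument order are assumptions.

```shell
#!/bin/sh
# Added example (not Automic code): pre-flight checks before switching an
# agent to PAM authentication for AD users. Paths and names are assumptions.

# Print "unversioned <path>", "versioned-only <path>" or "missing" for the
# directories given. The thread's U02000087 error is the "versioned-only" case:
# only libpam.so.0* existed, but the agent asked the loader for "libpam.so".
classify_libpam() {
    first_versioned=""
    for dir in "$@"; do
        if [ -e "$dir/libpam.so" ]; then
            echo "unversioned $dir/libpam.so"
            return 0
        fi
        for f in "$dir"/libpam.so.*; do
            if [ -e "$f" ] && [ -z "$first_versioned" ]; then
                first_versioned=$f
            fi
        done
    done
    if [ -n "$first_versioned" ]; then
        echo "versioned-only $first_versioned"
    else
        echo "missing"
    fi
    return 0
}

# Succeed if directory $1 is an entry of the colon-separated list $2.
# LD_LIBRARY_PATH entries are separated by ":", never ";".
in_search_path() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the account resolves through NSS (local, winbind, sssd, ...).
user_known() {
    id -u "$1" >/dev/null 2>&1
}

# Usage (as root): ./preflight.sh AD_USER /path/to/agent/out /path/to/agent/temp
if [ "$#" -ge 2 ]; then
    user=$1; shift
    user_known "$user" || echo "FAIL: '$user' does not resolve on this host"
    echo "libpam: $(classify_libpam /lib64 /usr/lib64 /lib /usr/lib)"
    for dir in "$@"; do
        # Same test the thread suggests: become the user and try to write.
        su - "$user" -c "test -w '$dir'" || echo "FAIL: $user cannot write $dir"
    done
fi
```

The write test runs as the target account, so it shows a permission problem on 'out' or 'temp' without loosening the directory mode first.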


  • 23.  Re: Run Unix Job with AD User

    Posted May 25, 2018 09:11 AM

    Hi  Srujan,

     

    I am facing the same issue and we are using sssd authentication in our Linux systems.

    I also get the same error while using the AD user to execute a job.

    Could you please brief me on all the positive steps taken to get this worked out?

     

     

    Thanks

    Shani



  • 24.  Run Unix Job with AD User

    Posted Mar 27, 2018 10:25 AM
    Hi Srujan_Pathuri_9871 ,

    great news, glad to hear it finally works. And thanks for letting us know :)

    All the best,
    Carsten