topic Re: Restricted Sam question in Operating System - HP-UX

Restricted Sam question

Jimemac70 — Fri, 11 Apr 2008 18:21:41 GMT

I have 2 servers that I am trying to give some of my help desk team restricted SAM access. On my main server, I was able to set it up just fine and dandy.

When I repeated the same process on the second server, I get this message when trying to run sam from these accounts...

"Sorry, you must have superuser (root) privilege to enter SAM."

When I look at sam -r on the server that is correct, I see all the users listed and whether they have SAM priveledges.

Login Has SAM Priveleges
-------------------------------------
joeuser NO
helpdeskuser YES
... ...

On the server that is incorrect, that window is not in the sam -r at all. So I cannot see whether the users I gave access to actually have it.

The incorrect server has me select the user name by typing in the username, instead of selecting from a list like the correct server.

Example:
Load Privileges for Specific: [ User ->]
Select a User:

So my question is, why the difference? Both servers are running 11.11. I patch them at the same time so I'm 99 percent sure they are patched the same. Is there a patch I need?

Any ideas?

Thanks in advance!

Re: Restricted Sam question

Sajjad Sahir — Sat, 12 Apr 2008 10:13:54 GMT

I think u on the first server that user has the priveleges to run sam
in the second u didn't give
for more clarification can u post
/var/sam/samlog file
thats why is it is telling only super user can run it

Re: Restricted Sam question

Rasheed Tamton — Sun, 13 Apr 2008 08:20:20 GMT

Did you login as root on the second server
when issued the command:

sam -r

May be you were not logged in as root on the second server when issued sam -r

Please make sure about it.

Regards,
Rasheed Tamton.

Re: Restricted Sam question

Tim Nelson — Sun, 13 Apr 2008 13:27:56 GMT

an easy way to duplicate SAM access is:

copy /etc/sam/custom.cu ( this is custom application file)
copy /etc/sam/custom/username.cf ( these files give users access and menu security)

Re: Restricted Sam question

Jimemac70 — Mon, 14 Apr 2008 11:38:49 GMT

Attached is a snippet of the samlog. collj is one of the users I am trying to give access to. It looks like it worked fine, but I could be wrong.

I am sure I set it up as root.

And unfortunately I can't just copy the sam access from one server to the next, because I am creating different custom applications on both. That said, I do see the users I setup on the broken server and their .cf files. Those .cf files look fine as well.

Any more ideas?

Re: Restricted Sam question

Rasheed Tamton — Tue, 15 Apr 2008 04:49:05 GMT

Did you compare the uid on the /etc/passwd file for the concerned users on both the systems. Is there any differences like - uid 0, etc.

It is natural for a normal user to get the error message you specified above, if he/she does not have the correct privileges. Please make sure you checked all.

Re: Restricted Sam question

Jimemac70 — Tue, 15 Apr 2008 12:42:15 GMT

Sorry Rasheed I don't understand what you are asking.

Are you saying that the user id has to be uid=0, or root?

I compared the /etc/passwd files, and the only difference is the uid. However neither are 0.

Re: Restricted Sam question

Jimemac70 — Tue, 22 Apr 2008 14:29:14 GMT

Okay, so I found out the reason why the list of users wasn't displaying on the incorrect system was because I had more than 500 users. I finally did some user maintenance on the server and can see the list in the sam -r front page. I can even see that the users I gave restricted SAM priveledges to have a YES in there column.

However, they still get the error message when I try to invoke sam while I am logged on as them.

Any other ideas?

As for looking at the password file, what exactly am I looking for. Also you should know that I am on a trusted system, if that makes any difference.

Re: Restricted Sam question

Steven E. Protter — Tue, 22 Apr 2008 14:48:19 GMT

Shalom,

You say:
I'm 99 percent sure they are patched the same.

Don't be 99% certain be certain.

swlist -l product

Do it to a file and compare them.

You as administrator are responsible to make sure sam and other patches get into production.

A lot of times when misbehavior like this occurs it is a patching problem.

SEP

Re: Restricted Sam question

Jimemac70 — Tue, 22 Apr 2008 16:45:44 GMT

I compared them, the only difference is that the second server (the incorrect one) has Data Protector. Could it be the culprit?