
Restricted Sam question

 
Jimemac70
Occasional Advisor

Restricted Sam question

I have 2 servers that I am trying to give some of my help desk team restricted SAM access. On my main server, I was able to set it up just fine and dandy.

When I repeated the same process on the second server, I get this message when trying to run sam from these accounts...

"Sorry, you must have superuser (root) privilege to enter SAM."

When I look at sam -r on the server that is correct, I see all the users listed and whether they have SAM privileges.

Login Has SAM Priveleges
-------------------------------------
joeuser NO
helpdeskuser YES
... ...

On the server that is incorrect, that window is not in the sam -r at all. So I cannot see whether the users I gave access to actually have it.

The incorrect server has me select the user name by typing in the username, instead of selecting from a list like the correct server.

Example:
Load Privileges for Specific: [ User ->]
Select a User:


So my question is, why the difference? Both servers are running 11.11. I patch them at the same time so I'm 99 percent sure they are patched the same. Is there a patch I need?

Any ideas?

Thanks in advance!
9 REPLIES 9
Sajjad Sahir
Honored Contributor

Re: Restricted Sam question

I think on the first server that user has the privileges to run SAM;
on the second you didn't give them.
For more clarification, can you post the
/var/sam/samlog file?
That's why it is telling you only the superuser can run it.
Rasheed Tamton
Honored Contributor

Re: Restricted Sam question

Did you log in as root on the second server
when you issued the command:

sam -r

Maybe you were not logged in as root on the second server when you issued sam -r.

Please make sure about it.

Regards,
Rasheed Tamton.
Tim Nelson
Honored Contributor

Re: Restricted Sam question

An easy way to duplicate SAM access is:

copy /etc/sam/custom.cu (this is the custom application file)
copy /etc/sam/custom/username.cf (these files give users access and menu security)
Jimemac70
Occasional Advisor

Re: Restricted Sam question

Attached is a snippet of the samlog. collj is one of the users I am trying to give access to. It looks like it worked fine, but I could be wrong.

I am sure I set it up as root.

And unfortunately I can't just copy the SAM access from one server to the next, because I am creating different custom applications on both. That said, I do see the users I set up on the broken server and their .cf files. Those .cf files look fine as well.

Any more ideas?
Rasheed Tamton
Honored Contributor

Re: Restricted Sam question

Did you compare the uid in the /etc/passwd file for the concerned users on both systems? Are there any differences, like uid 0, etc.?

It is natural for a normal user to get the error message you specified above, if he/she does not have the correct privileges. Please make sure you checked all.
Jimemac70
Occasional Advisor

Re: Restricted Sam question

Sorry Rasheed, I don't understand what you are asking.

Are you saying that the user id has to be uid=0, or root?

I compared the /etc/passwd files, and the only difference is the uid. However, neither is 0.
Jimemac70
Occasional Advisor

Re: Restricted Sam question

Okay, so I found out the reason why the list of users wasn't displaying on the incorrect system was because I had more than 500 users. I finally did some user maintenance on the server and can see the list in the sam -r front page. I can even see that the users I gave restricted SAM privileges to have a YES in their column.

However, they still get the error message when I try to invoke sam while I am logged on as them.

Any other ideas?

As for looking at the password file, what exactly am I looking for? Also, you should know that I am on a trusted system, if that makes any difference.
Steven E. Protter
Exalted Contributor

Re: Restricted Sam question

Shalom,

You say:
I'm 99 percent sure they are patched the same.

Don't be 99% certain, be certain.

swlist -l product

Do it to a file and compare them.

You as administrator are responsible to make sure sam and other patches get into production.

A lot of times when misbehavior like this occurs it is a patching problem.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
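
The listing comparison suggested in the reply above, as an added example that is not part of the original thread: it reduces two saved `swlist -l product` listings to product and revision and reports what differs. The function names, file names and sample listings are assumptions constructed for illustration, and the script is meant to run on any POSIX shell host after both listings have been copied there.

```shell
#!/bin/sh
# Added example. Assumption: each listing was saved on its own server with
#   swlist -l product > swlist.<hostname>

# Emit "TAG<TAB>product<TAB>revision" for each product line of a listing.
# Lines starting with '#' are swlist header comments; blank lines are skipped.
tag_listing() {
    awk -v tag="$1" '!/^[[:space:]]*#/ && NF >= 2 { print tag "\t" $1 "\t" $2 }' "$2"
}

# Print one sorted line per difference between listing A ($1) and B ($2).
compare_swlists() {
    { tag_listing A "$1"; tag_listing B "$2"; } | awk -F '\t' '
        $1 == "A" { a[$2] = $3 }
        $1 == "B" { b[$2] = $3 }
        END {
            for (p in a) if (!(p in b)) print "ONLY_A " p " " a[p]
            for (p in b) {
                if (!(p in a))         print "ONLY_B " p " " b[p]
                else if (a[p] != b[p]) print "REV_DIFF " p " " a[p] " " b[p]
            }
        }' | sort
}

# Constructed sample listings (not taken from the servers in this thread).
demo() {
    d=${TMPDIR:-/tmp}/swcmp.$$
    mkdir "$d" || return 1
    cat > "$d/serverA" <<'EOF'
# Initializing...
# Target:  serverA:/

  SystemAdmin      B.11.11   constructed product entry
  PHXX_00001       1.0       constructed patch entry
EOF
    cat > "$d/serverB" <<'EOF'
# Initializing...
# Target:  serverB:/

  SystemAdmin      B.11.11   constructed product entry
  PHXX_00001       2.0       constructed patch entry
  DATA-PROTECTOR   A.06.00   constructed product entry
EOF
    compare_swlists "$d/serverA" "$d/serverB"
    rm -rf "$d"
}
demo
```

A `REV_DIFF` line is a product or patch present on both servers at different revisions, which a comparison of product names alone would miss.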
Jimemac70
Occasional Advisor

Re: Restricted Sam question

I compared them; the only difference is that the second server (the incorrect one) has Data Protector. Could it be the culprit?