Remote job only runs with root credentials

Hello supporters,

I'm using the multi platform edition. Master runs on a linux machine, agent runs on an AIX machine. When I create a simple test job (with "run program or batch file") it only runs with root credentials otherwise the job fails with exit code 255.
When a do a test connection to the remote agent using *not* root user - connection is successful (of course root itself is also).
When I force a wrong password in the job credentials I can find "User authentication failed." in schedule.log - as I would expect.
But when I use the correct password (see above) the job fails with exit code 255.
I'm *not* using PAM authentication method.

Of course I could call the job as 'root' user with "su - <another>" but that's not want I want and I think it should work using the job credentials.
BTW : Master and agent are started with user 'root'.

Any ideas?

When running this job, the scheduler attempt to use "su" command to switch the job process to the user account security context whose account is specified in job properties. This happens if the account is not the same as the user account running the scheduler. On AIX you need to be root to use "su" Any other user account cause the job to fail because of insufficient privileges.

Because this topic is brought up frequently, let me give some heads up, to save your time. If you cannot use root for whatever reason, but still need to run jobs using different user accounts, install several copies if 24x7 into different user home directories or subdirectories. Start run each agent copy using different user account and set them to use different port numbers. In the scheduler configure a separate profile agent for each agent instance using matching port numbers. Assign differ user jobs to different profiles as required.

Hope this helps.

Hmmm - OK. During your answer I just tested the same thing against a Linux agent and this is working fine. If I create the job with "su - <other>" in the command line entry then this also works on AIX agent.

I completly understand what you are trying to explain, but:

As I said : Master (Linux) AND agent (AIX) are both started with user 'root'. So I would expect (Quote : "This happens if the account is not the same as the user account running the scheduler.") that "su" IS run with root privileges (because the agent is started with) root. And "su" as root to switch to another user wouldn't even ask for a password. Not in Linux nor in AIX.
I would agree when agent is started with normal user and the job should be run as root.
BTW : Using "su - root" on the shell as a normal user on AIX shows the same behavior as on Linux. You are asked for root password. If you know it you're 'root', if not you're not.

But for now it's a fact I can't ignore : Linux agent works with user/password other than 'root' - AIX does not! But why? I don't understand...

Thanks for your support.

Here's the debug.log from AIX when running the test job:

2007-08-23 16:26:26,178 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - runJob(): start
2007-08-23 16:26:26,201 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.security.SecurityService - authNativeUser: dcs login ok
2007-08-23 16:26:26,201 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - execProcess(): command line [/home/dcs/bin/test.sh] in work directory [/home/dcs]
2007-08-23 16:26:26,202 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - runAs() username=dcs command=/home/dcs/bin/test.sh workDir=/home/dcs
2007-08-23 16:26:26,202 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - exec : ./runas.pl,dcs,/home/dcs/bin/test.sh,/home/dcs
2007-08-23 16:26:26,263 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - waitForProcess(): start
2007-08-23 16:26:26,264 [Thread-44] DEBUG com.softtreetech.jscheduler.business.runner.AbstractJobRunner$TimeoutVerifier - run(): start
2007-08-23 16:26:26,264 [Thread-44] DEBUG com.softtreetech.jscheduler.business.runner.AbstractJobRunner$TimeoutVerifier - run(): end due to zero timeout
2007-08-23 16:26:26,354 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - waitForProcess(): end
2007-08-23 16:26:26,354 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.AbstractJobRunner - isFailed(...) : exit code 255
2007-08-23 16:26:26,355 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.AbstractJobRunner - isFailed(...) : Enumeration found [0]
2007-08-23 16:26:26,356 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - killProcess start
2007-08-23 16:26:26,434 [Job #118 - bamacc:test] ERROR com.softtreetech.jscheduler.business.runner.JobExecutorImpl - Job errors: Job completed with exit code 255. This exit code does not satisfy job exit code condition. Job failed.

Here's exactly the same job. I ONLY changed the "remote agent" entry pointing to a Linux agent:

2007-08-23 16:25:26,043 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - runJob(): start
2007-08-23 16:25:26,052 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.security.SecurityService - authNativeUser: dcs login ok
2007-08-23 16:25:26,059 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - execProcess(): command line [/home/dcs/bin/test.sh] in work directory [/home/dcs]
2007-08-23 16:25:26,059 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - runAs() username=dcs command=/home/dcs/bin/test.sh workDir=/home/dcs
2007-08-23 16:25:26,059 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - exec : ./runas.pl,dcs,/home/dcs/bin/test.sh,/home/dcs
2007-08-23 16:25:26,072 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - waitForProcess(): start
2007-08-23 16:25:26,072 [Thread-9] DEBUG com.softtreetech.jscheduler.business.runner.AbstractJobRunner$TimeoutVerifier - run(): start
2007-08-23 16:25:26,072 [Thread-9] DEBUG com.softtreetech.jscheduler.business.runner.AbstractJobRunner$TimeoutVerifier - run(): end due to zero timeout
2007-08-23 16:25:26,173 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - waitForProcess(): end
2007-08-23 16:25:26,173 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.AbstractJobRunner - isFailed(...) : exit code 0
2007-08-23 16:25:26,173 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - killProcess start
2007-08-23 16:25:26,173 [Job #118 - bamacc:test] DEBUG com.softtreetech.jscheduler.business.runner.ProgramJobRunner - runJob(): end

For me it looks that the user/password tests are successful on both agents but the job on the Linux agent runs - the one on AIX does not.
May be you can see "something"....

I found out what's causing the problem : the runas.pl Skript.

On Linux:

[root@kasten 24x7_Scheduler]# ./runas.pl dcs "/home/dcs/bin/test.sh" "/home/dcs"
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "de_DE.de"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").

-> OK. Job has been run. Exit code 0 (on the shell).

On AIX:

root@bam00:"/usr/local/24x7_Scheduler"$ ./runas.pl dcs "/home/dcs/bin/test.sh" "/home/dcs"
setrgid() not implemented at ./runas.pl line 23.

-> Exit code 255!

Now I'm outing me as a total perl noob. Do you know a solution?

Wonderful, I was looking exactly at this runas.pl script when your post resurfaced on the board. Please give me a few minutes to find the solution. I guess, you may need to set some environment variables for locale or just make a small change in the script pointing it to specific settings.

Not that we are talking about different things : Forget the locale-warnings from Linux. They seem to be normal and the job is running fine!

Problem is the "setrgid() not implemented at ./runas.pl line 23. " message on AIX. I just "googled" around and so far I'm not able to find useful tips about that. May be you... :-))

Thanks a lot.

Please take a look at http://forum.freespire.org/showthread.php?t=1358

Also, check http://search.cpan.org/~nwclark/perl-5.8.8/INSTALL#make_test, in the document, search for "LC_ALL=C;export LC_ALL"

Hope this helps.

In regard to "setrgid()": Indeed this is not implemented, and as far as I know there is no good workaround. I can only suggest changing the Perl script as below, using just straight "su" Any jobs that you run this way will need to set the environment explicitly if any user-specific environment settings are required.

Code:

#!/usr/bin/perl
# runner.pl <user> <cmdline> <dir>
# on succes returns process output & process exitcode
# on error:
# !! if something goes wrong
# script should die with exitcode -77
# & write message to the default output, starting with "ERROR4234"

#print "params: ($ARGV[0]) ($ARGV[1]) ($ARGV[2])\n";

# for system commands ( i.e. ls )
if(!(chdir $ARGV[2]))
{
$! = -77;
die "ERROR4234 Can't cd to $ARGV[2]\n";
}

exec ("su", "-", $ARGV[0], "-c", $ARGV[1]);

$! = -77;
die "ERROR4234 Can't exec $ARGV[1]\n";

I haven't tested this script yet, don't have access to an AIX system at this moment.

That exactly what I thought : just customizing the perl script. I'll catch my perl-colleague-guru and tie him to my desk...
Really seems that there is no quick-solution for AIX. I'll try to find some hints/tips out there in the internet. If I find one I'll post it here.

Thanks a lot so far.