Problem with IPM installer doing "whoami"

Answered Question
Mar 30th, 2007

I forgot to bring up this issue that I had run into before with IPM 2.5. I'm upgrading to LMS 2.6 using a non-root user account, but with uid 0. This works fine installing the original LMS pieces (CS, RME, CM, etc.). However, the IPM 2.6 install script apparently performs a "whoami" (same as IPM 2.5) that catches the fact I'm not the 100% legit "root". Is there any workaround for this, or do I need to open a TAC case and get a bug filed? There's no way I'll be given the root account password.


********************

ERROR: ipm script must be run as root for this option.


Cannot login to the CWB_IPM server with the given information.

Verify the password and server name and try again.


ERROR: ipm script must be run as root for this option.

Error: Administrative Password Enable failed.

Use 'ipm password' command to enable Administrative Password after install.

Server Upgrade completed. Generating the IPM reports....

*** Error ***<BR>Could not connect to database: Database server not found (DBD: login failed)<BR></BODY>

</HTML>


Joe Clarke Fri, 03/30/2007 - 08:48

We do not support installations using sudo or uid 0 equivalent accounts (i.e. we never tested such scenarios). As a workaround, you can modify the /opt/CSCOipm/bin/ipm.sh script, and change the checkrealroot() function to use an id-based test:


ID=`/usr/xpg4/bin/id -u -r`

if [ "$ID" != "0" ]; then


However, the above caveat applies.

yjdabear Fri, 03/30/2007 - 10:09

Because of the prior failure due to whoami, I had to uninstall IPM before another install could be attempted. Then I modified /product/CSCO/CSCOipm/bin/ipm.sh as shown as soon as I saw it created. Did this modification cause the pkg verification error?


INFO: Creating symlink from /product/CSCO/CSCOcwbS/db/CSCOipm/stopDbServer.sh

INFO: to /product/CSCO/CSCOipm/bin/stopDbServer.sh

INFO: Creating symlink from /product/CSCO/CSCOcwbS/vbroker/bin/osagent

INFO: to /product/CSCO/CSCOipm/bin/osagent

INFO: Creating symlink from /product/CSCO/CSCOcwbS/vbroker/bin/osfind

INFO: to /product/CSCO/CSCOipm/bin/osfind

INFO: Creating symlink from /product/CSCO/CSCOcwbS/bin/CWB_msgLogServer

INFO: to /product/CSCO/CSCOipm/bin/CWB_msgLogServer

INFO: Creating symlink from /product/CSCO/CSCOipm/clientSoftware/Solaris

INFO: to /product/CSCO/CSCOipm/htdocs/Solaris

INFO: Creating symlink from /product/CSCO/CSCOipm/clientSoftware/NT

INFO: to /product/CSCO/CSCOipm/htdocs/NT


INFO: Adding ipmAging utility to cron.


INFO: Updating properties files...


ipm.conf


INFO: Creating symlink from /product/CSCO/CSCOipm/etc/ipm.conf

INFO: to /product/CSCO/CSCOcwbS/etc/ipm.conf


Installation of was successful.


INFO: Checking Installation.

INFO: Package CSCOcwbS installed OK. Verifying... OK.

INFO: Package CSCOipm-s installed OK. Verifying... BAD.

ERROR: Problems found during Base Installation:

ERROR: Failed pkgs:

ERROR: Invalid pkgs: CSCOipm-s

ERROR: Base component(s) failed package verification. See prior ERRORS.

ERROR: ****

ERROR: The system will not be started due to an installation failure

ERROR: of one or more Base components.

ERROR: ****

============================- Error Summary -===========================

ERROR: Problems found during Base Installation:

ERROR: Failed pkgs:

ERROR: Invalid pkgs: CSCOipm-s

ERROR: Base component(s) failed package verification. See prior ERRORS.

ERROR: ****

ERROR: The system will not be started due to an installation failure

ERROR: of one or more Base components.

ERROR: ****


========================================================================


Started : Fri Mar 30 13:00:39 EDT 2007

Finished: Fri Mar 30 13:05:47 EDT 2007


yjdabear Fri, 03/30/2007 - 10:40

Then I held off modifying /product/CSCO/CSCOipm/bin/ipm.sh until after

INFO: Package CSCOipm-s installed OK. Verifying...



But eventually it still failed again. Does this mean I need to remove the whoami in IPM 2.6's setup.sh?



Registering IPM with CMIC...


Registering IPM with CCR...


Registering IPM with PSU...


Integrating IPM server with CiscoWorks Common Services... is successful

INFO: Updating Database Stored Procedures...


ERROR: ipm script must be run as root for this option.


Cannot login to the CWB_IPM server with the given information.

Verify the password and server name and try again.


ERROR: Database Passwords not synchronised.

ERROR: ipm script must be run as root for this option.

Error: Administrative Password Enable failed.

Use 'ipm password' command to enable Administrative Password after install.


To use this product, set your path to:


/product/CSCO/CSCOipm/bin:$PATH



Check the documentation for supported browsers and versions.


============================- Error Summary -===========================

ERROR: ipm script must be run as root for this option.

ERROR: Database Passwords not synchronised.

ERROR: ipm script must be run as root for this option.


========================================================================


Joe Clarke Fri, 03/30/2007 - 11:01

The problem is not in the IPM installer, but still in the ipm.sh script. Since you are already uid 0, can you not do:


su - root


Then complete the installation? This will not require you to have root's password.

yjdabear Fri, 03/30/2007 - 11:33

Good one. Never thought of that. I'll try that route.


Still the same error, even though whoami is returning "root" now:


Registering IPM with CMIC...


Registering IPM with CCR...


Registering IPM with PSU...


Integrating IPM server with CiscoWorks Common Services... is successful

INFO: Updating Database Stored Procedures...


ERROR: ipm script must be run as root for this option.


Cannot login to the CWB_IPM server with the given information.

Verify the password and server name and try again.


ERROR: Database Passwords not synchronised.

ERROR: ipm script must be run as root for this option.

Error: Administrative Password Enable failed.

Use 'ipm password' command to enable Administrative Password after install.


To use this product, set your path to:


/product/CSCO/CSCOipm/bin:$PATH



Check the documentation for supported browsers and versions.


============================- Error Summary -===========================

ERROR: ipm script must be run as root for this option.

ERROR: Database Passwords not synchronised.

ERROR: ipm script must be run as root for this option.


========================================================================


Started : Fri Mar 30 14:28:02 EDT 2007

Finished: Fri Mar 30 14:37:07 EDT 2007


Joe Clarke Fri, 03/30/2007 - 11:44

What does whoami report when you "su - root"? It really should say root:


marcus@rtp-christmas# \su - root

Sun Microsystems Inc. SunOS 5.9 Generic May 2002

# /usr/ucb/whoami

root

#


I have to use \su since I have an alias to su which builds my environment properly.

yjdabear Fri, 03/30/2007 - 11:59

Wait, I take everything back. I just double-checked on another box that /usr/ucb/whoami always reports "root" as long as the uid is 0, regardless of whether the account I su to is "root" or otherwise. So I've been "root" to "whoami" all along. There must be more to the real root than uid 0 and the name. Here's my previous query in Dec, 2006.


http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Network%20Management&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddcf365/0#selected_message


Doesn't look like there's any way around getting the root access.

Joe Clarke Fri, 03/30/2007 - 12:37

What does ls -l /opt/CSCOipm/bin/ipm look like?

yjdabear Fri, 03/30/2007 - 12:57

Since each failure requires an uninstall, these have been basically new installs of IPM 2.6.


ls -l /product/CSCO/CSCOipm/bin/ipm


-rwxr-x--- 1 a***d casusers 62068 Nov 30 2004 /product/CSCO/CSCOipm/bin/ipm


a***d is an App ID set up with the same UID as casuser, so I can manipulate the files owned by casuser without going into the uid 0 account (whose password expires every 24 hours). We knew casuser had to be above a***d in /etc/passwd, lest the latter takes over file ownerships of casuser. Your question prompted me to look at /etc/passwd again. It looks like somewhere along the line, casuser has been added to /etc/passwd anew. So now a***d is in the middle, while casuser is at the end of /etc/passwd.


Joe Clarke Fri, 03/30/2007 - 13:10

Okay, that may be part of your problem. This is what is happening. The ipm executable does a getpwnam on casuser and gets back a UID. It then does a setuid call to that UID prior to executing the ipm.sh script. Part of this script's job is to check to make sure it's running as casuser. It does that by doing a whoami, and checking to see that the user is casuser.


So, if the UID for casuser maps to another username, you will break IPM. casuser MUST appear before this other username in /etc/passwd so that the forward and reverse mapping prefers casuser over this other user.


I can't stress enough how unsupported your configuration is. Not only will you break the UID/user mappings, changing ownership of files breaks the package map. What you should be doing is putting your username in the casusers group. This will give you access to everything you need without messing up file permissions or ownership.
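
Added example, not part of the posts in this thread and not Cisco's code: a POSIX shell audit of a passwd-format file that models the first-match-wins forward and reverse lookups described in the post above and flags UIDs shared by several names. The file contents, the names appid and admin2, and UID 5001 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for UIDs shared by several names.
# Assumes the first-match-wins file lookup described in the post above.

# name_of_uid FILE UID -> first login name in file order that owns UID
# (the name a reverse lookup such as whoami would report).
name_of_uid() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# uid_of_name FILE NAME -> UID of the first entry named NAME (forward lookup).
uid_of_name() {
    awk -F: -v name="$2" '$1 == name { print $3; exit }' "$1"
}

# shared_uids FILE -> one line per shared UID: "uid winner shadowed[,shadowed]"
shared_uids() {
    awk -F: '
        /^#/ || NF < 3 { next }
        !($3 in first) { first[$3] = $1; order[++n] = $3; next }
        { rest[$3] = (rest[$3] == "" ? $1 : rest[$3] "," $1) }
        END { for (i = 1; i <= n; i++) { u = order[i]
                  if (rest[u] != "") print u, first[u], rest[u] } }
    ' "$1"
}

# round_trips FILE NAME -> exit 0 if NAME -> UID -> NAME gives NAME back,
# i.e. a setuid to NAME followed by a name check would still see NAME.
round_trips() {
    [ "$(name_of_uid "$1" "$(uid_of_name "$1" "$2")")" = "$2" ]
}

# Constructed sample: hypothetical "appid" shares casuser's UID, hypothetical
# "admin2" shares UID 0, and casuser has been re-appended at the end.
SAMPLE=${TMPDIR:-/tmp}/passwd.sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
admin2:x:0:1:uid 0 alias:/export/home/admin2:/bin/ksh
appid:x:5001:300:App ID:/export/home/appid:/bin/ksh
casuser:x:5001:300:CiscoWorks:/export/home/casuser:/dev/null
EOF

shared_uids "$SAMPLE"
round_trips "$SAMPLE" casuser || echo "casuser resolves back as $(name_of_uid "$SAMPLE" 5001)"
```

Run against a copy of the real passwd file, any line printed by shared_uids is an account whose name-based identity checks will see the first-listed name instead.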

yjdabear Fri, 03/30/2007 - 13:19

Well, I think we had that setup because there're certain LMS files laid down, owned by casuser (the user) but not writable to casusers (the group).


But isn't it a glitch (from what I can see) that the IPM install process removes the existing casuser in /etc/passwd and appends a new one to the end? The timestamp seems to indicate so:


-r--r--r-- 1 root other 9637 Mar 30 15:57 passwd

Joe Clarke Fri, 03/30/2007 - 13:28

Yes, the IPM installer attempts to set casuser's shell to /dev/null regardless of the existing value. This results in casuser being taken out of its existing place in the file, and appended to the end. This can be problematic, but will no longer be a problem in LMS 3.0.

Correct Answer
Joe Clarke Fri, 03/30/2007 - 13:33

You can work around this by temporarily removing the other user ID, installing IPM, then restoring it BELOW casuser. But what files do you need access to as a member of casusers that you do not have? The idea behind casusers is that a CiscoWorks administrator should be able to do all tasks required locally that cannot be done through the web.
