Submit Task Requests to a Policy Server Daemon

Submit hosts need to know how to connect to a policy server daemon and how long to wait for failovers. The connections are defined by the submitmasters and masterport settings. Connection timing is controlled by the masterdelay and masterprotocoltimeout settings.

Policy Server Connection Settings

submitmasters

  • Version 4.0.0 and later: submitmasters setting available

The submitmasters setting provides a list of outgoing connection information for submitting task requests to Privilege Management for Unix and Linux policy server daemons.

The list can contain:

  • Host names
  • A single asterisk (*) denoting a Registry Name Service lookup
  • Netgroups in the form: +@name
  • Hosts to exclude in the form: -name
  • Netgroups to exclude in the form: -@name
  • Absolute path names of a local pbmasterd. If spaces are required, then the string must be enclosed in quotation marks.
  • DNS SRV lookups, in the form: _<pbul service name>._tcp.<domain name>.[:port=<port>[:interface=<IP or hostname>]]
  • External programs, in the form: `/path/to/external/program`

The following are tried in sequence to determine the port value:

  1. The non-zero port value from a DNS SRV lookup
  2. The value specified within the submitmasters setting
  3. The value of the masterport setting
  4. The pbmasterd entry in services
  5. Port 24345
submitmasters myhost.mydomain
submitmasters sparky spot submitmasters host1 host2
submitmasters +@submitmasters -@badmasters -badhost
submitmasters sparky spot "/usr/sbin/pbmasterd -ar"
submitmasters _auto
submitmasters _pbmasters
submitmasters _pbmasters._tcp.mydomain.
submitmasters _pbmasters._tcp.mydomain.:port=12345
submitmasters `/bin/get_first_submitmaster`

No default value

Submit hosts

altsubmitmasters

  • Version 6.0 and earlier: altsubmitmasters setting not available.
  • Version 6.2.5 and later: altsubmitmasters setting available.

The altsubmitmasters setting enables you to control which policy server host a request is sent to, based on the user and the command.

altsubmitmasters user-list : command-list : host-list

where:

  • user-list is a space-separated list of user names.
  • command-list is a space-separated list of commands.
  • host-list is a space-separated list of hosts that follows the same rules as the host list in the submitmasters setting.

The lists are separated from each other by the character string " : " (that is, a space, a colon, and a space, without the quotation marks). You can specify multiple altsubmitmasters statements in the same settings file.

If you specify one or more policy server hosts in the altsubmitmasters list, be sure to include them in the run host’s acceptmasters list as well.

Use caution when specifying _auto for altsubmitmasters: the run host's acceptmasters list must include every host that the altsubmitmasters SRV lookup returns.

The user-list and command-list can include regular expression syntax such as *, ?, [, and ].

altsubmitmasters root : ls rm : host1 host2
altsubmitmasters m* : p* : host3
altsubmitmasters user1 user2 : ps : host4
submitmasters host5
altsubmitmasters user1 user2 : ps : _altmasters._tcp.mydomain.

In this example, the submit host sends any ls or rm requests from root to the hosts host1 or host2, any command that starts with the letter p from any user name that starts with the letter m to the host host3, any ps command issued by users user1 and user2 to host4, and any other requests to the host host5 (using the submitmasters setting).

No default value

Submit hosts
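
The following Python sketch is an added example, not part of the product or its documentation. It parses altsubmitmasters statements using the documented " : " separator, shows which host list a given user and command would be routed to, and lists literal host names that are missing from a run host's acceptmasters list. It assumes that the first matching statement wins, that wildcards behave like shell-style patterns, and that commands are matched by name; the function names are hypothetical.

```python
import fnmatch
import shlex

# Constructed sample settings, modelled on the statements in this section.
SAMPLE_SETTINGS = """\
altsubmitmasters root : ls rm : host1 host2
altsubmitmasters m* : p* : host3
altsubmitmasters user1 user2 : ps : host4
submitmasters host5
"""

def parse(settings_text):
    """Return (alt_rules, default_hosts) parsed from settings-file text."""
    rules, default = [], []
    for line in settings_text.splitlines():
        keyword, _, rest = line.strip().partition(" ")
        if keyword == "altsubmitmasters":
            parts = rest.split(" : ")  # documented separator: space, colon, space
            if len(parts) != 3:
                raise ValueError(f"expected 'users : commands : hosts' in {line!r}")
            users, commands = parts[0].split(), parts[1].split()
            rules.append((users, commands, shlex.split(parts[2])))
        elif keyword == "submitmasters":
            default = shlex.split(rest)
    return rules, default

def route(settings_text, user, command):
    """Host list for a request. Assumption: the first matching statement wins."""
    rules, default = parse(settings_text)
    for users, commands, hosts in rules:
        if (any(fnmatch.fnmatchcase(user, u) for u in users)
                and any(fnmatch.fnmatchcase(command, c) for c in commands)):
            return hosts
    return default

def not_accepted(settings_text, acceptmasters):
    """Literal altsubmitmasters hosts missing from a run host's acceptmasters."""
    rules, _ = parse(settings_text)
    hosts = {h for _, _, host_list in rules for h in host_list}
    # Skip netgroups, exclusions, SRV names, '*', paths and external programs;
    # those cannot be compared by name and need manual review.
    literal = {h for h in hosts if h[:1] not in "+-_*/`"}
    return sorted(literal - set(acceptmasters))

if __name__ == "__main__":
    print(route(SAMPLE_SETTINGS, "mary", "ps"))
    print(not_accepted(SAMPLE_SETTINGS, ["host1", "host2", "host3"]))
```

A statement whose lists are not separated by exactly " : " raises ValueError here; this strictness is a choice of the sketch and may differ from how the product parses the file.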

masterport

  • Version 4.0.0 and later: masterport setting available.

The port numbers for Privilege Management daemons must use the non-reserved system ports. The allowed port numbers are 1024 to 65535 (inclusive).

The value for this setting follows the guidelines in Port Specifications.

masterport 12345
masterport pbmasterd
masterport 24345
  • Policy Server hosts
  • Submit hosts

randomizesubmitmasters

  • Version 6.0 and earlier: randomizesubmitmasters setting not available.
  • Version 6.2.5 and later: randomizesubmitmasters setting available.

The randomizesubmitmasters setting forces the submit host to choose a policy server host at random, rather than choosing the first policy server host that is specified in the submitmasters setting. This feature balances the load among multiple policy server hosts. System administrators must ensure that all policy server hosts are using the same version of the policy.

The randomizesubmitmasters keyword should not be used with DNS SRV lookups.

randomizesubmitmasters yes
randomizesubmitmasters yes

Submit hosts