Channel: Software Communities : Popular Discussions - All Things Unix

Putty 0.62 session menu with Windows 7


I've recently upgraded to Windows 7, and am enjoying the menu of open putty sessions displayed when I hover my mouse over the putty icon in my toolbar.  HOWEVER, one aspect which bothers me is how the menu displays.  Initially it displays a horizontal list of icons for each session, expanding the list up to 10 sessions, after which it transforms that list to a vertical list of lines in a single window, one line for each session.  My issue is that once the horizontal list exceeds 6 sessions, the session names contained in the icons get truncated from the right to the point that they are no longer unique, rendering them useless.  Consequently, once I open a 7th session, I proceed to open another 4 simply to maintain the usability of my session menu.  Does anyone know a way to customize either the point at which the menu transfers to a horizontal list, or the session name truncation so that it truncates from the left instead of the right?


VAS & Printing to Windows Printers - How!?

We have an active directory network with a print server sharing printers.

We have linux, mac clients who need to print to these printers. In the past I have used an LPD server on the windows print server; however, I would like to rationalise and have all clients printing through windows/samba type printing.

However, on a client with cups 1.3.9, when I create an entry for a printer smb://windowsprintserver/sharename, the client does not print; instead it pops up an authentication box, which I would like to be the signed-on authenticated user, rather than asking.

I attempted to enable kerberos on cups, and this has made things even worse with kern.log filling with entries like

kernel: [11509.141476] type=1502 audit(1267433423.817:6485): operation="file_lock" requested_mask="::k" denied_mask="::k" fsuid=0 name="/var/opt/quest/vas/vasd/vas_misc.vdb" pid=17283 profile="/usr/sbin/cupsd"

Has anybody a guide on using QAS to print to windows printers via smb (or any other method)?

Error in Service Module


RHEL 6.1

Machine is joined to domain, AD account is able to login to other QAS machines.

Whenever I attempt to login from main screen I just get the error "Error in Service Module"

Any thoughts?

adding VAS users to local group file in AIX

I just converted using VAS on our AIX. I noticed you can't add a VAS user to the /etc/group file using "smit group" because the user is no longer in the /etc/passwd file.  Is there a way in AIX that you change the registry file to say "VAS" and file?

Authentication failing for user


Hi all,

Recently we have migrated our environment from weblogic 8.1 to weblogic 10.3 and from sun java to JRockit 6 provided by oracle.

After migrating our code in new environment, user authentication on VSJ is failing. I am seeing below errors in my logs for failures:

Error Message: Successfully got TGT for rajeev_yadav@amer.dell.com but failed to do GSSAPI to HTTP/salesedge.dell.com@AMER.DELL.COM [caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Message not sent, max time exceeded.)]

Any urgent help on this issue is appreciated.

javax.security.auth.login.LoginException: Could not obtain TGT

Hi,

Not sure if this is the correct place to post this question, but we are getting this error when trying to authenticate a user. This seems to happen only sporadically.

May I know what are the possible causes of this error? Is it due to load / concurrency ?

We are using Weblogic 8.1.


Thanks so much for your help!


cheers
Karen

(providers.KerberosQSJProvider       81  ) javax.security.auth.login.LoginException: Could not obtain TGT
(providers.KerberosQSJProvider       83  ) Could not obtain TGT
javax.security.auth.login.LoginException: Could not obtain TGT
        at com.dstc.security.kerberos.jaas.KerberosLoginModule.getTGT(KerberosLoginModule.java:1472)
        at com.dstc.security.kerberos.jaas.KerberosLoginModule.login(KerberosLoginModule.java:414)
        at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
        at java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown Source)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
        at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

quest-openssh.5.2.1.13


Hello Quest support,

I've downloaded  the latest version (5.2.1.13) of Quest openssh for AIX 5.3, available on:

http://rc.quest.com/topics/openssh/

 

After installing it on AIX 6.1 I cannot start the ssh daemon. It keeps failing and generating the following message on the AIX error log:

---------------------------------------------------------------------------
LABEL:          SRC_SVKO
IDENTIFIER:     BC3BE5A3

Date/Time:       Tue Feb  1 09:27:41 CUT 2011
Sequence Number: 12988
Machine Id:      00C8CFA44C00
Node Id:         ddasy040
Class:           S
Type:            PERM
WPAR:            Global
Resource Name:   SRC

Description
SOFTWARE PROGRAM ERROR

Probable Causes
APPLICATION PROGRAM

Failure Causes
SOFTWARE PROGRAM

        Recommended Actions
        MANUALLY RESTART SUBSYSTEM IF NEEDED

Detail Data
SYMPTOM CODE
       65280
SOFTWARE ERROR CODE
       -9017
ERROR CODE
           0
DETECTING MODULE
'srchevn.c'@line:'376'
FAILING MODULE
sshd-quest
---------------------------------------------------------------------------

 

The version of the AIX that I'm using is:

$ oslevel -s
6100-05-03-1036

 

Any advice?

Successfully got TST but failed to GSSAPI


I am trying to plug QSJ into our application and am stuck on the below error. Could anyone please shed some light on how to fix it?
Thank you


011-09-02 08:51:05,554 [ERROR] [com.wedgetail.idm.sso.util.CommonsSsoLogger] Successfully got TGT for qsjsvc@DS.SHARKIE.COM but failed to do GSSAPI to qsjsvc
GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database
KrbError:
 Error code: 7
 Error message: null
 Client name: null
 Client realm: null
 Client time: null
 Server name: qsjsvc
 Server realm: DS.SHARKIE.COM
 Server time: Fri Sep 02 08:51:05 EDT 2011)
 at com.dstc.security.kerberos.gssapi.GSSKrbException.create(GSSKrbException.java:208)
 at com.dstc.security.kerberos.gssapi.GSSContext.initSecContext(GSSContext.java:310)
 at com.dstc.security.kerberos.gssapi.GSSContext.initSecContext(GSSContext.java:280)
 at com.wedgetail.idm.sso.util.Util.checkSPNs(Util.java:245)
 at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator2(AbstractAuthenticator.java:582)
 at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:325)
 at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:131)
 at com.quest.vsj.examples.forms.FormsAuthFilter.init(FormsAuthFilter.java:217)
 at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:275)
 at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:397)
 at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:108)
 at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3696)
 at org.apache.catalina.core.StandardContext.start(StandardContext.java:4343)
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
 at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
 at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
 at org.apache.catalina.core.StandardService.start(StandardService.java:516)
 at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
 at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Caused by: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database
KrbError:
 Error code: 7
 Error message: null
 Client name: null
 Client realm: null
 Client time: null
 Server name: qsjsvc
 Server realm: DS.SHARKIE.COM
 Server time: Fri Sep 02 08:51:05 EDT 2011
 at com.dstc.security.kerberos.Kerberos.getKrbTGSRepFromKDC(Kerberos.java:1361)
 at com.dstc.security.kerberos.Kerberos.requestServiceTicket(Kerberos.java:1314)
 at com.dstc.security.kerberos.Kerberos.requestServiceTicket(Kerberos.java:1338)
 at com.dstc.security.kerberos.gssapi.DefaultCredentialManager.requestServiceTicket(DefaultCredentialManager.java:194)
 at com.dstc.security.kerberos.gssapi.ClientHandShaker.getServiceTicket(ClientHandShaker.java:740)
 at com.dstc.security.kerberos.gssapi.ClientHandShaker.huntServiceTicket(ClientHandShaker.java:304)
 at com.dstc.security.kerberos.gssapi.ClientHandShaker.handle(ClientHandShaker.java:202)
 at com.dstc.security.kerberos.gssapi.GSSContext.initSecContext(GSSContext.java:301)
 ... 24 more
2011-09-02 08:51:05,570 [ERROR] [com.wedgetail.idm.sso.util.CommonsSsoLogger] All SPNs failed verification.
2011-09-02 08:51:05,570 [ERROR] [com.wedgetail.idm.sso.util.CommonsSsoLogger] Error during initAuthenticator()
com.wedgetail.idm.sso.ConfigException: All SPNs failed verification.
 at com.wedgetail.idm.sso.util.Util.checkSPNs(Util.java:273)
 at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator2(AbstractAuthenticator.java:582)
 at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:325)
 at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:131)
 at com.quest.vsj.examples.forms.FormsAuthFilter.init(FormsAuthFilter.java:217)
 at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:275)
 at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:397)
 at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:108)
 at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3696)
 at org.apache.catalina.core.StandardContext.start(StandardContext.java:4343)
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
 at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
 at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
 at org.apache.catalina.core.StandardService.start(StandardService.java:516)
 at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
 at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Sep 2, 2011 8:51:05 AM org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter authFilter
com.wedgetail.idm.sso.ConfigException: All SPNs failed verification.
 at com.wedgetail.idm.sso.util.Util.checkSPNs(Util.java:273)
 at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator2(AbstractAuthenticator.java:582)
 at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:325)
 at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:131)
 at com.quest.vsj.examples.forms.FormsAuthFilter.init(FormsAuthFilter.java:217)
 at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:275)
 at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:397)
 at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:108)
 at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3696)
 at org.apache.catalina.core.StandardContext.start(StandardContext.java:4343)
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
 at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
 at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
 at org.apache.catalina.core.StandardService.start(StandardService.java:516)
 at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
 at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Sep 2, 2011 8:51:05 AM org.apache.catalina.core.StandardContext start


Getting a Kerberos exception: Could not locate KDC for Kerberos Realm.

Hi
I'm new to Quest SSO (VSJ). I'm facing the below exception when I tried to run a stand-alone Java program which uses the Quest SSO API. Also, can someone please help me out on how to pass the vsj.properties file to a stand-alone Java program? This issue is not seen when I use the Sun implementation for Kerberos.

Caused by: com.dstc.security.kerberos.KerberosConfigException: Could not locate KDC for Kerberos Realm "QA2008.COM"
    at com.dstc.security.kerberos.DefaultConfig.getKdcs(DefaultConfig.java:323)
    at com.dstc.security.kerberos.DefaultConfig.getKdcs(DefaultConfig.java:224)
    at com.dstc.security.kerberos.impl.DefaultKdcResolver.getKdc(DefaultKdcResolver.java:58)
    at com.dstc.security.kerberos.DefaultKerberosMessageHandler.send(DefaultKerberosMessageHandler.java:84)
    at com.dstc.security.kerberos.Kerberos.sendRequestToKDC(Kerberos.java:1832)
    at com.dstc.security.kerberos.Kerberos.getKrbTGSRepFromKDC(Kerberos.java:1357)
    at com.dstc.security.kerberos.Kerberos.requestServiceTicket(Kerberos.java:1314)
    at com.dstc.security.kerberos.Kerberos.requestServiceTicket(Kerberos.java:1338)
    at com.dstc.security.kerberos.gssapi.DefaultCredentialManager.requestServiceTicket(DefaultCredentialManager.java:194)
    at com.dstc.security.kerberos.gssapi.ClientHandShaker.getServiceTicket(ClientHandShaker.java:715)
    at com.dstc.security.kerberos.gssapi.ClientHandShaker.huntServiceTicket(ClientHandShaker.java:295)
    at com.dstc.security.kerberos.gssapi.ClientHandShaker.handle(ClientHandShaker.java:193)
    at com.dstc.security.kerberos.gssapi.GSSContext.initSecContext(GSSContext.java:301)


Netgroups using AD native groups

I have posed this to VAS product management (Eyes, Wilson) but interested to see other interest in supporting netgroups from native AD groups, i.e. a netgroup triple exposed from NSS but data held in native AD groups rather than rfc2307 netgroup objects.

Any potential gotchas with this solution (apart from the fact that AD becomes one "NIS" domain and a flat name space for netgroups)? Do any platforms not support netgroups through NSS for anything other than NIS? I am not talking of using NIS ypdaemon but the equivalent of nss_ldap.

Since netgroups are the UNIX equivalent of AD distribution groups and do not impact gid security group limits this appears to be an interesting option.

Using Active Directory aliases - CNAME

I have a machine with a NetBIOS name of devmgr02.  It has a name resolvable to devmgr02.example.com.  I also have a host alias for this machine called dev.example.com.  This is being handled by Active Directory.  I don't have any issues with access to dev.example.com for anything we related, except with VSJ.  It seems that VSJ (maybe it's WebSphere's fault) wants to use the physical host name devmgr02 for the Principal instead of dev.  It appears as if VSJ asks for the host name or the IP address is used to reverse resolve the hostname which has 2 entries and devmgr02 is the first entry to be returned.  Now, it doesn't seem that this happens in all cases, but often enough that it causes a problem.
I would like to avoid having to create new SPNs and keytabs every time we upgrade our servers from one machine to another ( while keeping the first machine running setup and configuration of the new machine ), but don't see a way to do this.  Creating new SPNs and keytabs is painful from the perspective that the Windows server admins have to do the work and their priorities aren't always my priorities, not to mention the additional work required each time. 

I did see an entry in the forums here that talked about using setspn -A when behind a load balancer, does this somehow apply?
Any ideas?
[3/22/07 11:28:33:800 CDT] 0000009e CommonsSsoLog E com.wedgetail.idm.sso.util.CommonsSsoLogger error Session ID: faw34234awf3f4w34afwe4
 Request: /somecontextroot
 Remote: 172.1.1.1
 Principal: HTTP/dev.example.com@EXAMPLE.COM
 Message: Could not authorize request: com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: org.ietf.jgss.GSSException, major code: 11, minor code: -1
 major string: General failure, unspecified at GSSAPI level
 minor string: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 4, Principal "HTTP/devmgr02.example.com@EXAMPLE.COM" using key:
  Principal: HTTP/dev.example.com@EXAMPLE.COM
  Type: 1
  TimeStamp: Thu Nov 17 15:57:32 CST 2005
  KVNO: -1
  Key: [23,  aa aa aa aa aa aa aa a aa aa aa aa aa aa aa aa ]
Exception for this key was:  com.dstc.security.kerberos.CryptoException: Integrity check failure[Note:  principal names are different;  this may or may not be a problem]
[Note:  KVNO used wildcard match, not exact match;  perhaps the password used to generate this key is not the most recent password?]
When it performs a basic fallback authentication, it responds with: connecting to devmgr02.example.com not connecting to dev.example.com.

My next post will include the commands we use for ktpass and jkutil.

new Quest PuTTY snapshot (0.60_q2)


A new snapshot build of Quest PuTTY 0.60_q2 is now available for testing.

    http://rc.quest.com/pub/rc/putty/snapshot/0.60_q2.144/

There are only a few minor changes in this build since the last release (0.60_q1):
- we addressed a problem where PuTTY, Plink etc would spin on Vista, taking 100% CPU whenever the server disconnected unexpectedly.
- the package format has been improved to support automatic upgrading, and division into merge modules.

Configuring VSJ for multiple domains for a web/stand alone JAVA client.


Background:

We have an existing Kerberos utility (developed using sun GSS API), which can be used by either web application/a standalone java based application to accept service ticket for a specific service or delegate GSS credentials to fetch a service ticket for another service.

 

Requirement:

Since our utility was developed using sun GSS API, it only works if all the services exist in a single domain, as the sun GSS API cannot understand reference tickets generated for cross domain authentication.

We now have a plan to develop this utility so that it can communicate with services that exist in multiple domains; for this purpose we are planning to use VSJ. We still want the client to remain the same (either web application or a standalone application) for this utility.

1. Is there a way to integrate VSJ with the existing Kerberos utility (just by providing the VSJ security provider), so that without changing the existing utility code the cross domain authentication is successful?

2. If step 1 is not possible, what configuration steps/additional VSJ APIs need to be used to achieve cross functionality? If any specific guide/documentation/any pointers are available, please point me to the same.

Thanks,
Naga


VAS-Authentication without HTTP/ -Service-Account?


Hi everybody!


I am trying to bring up VAS authentication for one of our webservers. The machine has been joined to our AD previously and unix user authentication is working fine.


Unfortunately our rights in AD are pretty restricted, I am not able to create anything else but machine-accounts in AD, so the setup-script fails to create the HTTP/-thing.


Is there any way to use the machine account to authenticate users without having to create a HTTP/-service-account?

How to enable logging with log4j

Maybe I'm too stupid for "easy" things like this but I'm not able to configure log4j for VSJ WebLogic Edition. I've read the documentation (weblogic and standard version) and followed the instructions for configuring log4j but nothing happened.
I've added to my log4j.properties the following lines:
log4j.logger.com.dstc=DEBUG, logfile
log4j.logger.com.wedgetail=DEBUG, logfile

My own logs in the implemented code are logged in logfile too.
I would like to see some log-entries of the AuthFilter and other vsj-stuff.

Has anyone an idea??


DB2_sys-auth local vs AD users

This may be a simple question, but I'm not able to find the answer thus far...  We are running VAS on our DB2 servers (AIX).  We are going to be installing the db2_sys-auth for authentication with VAS. 

Currently, one business area is using an IBM kerb module for DB2 which will lookup a user's group member from AD, regardless of whether the user is local or in Active Directory.  (My understanding is the IBM plugin can't handle the kerb ticket, so it does an ldap query instead).

Ok, the actual question... if half of my users will be Active Directory users connecting to DB2, I know that db2_sys-auth will work, because we've proven that in our environment already.  But, if the other half of the users are local, can we still utilize their corresponding AD account's group membership for authorization to DB2?  If so, do their corresponding AD accounts have to be Unix enabled?


Thanks in advance...

Kerberos Error: Message Stream modified

Hi,
I'm using SSO with BOXIR2 that uses VSJ.
The SSO was working fine until one day SSO stopped with the below error messages.
So how to fix this kinda error?



5609 http-8080-Processor25 ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
5609 http-8080-Processor25 ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication - GSSException Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
5609 http-8080-Processor25 WARN com.crystaldecisions.sdk.occa.security.internal.LogonService - doUserLogon(): failed to logon, logoninfo=user:xxx%xxx,method:GSSCredential,auth=secWinAD,aps=xxx.xx.com
com.crystaldecisions.sdk.exception.SDKException$SecurityError: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department.
cause:GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
detail:The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department.
The exception originally thrown was GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.b.a(Unknown Source)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.d.a(Unknown Source)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.d.continueLogin(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.a(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.a(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.userLogon(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.l.userLogon(Unknown Source)
at com.crystaldecisions.sdk.framework.internal.d.logon(Unknown Source)
at com.crystaldecisions.ePortfolio.framework.logon.LogonAction.singleSignOn(LogonAction.java:406)
at com.crystaldecisions.ePortfolio.framework.logon.LogonAction.autoWrapExceptionPerform(LogonAction.java:525)
at com.crystaldecisions.ePortfolio.framework.common.AutoWrapExceptionAction.process(AutoWrapExceptionAction.java:62)
at com.crystaldecisions.webapp.struts.framework.AbstractEnterpriseAction.perform(AbstractEnterpriseAction.java:38)
at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)

Clock skew error


[on behalf of Rodney]
 
Hi Team,

 

  We're using VSJ 3.3 in a web application (on Tomcat). During SSO with AD, users sometimes are not able to login and the error found in Tomcat STDOUT is :

 

  {ERROR} av.AuthenticatorValidatorBase Thread [http-8080-Processor24];  Rejected AP-REQ because timestamp (1314873940000) is 324056 ms old (max skew = 300000)
  ++++ KRB-AP-REQ Message ++++
  encryption type: 23 (DECRYPTED OK)
  ap options: mutual-required
  Ticket:
    encryption type: 23
    service principal:HTTP/service-account@domain.com
  client:username@domain.com
  subkey: [23,  4 be cc e0 b9 ef b0 a8 68 9f 2e 93 c8 31 3a 9 ]
  client time: Thu Sep 01 03:45:40 PDT 2011
  cusec: 394
  sequence number: 1253074037
  ++++++++++++++++++++++++++++

 

  We have confirmed that the DC and the app server time is in sync when the issue occurs.

 

  Any ideas?

 

  Thanks in advance!

  Rodney
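
A triage helper for the rejection quoted in the post above, added here as an example (it is not part of the original post and is not VSJ code): it parses `Rejected AP-REQ` records, derives the receiving server's clock reading as timestamp plus age, and groups the results by client principal. The authenticator timestamp in an AP-REQ is written by the client machine, so the two clocks being compared are the client's and the application server's. The second and third sample records, the function names and the 5-second "steady offset" tolerance are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# First record is the one quoted in the post; the other two are constructed.
SAMPLE_LOG = """\
{ERROR} av.AuthenticatorValidatorBase Thread [http-8080-Processor24];  Rejected AP-REQ because timestamp (1314873940000) is 324056 ms old (max skew = 300000)
  ++++ KRB-AP-REQ Message ++++
  encryption type: 23 (DECRYPTED OK)
  ap options: mutual-required
  client:username@domain.com
  client time: Thu Sep 01 03:45:40 PDT 2011
  cusec: 394
  ++++++++++++++++++++++++++++
{ERROR} av.AuthenticatorValidatorBase Thread [http-8080-Processor11];  Rejected AP-REQ because timestamp (1314877540000) is 325100 ms old (max skew = 300000)
  ++++ KRB-AP-REQ Message ++++
  client:username@domain.com
  ++++++++++++++++++++++++++++
{ERROR} av.AuthenticatorValidatorBase Thread [http-8080-Processor3];  Rejected AP-REQ because timestamp (1314880000000) is 901500 ms old (max skew = 300000)
  ++++ KRB-AP-REQ Message ++++
  client:otheruser@domain.com
  ++++++++++++++++++++++++++++
"""

REJECT_RE = re.compile(
    r"Rejected AP-REQ because timestamp \((\d+)\) is (\d+) ms old "
    r"\(max skew = (\d+)\)"
)
CLIENT_RE = re.compile(r"^\s*client:\s*(\S+)")   # does not match "client time:"
END_RE = re.compile(r"^\s*\+{20,}\s*$")          # closing rule of the dump
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def ms_to_utc(ms):
    """Render epoch milliseconds as an ISO-8601 UTC string (exact, no floats)."""
    return (EPOCH + timedelta(milliseconds=ms)).isoformat(timespec="milliseconds")


def parse_rejections(text):
    """Return one dict per rejected AP-REQ, with the client taken from the dump."""
    records, current = [], None
    for line in text.splitlines():
        hit = REJECT_RE.search(line)
        if hit:
            if current is not None:          # previous dump had no closing rule
                records.append(current)
            ts_ms, age_ms, max_skew_ms = (int(g) for g in hit.groups())
            current = {
                "client": None,
                "client_ts_ms": ts_ms,        # authenticator time, set by client
                "age_ms": age_ms,
                "max_skew_ms": max_skew_ms,
                "excess_ms": age_ms - max_skew_ms,
                # Assumes "old" means server clock minus authenticator time.
                "server_seen_ms": ts_ms + age_ms,
            }
            continue
        if current is None:
            continue
        who = CLIENT_RE.match(line)
        if who:
            current["client"] = who.group(1)
        elif END_RE.match(line):
            records.append(current)
            current = None
    if current is not None:
        records.append(current)
    return records


def summarise_by_client(records, steady_tolerance_ms=5000):
    """Group rejections per client; flag clients whose age barely varies.

    Heuristic (an assumption of this example): several rejections from one
    client with nearly identical age point at a constant clock offset on that
    machine rather than at delayed or replayed requests.
    """
    ages = defaultdict(list)
    for rec in records:
        ages[rec["client"]].append(rec["age_ms"])
    summary = {}
    for client, values in ages.items():
        spread = max(values) - min(values)
        summary[client] = {
            "count": len(values),
            "min_age_ms": min(values),
            "max_age_ms": max(values),
            "steady_offset": len(values) > 1 and spread <= steady_tolerance_ms,
        }
    return summary


if __name__ == "__main__":
    recs = parse_rejections(SAMPLE_LOG)
    for r in recs:
        print(r["client"], ms_to_utc(r["client_ts_ms"]),
              "->", ms_to_utc(r["server_seen_ms"]), "excess", r["excess_ms"], "ms")
    print(summarise_by_client(recs))
```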

Segmentation fault when mod_auth_vas finds no matches

Hello,

We are using mod_auth_vas.so 3.6.7 with Oracle HTTP Server which is effectively Apache 2.0. Recently, we have noticed that an Apache process is terminated with a segmentation fault in case of mod_auth_vas trying to match the requestor's name to the list of allowed user names but not finding it there. The client's browser receives 401 in this case. Could you please help with it?

Please find an excerpt from the error log

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1581:  [mod_auth_vas] authenticated user: 'Dmitry_Donetskov@EMEA.DELL.COM'

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1037:  [mod_auth_vas] auth_vas_auth_checker: user=Dmitry_Donetskov@EMEA.DELL.COM authtype=VAS

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1055:  [mod_auth_vas] requires->nelts = 3

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:541:  [mod_auth_vas] match_user: name=ServiceSFDCWPSIT@emea.dell.com RUSER=Dmitry_Donetskov@EMEA.DELL.COM

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1422:  [mod_auth_vas] rnote_get: reusing existing rnote

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:490:  [mod_auth_vas] set_user_obj

[2012-06-01T14:14:38.8708+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:574:  [mod_auth_vas] match_user: user does not match

[2012-06-01T14:14:38.8708+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:584:  [mod_auth_vas] match_user: <CN=ServiceSFDCWPSIT,OU=Service Accounts,DC=emea,DC=dell,DC=com> <CN=dmitry_donetskov,OU=Users,OU=Moscow,DC=emea,DC=dell,DC=com> no-match

[2012-06-01T14:14:38.8709+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1100:  [mod_auth_vas] require user "ServiceSFDCWPSIT@emea.dell.com" -> FAIL

...........

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:584:  [mod_auth_vas] match_user: <CN=Alexey_Lysak,OU=Users,OU=Non Dell,DC=emea,DC=dell,DC=com> <CN=dmitry_donetskov,OU=Users,OU=Moscow,DC=emea,DC=dell,DC=com> no-match

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1100:  [mod_auth_vas] require user "Alexey_Lysak@emea.dell.com" -> FAIL

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1422:  [mod_auth_vas] rnote_get: reusing existing rnote

[2012-06-01T14:14:39.4014+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_ssl.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_ssl.c:633:  Connection to child 0 established (server ausvmqtcdevap19.us.dell.com:8044)

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:720:  inside shmcb_retrieve_session

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:732:  id[0]=4, masked index=4

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1197:  entering shmcb_lookup_session_id

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:983:  entering shmcb_expire_division

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1207:  loop=0, count=1, curr_pos=0

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1211:  idx->s_id2=47, id[1]=47, offset=0

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1228:  at index 0, found possible session match

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1247:  a match!

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:748:  leaving shmcb_retrieve_session

[2012-06-01T14:14:39.4017+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:435:  shmcb_retrieve had a hit

[2012-06-01T14:14:39.4017+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_engine_kernel.c:2304:  Inter-Process Session Cache: request=GET status=FOUND id=042F8428065947E3DA8D7A7B77690889 (session reuse)

[2012-06-01T14:14:39.6975+01:00] [OHS] [NOTIFICATION:16] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 14727] [tid: 47292192636960] [user: oracle] [VirtualHost: main] mpm_common.c:475:  child pid 27200 exit signal Segmentation fault (11), possible coredump in /u01/app/oracle/fusion/mw_1/Oracle_WT1/instances/instance1/config/OHS/ohs1


Message was edited by: dmitry_donetskov_265

mod_vas_auth, Apache2, svn and AD groups

Hi,

I've set up mod_vas_auth to authenticate users and control access to Subversion repositories.

It succeeds when the AuthzSVNAccessFile file contains the username (from the AD).
Does anyone know if I can use the groups defined in the AD to control access?
(without duplicating them in the [groups] section of the AuthzSVNAccessFile)
Direct association of an AD group as an "SVN" group would be OK.
I mean:
[groups]
admin = userAD1 userAD2
one_group = this_group_comes_from_AD
another_group = that_group_comes_from_AD_too
[/]
* = r
@admin = rw
[/component1]
@one_group = rw
@another_group = r
*  =
is OK.

In case of: Apache 2.2.17, mod_auth_vas 3.6.7, subversion 1.7.5

Thanks in advance.
Laurent