Channel: Software Communities : Popular Discussions - All Things Unix

vasd won't stop


On a couple AIX 5.3 servers (running DB2), the vasd daemons cannot be stopped by using "/etc/rc.d/init.d/vasd stop".  Instead, I have to "kill" the processes in order for them to stop.

vasd reports "disconnected".  Users are unable to login when vasd is in this state.  The logs show login attempts such as:

May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <succeeded disconnected> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <N/A> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <succeeded disconnected> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <N/A> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <failed passwordless> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <Password is expired.> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <failed passwordless> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <Password is expired.> Access Control Identifier(UPN):<user1@mydomain.com>

However, I know user1's password is not expired since the user can successfully log in to server04 (also AIX and configured identically).  Here is some more info from an affected server:

1) Prompt:
$ ssh server05

DISCONNECTED MODE: enter password:
Current password for user1@mydomain.com:
New password:

2) vastool status
# vastool status

VAS is currently joined to:                      mydomain.com
Join command found in:                           /etc/opt/quest/vas/lastjoin
Verifying timesync with domain controller:       YES
  Time delta: 0 seconds
Are valid VAS licenses installed?                YES
Checking to see if VAS daemon is running:        YES
Checking for valid computer account (SAMNAME)
  SERVER05$@MYDOMAIN.COM                    YES
Checking for valid computer account (SPN)
  host/server05.mydomain.com@MYDOMAIN.COM   YES
Checking to see if VAS is in connected state:    NO
Verifying VAS is configured for name service:    NO
Verifying VAS is configured for auth service:    YES
Verifying VAS configuration file is correct:     YES
Verifying sanity of users allow file:            YES
Verifying sanity of users deny file:             YES
Verifying sanity of group-override file:         YES
Verifying sanity of user-override file:          YES

3) ipc file exists
# ls /var/opt/quest/vas/vasd/.vasd_ipc_sock
/var/opt/quest/vas/vasd/.vasd_ipc_sock


4) host auth works
# /opt/quest/bin/vastool -u host/ auth -S host/
SERVER05$@MYDOMAIN.COM was successfully authenticated to SERVER05$@MYDOMAIN.COM.

Anyone seen this before or have any ideas what might be triggering this condition?

Thanks.


Error when logging in - "cannot set your user group"

Got this error message now for all users logging in on UNIX boxes:
Authentication failed - "cannot set your user group"

I can su to a user from root and do "id" and see the UID & GID are good and valid. users.allow is valid.
I can telnet/ssh over but not via GDM.
So what could cause this?

Thanks

Samba errors with Win2008 R2

Hi,

Using RHEL 5.2 64-bit, VAS 3.3.2-142+Samba 3.0.33-3.7.el5; Win 2008 R2. Can you help me?

# vastool status

VAS is currently joined to:                      localdom.com
Join command found in:                           /etc/opt/quest/vas/lastjoin
Verifying timesync with domain controller:       YES
  Time delta: 0 seconds
Are valid VAS licenses installed?                YES
Checking to see if VAS daemon is running:        YES
Checking for valid computer account (SAMNAME)
  PODCAST1$@LOCALDOM.COM                     YES
Checking for valid computer account (SPN)
  host/podcast1.localdom.com@LOCALDOM.COM       YES
Checking to see if VAS is in connected state:    YES
Verifying VAS is configured for name service:    YES
Verifying VAS is configured for auth service:    YES
Verifying VAS configuration file is correct:     YES
Verifying sanity of users allow file:            YES
Verifying sanity of users deny file:             YES
Verifying sanity of group-override file:         YES
Verifying sanity of user-override file:          YES

Samba log:

[2009/12/08 11:33:53, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from remote machine DC03.localdom.com pipe \NETLOGON fnum 0x4001!
[2009/12/08 11:37:57, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0x4001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/08 11:42:57, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0x4001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/08 11:52:57, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0x4001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[...]
[2009/12/11 14:09:54, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 14:19:54, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 14:29:54, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 14:40:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 14:50:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:00:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:10:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:20:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:25:26, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:28:41, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
  cli_pipe_verify_schannel: auth_len 56.
[2009/12/11 15:38:42, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001!
[2009/12/11 15:48:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:58:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 16:08:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 16:18:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 16:28:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED


Thank you.

S4U2Self/S4U2Proxy WebService call with MIT Kerberos

Using VAS Apache Module on Multiple Apache instances


Hi all,

 

- I have a Web Server configured with 2 Apache Instances, each instance running as different user and port.

- I configured the VAS module for Active Directory Authentication on both instances

- So, now, the problem is that in one instance the VAS authentication is working really well, and in the other one we're having problems. It's always requesting credentials when you try to access any websites hosted on this second instance.

The strange thing is that in the first instance, every website is working correctly and it's taking credentials automatically from the browser.

Has anyone seen this kind of behavior?

 

 

Thanks in advance,

Obed N Munoz

failed: error reading the headers


I have an error that occurs for some people (sometimes).


Error message in the client (IE)
Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
Authorization: Negotiate YIIvagYGw………..


Server log (/usr/local/apache2/logs/error_log)

[Thu Oct 11 09:24:29 2007] [error] [client 10.68.4.46] request failed: error reading the headers


Any ideas?
/Lars



Message was edited by: Lars Lundegard
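
The arithmetic behind the "Size of a request header field exceeds server limit" response above, as an added example that is not part of the original post: the first base64 characters of the quoted Negotiate token already carry the DER length of the whole GSS-API token, so the full header size can be estimated from the truncated value. The function names are hypothetical, and the limit of 8190 bytes assumes the server runs with Apache httpd's default `LimitRequestFieldSize`.

```python
import base64

# Assumption: the server uses Apache httpd's default LimitRequestFieldSize.
APACHE_DEFAULT_FIELD_LIMIT = 8190

HEADER_PREFIX = "Authorization: Negotiate "


def der_total_length(b64_prefix: str) -> int:
    """Return the full DER-encoded size (tag + length + content) of a
    GSS-API token, given only the first base64 characters of it."""
    # Decode whole 4-character groups only, so a truncated prefix is accepted.
    usable = b64_prefix[: len(b64_prefix) // 4 * 4]
    raw = base64.b64decode(usable)
    if len(raw) < 2 or raw[0] != 0x60:
        raise ValueError("not a GSS-API initial token (expected tag 0x60)")
    first = raw[1]
    if first < 0x80:
        # Short form: the length fits in this single byte.
        return 2 + first
    # Long form: the low 7 bits say how many following bytes hold the length.
    n = first & 0x7F
    if n == 0 or len(raw) < 2 + n:
        raise ValueError("prefix too short to contain the DER length")
    return 2 + n + int.from_bytes(raw[2:2 + n], "big")


def negotiate_header_size(b64_prefix: str) -> int:
    """Estimate the size of the complete Authorization header line."""
    token_bytes = der_total_length(b64_prefix)
    b64_chars = 4 * ((token_bytes + 2) // 3)   # base64 with padding
    return len(HEADER_PREFIX) + b64_chars


def exceeds_limit(b64_prefix: str, limit: int = APACHE_DEFAULT_FIELD_LIMIT) -> bool:
    return negotiate_header_size(b64_prefix) > limit


if __name__ == "__main__":
    # Prefix copied from the error message quoted in the post.
    prefix = "YIIvagYGw"
    print("token bytes :", der_total_length(prefix))
    print("header bytes:", negotiate_header_size(prefix))
    print("over limit  :", exceeds_limit(prefix))
```

For the token quoted in the post this gives a header of roughly 16 KB, about twice the default limit; `LimitRequestFieldSize` is the httpd directive that controls that limit.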

Access file with Subversion and VAS

We have set up our Apache server to authenticate Subversion.  We are using the VAS module for authentication and a svn file to control access to the Subversion repositories.  Initially we used a flat file to do the Apache authentication and the Subversion access file.  This worked fine and we set up the rules with this setup.

However, we've been asked to change the server to use AD for authentication.  This seems to work with the VAS modules, but the rules in the access file don't seem to work now.

The rules file seems to work strangely: without any rules the repositories are locked out, but as soon as we set up the access file like below, anyone can write to any repository.  The following works when we use "hancockd" with the "AuthUserFile apache_passwd" option.  "hancockd" is a user in that file.
in Apache.

VAS subversion.conf snippet:
===================================
<LimitExcept GET PROPFIND OPTIONS REPORT>
  Satisfy Any
  Require valid-user
  AuthType VAS
  AuthVasUseBasic On
  AuthName "Subversion Repository"
</LimitExcept>

AuthzSVNAccessFile etc/httpd/svn-access-file
====================================

Flat file subversion.conf snippet:
====================================
<LimitExcept GET PROPFIND OPTIONS REPORT>
  Satisfy Any
  Require valid-user
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile apache_passwd
</LimitExcept>

AuthzSVNAccessFile svn-access-file
====================================

svn-access-file:
====================================
[groups]
dev = hancockd, dchrms

[/]
* = r
@dev = r
======================================

When we use "AuthType VAS", this file allows anyone to write to any repository.

Some things about our AD setup.  "hancockd" is a personality of dchrms@ops.mcps. When I log in with the flat file "hancockd" shows up in the access_log file.  However, when I use the same user name and password with VAS, dchrms@ops.mcps shows up.
Any ideas?  Is this a Subversion issue?
Thanks,

Allow/Deny log on Locally or users.allow/deny

In reading the documentation and watching some demos, I have seen that I can use the Allow log on locally or users.allow. Both of these achieve the same result, but I am not sure of which one would be the better one to use. Which method is the "better" of the two and why would you use one or the other?

Thanks

Kerberos Error: Message Stream modified

Hi,
I'm using SSO with BOXIR2, which uses VSJ.
The SSO was working fine until one day it stopped with the error messages below.
So how do I fix this kind of error?



5609 http-8080-Processor25 ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
5609 http-8080-Processor25 ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication - GSSException Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
5609 http-8080-Processor25 WARN com.crystaldecisions.sdk.occa.security.internal.LogonService - doUserLogon(): failed to logon, logoninfo=user:xxx%xxx,method:GSSCredential,auth=secWinAD,aps=xxx.xx.com
com.crystaldecisions.sdk.exception.SDKException$SecurityError: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department.
cause:GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
detail:The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department.
The exception originally thrown was GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.b.a(Unknown Source)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.d.a(Unknown Source)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.d.continueLogin(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.a(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.a(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.userLogon(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.l.userLogon(Unknown Source)
at com.crystaldecisions.sdk.framework.internal.d.logon(Unknown Source)
at com.crystaldecisions.ePortfolio.framework.logon.LogonAction.singleSignOn(LogonAction.java:406)
at com.crystaldecisions.ePortfolio.framework.logon.LogonAction.autoWrapExceptionPerform(LogonAction.java:525)
at com.crystaldecisions.ePortfolio.framework.common.AutoWrapExceptionAction.process(AutoWrapExceptionAction.java:62)
at com.crystaldecisions.webapp.struts.framework.AbstractEnterpriseAction.perform(AbstractEnterpriseAction.java:38)
at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)

Could not resolve KDC from DNS SRV record


Using BusinessObjects with Tomcat 5.5 on Windows.  We have it configured for Java AD SSO. The BusinessObjects product is using vsj 3.3.   We are using a keytab file and when Tomcat starts we get the following error in Tomcat's stdout.log:

com.wedgetail.idm.sso.ConfigException: Could not validate keytab
[caused by: GSSException: Failure unspecified at GSS-API level
(Mechanism level: com.dstc.security.kerberos.KerberosConfigException:
Could not resolve KDC from DNS SRV record: 
java.net.UnknownHostException:
au-elitepdc.domain.com)]

Quest Putty 0.60 - GSSKEX disabled: Not enough memory?


I'm trying to set up Quest Putty for GSSAPI authenticated logins but I'm having some problems...

The environment:
1. Unix (Sun Solaris) server running Sun SSHD, authenticated in a normal
    Kerberos realm (IFM.LIU.SE).
2. Windows XP PC (2GB RAM) authenticated in a Windows AD domain (AD.IFM.LIU.SE).

We have set up trust between the realms (IFM.LIU.SE <-> AD.IFM.LIU.SE).

Now, when I try to login using Quest Putty all I get is the following in the log file
(see below). Any ideas on where I should start investigating this problem (the
"Not enough memory")?


=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2007.06.28 15:29:46 =~=~=~=~=~=~=~=~=~=~=~=
Event Log: Writing new session log (SSH raw data mode) to file: putty.log
Event Log: Looking up host "draco.ifm.liu.se"
Event Log: Connecting to 130.236.160.167 port 22
Incoming raw data
  00000000  53 53 48 2d 32 2e 30 2d 53 75 6e 5f 53 53 48 5f  SSH-2.0-Sun_SSH_
  00000010  31 2e 31 0a                                      1.1.
Event Log: Server version: SSH-2.0-Sun_SSH_1.1
Event Log: We claim version: SSH-2.0-PuTTY_Release_0.60_q1.129
Outgoing raw data
  00000000  53 53 48 2d 32 2e 30 2d 50 75 54 54 59 5f 52 65  SSH-2.0-PuTTY_Re
  00000010  6c 65 61 73 65 5f 30 2e 36 30 5f 71 31 2e 31 32  lease_0.60_q1.12
  00000020  39 0d 0a                                         9..
Event Log: SSPI: acquired credentials for: peter@AD.IFM.LIU.SE
Event Log: Constructed service principal name 'host/draco.ifm.liu.se@IFM.LIU.SE'
Event Log: GSSKEX disabled: Not enough memory is available to complete this request

Outgoing packet type 20 / 0x14 (SSH2_MSG_KEXINIT)
<cut>

Putty registry options

Hi Friends,

Could anyone please give me the purpose of the following PuTTY registry keys, or point me to the link where documentation is given about these options? On this site, I didn't find any details related to these keys.

    AuthKI
    AuthSSPI
    AuthTIS
    Answerback
    ChangeUsername
    GSSAPIServerChoosesUserName
    LoginShell
    ProxyDNS
    SSHLogOmitData
    SSHLogOmitPasswords
    SshNoAuth
    Sshprot
    X11AuthType
    X11Forward

Thanks,
Megha

Regd: Constrained delegation not working with a standalone Java code.

Hi,

I'm trying to use VSJ and have written a standalone application to implement constrained delegation. Can any one of you please look at the below-mentioned Active Directory configuration and standalone Java program, which performs the Kerberos operations for constrained delegation, and let me know what exactly went wrong?

Active Directory Configuration:
=====================
I have created two user accounts, user1 and user2, and mapped these users to services in Active Directory: 1. CS/service1@dev2008.COM 2. CS/service2@dev2008.COM. The first service (CS/service1@dev2008.COM) is configured such that it is only allowed to delegate to the second service (CS/service2@dev2008.COM), i.e. constrained delegation is enforced on the first service.

Standalone Java Program And Problem Noticed:
=================================
Generated a TGT (ex: kinit -f user1@dev2008.COM password) for user1 on my dev machine and wrote a standalone Java app which performs the below Kerberos operations.
1. Fetches the user1 TGT from the cache.
2. Using the user1 TGT, the Java app tries to get a service ticket through delegation to the service mapped to user1 (i.e. 1. CS/service1@dev2008.COM).
3. Get the delegated credentials using the service ticket (by accepting the service ticket on service1 (CS/service1@dev2008.COM) I get the delegated credentials).
4. Use the delegated credentials and try to fetch a service ticket to service2 (2. CS/service2@dev2008.COM). This works fine.

However, when I try to fetch a service ticket for some other service on the AD (a service not part of the SPNs mentioned under the constrained delegation of service1), I am still able to get a service ticket.

Is there a specific API or configuration in VSJ which needs to be called or enabled to make constrained delegation work, i.e. so that the ST can be generated only for service2? Or have I done anything wrong?

I have tried setting idm.allowS4U to true in the vsj.properties file, but I'm not sure whether this file is getting picked up, even though the properties file is put in the classpath, and I also tried to point to the file location through -Didm.propertyFileURL="C:\common\vsj.properties" (not sure how helpful that is).

Thanks,
Naga



Message was edited by: Naga

QAS and FileVault on OS X

Is there a way to use FileVault on OS X Mountain Lion with QAS? I mean so that the AD user can be selected during boot for the FileVault authentication.

Thanks,

Nils

Alternate way to supply vsj properties


 

We are trying to use the vsj servlet filter in one of the vendor-supplied web applications, where we cannot include the vsj-federation.properties file as part of the deployments.
Is there an alternate way of providing the "fsProxy", "applicationUrl" and "fsCertificate" properties to the filter?

 



QAS 4.1 Pre-release testing


If there are any other customers that would like to test out the 4.1 pre-release, please email glen.davis@quest.com for more information.  You can test by putting the new agents on some Servers, or using the updated management tools, or both.

 

Thanks,

Glen Davis

Product Manager

VSJ and JBoss 7.1


Our company has recently purchased the Standard edition of vsj and we have this running fine on WAS 8.  I am trying to get this to run on JBoss 7.1 so we can run our application easily on our local development servers.  Has anyone gotten this working with JBoss 7.1?  I think I am very close, but an example standalone.xml file would be immensely helpful to know that I have set up my SSL correctly to be used with vsj.

 

Thanks,

Rob

Quest Equivalent Product


Is there a Quest product that is equivalent to CF engine?

 

Thanks

 

Steve

FATAL ERROR: Server unexpectedly closed network connection in using Plink

Hi,

Could anyone please let me know why this error is occurring randomly while using Plink? Some days it works fine and suddenly it stops working with this error message.

FATAL ERROR: Server unexpectedly closed network connection

I am using below command

"C:\Program Files\PuTTY\plink.exe" -load MyProfile -ssh -x -a -t -l userID HostName Command

Thanks,
Megha




