Channel: Software Communities : Popular Discussions - All Things Unix
Viewing all 1046 articles

Using Cached Kerberos Ticket to Authenticate SMB Share


I am using Quest Authentication Services to integrate my Linux systems with our lab domain. I want to use the cached Kerberos tickets to authenticate without providing a password when mounting an exported SMB share using the command 'mount -t cifs <device> <dir> -o sec=krb5'. My understanding is that when request-key is called by the kernel, cifs.upcall is used to locate the cached Kerberos ticket. The problem I am having is that when I directly call cifs.upcall with the uid of the user it does not return anything and it has an exit code of 1. If I look at /var/log/messages I see the following log message related to the call.

Jun 19 09:55:03 merlin cifs.upcall: keyctl_describe_alloc failed: Required key not available

Per the cifs.upcall man page I added the following two lines to request-key.conf

create cifs.spnego * * /usr/local/sbin/cifs.upcall %k

create dns_resolver * * /usr/local/sbin/cifs.upcall %k


BK
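The two request-key.conf lines in the post show the mechanism that the poster is short-circuiting by running cifs.upcall by hand: the kernel's request-key helper picks the first rule whose op/type/description/callout fields match and execs the program with the %-substitutions expanded, so what cifs.upcall receives is a key serial (%k), not a uid. The following script is an added example, not code from the post or from the cifs-utils project; it models that rule selection with a constructed request-key.conf, treats '*' with shell-style globbing (a simplification of the real matcher), and parses a constructed cifs.spnego key description whose host, address and key serial are made up.

```python
import fnmatch
import re
import shlex

# Constructed request-key.conf text. The two 'create' lines mirror the post; the
# 'negate' line is the usual catch-all that leaves a negative key behind on failure.
SAMPLE_CONF = """\
# op   type          description  callout-info  program arguments...
create cifs.spnego   *            *             /usr/local/sbin/cifs.upcall %k
create dns_resolver  *            *             /usr/local/sbin/cifs.upcall %k
negate *             *            *             /bin/keyctl negate %k 30 %S
"""

# Constructed description in the shape cifs.ko builds for a sec=krb5 mount
# (hypothetical host, address, pid and uid).
SAMPLE_DESC = ("ver=0x2;host=fileserver.lab.example;ip4=192.0.2.10;sec=krb5;"
               "uid=0x3e8;creduid=0x3e8;user=alice;pid=0x1234")


def parse_request_key_conf(text):
    """Return (op, type, description, callout, argv) rules in file order; '#' lines are comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) < 5:
            raise ValueError(f"malformed rule: {raw!r}")
        op, ktype, desc, callout, *argv = fields
        rules.append((op, ktype, desc, callout, argv))
    return rules


_SUBST = re.compile(r"%([kdcugtpsSo%])")


def expand(arg, ctx):
    """Expand request-key's %-substitutions: %k key serial, %d description,
    %c callout info, %u/%g uid/gid, %o op, %t/%p/%s keyring ids, %% literal."""
    table = {
        "k": str(ctx["key_id"]), "d": ctx["desc"], "c": ctx["callout"],
        "u": str(ctx["uid"]), "g": str(ctx["gid"]), "o": ctx["op"],
        "t": str(ctx.get("thread_keyring", 0)), "p": str(ctx.get("process_keyring", 0)),
        "s": str(ctx.get("session_keyring", 0)), "S": str(ctx.get("session_keyring", 0)),
        "%": "%",
    }
    return _SUBST.sub(lambda m: table[m.group(1)], arg)


def resolve(rules, op, ktype, desc, callout, ctx):
    """Return the argv the helper would exec for this upcall, or None if no rule
    matches. First matching rule wins; wildcards are modelled with fnmatch here."""
    ctx = dict(ctx, op=op, desc=desc, callout=callout)
    for r_op, r_type, r_desc, r_callout, argv in rules:
        if (fnmatch.fnmatchcase(op, r_op) and fnmatch.fnmatchcase(ktype, r_type)
                and fnmatch.fnmatchcase(desc, r_desc)
                and fnmatch.fnmatchcase(callout, r_callout)):
            return [expand(a, ctx) for a in argv]
    return None


def parse_cifs_description(desc):
    """Split a cifs.spnego key description ('ver=0x2;host=...;uid=0x3e8;...') into a
    dict; hex values become ints so the uid the upcall will search a ccache for is visible."""
    fields = {}
    for item in desc.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            fields[k] = int(v, 16) if v.startswith("0x") else v
    return fields


def demo():
    rules = parse_request_key_conf(SAMPLE_CONF)
    ctx = {"key_id": 12345, "uid": 1000, "gid": 1000}   # 12345 is a made-up key serial
    return {
        "cifs": resolve(rules, "create", "cifs.spnego", SAMPLE_DESC, "", ctx),
        "dns": resolve(rules, "create", "dns_resolver", "fileserver.lab.example", "", ctx),
        "other": resolve(rules, "create", "user", "something", "", ctx),
        "fields": parse_cifs_description(SAMPLE_DESC),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The resolved argv for the cifs.spnego rule is the upcall program followed by the key serial; the uid and credential uid that cifs.upcall actually uses come from the key's description, which it obtains by describing that key. That is consistent with the 'Required key not available' message in the post: a number that is not a live key serial has nothing to describe.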


Login using VAS only possible with userid in capital letters


Hi,

 

I am pretty new to VAS and we have an issue on one system where we are only able to log in using our userid in capital letters. On other systems we are perfectly able to log in using lowercase letters.

 

Is this a config I can change or is this a known issue?

 

Thanks,

Federated Users Through an IAG Appliance

We have a customer trying to implement NetWeaver with an IAG appliance that is used for authenticating external users into the SAP instance.
In the test an external user goes to the appliance, authenticates using domain\username and is valid - the user has a valid SPN from their AD account.
The next step would be to go to the SAP portal from the IAG appliance, however it fails to authenticate or is not authorized (HTTP 401).
Logs show that it fails just after the user principal gets put into VSJ shared state, with a message "Kerberos Constrained Delegation Protocol Transition Succeeded" (S4U2Proxy & S4U2Self). The first sign of problems is a message "login() failed to refresh user name <upn>".
Internally SSO works fine (XP browser to SAP portal).

I am new to VSJ & NetWeaver but I assume the IAG appliance is using S4U2Proxy and that part is working. Is it failing with the S4U2Self portion? What are the rules when both are used? Am I missing some obvious problem?

Thanks
And I feel honored for making the first NetWeaver post...
Steve

SSO with Quest Putty to Solaris 10 (sparc) sshd

Hi,

Just testing Quest SSH logging on to a Solaris 10 host, running the native Sun SSHd. For some reason, that I can't fathom, it constantly falls back to keyboard interactive rather than logging straight on. Here's the output from the Putty event log...

2008-05-29 12:12:13    Looking up host "engsun26"
2008-05-29 12:12:13    Connecting to 30.96.2.58 port 22
2008-05-29 12:12:13    Server version: SSH-2.0-Sun_SSH_1.1
2008-05-29 12:12:13    We claim version: SSH-2.0-PuTTY_Release_0.60_q1.129
2008-05-29 12:12:13    SSPI: acquired credentials for: markp@MPDOM1.COM
2008-05-29 12:12:13    Constructed service principal name 'host/engsun26.mpdom1.com'
2008-05-29 12:12:13    Enabling GSSKEX for this target
2008-05-29 12:12:13    Using SSH protocol version 2
2008-05-29 12:12:13    Doing Diffie-Hellman group exchange
2008-05-29 12:12:13    Doing Diffie-Hellman key exchange with hash SHA-1
2008-05-29 12:12:13    Host key fingerprint is:
2008-05-29 12:12:13    ssh-rsa 1024 c4:c3:6e:43:96:e1:7a:b0:f7:09:b8:16:99:8e:1e:37
2008-05-29 12:12:13    Initialised AES-128 SDCTR client->server encryption
2008-05-29 12:12:13    Initialised HMAC-SHA1 client->server MAC algorithm
2008-05-29 12:12:13    Initialised AES-128 SDCTR server->client encryption
2008-05-29 12:12:13    Initialised HMAC-SHA1 server->client MAC algorithm
2008-05-29 12:12:13    SSPI: trying user_name='markp' service=''
2008-05-29 12:12:13    SSPI: acquired credentials for: markp@MPDOM1.COM
2008-05-29 12:12:13    Constructed service principal name 'host/engsun26.mpdom1.com'
2008-05-29 12:12:13    GSSAPI authentication aborted
2008-05-29 12:12:17    Access granted
2008-05-29 12:12:17    Opened channel for session
2008-05-29 12:12:17    Allocated pty (ospeed 38400bps, ispeed 38400bps)
2008-05-29 12:12:17    Started a shell/command


...there is the 'GSSAPI authentication aborted' line there; is that significant? The ssh log on the test host has this line...

May 29 13:14:19 engsun26 sshd[12675]: [ID 800047 auth.notice] Failed none for markp from 30.96.2.204 port 4723 ssh2

Anyone have any ideas or pointers please?

Thanks,

--Mark

FATAL ERROR: Server unexpectedly closed network connection in using Plink

Hi,

Could anyone please let me know why this error is occurring randomly while using Plink? Some days it works fine and then suddenly it stops working with this error message.

FATAL ERROR: Server unexpectedly closed network connection

I am using the command below:

"C:\Program Files\PuTTY\plink.exe" -load MyProfile -ssh -x -a -t -l userID HostName Command

Thanks,
Megha
Stuck with kerberos authentication to Sharepoint

I have to connect to MS IIS server using SPNEGO token with Kerberos ticket inside, exactly as Internet Explorer does it.

If I use java GSSManager.initiateContext() it does request tickets with incorrect KDCOptions, dates and some other params I cannot control.

I tried the com.dstc.security lib, and was able to get tickets exactly as Internet Explorer does with a couple of lines:

prepare required KDCOptions;
Credential tgt = kerberos.requestTicketGrantingTicket(new KerberosPassword(password.getBytes()), kdo, new Date(), d, new InetAddress[] {InetAddress.getByName("somename")}, null);
Credential srvt = kerberos.requestServiceTicket(tgt, new PrincipalName(2, "HTTP/server.domain.net"), REALM, kdo);

But how can I use these credentials or tickets inside to create SPNEGO token same as I can get with GSSManager.initiateContext()?

Problems Compiling MAV on AIX 6.1/XLC/IBMIHS 7.0.0.23

Greetings all.

I am trying to compile MAV 3.6.7 on AIX 6.1/XLC/IBMIHS 7.0.0.23.  I tried using the precompiled 3.6.4 module, but Apache doesn't like that.  Here is the output from the configure script:

checking vas_gss.h usability... no
checking vas_gss.h presence... yes
configure: WARNING: vas_gss.h: present but cannot be compiled
configure: WARNING: vas_gss.h:     check for missing prerequisite headers?
configure: WARNING: vas_gss.h: see the Autoconf documentation
configure: WARNING: vas_gss.h:     section "Present But Cannot Be Compiled"
configure: WARNING: vas_gss.h: proceeding with the compiler's result
configure: WARNING:     ## -------------------------------------- ##
configure: WARNING:     ## Report this to David.Leonard@xxxyy.abc ##
configure: WARNING:     ## -------------------------------------- ##
checking for vas_gss.h... no
checking gssapi.h usability... no
checking gssapi.h presence... yes
configure: WARNING: gssapi.h: present but cannot be compiled
configure: WARNING: gssapi.h:     check for missing prerequisite headers?
configure: WARNING: gssapi.h: see the Autoconf documentation
configure: WARNING: gssapi.h:     section "Present But Cannot Be Compiled"
configure: WARNING: gssapi.h: proceeding with the compiler's result
configure: WARNING:     ## -------------------------------------- ##
configure: WARNING:     ## Report this to David.Leonard@xxxyy.abc ##
configure: WARNING:     ## -------------------------------------- ##
checking for gssapi.h... no
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... yes
configure: WARNING: gssapi_krb5.h: present but cannot be compiled
configure: WARNING: gssapi_krb5.h:     check for missing prerequisite headers?
configure: WARNING: gssapi_krb5.h: see the Autoconf documentation
configure: WARNING: gssapi_krb5.h:     section "Present But Cannot Be Compiled"
configure: WARNING: gssapi_krb5.h: proceeding with the compiler's result
configure: WARNING:     ## -------------------------------------- ##
configure: WARNING:     ## Report this to David.Leonard@xxxyy.abc ##
configure: WARNING:     ## -------------------------------------- ##
checking for gssapi_krb5.h... no

The configure script finishes, without error, but the compile fails with this:

/usr/include/unistd.h:924: error: expected ')' before '[' token
/usr/include/unistd.h:925: error: expected declaration specifiers or '...' before 'rid_t'
get.c: In function 'err_gss':
get.c:626: error: expected declaration specifiers before 'OM_uint32'
get.c:629: error: 'OM_uint32' undeclared (first use in this function)
get.c:629: error: (Each undeclared identifier is reported only once
get.c:629: error: for each function it appears in.)
get.c:629: error: expected ';' before 'ctx'
get.c:630: error: 'gss_buffer_desc' undeclared (first use in this function)
get.c:630: error: expected ';' before 'buf'
get.c:631: error: expected ';' before 'emajor'
get.c:635: error: 'emajor' undeclared (first use in this function)
get.c:635: error: 'eminor' undeclared (first use in this function)
get.c:635: error: 'GSS_C_GSS_CODE' undeclared (first use in this function)
get.c:636: error: 'GSS_C_NO_OID' undeclared (first use in this function)
get.c:636: error: 'ctx' undeclared (first use in this function)
get.c:636: error: 'buf' undeclared (first use in this function)
get.c:643: error: 'GSS_C_MECH_CODE' undeclared (first use in this function)
get.c: In function 'get_nego':
get.c:670: error: 'gss_name_t' undeclared (first use in this function)
get.c:670: error: expected ';' before 'target_name'
get.c:671: error: 'OM_uint32' undeclared (first use in this function)
get.c:671: error: expected ';' before 'major'
get.c:672: error: 'gss_ctx_id_t' undeclared (first use in this function)
get.c:672: error: expected ';' before 'gssctx'
get.c:716: error: 'gssctx' undeclared (first use in this function)
get.c:716: error: 'GSS_C_NO_CONTEXT' undeclared (first use in this function)
get.c:745: error: expected ';' before 'ret'
get.c:764: error: 'gss_buffer_desc' undeclared (first use in this function)
get.c:764: error: expected ';' before 'inbuf'
get.c:767: error: 'namebuf' undeclared (first use in this function)
get.c:769: error: 'major' undeclared (first use in this function)
get.c:769: error: 'minor' undeclared (first use in this function)
get.c:770: error: 'GSS_KRB5_NT_PRINCIPAL_NAME' undeclared (first use in this function)
get.c:770: error: 'target_name' undeclared (first use in this function)
get.c:779: error: 'inbuf' undeclared (first use in this function)
get.c:783: error: 'outbuf' undeclared (first use in this function)
get.c:786: error: 'GSS_C_NO_CREDENTIAL' undeclared (first use in this function)
get.c:789: error: 'GSS_C_NO_OID' undeclared (first use in this function)
get.c:791: error: 'GSS_C_INDEFINITE' undeclared (first use in this function)
get.c:792: error: 'GSS_C_NO_CHANNEL_BINDINGS' undeclared (first use in this function)
get.c:813: error: expected ';' before 'inbuf'
get.c:819: error: 'ret' undeclared (first use in this function)
get.c:823: error: 'VAS_GSS_SPNEGO_ENCODING_BASE64' undeclared (first use in this function)
get.c:824: error: 'GSS_C_NO_BUFFER' undeclared (first use in this function)
make[4]: *** [get.o] Error 1
make[4]: Leaving directory `/mnt/mod_auth_vas-3.6.7/test/http-get'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/mnt/mod_auth_vas-3.6.7/test/http-get'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/mnt/mod_auth_vas-3.6.7/test'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/mnt/mod_auth_vas-3.6.7'
make: *** [all] Error 2

I am using QAS 3.5.2.89.

My last round of compiling MAV was on AIX 5.3/XLC/IBMIHS 6.x, when I had to put a patch in for timeout problems.


Kerberos SSO with 1 way Trust

I had configured Kerberos SSO with a one-way trust between two domains, but on logging in I am getting the following exception:

[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: resetting state...
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: principal = 'HTTP/mdk1waytrustd3.wtmdk1waydom3.com'
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: realm = 'WTMDK1WAYDOM3.COM'
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Found name servers using JNDI
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd2.wtmdk1waydom2.com (10.31.70.183)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd1.wtmdk1waydom1.com (10.31.69.52)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: MDK1WAYTRUSTD3.WTMDK1WAYDOM3.COM (10.31.70.184)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd4.wtmdk1waydom4.com (10.31.71.34)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: corpinba8.corp.emc.com (10.30.48.37)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: corpgefr3.corp.emc.com (152.62.196.10)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: The old JCSI Kerberos code for the Windows LSA is now disabled by default;
if you really want it (rather than the new WinSSPI code) you must set
-Djcsi.kerberos.lsa.enable=true
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Creating LSA credential cache
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Could not locate default cache: com.dstc.security.kerberos.KerberosException: Could not create credential store com.dstc.security.kerberos.KerberosException: Native in-memory credential cache not supported on this platform (Windows Server 2008 R2)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: login succeeded
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: loaded InputStream based keytab at time 1351158964992 m/secs, 5 entries
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: binding principal to subject
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: binding credentials to subject


Can someone help me resolve this?

Regards,
Sumith

QAS 4.1 Pre-release testing


If there are any other customers that would like to test out the 4.1 pre-release, please email glen.davis@quest.com for more information. You can test by putting the new agents on some servers, or using the updated management tools, or both.

 

Thanks,

Glen Davis

Product Manager

Quest Equivalent Product


Is there a Quest product that is equivalent to CFEngine?

 

Thanks

 

Steve

Single Sign-On for Java 7 Not working


Hi,

 

We have been using winSSPI.dll on client side from 3.2 package. This dll is not working anymore in JDK 7.

 

The exception trace is as follows:

 

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: OS name = 'Windows 7', version = '6.1'
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: isKerberosOS = true, isSessionKeySupported = true
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: calling native method ...
[winSSPI.dll] initialize
[winSSPI.dll] initialize: done
[INFO] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: Successfully initialized Windows SSPI
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: acquireCredentialsHandle: calling native method ...
[winSSPI.dll] acquireCredentialsHandle
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: loadCredential: result = 0
Attempting initContext with principal: HTTP/appsec001.gaia.net.intra
initContext failed with principal: HTTP/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
Attempting initContext with principal: HOST/appsec001.gaia.net.intra
initContext failed with principal: HOST/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
initContext failed with all attempted principals
java.security.PrivilegedActionException: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
          at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:373)
          at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
          at weblogic.security.Security.runAs(Security.java:61)
          at security.role.TestKerberosEJBCall.main(TestKerberosEJBCall.java:32)
Caused by: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
          at com.quest.vsj.weblogic.login.EjbClientKerberosLoginModule.login(EjbClientKerberosLoginModule.java:107)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:606)
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
          at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
          at security.role.TestKerberosEJBCall$1.run(TestKerberosEJBCall.java:35)
          at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
          ... 3 more

 

Any ideas whether a newer version or patch supports both the 64-bit and 32-bit JDK 7?

 

Thanks in advance.

How to enable logging with log4j

Maybe I'm too stupid for "easy" things like this, but I'm not able to configure log4j for VSJ WebLogic Edition. I've read the documentation (WebLogic and standard version) and followed the instructions for configuring log4j, but nothing happened.
I've added to my log4j.properties the following lines:
log4j.logger.com.dstc=DEBUG, logfile
log4j.logger.com.wedgetail=DEBUG, logfile

My own log statements in the code I implemented are logged in logfile too.
I would like to see some log entries from the AuthFilter and other VSJ stuff.

Does anyone have an idea?

Not seeing correct AD group membership using vastool


We have an AD group 'foo'.  User Abe is added to it using AD tools.

 

I cannot see this user in the group using vastool on Solaris.  And of course the user cannot login.

 

$ vastool list groups | grep foo

foo:VAS:2010:john.doe@na.company.com,harry.who@na.company.com

$

 

I've executed vastool flush to no effect.

 

What am I doing wrong?

Create pre-auth computer object with vastool

Hi,

I need to be able to create computer objects with vastool instead of being forced to log in to a Windows server, run a VBS script, and then drag and drop the object to the correct OU (the OU varies a lot).

It seems like vastool create should be able to help me out, but I can't get it to produce objects that can be joined without a password.

I've created an AD user (unixbuild) that has permissions to create computer objects, and to create the object I run this command:

#> vastool -u unixbuild create -o -c "OU=JavaServerPlatform,OU=SolarisServer,OU=Production,DC=deploylab,DC=bj" computer testzone
Password for unixbuild@DEPLOYLAB.BJ:
Computer testzone created
#>

If I check in AD I can see the new object in the correct OU, but when I then try to join it using:

root@testzone:~# vastool -u host/ -w testzone join -f -n testzone.deploylab.bj deploylab.bj

I get:

Checking whether computer is already joined to a domain ... no
ERROR: Could not authenticate as host/. Invalid username or password.
VAS_ERR_KRB5: Failed to obtain credentials. Client: TESTZONE$@DEPLOYLAB.BJ, Service: krbtgt/DEPLOYLAB.BJ@DEPLOYLAB.BJ, Server: bj-labdc-01.deploylab.bj
   Caused by:
   KRB5KDC_ERR_PREAUTH_FAILED (-1765328360): Preauthentication failed
ERROR: Could not join to the domain

So it seems the "default" computer object password has not been set correctly. Is there an option to the vastool create command I need to use, or do I need to specify my own "default" password (which would also need to be put in the join script)?

Please help me in my quest for not needing to "use" a windows server when deploying and using my Solaris servers!

BR // Andreas Bjorshammar



HTTP Status 500 - com.wedgetail.idm.sso.ntlm.NtlmException: NTLM token is T


removed



Quest Identity For Unix Error

I have a question about Quest Identity for Unix: when I add a Unix host in the Identity for Unix UI, there is an error "SSH2 Transport was closed".

After that I updated Identity for Unix to version 2, called Quest One Management Console, but the problem still exists. The host I add is an IBM AIX 5.3 system, and when I use an SSH client to connect to the host it is successful.

Why can't I add the host to the console?

Using VAS Apache Module on Multiple Apache instances


Hi all,

 

- I have a web server configured with 2 Apache instances, each instance running as a different user and on a different port.

- I configured the VAS module for Active Directory authentication on both instances.

- So, now, the problem is that in one instance the VAS authentication is working really well, and in the other one we're having problems. It's always requesting credentials when you try to access any website hosted on this second instance.

The strange thing is that in the first instance every website is working correctly and it's taking credentials automatically from the browser.

Has anyone seen this kind of behavior?

 

 

Thanks in advance,

Obed N Munoz

I am getting page moved 302 error from Ajax call


By enabling logging, I see that the authentication info is not found in the cache when the AJAX call is made, so the VSJ Java filter is redirecting for an authentication token. The user is already authenticated and has an established user session.

Any help is appreciated.

 

Thanks

-Apparao

Wrong ticket encryption for W2K clients only causes VSJ to fail


Hi,

I am facing the following problem.

The Windows service account used for Vintela SSO is set up using "Use DES encryption for this account". The keytab is created with ktpass ... -crypto DES-CBC-MD5 encryption.

Everything is working when I login to the web application from a Windows 2003 server machine. On the Windows 2003 server machine part of the klist tickets command is as follows (Kerberos ticket encryption of type DES-CBC-MD5 as expected):

   Server: HTTP/server.eu.xxx.com@EU.XXX.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 8/3/2007 21:38:37
      Renew Time: 8/10/2007 11:38:37

But on the Windows 2000 clients the ticket is encrypted with RC4-HMAC-NT:

   Server: HTTP/server@EU.XXX.COM
      KerbTicket Encryption Type: Kerberos RSADSI RC4-HMAC(NT)
      End Time: 8/3/2007 21:42:55
      Renew Time: 8/10/2007 11:42:55

The wrongly obtained ticket causes SSO to fail.

Tomcat output is:

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Successfully matched service principal "HTTP/SERVER.EU.XXX.COM@EU.XXX.COM but not key type (23) + KVNO (2) in this entry: Principal: HTTP/SERVER.EU.XXX.COM@EU.XXX.COM Type: 1 TimeStamp: Wed Dec 31 19:00:00 EST 1969 KVNO: -1 Key: [3, 67 ec a8 a8 75 e0 ab 3e ] )

So the encryption type of the client ticket (which is of type 23=RC4-HMAC-NT) does not match the entry in the keytab (type 3=DES-CBC-MD5).

Why does the Windows 2000 machine get a different encrypted ticket? Also, there is a difference in the SPN returned in the output of the klist tickets above.

Any help would be greatly appreciated.

Thanks,

Ron
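The Tomcat error in the post is a keytab lookup failing on enctype and KVNO rather than on the principal name: the acceptor finds an entry for HTTP/SERVER.EU.XXX.COM@EU.XXX.COM but only with key type 3 (DES-CBC-MD5), while the Windows 2000 client presented a ticket encrypted with type 23 (RC4-HMAC). The script below is an added example, not code from the post or from Vintela/Quest; it builds a constructed version-2 keytab (hypothetical names and a dummy 8-byte key, not the poster's), parses it the way a klist -k -e style tool does, and runs the same three-way match (principal, enctype, kvno) that the SPNEGO acceptor performs, so the DES-client and RC4-client cases can be compared side by side. The remedy this illustrates is a keytab that carries a key for every enctype clients actually use, since the acceptor can only decrypt a ticket for which it holds a matching key.

```python
import struct
from dataclasses import dataclass

# RFC 3961/4757 enctype numbers; 3 and 23 are the two named in the post.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str            # "HTTP/host.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int
    key: bytes
    name_type: int = KRB5_NT_PRINCIPAL
    timestamp: int = 0


def _counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise entries in the MIT version-2 keytab layout (all integers big-endian)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)   # keyblock
        body += struct.pack(">I", e.kvno)                          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse a version-2 keytab into KeytabEntry objects; negative-size slots are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []

    def counted():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = counted()
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno; nonzero overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype,
                                   key, name_type, timestamp))
    return entries


def match_service_key(entries, principal, enctype, kvno):
    """The acceptor-side lookup: the entry must match the ticket's principal,
    enctype AND kvno. Principal comparison is exact, as in the post's error text."""
    candidates = [e for e in entries if e.principal == principal]
    if not candidates:
        return "no keytab entry for " + principal
    for e in candidates:
        if e.enctype == enctype and e.kvno == kvno:
            return "ok"
    have = ", ".join(f"{ENCTYPE_NAMES.get(e.enctype, e.enctype)} kvno {e.kvno}"
                     for e in candidates)
    return (f"principal matched but no key of type {ENCTYPE_NAMES.get(enctype, enctype)} "
            f"({enctype}) kvno {kvno}; keytab has: {have}")


# Constructed keytab: one DES-CBC-MD5 key, kvno 2, like one from 'ktpass -crypto DES-CBC-MD5'.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("HTTP/server.eu.example.com@EU.EXAMPLE.COM", kvno=2, enctype=3, key=bytes(range(8))),
])


def demo():
    entries = parse_keytab(SAMPLE_KEYTAB)
    svc = "HTTP/server.eu.example.com@EU.EXAMPLE.COM"
    return {
        "entries": entries,
        "des_ticket": match_service_key(entries, svc, enctype=3, kvno=2),   # Windows 2003 case
        "rc4_ticket": match_service_key(entries, svc, enctype=23, kvno=2),  # Windows 2000 case
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```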

vas_ipc_connect: Error 13 calling connect (Permission denied)

Hi all,
I'm having a strange issue with Authentication Services.
The installation was apparently fine, but when I enable an AD user to log in on a joined Linux system, I see this in the log:

May  8 11:50:46 francio vasd[1224]: RunChild: Closing LDAP handles that have been inactive for at least 120 seconds.
May  8 11:50:54 francio sshd[6939]: Invalid user s.pisani@quest.local from 192.168.3.18
May  8 11:50:54 francio sshd[6940]: input_userauth_request: invalid user s.pisani@quest.local
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_sm_authenticate begin
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: asd_services_available: ping failed with error "Transport endpoint is not connected" (107)
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_sm_authenticate: Called for service sshd
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_is_vas_user begin
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_is_vas_user: no PAM stack account info for user s.pisani@quest.local, looking up
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_ident_db_init: Failed to initialize ident cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_is_vas_user: User is not a VAS user or a mapped user
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_is_vas_user end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas*: user: s.pisani@quest.local is not a vas account
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_am_handle_non_vas_user begin
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_am_prompt_for_cred begin
May  8 11:50:58 francio sshd[6939]: pam_vas**: getting password from PAM_AUTHTOK item
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_authtok begin
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_authtok: could not get PAM_AUTHTOK item: Unknown cause
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_authtok end
May  8 11:50:58 francio sshd[6939]: pam_vas**: could not get PAM_AUTHTOK item, will prompt for the password
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_prompt begin
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_prompt end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_do_conversation begin
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_do_conversation: done with conversation function
May  8 11:50:58 francio sshd[6939]: pam_vas****: pam_vas_get_authtok begin
May  8 11:50:58 francio sshd[6939]: pam_vas****: pam_vas_get_authtok: PAM_AUTHTOK contained an non-empty credential
May  8 11:50:58 francio sshd[6939]: pam_vas****: pam_vas_get_authtok end
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_do_conversation: Got a non-empty response from the conversation function
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_do_conversation end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_am_prompt_for_cred end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_am_handle_non_vas_user end, returning 25
May  8 11:50:58 francio sshd[6939]: pam_vas: pam_sm_authenticate: handle_non_vas_user() returned with PAM_IGNORE 25
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_set_previous_return begin
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_set_previous_return end
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_am_deinit_auth_mechanism begin
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_am_deinit_auth_mechanism end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas: pam_sm_authenticate end, returning 25
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_sm_authenticate begin
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_echo_return begin
May 8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_echo_return: Found aprevious return value, exiting with previous return value of "25".
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_echo_return end, returning 25
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: asd_services_available: ping failed with error "Transport endpoint is not connected" (107)
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_ident_db_init: Failed to initialize ident cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_unix(sshd:auth): check pass; user unknown
May 8 11:50:58 francio sshd[6939]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.18
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: asd_services_available: ping failed with error "Transport endpoint is not connected" (107)
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_ident_db_init: Failed to initialize ident cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_succeed_if(sshd:auth): error retrieving information about user s.pisani@quest.local
May  8 11:51:00 francio sshd[6939]: Failed password for invalid user s.pisani@quest.local from 192.168.3.18 port 50113 ssh2

Where is my mistake? Any advice?
Thanks a lot. I'm new.
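The trace above tells its own story once the lines are grouped per sshd process: every vas_ipc_connect attempt fails with errno 13 (Permission denied), the VAS caches cannot be initialised with the same errno, pam_vas therefore concludes the user is not a VAS user and returns 25 (PAM_IGNORE), and the stack falls through to pam_unix, which has never heard of s.pisani@quest.local. The script below is an added triage helper, not code from the post or from Quest; it parses a constructed excerpt of the same log (message texts as in the post, one sshd pid) and reduces it to the three facts a responder wants: was vasd reachable, what did pam_vas return, and how did the login end.

```python
import re
from collections import Counter

# syslog line shape: "May  8 11:50:58 francio sshd[6939]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RC_RE = re.compile(r"pam_sm_authenticate end, returning (\d+)")
PAM_IGNORE = 25   # Linux-PAM code that pam_vas reports at the end of pam_sm_authenticate

# Constructed excerpt in the shape of the post's log (one sshd session).
SAMPLE_LOG = """\
May  8 11:50:54 francio sshd[6939]: Invalid user s.pisani@quest.local from 192.168.3.18
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_sm_authenticate begin
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: asd_services_available: ping failed with error "Transport endpoint is not connected" (107)
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_ident_db_init: Failed to initialize ident cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_is_vas_user: User is not a VAS user or a mapped user
May  8 11:50:58 francio sshd[6939]: pam_vas: pam_sm_authenticate end, returning 25
May  8 11:50:58 francio sshd[6939]: pam_unix(sshd:auth): check pass; user unknown
May  8 11:50:58 francio sshd[6939]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.18
May  8 11:51:00 francio sshd[6939]: Failed password for invalid user s.pisani@quest.local from 192.168.3.18 port 50113 ssh2
"""


def parse_syslog(text):
    """Yield a dict per line that has the syslog shape; wrapped or foreign lines are skipped."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.groupdict()


def triage(text):
    """Group messages per (program, pid) and summarise each sshd session's pam_vas trace."""
    sessions = {}
    for rec in parse_syslog(text):
        sessions.setdefault((rec["prog"], rec["pid"]), []).append(rec["msg"])
    report = {}
    for (prog, pid), msgs in sessions.items():
        errors = Counter()
        pam_vas_rc = None
        outcome = "unknown"
        for msg in msgs:
            if msg.startswith("vas_ipc_connect:") and "Permission denied" in msg:
                errors["vasd socket EACCES"] += 1       # sshd could not connect to vasd's IPC socket
            elif "Failed to initialize" in msg and "err=13" in msg:
                errors["vas cache init EACCES"] += 1    # same errno from the cache layer
            elif "asd_services_available: ping failed" in msg:
                errors["vasd ping failed"] += 1
            m = RC_RE.search(msg)
            if m:
                pam_vas_rc = int(m.group(1))
            if msg.startswith("Accepted "):
                outcome = "accepted"
            elif msg.startswith("Failed password"):
                outcome = "failed password"
        report[f"{prog}[{pid}]"] = {
            "vasd_unreachable": errors["vasd socket EACCES"] > 0,
            "errors": dict(errors),
            "pam_vas_return": pam_vas_rc,
            "pam_vas_ignored_user": pam_vas_rc == PAM_IGNORE,
            "fell_through_to_pam_unix": any(m.startswith("pam_unix(") for m in msgs),
            "outcome": outcome,
        }
    return report


if __name__ == "__main__":
    for session, facts in triage(SAMPLE_LOG).items():
        print(session, facts)
```

When vasd_unreachable is true, the pam_vas verdict is not evidence about the user at all: the module never got to ask vasd. The first thing to verify on the host is that the sshd process can reach the vasd IPC socket with the permissions it runs under, before looking at the account itself.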
