Channel: Software Communities : Popular Discussions - All Things Unix

Error caused by forcing DES encryption on the vintela service account

I've resolved this issue but have run into it several times, so I wanted to understand what causes it.

Typically our company sells our product with VSJ 3.2 packaged inside, as well as Tomcat 5.0 and JDK 1.4.2.08. Now from what I understand VSJ uses its own JDK, but when using it for Tomcat 5.0 I have run into this error with 4 different customers.

In the Tomcat localhost log we see:

"starting filter authFilter
com.wedgetail.idm.sso.ConfigException: Could not validate com.wedgetail.idm.sso.password: DES key type was used with an incorrect service principal name, service principal name was recently changed and a password reset is required, or password was invalid [caused by: com.dstc.security.kerberos.CryptoException: Integrity check failure]
 at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:126)
 at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)
 at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)
 at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
 at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)
 at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:225)
 at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:308)"

Now I can reset the password for the service account until I'm blue in the face, but it will not resolve this error. Instead I need to go to the MMC, pull up the account properties for the Vintela service account, and make sure DES is unchecked.

Our docs specify that DES should be selected yet it causes VSJ to fail in some environments (so far the only thing I think we have in common is windows 2003 native mode).

Can someone tell me any of the following...

1) Is DES required for VSJ or can we use RC4?
2) Should DES be the preferred encryption type on the VSJ service account? Or can we recommend RC4 and only use DES if it is needed?
3) Does anyone know what the above error means?

Thanks in advance.

Regards,

Tim

Account Validation Failed - Rejecting User

I have installed the quest-samba-3.0.25a_q213 rpms under Fedora Core 7, followed the installation instructions and ran /opt/quest/bin/vas-samba-config; all worked fine.

# /opt/quest/bin/vas-samba-config
Checking for VAS...
Stopping Samba services...
Checking /etc/opt/quest/samba/smb.conf...
/etc/opt/quest/samba/smb.conf: No changes required
Checking /etc/opt/quest/vas/vas.conf...
/etc/opt/quest/vas/vas.conf: No changes required

  Samba can support NTLM (non-Kerberos) authentication for users,
  but this requires that the local host password be renewed (set to
  a new random string) during installation. Renewing the host
  password is a normal operation that is performed periodically
  by vasd.

Reset the local host key now for NTLM support? [yes]:

Detecting domain SID...
Renewing the computer account password...
Modified trust account password in secrets database
Join is OK
Starting Samba services...
Starting vasidmapd service:                                [  OK  ]
Starting nmbd-quest service:                               [  OK  ]
Starting smbd-quest service:                               [  OK  ]
Starting winbindd-quest service:                           [  OK  ]


Then I tried a few things from 'testing the samba server is properly configured':

/opt/quest/bin/net rpc testjoin
Join to '###' is OK

/opt/quest/bin/net ads testjoin
Join is OK

Now, all going fine you might say, however ....

When I try smbclient, all I get is smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User mikec!

I have tried the following

su - mikec
kinit mikec@MY.REALM
/opt/quest/bin/smbclient //leaf.mydomain/mikec -UMYDOMAIN/mikec

cli_session_setup_blob: recieve failed (NT_STATUS_LOGON_FAILURE)
session setup failed: NT_STATUS_LOGON_FAILURE

The error that keeps cropping up in /var/log/messages is

smbd[5910]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User mikec!

can anyone shed any light?

regards
Mike

Using VAS Apache Module on Multiple Apache instances


Hi all,

- I have a web server configured with 2 Apache instances, each instance running as a different user and port.

- I configured the VAS module for Active Directory authentication on both instances.

- So, now, the problem is that in one instance the VAS authentication is working really well, and in the other one we're having problems. It's always requesting credentials when you try to access any website hosted on this second instance.

The strange thing is that in the first instance every website is working correctly and it's taking credentials automatically from the browser.

Has anyone seen this kind of behavior?

Thanks in advance,

Obed N Munoz

Using Active Directory aliases - CNAME

I have a machine with a NetBIOS name of devmgr02.  It has a name resolvable to devmgr02.example.com.  I also have a host alias for this machine called dev.example.com.  This is being handled by Active Directory.  I don't have any issues with access to dev.example.com for anything web related, except with VSJ.  It seems that VSJ (maybe it's WebSphere's fault) wants to use the physical host name devmgr02 for the principal instead of dev.  It appears as if VSJ asks for the host name, or the IP address is used to reverse-resolve the hostname, which has 2 entries, and devmgr02 is the first entry to be returned.  Now, it doesn't seem that this happens in all cases, but often enough that it causes a problem.
I would like to avoid having to create new SPNs and keytabs every time we upgrade our servers from one machine to another ( while keeping the first machine running setup and configuration of the new machine ), but don't see a way to do this.  Creating new SPNs and keytabs is painful from the perspective that the Windows server admins have to do the work and their priorities aren't always my priorities, not to mention the additional work required each time. 

I did see an entry in the forums here that talked about using setspn -A when behind a load balancer, does this somehow apply?
Any ideas?
[3/22/07 11:28:33:800 CDT] 0000009e CommonsSsoLog E com.wedgetail.idm.sso.util.CommonsSsoLogger error Session ID: faw34234awf3f4w34afwe4
 Request: /somecontextroot
 Remote: 172.1.1.1
 Principal: HTTP/dev.example.com@EXAMPLE.COM
 Message: Could not authorize request: com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: org.ietf.jgss.GSSException, major code: 11, minor code: -1
 major string: General failure, unspecified at GSSAPI level
 minor string: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 4, Principal "HTTP/devmgr02.example.com@EXAMPLE.COM" using key:
  Principal: HTTP/dev.example.com@EXAMPLE.COM
  Type: 1
  TimeStamp: Thu Nov 17 15:57:32 CST 2005
  KVNO: -1
  Key: [23,  aa aa aa aa aa aa aa a aa aa aa aa aa aa aa aa ]
Exception for this key was:  com.dstc.security.kerberos.CryptoException: Integrity check failure[Note:  principal names are different;  this may or may not be a problem]
[Note:  KVNO used wildcard match, not exact match;  perhaps the password used to generate this key is not the most recent password?]
When it performs a basic fallback authentication, it responds with: connecting to devmgr02.example.com, not connecting to dev.example.com.

My next post will include the commands we use for ktpass and jkutil.

vas_ipc_connect: Error 13 calling connect (Permission denied)

Hi all,
I'm having a strange issue with Authentication Services.
The installation was apparently fine, but when I enable an AD user to log in on a joined Linux system, I log this stuff:

May  8 11:50:46 francio vasd[1224]: RunChild: Closing LDAP handles that have been inactive for at least 120 seconds.
May  8 11:50:54 francio sshd[6939]: Invalid user s.pisani@quest.local from 192.168.3.18
May  8 11:50:54 francio sshd[6940]: input_userauth_request: invalid user s.pisani@quest.local
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_sm_authenticate begin
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: asd_services_available: ping failed with error "Transport endpoint is not connected" (107)
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_sm_authenticate: Called for service sshd
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_is_vas_user begin
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_is_vas_user: no PAM stack account info for user s.pisani@quest.local, looking up
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_ident_db_init: Failed to initialize ident cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_is_vas_user: User is not a VAS user or a mapped user
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_is_vas_user end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas*: user: s.pisani@quest.local is not a vas account
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_am_handle_non_vas_user begin
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_am_prompt_for_cred begin
May  8 11:50:58 francio sshd[6939]: pam_vas**: getting password from PAM_AUTHTOK item
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_authtok begin
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_authtok: could not get PAM_AUTHTOK item: Unknown cause
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_authtok end
May  8 11:50:58 francio sshd[6939]: pam_vas**: could not get PAM_AUTHTOK item, will prompt for the password
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_prompt begin
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_get_prompt end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_do_conversation begin
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_do_conversation: done with conversation function
May  8 11:50:58 francio sshd[6939]: pam_vas****: pam_vas_get_authtok begin
May  8 11:50:58 francio sshd[6939]: pam_vas****: pam_vas_get_authtok: PAM_AUTHTOK contained an non-empty credential
May  8 11:50:58 francio sshd[6939]: pam_vas****: pam_vas_get_authtok end
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_do_conversation: Got a non-empty response from the conversation function
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_do_conversation end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_vas_am_prompt_for_cred end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_am_handle_non_vas_user end, returning 25
May  8 11:50:58 francio sshd[6939]: pam_vas: pam_sm_authenticate: handle_non_vas_user() returned with PAM_IGNORE 25
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_set_previous_return begin
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_set_previous_return end
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_am_deinit_auth_mechanism begin
May  8 11:50:58 francio sshd[6939]: pam_vas*: pam_vas_am_deinit_auth_mechanism end, returning 0
May  8 11:50:58 francio sshd[6939]: pam_vas: pam_sm_authenticate end, returning 25
May  8 11:50:58 francio sshd[6939]: pam_vas**: pam_sm_authenticate begin
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_echo_return begin
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_echo_return: Found a previous return value, exiting with previous return value of "25".
May  8 11:50:58 francio sshd[6939]: pam_vas***: pam_vas_echo_return end, returning 25
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: asd_services_available: ping failed with error "Transport endpoint is not connected" (107)
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_ident_db_init: Failed to initialize ident cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_unix(sshd:auth): check pass; user unknown
May  8 11:50:58 francio sshd[6939]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.18
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: vas_ipc_connect: Error 13 calling connect (Permission denied)
May  8 11:50:58 francio sshd[6939]: asd_services_available: ping failed with error "Transport endpoint is not connected" (107)
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_misc_db_init: Failed to initialize misc cache, err=13
May  8 11:50:58 francio sshd[6939]: libvascache_ident_db_init: Failed to initialize ident cache, err=13
May  8 11:50:58 francio sshd[6939]: pam_succeed_if(sshd:auth): error retrieving information about user s.pisani@quest.local
May  8 11:51:00 francio sshd[6939]: Failed password for invalid user s.pisani@quest.local from 192.168.3.18 port 50113 ssh2

Where is my mistake? Any advice?
Thanks a lot. I'm new.


Client-LDAP-Authentification onto AD via VASPROXYD

Hello, I'm new here.

I have several problems configuring the vasproxyd.

It should be used to authenticate Ubuntu clients via this proxy against Windows AD.

And there are a few questions:

Do I have to install an LDAP server (since the clients speak LDAP)?

What does the client config (Ubuntu) look like?


I have configured the vasproxyd (in vas.conf):

[vasproxyd]

ldap = {
    listen-addrs       = 127.0.0.1:389
    enable-anonymnous  = false
    service-principal  = host/MyServer.domain.com@DOMAIN.COM
    proxy-to-gc        = true
    allow-deny-name    =
    daemon-user        = root   (could I use another user?)
    connection-timeout = 120
}


So I changed the names, but my config looks like this. How do I have to configure the clients? They should be authenticated via this proxy against Windows AD.

I hope you can help me.

Clock skew error


[on behalf of Rodney]

Hi Team,

We're using VSJ 3.3 in a web application (on Tomcat). During SSO with AD, users sometimes are not able to log in, and the error found in Tomcat STDOUT is:

{ERROR} av.AuthenticatorValidatorBase Thread [http-8080-Processor24];  Rejected AP-REQ because timestamp (1314873940000) is 324056 ms old (max skew = 300000)

++++ KRB-AP-REQ Message ++++
encryption type: 23 (DECRYPTED OK)
ap options: mutual-required
Ticket:
  encryption type: 23
  service principal:HTTP/service-account@domain.com
client:username@domain.com
subkey: [23,  4 be cc e0 b9 ef b0 a8 68 9f 2e 93 c8 31 3a 9 ]
client time: Thu Sep 01 03:45:40 PDT 2011
cusec: 394
sequence number: 1253074037
++++++++++++++++++++++++++++

We have confirmed that the DC and the app server time is in sync when the issue occurs.

Any ideas?

Thanks in advance!

Rodney
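Added example, not from Rodney's post and not Quest's code: a Python model of the acceptor-side freshness and replay check that produces a line like the one above (RFC 4120 section 3.2.3), plus a parser that turns that rejection line back into the two clock readings it was computed from. The age VSJ reports is the gap between the authenticator's ctime, which the user's workstation writes (it is the "client time" shown in the dump), and the application server's clock at receipt; the domain controller's clock is not part of that comparison, so confirming DC/app-server sync says nothing about the workstation that sent the AP-REQ. The 300000 ms figure is taken from the log line; the log line in the usage block is the one quoted above.

```python
"""Acceptor-side AP-REQ timestamp and replay check, plus a parser for the rejection line.
Added example; the only constant taken from the page is the 300000 ms max skew."""
import re
from datetime import datetime, timezone

MAX_SKEW_MS = 300_000  # "max skew = 300000" in the log: the usual Kerberos 5 minutes

REJECT_RE = re.compile(
    r"Rejected AP-REQ because timestamp \((\d+)\) is (-?\d+) ms old \(max skew = (\d+)\)")


def _iso(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_rejection(line):
    """Recover both clocks from a rejection line: the client's authenticator time
    (ctime, epoch ms) and the app server's receive time (ctime + reported age)."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    ctime_ms, age_ms, max_skew = (int(x) for x in m.groups())
    return {
        "client_time_utc": _iso(ctime_ms),
        "server_time_utc": _iso(ctime_ms + age_ms),
        "skew_ms": age_ms,
        "over_by_ms": abs(age_ms) - max_skew,
    }


class ApReqValidator:
    """Freshness window plus a replay cache keyed on (client, ctime, cusec).
    Cache entries older than the window are dropped: an authenticator that old
    would fail the timestamp check before the cache is consulted."""

    def __init__(self, max_skew_ms=MAX_SKEW_MS):
        self.max_skew_ms = max_skew_ms
        self._seen = {}

    def check(self, client, ctime_ms, cusec, now_ms):
        """Return (accepted, reason). Only accepted authenticators enter the cache."""
        age = now_ms - ctime_ms
        if abs(age) > self.max_skew_ms:          # future-dated authenticators are rejected too
            return False, ("Rejected AP-REQ because timestamp (%d) is %d ms old (max skew = %d)"
                           % (ctime_ms, age, self.max_skew_ms))
        cutoff = now_ms - self.max_skew_ms
        for key in [k for k, t in self._seen.items() if t < cutoff]:
            del self._seen[key]
        key = (client, ctime_ms, cusec)
        if key in self._seen:
            return False, "replay: authenticator (%s, %d, %d) already seen" % key
        self._seen[key] = ctime_ms
        return True, "ok"


if __name__ == "__main__":
    LOG = ("{ERROR} av.AuthenticatorValidatorBase Thread [http-8080-Processor24];  "
           "Rejected AP-REQ because timestamp (1314873940000) is 324056 ms old (max skew = 300000)")
    print(parse_rejection(LOG))
```

For the logged line this gives a client time of 2011-09-01T10:45:40Z (03:45:40 PDT, matching the dump) against a server receive time of 2011-09-01T10:51:04Z: the workstation, not the DC, was about five and a half minutes behind the app server.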


NTLM SMB issue - Could not get valid NTLM challenge from ........

I'm trying to debug an issue with NTLM fallback; I have the filter configured correctly as per any other deployment.

I'm able to authenticate users correctly using Kerberos, but I have noticed in the logs an issue with NTLM.

This was discovered because of a Java Applet which is posting back to the server, the applet is not using kerberos but NTLM to authenticate the user.

The application server is Tomcat 5, using Quest VSJ "VSJ Standard Edition 3_3 Patch 3548"

From what can be seen in the server logs, QuestSSO performs a DNS lookup and attempts to connect to all of the GCs which are returned.

Example:
- Starting Coyote HTTP/1.1 on http-80
- JK: ajp13 listening on /0.0.0.0:8009
- Jk running ID=0 time=0/47  config=null
- Host server1.domain.ltd/1.1.1.1:389 appears to be down
- Could not get valid NTLM challenge from server1.domain.ltd/1.1.1.1
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server2.domain.ltd/1.1.1.2:389 appears to be down
- Could not get valid NTLM challenge from server2.domain.ltd/1.1.1.2
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server3.domain.ltd/1.1.1.3:389 appears to be down
...
... etc


I have enabled the debug level and log4j configuration, but this is not showing any errors.

I have used PortQry.exe to scan the AD servers and they are accessible.


What can I do to move forward? Any ideas ?

Quest Authentication Services 4.1 pre-release

All,

We are looking for a few customers to test our pre-release of QAS 4.1 in early January. Here is your chance to try out the new feature set, and get direct support from our development team on the new release, before we ship it live. Please send me an email (glen.davis@quest.com) if you have interest and would like to hear more about it.

Thanks,
Glen Davis
Product Manager

wyse T50 problem with key "." layout pt-BR keyboard ABNT2


I'm using a Wyse T50 with a Brazilian ABNT2 keyboard (pt-BR), and the "." (point) key on the numeric keypad does not work inside rdpclient. It works fine with the console and other apps outside rdpclient, but not inside. Using rdpclient with the parameter --lx-debug helped to get the keycode 0x79, but I do not know how to fix it. I installed Remmina/Rdesktop and all the keys work fine, so I guess the problem is with Wyse rdpclient/RDP.

 

Any idea?

 

Thanks in advance

HTTP Status 500 - com.wedgetail.idm.sso.ntlm.NtlmException: NTLM token is T


removed


Message was edited by: MarkBarc

VAS-Authentication without HTTP/ -Service-Account?


Hi everybody!


I am trying to bring up VAS authentication for one of our webservers. The machine has been joined to our AD previously and unix user authentication is working fine.


Unfortunately our rights in AD are pretty restricted, I am not able to create anything else but machine-accounts in AD, so the setup-script fails to create the HTTP/-thing.


Is there any way to use the machine account to authenticate users without having to create a HTTP/-service-account?

Wrong ticket encryption for W2K clients only causes VSJ to fail


Hi,

I am facing the following problem.

The Windows service account used for Vintela SSO is set up using "Use DES encryption for this account". The keytab is created with ktpass ... -crypto DES-CBC-MD5 encryption.

Everything is working when I login to the web application from a Windows 2003 server machine. On the Windows 2003 server machine part of the klist tickets command is as follows (Kerberos ticket encryption of type DES-CBC-MD5 as expected):

   Server: HTTP/server.eu.xxx.com@EU.XXX.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 8/3/2007 21:38:37
      Renew Time: 8/10/2007 11:38:37

But on the Windows 2000 clients the ticket is encrypted with RC4-HMAC-NT:

   Server: HTTP/server@EU.XXX.COM
      KerbTicket Encryption Type: Kerberos RSADSI RC4-HMAC(NT)
      End Time: 8/3/2007 21:42:55
      Renew Time: 8/10/2007 11:42:55

The wrong ticket being obtained causes SSO to fail.

Tomcat output is:

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Successfully matched service principal "HTTP/SERVER.EU.XXX.COM@EU.XXX.COM but not key type (23) + KVNO (2) in this entry: Principal: HTTP/SERVER.EU.XXX.COM@EU.XXX.COM Type: 1 TimeStamp: Wed Dec 31 19:00:00 EST 1969 KVNO: -1 Key: [3, 67 ec a8 a8 75 e0 ab 3e ] )

So the encryption type of the client ticket (which is of type 23=RC4-HMAC-NT) does not match the entry in the keytab (type 3=DES-CBC-MD5).

Why does the Windows 2000 machine get a differently encrypted ticket? Also, there is a difference in the SPN returned in the output of the klist tickets commands above.

Any help would be greatly appreciated.

Thanks,

Ron
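Added example, not part of Ron's post and not Quest/Vintela code: a Python parser for the MIT keytab format that ktpass and ktutil write (version 0x0502; VSJ's own jkutil format is not covered), plus a key-lookup routine that reproduces the three failures seen in this thread, in "Error caused by forcing DES encryption on the vintela service account" and in "Using Active Directory aliases - CNAME". In the order a service checks them: no entry for the SPN the client actually asked for (the two klist outputs above name different SPNs, and the CNAME thread's ticket names the physical host), an entry for the SPN but no key of the ticket's enctype (an RC4 ticket, type 23, against a DES-CBC-MD5, type 3, keytab), and the right enctype under a stale KVNO after a password reset. The principal comparison is case-insensitive to mirror Active Directory's SPN matching, which is an assumption; the keytab bytes in the usage are constructed here, not taken from any post.

```python
"""Parse an MIT-format keytab and explain why a service ticket's key was not found.
Added example; assumes keytab format 0x0502 (ktpass, ktutil). Sample data is constructed."""
import struct

# Kerberos enctype numbers (RFC 3961, RFC 4757) matching the "Key type 23" /
# "Key: [3, ...]" fragments in the VSJ error messages.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as keytab v2.
    Used here only to construct test input; real keytabs come from ktpass/ktutil."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # optional 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts: principal, kvno, enctype, key, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        kvno = vno8
        if end - off >= 4:                # 32-bit vno, when present, overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": timestamp})
    return entries


def diagnose(entries, ticket_sname, ticket_enctype, ticket_kvno):
    """Select the key a service would use for a ticket; return (entry, reason).
    Name match is case-insensitive to mirror AD's SPN handling (assumption)."""
    by_name = [e for e in entries if e["principal"].lower() == ticket_sname.lower()]
    if not by_name:
        return None, ("no keytab entry for %s; the client requested a different SPN "
                      "(alias vs. physical host name?)" % ticket_sname)
    by_type = [e for e in by_name if e["enctype"] == ticket_enctype]
    if not by_type:
        have = ", ".join(sorted({ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
                                 for e in by_name}))
        want = ENCTYPE_NAMES.get(ticket_enctype, str(ticket_enctype))
        return None, ("principal matched but no %s key; keytab has only %s (the account's DES "
                      "flag and ktpass -crypto must agree with what the KDC issues)" % (want, have))
    exact = [e for e in by_type if e["kvno"] == ticket_kvno]
    if exact:
        return exact[0], "ok"
    have = ", ".join(str(e["kvno"]) for e in by_type)
    return None, ("enctype matched but ticket KVNO %d is not in keytab (have %s); was the "
                  "account password changed after the keytab was generated?" % (ticket_kvno, have))
```

Running `diagnose` against a keytab holding only a DES-CBC-MD5 key for HTTP/dev.example.com with an RC4 ticket for the same name gives the "principal matched but no rc4-hmac key" case, which is the W2K symptom above; a ticket for HTTP/devmgr02.example.com gives the name-mismatch case from the CNAME thread.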

Putty 0.62 session menu with Windows 7


I've recently upgraded to Windows 7, and am enjoying the menu of open PuTTY sessions displayed when I hover my mouse over the PuTTY icon in my toolbar.  HOWEVER, one aspect which bothers me is how the menu displays.  Initially it displays a horizontal list of icons for each session, expanding the list up to 10 sessions, after which it transforms that list to a vertical list of lines in a single window, one line for each session.  My issue is that once the horizontal list exceeds 6 sessions, the session names contained in the icons get truncated from the right to the point that they are no longer unique, rendering them useless.  Consequently, once I open a 7th session, I proceed to open another 4 simply to maintain the usability of my session menu.  Does anyone know a way to customize either the point at which the menu transfers to a horizontal list, or the session name truncation so that it truncates from the left instead of the right?


Support for apache httpd 2.4?

Do you know if mod_auth_vas will work with Apache httpd 2.4? Or if there is any intention to support this, and if so what time frame this version is likely to be supported in?

Thanks,
Paul

connect Linux laptop to corporate wifi network

I am trying to connect a RHEL6 Linux laptop to our corporate wifi network. The laptop has been joined to the domain through Quest (VAS). I believe the wifi network uses both machine authentication and user authentication, but I am not certain about this, as the wifi network is designed for Windows laptops and details are scatty and difficult to find.

The windows laptops are able to connect to the wifi network and they seem to have the following settings for their wifi adapter to connect to the corporate wifi network:
Security type: WPA2-Enterprise
Encryption Type: AES
Microsoft Protected EAP(PEAP)
Authentication Method: EAP-MSCHAP v2
When connecting automatically use my Windows logon name and password (and domain if any).
802.1X settings: specify user or computer authentication
802.11 settings: Enable Pairwise Master Key (PMK)
RADIUS Server: citrix.SomeStringxxx
RootCA: Some Certification Authority xxxx

If the Windows laptops joined to the domain can connect automatically to the wifi, then I would like the Linux laptops joined to the domain via Quest (VAS) also to be able to connect (authenticate against the RADIUS server and connect to the wifi), either automatically or manually if need be. I am uncertain as to what to do on the Linux laptop to be able to connect to the wifi. Is there some Quest program that enables the same type of connection/authentication that the Windows laptops have? I.e. the Windows laptops seem to be able to connect (as in the user's credentials and the machine credentials pass to the WAP) to the wifi network auto-magically without the user having to do anything. I think this is being done through Group Policy in some way on the Windows laptops when they are first joined to the domain and Group Policies are applied; the auto-joining to the wifi is set up then, I believe.

If there is no Quest wifi program then is there some way to replicate all the Windows PEAP settings on the RHEL6 Linux laptop manually? I am not sure how PEAP works but I think it should be possible to connect the Linux laptop to the wifi - I suspect that there is only a limited range of parameters that can be passed to the WAP (then eventually the RADIUS server) such as hostname, a certificate, some sort of public/private key pair, username, password for authentication to take place.

Any advice much appreciated on a Quest program or even on entering the right settings on NetworkManager on RHEL6 and importing/exporting a key, importing/exporting a certificate from the windows laptops to the Linux laptops etc

Thank you and kind regards,
Tahir
Kerberos SSO with 1 way Trust

I had configured Kerberos SSO with a 1-way trust between two domains... But on logging in I am getting the following exception...

[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: resetting state...
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: principal = 'HTTP/mdk1waytrustd3.wtmdk1waydom3.com'
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: realm = 'WTMDK1WAYDOM3.COM'
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Found name servers using JNDI
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd2.wtmdk1waydom2.com (10.31.70.183)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd1.wtmdk1waydom1.com (10.31.69.52)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: MDK1WAYTRUSTD3.WTMDK1WAYDOM3.COM (10.31.70.184)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd4.wtmdk1waydom4.com (10.31.71.34)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: corpinba8.corp.emc.com (10.30.48.37)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: corpgefr3.corp.emc.com (152.62.196.10)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: The old JCSI Kerberos code for the Windows LSA is now disabled by default;
if you really want it (rather than the new WinSSPI code) you must set
-Djcsi.kerberos.lsa.enable=true
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Creating LSA credential cache
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Could not locate default cache: com.dstc.security.kerberos.KerberosException: Could not create credential store com.dstc.security.kerberos.KerberosException: Native in-memory credential cache not supported on this platform (Windows Server 2008 R2)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: login succeeded
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: loaded InputStream based keytab at time 1351158964992 m/secs, 5 entries
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: binding principal to subject
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: binding credentials to subject


Can someone help me in resolving this?

Regards,
Sumith

Crash when authenticating

I'm seeing the following crash during authentication:

*** glibc detected *** /usr/java/jdk1.6.0_25/bin/java: free(): invalid pointer: 0x0000000041e33450 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3b66275916]
/opt/quest/lib64/libvas.so.4(vas_string_zerofree+0x4b)[0x7ffd9cc615f0]
/lib64/security/pam_vas3.so(pam_vas_do_conversation+0x210)[0x7ffd9ce01c7d]
/lib64/security/pam_vas3.so(pam_vas_am_prompt_for_cred+0x2ff)[0x7ffd9cdfc85b]
/lib64/security/pam_vas3.so(pam_sm_authenticate+0xb30)[0x7ffd9cdf772a]
/lib64/libpam.so.0[0x3b69202cee]
/lib64/libpam.so.0(pam_authenticate+0x40)[0x3b69202600]

Any ideas as to what may be causing it? The pam config looks like:


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_vas3.so create_homedir get_nonvas_pass store_creds
auth requisite pam_vas3.so echo_return
auth sufficient pam_unix.so nullok try_first_pass use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account sufficient pam_vas3.so
account requisite pam_vas3.so echo_return
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password sufficient pam_vas3.so
password requisite pam_vas3.so echo_return
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session required pam_vas3.so create_homedir
session requisite pam_vas3.so echo_return
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

mod_auth_vas, Tomcat, mod_jk and getRemoteUser() == null

Hi, everyone.

VAS+mod_auth_vas can be used to authenticate for Tomcat servlets. You only need to install the mod_jk module into Apache and tweak a connector. Tomcat generally comes with a pre-configured AJP connector that will listen to mod_jk.

The biggest 'gotcha' is that you will need to configure Tomcat so that it stops doing its own authentication, and starts believing the auth information supplied by Apache. This is done by turning off the connector's tomcatAuthentication property, which normally defaults to 'true'. Do this either by editing $BASEDIR/conf/jk2.properties and adding
request.tomcatAuthentication=false
OR by editing $BASEDIR/server.xml, finding the AJP connector and adding tomcatAuthentication="false" as an attribute. For example:
<Connector port="8009"
    enableLookups="false" redirectPort="8443" debug="0"
    protocol="AJP/1.3"
    tomcatAuthentication="false"  />
Be sure to add a <Location> element somewhere in Apache's configuration area that enables mod_auth_vas for the servlets you want to protect. For example, I test with this:
<Location "/servlets-examples">
    AuthType VAS
    Require valid-user
</Location>
After this, the servlets' request.getAuthType() will return "VAS" and request.getRemoteUser() will return the User Principal Name of the authenticated user, e.g. "user@DOMAIN.COM" (not the unix user name... unless you enable AuthVasLocalizeUserName, a new option in mod_auth_vas-3.4.)

Please note that mod_auth_vas does not do NTLM authentication; it only does GSSAPI/Kerberos. You should look to Quest's VSJ product to support NTLM, and for excellent supported integration into other application server products (like WebSphere, JBoss, etc).

Cheers!

d
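A check for the connector setting the post above depends on, added here as an example and not code from the post or from Quest: it parses server.xml, reports whether the AJP connector has tomcatAuthentication="false" (without it getRemoteUser() stays null), and whether the connector is bound to an address, since with Tomcat's own authentication off the user name forwarded over AJP is trusted as-is. The server.xml fragments are constructed; address is Tomcat's standard connector attribute.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not from a real deployment). "BEFORE" is the
# stock AJP connector, "AFTER" is the one the post shows with tomcatAuthentication off.
SERVER_XML_BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

SERVER_XML_AFTER = SERVER_XML_BEFORE.replace(
    'protocol="AJP/1.3" redirectPort="8443"/>',
    'protocol="AJP/1.3" redirectPort="8443"\n'
    '               tomcatAuthentication="false" address="127.0.0.1"/>')


def ajp_connectors(server_xml):
    """Return the <Connector> elements whose protocol is AJP."""
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


def check_ajp(server_xml):
    """Return (port, tomcat_auth_off, bound_address) for each AJP connector.

    tomcat_auth_off must be True for the REMOTE_USER that mod_jk forwards from
    mod_auth_vas to reach getRemoteUser(); with the default ("true") Tomcat
    ignores it and getRemoteUser() is null. bound_address is None when the
    connector listens on every interface: with tomcatAuthentication off, any
    host that can reach the AJP port can supply a user name Tomcat will trust,
    so the address should be the loopback or the Apache host.
    """
    findings = []
    for c in ajp_connectors(server_xml):
        auth_off = c.get("tomcatAuthentication", "true").lower() == "false"
        findings.append((c.get("port"), auth_off, c.get("address")))
    return findings


if __name__ == "__main__":
    for label, xml in (("before", SERVER_XML_BEFORE), ("after", SERVER_XML_AFTER)):
        for port, auth_off, addr in check_ajp(xml):
            print(f"{label}: AJP port {port} tomcatAuthentication off={auth_off} "
                  f"address={addr}")
```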