Hi experts!
I am a newbie to VAS.
After installing VAS 3.5 on both the server (Windows Server 2003) and the client (Red Hat 5.2) according to the manual,
I failed to log in to the Linux client using a Unix-enabled domain user: test
I tried running some troubleshooting commands and got the information below:
[root@redhat-head ~]# /opt/quest/bin/vastool user checklogin test
WARNING: NSS lookup (getpwnam) for user test failed, this will almost
certainly mean that you will be unable to log in with a username of test.
This should be fixed before worrying about any other failures.
## I checked /etc/nsswitch.conf and found everything is OK.
[root@redhat-head ~]# /opt/quest/bin/vastool nss getpwnam test
ERROR: Could not look up user for name: test, error = 2.
[root@redhat-head ~]# /opt/quest/bin/vastool info domain
test.com
[root@redhat-head ~]# /opt/quest/bin/vastool -u host/ attrs test uidnumber gidnumber unixhomedirectory loginshell userprincipalname DistinguishedName
distinguishedName: CN=test,OU=Unix,DC=pera-test,DC=com
userPrincipalName: test@test.com
uidNumber: 1000
gidNumber: 1000
unixHomeDirectory: /home/test
loginShell: /bin/bash
I can't find where the problem is.
Any advice?
Thanks in advance!
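The two things `vastool user checklogin` complains about in the post above (whether nsswitch.conf routes passwd/group lookups through the VAS NSS module, and whether getpwnam() resolves the user at all) can be reproduced locally without vastool. The script below is an added example, not Quest code and not from the poster; it assumes the VAS 3.x NSS module is listed as `vas3` in /etc/nsswitch.conf (the post does not show the module name) and uses a constructed nsswitch.conf sample rather than the poster's real file.

```python
"""Local reproduction of the nsswitch and getpwnam checks behind
`vastool user checklogin`.  Added example, not Quest code.

Assumptions (not from the post): the VAS 3.x NSS module is named "vas3"
in /etc/nsswitch.conf, and a KeyError from pwd.getpwnam simply means that
no configured NSS source returned an entry.
"""
import pwd
import re

# Constructed sample of an /etc/nsswitch.conf; the poster's real file is
# not shown.  Note that "passwd" deliberately omits vas3 so the check has
# something to report.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files
shadow:     files vas3
group:      files vas3
hosts:      files dns
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]} for every non-comment line."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # Drop [STATUS=action] qualifiers; only the source names matter here.
        sources = re.sub(r"\[[^\]]*\]", " ", sources)
        dbs[db.strip()] = sources.split()
    return dbs


def missing_module(text, module="vas3", databases=("passwd", "group")):
    """List the databases whose lookup chain never reaches `module`.

    A user that exists in AD but whose passwd lookup never reaches the VAS
    module fails getpwnam exactly the way the post shows.
    """
    dbs = parse_nsswitch(text)
    return [db for db in databases if module not in dbs.get(db, [])]


def lookup_user(name):
    """Equivalent of `vastool nss getpwnam`: resolve the name through the
    C library's NSS chain; None when no source returns an entry."""
    try:
        return pwd.getpwnam(name)
    except KeyError:
        return None


if __name__ == "__main__":
    print("databases missing vas3:", missing_module(SAMPLE_NSSWITCH))
    for user in ("root", "test"):
        entry = lookup_user(user)
        print(user, "->", entry.pw_dir if entry else "NSS lookup failed")
```

Run it on the real file with `missing_module(open("/etc/nsswitch.conf").read())`; an empty list means the module is wired in for both databases and the failure lies elsewhere (vasd connectivity, the user's Unix-enablement, or the cache), which is the distinction the checklogin warning is asking you to settle first.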
problem of vastool user checklogin
IBM DB2 LDAP Plugin and Vintela DB2 Security Plugin
What is the difference between the DB2 LDAP Plug-in provided by IBM and the DB2 Security Plug-in for LDAP from Vintela? Are they the same product? We just converted our IBM SP MPP server from NIS to VAS and have been experiencing random ADM13001E errors during heavy usage on AIX 5.3 with UDB 9.5 (see DB2 log below).
2009-06-23-00.04.31.104862-240 I1220A477 LEVEL: Error
PID : 4776414 TID : 4884 PROC : db2sysc 3
INSTANCE: udbcdwp NODE : 003 DB : CDWPDB
APPHDL : 3-2246 EDUID : 4884 EDUNAME: db2agent (CDWP) 3
FUNCTION: DB2 Common, Security, Users and Groups, secValidatePasswordPlugin, probe:20
DATA #1 : String, 94 bytes
db2ldapGetUserDN:LDAP search failed with ldap rc=81 (Can't contact LDAP server)user='cdwmgr'
and
2009-06-23-00.50.36.538464-240 E155194A727 LEVEL: Severe
PID : 4309120 TID : 772 PROC : db2acd 8
INSTANCE: udbcdwp NODE : 008
EDUID : 772 EDUNAME: db2acd 8
FUNCTION: DB2 UDB, bsu security, sqlexGetDefaultLoginContext, probe:150
MESSAGE : ADM13001E Plug-in "IBMLDAPauthclient" received error code "-1" from the DB2 security plug-in API "db2secGetDefaultLoginContext" with the error message "LDAP WhoAmI: can't determine LDAP user associated with OS user 'udbcdwp': LDAP error while searching for AuthID. Userid attribute='cn' AuthID attribute='cn' user objectClass='user' user base DN='dc=fhlmc,dc=com'".
GSSException when launching ejb fatclient example from VSJ-WebLogic-Edition
I downloaded vsj-weblogic-3.2 (VSJ-WebLogic-Edition-3.2_Patch-3550). I get the exception below. I saw on a forum that the 3.3 version fixes this problem. Is that so? Is the 3.3 version available?
http://allthingsunix.inside.quest.com/thread.jspa?threadID=10055&tstart=0&messageID=30443
Best regards,
Omer
Caused by: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.provider.Krb5U2S configured by JCSIKrb5 for GSS-API Mechanism Factory cannot be created
at com.quest.vsj.weblogic.login.EjbClientKerberosLoginModule.login(EjbClientKerberosLoginModule.java:107)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
at com.decsso.client.VSJWebLogicEditionSSOTester$1.run(VSJWebLogicEditionSSOTester.java:50)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
... 3 more
VSJ and JBoss 7.1
Our company has recently purchased the Standard edition of VSJ and we have this running fine on WAS 8. I am trying to get this to run on JBoss 7.1 so we can run our application easily on our local development servers. Has anyone gotten this working with JBoss 7.1? I think I am very close, but an example standalone.xml file would be immensely helpful to know that I have set up my SSL correctly to be used with VSJ.
Thanks,
Rob
Not seeing correct AD group membership using vastool
We have an AD group 'foo'. User Abe is added to it using AD tools.
I cannot see this user in the group using vastool on Solaris, and of course the user cannot log in.
$ vastool list groups | grep foo
foo:VAS:2010:john.doe@na.company.com,harry.who@na.company.com
$
I've executed vastool flush to no effect.
What am I doing wrong?
SSO with native Solaris 10 sshd
I got everything working except SSO.
Any pointers to docs etc. would be appreciated.
Regards
erwin
Unjoin from Domain
I have installed VAS 4.0+ on Fedora and joined it to the domain. Can someone help with instructions to unjoin the Linux desktop from the domain?
thanks
Kerberos only SPNEGO with one way trust
users-allowed listing
Single Sign-On for Java 7 Not working
Hi,
We have been using winSSPI.dll on the client side from the 3.2 package. This DLL no longer works in JDK 7.
The exception trace is as follows:
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: OS name = 'Windows 7', version = '6.1'
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: isKerberosOS = true, isSessionKeySupported = true
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: calling native method ...
[winSSPI.dll] initialize
[winSSPI.dll] initialize: done
[INFO] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: Successfully initialized Windows SSPI
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: acquireCredentialsHandle: calling native method ...
[winSSPI.dll] acquireCredentialsHandle
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: loadCredential: result = 0
Attempting initContext with principal: HTTP/appsec001.gaia.net.intra
initContext failed with principal: HTTP/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
Attempting initContext with principal: HOST/appsec001.gaia.net.intra
initContext failed with principal: HOST/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
initContext failed with all attempted principals
java.security.PrivilegedActionException: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:373)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
at weblogic.security.Security.runAs(Security.java:61)
at security.role.TestKerberosEJBCall.main(TestKerberosEJBCall.java:32)
Caused by: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
at com.quest.vsj.weblogic.login.EjbClientKerberosLoginModule.login(EjbClientKerberosLoginModule.java:107)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
at security.role.TestKerberosEJBCall$1.run(TestKerberosEJBCall.java:35)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
... 3 more
Any ideas whether a newer version or patch supports both 64-bit and 32-bit JDK 7?
Thanks in advance.
vastool flush - Loading user cache error
Does anyone have a list of the "Loading users cache" errors?
I did a vastool flush and received the following error:
Loading users cache: ..... Error while loading user cache: 16
I found some of the other error numbers on Google (12, 14, 22), but I couldn't find 16.
VAS login failed
Hello everyone,
One of my Solaris servers quite often can't log in. Even after I ran "vastool flush", the user still can't log in via VAS. Sometimes it prompts an error when flushing:
vasd stopped
Flushing auth cache: OK
Could not load caches - Authentication failed, error = VAS_ERR_NOT_FOUND: Not found
Caused by:
VAS_ERR_KRB5: Failed to obtain credentials. Keytab: , Client: CRS-CCH-APS-003$@UAS.LOCAL, Service: krbtgt/UAS.LOCAL@UAS.LOCAL, Server: cs-2k3-vas002.uas.local
Caused by:
KRB5KDC_ERR_PREAUTH_FAILED (-1765328360): Preauthentication failed
It appears that the computer object has not yet replicated to the Global Catalog.
vasd will stay in disconnected mode until this replication takes place.
You do not need to rejoin this computer.
fork_ns_ipc_handler_process: Could not load NS caches - Authentication failed,error = VAS_ERR_NOT_FOUND: Not found
Caused by:
VAS_ERR_KRB5: Failed to obtain credentials. Keytab: , Client: CRS-CCH-APS-003 $@UAS.LOCAL, Service: krbtgt/UAS.LOCAL@UAS.LOCAL, Server: cs-2k3-vas-002.uas.local
Caused by:
KRB5KDC_ERR_PREAUTH_FAILED (-1765328360): Preauthentication failed
Waiting for computer object to be replicated throughout the domain.
The NS IPC handler will be in disconnected mode until the replication takes place.
The only thing I can do is rejoin AD.
I checked the message log, and the following error was also found.
vasd[10847]: [ID 608781 daemon.error] password_policy_interval: Failed to locally initialize context and id, will not be able to update password policy. result=2
Is there anything going wrong?
what does use-dns-srv
Kerberos Error: Message Stream modified
I'm using SSO with BOXIR2, which uses VSJ.
The SSO was working fine until one day SSO stopped with the error messages below:
So how do I fix this kind of error?
5609 http-8080-Processor25 ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
5609 http-8080-Processor25 ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication - GSSException Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
5609 http-8080-Processor25 WARN com.crystaldecisions.sdk.occa.security.internal.LogonService - doUserLogon(): failed to logon, logoninfo=user:xxx%xxx,method:GSSCredential,auth=secWinAD,aps=xxx.xx.com
com.crystaldecisions.sdk.exception.SDKException$SecurityError: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department.
cause:GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
detail:The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department.
The exception originally thrown was GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.b.a(Unknown Source)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.d.a(Unknown Source)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.d.continueLogin(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.a(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.a(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.userLogon(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.l.userLogon(Unknown Source)
at com.crystaldecisions.sdk.framework.internal.d.logon(Unknown Source)
at com.crystaldecisions.ePortfolio.framework.logon.LogonAction.singleSignOn(LogonAction.java:406)
at com.crystaldecisions.ePortfolio.framework.logon.LogonAction.autoWrapExceptionPerform(LogonAction.java:525)
at com.crystaldecisions.ePortfolio.framework.common.AutoWrapExceptionAction.process(AutoWrapExceptionAction.java:62)
at com.crystaldecisions.webapp.struts.framework.AbstractEnterpriseAction.perform(AbstractEnterpriseAction.java:38)
at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)
VAS_ERR_INVALID_PARAM: Invalid unix name
Hi all,
I'm having trouble when users come from domains other than the web server's domain.
I'm using VAS 3.6.8.1
Here's the error we're getting:
[Tue Dec 17 14:39:07 2013] [debug] mod_auth_vas.c(1339): [client 10.10.10.10] [mod_auth_vas] auth_vas_cleanup_request
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(2312): [client 10.10.10.10] [mod_auth_vas] auth_vas_check_user_id: auth_type=VAS
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(2359): [client 10.10.10.10] [mod_auth_vas] Got: 'Authorization: Basic [...]'
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(2422): [client 10.10.10.10] [mod_auth_vas] apr_base64_decode returned 25 btyes
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(1154): [client 10.10.10.10] [mod_auth_vas] do_basic_accept
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(1194): [client 10.10.10.10] [mod_auth_vas] check_password: user='DOMAIN2\\USER1'
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(1416): [client 10.10.10.10] [mod_auth_vas] rnote_get: creating rnote
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(1367): [client 10.10.10.10] [mod_auth_vas] initialize_user
[Tue Dec 17 14:39:33 2013] [error] [client 10.10.10.10] [mod_auth_vas] initialize_user: Failed to initialize user for DOMAIN2\\USER1: VAS_ERR_INVALID_PARAM: Invalid unix name DOMAIN2\\USER1
The server is located at DOMAIN1
And the user which is trying to access the website is on DOMAIN1
Here's my VAS Conf:
<Directory />
Options FollowSymLinks
AllowOverride None
# Enable VAS authentication for entire site:
AuthType VAS
AuthVasRemoteUserMap ldap-attr sAMAccountName
AuthVasAuthoritative On
AuthVasUseNegotiate On
# If client cannot negotiate, fall back on basic authentication
AuthVasUseBasic On
AuthName "your Windows account"
# The criteria for accessing these web page
Require user USER1
Order deny,allow
Deny from all
</Directory>
I need to be able to authenticate users from DOMAIN1 and DOMAIN2
Regards,
Obed N Munoz
Login using VAS only possible with userid in capital letters
Hi,
I am pretty new to VAS and we have an issue on one system where we are only able to log in using our userid in capital letters. On other systems we are perfectly able to log in using lowercase.
Is this a config I can change or is this a known issue?
Thanks,
QAS - Using Text Replacement Macros in GPO Dynamic File Copy Source Path ?
Working with a customer where there are a large number of Unix hosts that require differing "user-override" files applied, i.e. for the same AD user, apply different overrides on different hosts.
While it is possible to deploy the user-override files when the host is QAS joined to AD, we would prefer to use the GPOs applied to the hosts to deploy the files/overrides so that they can then be centrally managed and eventually removed once the "dirty" user config has been resolved.
It appears that it is not possible to use a Text Replacement Macro in a GPO in the source path for the Dynamic File Copy? I'd like to set up a per-host sub directory and have a single GPO used to copy the correct file from the host-specific subdirectory to the host, e.g. \somepath\%hostname%\user-override. A text replacement macro is then used to determine which file gets copied to the host when the policy is applied . . .
Looking at the GPO directory structure on SYSVOL on the DC after a Dynamic File Copy has been defined, it simply places the source file in a flat directory structure . . .
Any ideas on how this can be accomplished without having to create a separate GPO per host . . .
TIA
Processing order of user-overrides if directory is used
I'm looking at putting together a solution for a rather complex user-override situation, using the user-override-directory.
I've configured vasd to use the directory, and it appears to do so; however . . . there is no indication of what order the files in the directory are processed / searched. I've tried experimenting with file names to see if it's alphanumeric based on file name; however, that does not seem to be the case . . .
The man pages seem to indicate that the files are processed until a match is reached. If so . . . how can I determine the order of file searching?
E.g. if a user has two different overrides defined in two files in the directory, which one is used?
Added log file showing weird, unpredictable processing of files.
TIA
2 Apache instances running with different Service Account
Hi all,
I'm having trouble with one of 2 Apache instances. The VHOST seems to take the HTTP.keytab and Server Principal configuration well at the startup of the Apache service.
But on the first web request, it seems like it's not accepting the HTTP.keytab location defined at the beginning and is trying to look in the default location.
I'm using the AuthVasKeytabFile directive to define the location of the file.
[Thu Sep 19 11:05:17 2013] [debug] mod_auth_vas.c(2312): [client 1.1.1.1] [mod_auth_vas] auth_vas_check_user_id: auth_type=VAS
[Thu Sep 19 11:05:17 2013] [debug] mod_auth_vas.c(2342): [client 1.1.1.1] [mod_auth_vas] sending initial negotiate headers
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(2312): [client 1.1.1.1] [mod_auth_vas] auth_vas_check_user_id: auth_type=VAS
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(2359): [client 1.1.1.1] [mod_auth_vas] Got: 'Authorization: Negotiate [...]'
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1457): [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: line='YIIIUQYGKwYBBQUCoIIIRTCCCEGgMDAu...'
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1469): [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: server keytab: /nfs/path/HTTP.keytab
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1470): [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: server principal: HTTP/myhost.com
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1416): [client 1.1.1.1] [mod_auth_vas] rnote_get: creating rnote
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1498): [client 1.1.1.1] [mod_auth_vas] calling vas_gss_spnego_accept, base64 token_size=2844
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1513): [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: server keytab /nfs/path/HTTP.keytab
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1367): [client 1.1.1.1] [mod_auth_vas] initialize_user
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1395): [client 1.1.1.1] [mod_auth_vas] initialize_user: Remote user principal name is user@mydomain.com
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(2922): [client 1.1.1.1] [mod_auth_vas] set_remote_user: setting REMOTE_USER for user@mydomain.com
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(2936): [client 1.1.1.1] [mod_auth_vas] set_remote_user: setting REMOTE_USER variable using ldap-attr sAMAccountName name mapping
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(492): [client 1.1.1.1] [mod_auth_vas] set_user_obj
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(2655): [client 1.1.1.1] [mod_auth_vas] set_remote_user_attr: Using VAS cache for lookup of sAMAccountName attribute
[Thu Sep 19 11:05:18 2013] [info] [client 1.1.1.1] [mod_auth_vas] Remote user set from user@mydomain.com to user (attribute sAMAccountName)
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(2944): [client 1.1.1.1] [mod_auth_vas] set_remote_user: Mapped user to juancgox using ldap-attr sAMAccountName name mapping
[Thu Sep 19 11:05:18 2013] [error] [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: auth_vas_user_use_gss_result failed: VAS_ERR_CRED_NEEDED: Unable to find a keytab entry in /etc/opt/quest/vas/HTTP.keytabfor HTTP/myhost.com
[Thu Sep 19 11:05:18 2013] [error] [client 1.1.1.1] [mod_auth_vas] auth_vas_user_use_gss_result: unknown routine error
[Thu Sep 19 11:05:18 2013] [error] [client 1.1.1.1] [mod_auth_vas] auth_vas_user_use_gss_result: Success
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1339): [client 1.1.1.1] [mod_auth_vas] auth_vas_cleanup_request
Thanks in advance for your help,
Regards,
Obed N Munoz
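The log above shows a virtual host that was configured with one keytab (/nfs/path/HTTP.keytab) but whose GSS result was validated against the default /etc/opt/quest/vas/HTTP.keytab, where HTTP/myhost.com has no entry. Before touching keytabs, it helps to know exactly which keytab and service principal each vhost in the httpd configuration ends up with, explicitly or by inheritance from the server-level context. The script below is an added example, not part of mod_auth_vas and not the poster's configuration. The directive AuthVasKeytabFile and the default keytab path come from the post; AuthVasServerPrincipal is an existing mod_auth_vas directive name used here on the assumption that it is the "Server Principal configuration" the post refers to. The sample httpd fragment is constructed.

```python
"""Audit which keytab and service principal each Apache <VirtualHost> ends up
using with mod_auth_vas.  Added example, not mod_auth_vas code.

AuthVasKeytabFile and the default keytab path are taken from the post;
AuthVasServerPrincipal is assumed to be the principal directive in use.
Only two directives are checked, so this is a plain line parser rather than
a full Apache config parser (no Include, no nested containers).
"""
import re

DEFAULT_KEYTAB = "/etc/opt/quest/vas/HTTP.keytab"   # path from the error line in the post

# Constructed sample, not the poster's httpd.conf.
SAMPLE_CONFIG = """\
# server-level context
AuthVasKeytabFile /etc/opt/quest/vas/HTTP.keytab
<VirtualHost *:443>
    ServerName myhost.com
    AuthVasKeytabFile /nfs/path/HTTP.keytab
    AuthVasServerPrincipal HTTP/myhost.com
</VirtualHost>
<VirtualHost *:8443>
    ServerName otherhost.com
    # no AuthVas* directives here: inherits the server-level keytab
</VirtualHost>
"""

BLOCK_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def _directives(text):
    """Collect 'Directive value' pairs (lower-cased directive names), ignoring
    comments and container tags.  A later occurrence overrides an earlier one."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0].lower()] = parts[1].strip()
    return found


def audit_keytabs(config_text):
    """Return {vhost: {"keytab": path, "principal": name|None, "inherited": bool}}.

    A vhost without its own AuthVasKeytabFile inherits the server-level one,
    or the module default when the server level sets none either."""
    server_level = _directives(BLOCK_RE.sub("", config_text))
    base_keytab = server_level.get("authvaskeytabfile", DEFAULT_KEYTAB)
    report = {}
    for match in BLOCK_RE.finditer(config_text):
        addr, body = match.groups()
        d = _directives(body)
        name = d.get("servername", addr.strip())
        report[name] = {
            "keytab": d.get("authvaskeytabfile", base_keytab),
            "principal": d.get("authvasserverprincipal"),
            "inherited": "authvaskeytabfile" not in d,
        }
    return report


def findings(report):
    """Flag vhosts whose principal/keytab pairing is only implicit."""
    out = []
    for name, info in report.items():
        if info["principal"] and info["inherited"]:
            out.append(f"{name}: principal {info['principal']} set but keytab "
                       f"inherited from server level ({info['keytab']})")
        if info["principal"] is None:
            out.append(f"{name}: no AuthVasServerPrincipal set; relies on the default principal")
    return out


if __name__ == "__main__":
    result = audit_keytabs(SAMPLE_CONFIG)
    for vhost, info in result.items():
        print(vhost, info)
    for line in findings(result):
        print("finding:", line)
```

With the real httpd.conf as input, the vhost that logged the VAS_ERR_CRED_NEEDED error should show the /nfs keytab as explicit; if it shows `inherited`, the directive is in a context the request never reaches, which is the first thing to rule out before comparing keytab contents.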
QAS and NTLMV2
We're getting ready to switch over to NTLMv2 exclusively in the AD world ... are there any negative implications for a mixed deployment of mostly QAS 4.x with a few 3.x stragglers in the mix?