Channel: Software Communities : Popular Discussions - All Things Unix

VAS_ERR_INVALID_PARAM: Invalid unix name

Hi all,

I'm having trouble with users from domains other than the web server's domain.

I'm using VAS 3.6.8.1.

Here's the error we're getting:

[Tue Dec 17 14:39:07 2013] [debug] mod_auth_vas.c(1339): [client 10.10.10.10] [mod_auth_vas] auth_vas_cleanup_request
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(2312): [client 10.10.10.10] [mod_auth_vas] auth_vas_check_user_id: auth_type=VAS
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(2359): [client 10.10.10.10] [mod_auth_vas] Got: 'Authorization: Basic [...]'
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(2422): [client 10.10.10.10] [mod_auth_vas] apr_base64_decode returned 25 btyes
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(1154): [client 10.10.10.10] [mod_auth_vas] do_basic_accept
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(1194): [client 10.10.10.10] [mod_auth_vas] check_password: user='DOMAIN2\\USER1'
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(1416): [client 10.10.10.10] [mod_auth_vas] rnote_get: creating rnote
[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(1367): [client 10.10.10.10] [mod_auth_vas] initialize_user
[Tue Dec 17 14:39:33 2013] [error] [client 10.10.10.10] [mod_auth_vas] initialize_user: Failed to initialize user for DOMAIN2\\USER1: VAS_ERR_INVALID_PARAM: Invalid unix name DOMAIN2\\USER1

The server is located in DOMAIN1, and the user who is trying to access the website is in DOMAIN1.

Here's my VAS config:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    # Enable VAS authentication for the entire site:
    AuthType VAS
    AuthVasRemoteUserMap ldap-attr sAMAccountName
    AuthVasAuthoritative On
    AuthVasUseNegotiate On
    # If the client cannot negotiate, fall back on basic authentication
    AuthVasUseBasic On
    AuthName "your Windows account"

    # The criteria for accessing these web pages
    Require user USER1
    Order deny,allow
    Deny from all
</Directory>

 

I need to be able to authenticate users from DOMAIN1 and DOMAIN2.

 

Regards,

Obed N Munoz


Single Sign-On for Java 7 Not working

Hi,

We have been using winSSPI.dll on the client side from the 3.2 package. This DLL no longer works in JDK 7.

The exception trace is as follows:

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: OS name = 'Windows 7', version = '6.1'
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: isKerberosOS = true, isSessionKeySupported = true
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: calling native method ...
[winSSPI.dll] initialize
[winSSPI.dll] initialize: done
[INFO] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: Successfully initialized Windows SSPI
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: acquireCredentialsHandle: calling native method ...
[winSSPI.dll] acquireCredentialsHandle
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: loadCredential: result = 0
Attempting initContext with principal: HTTP/appsec001.gaia.net.intra
initContext failed with principal: HTTP/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
Attempting initContext with principal: HOST/appsec001.gaia.net.intra
initContext failed with principal: HOST/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
initContext failed with all attempted principals
java.security.PrivilegedActionException: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:373)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
    at weblogic.security.Security.runAs(Security.java:61)
    at security.role.TestKerberosEJBCall.main(TestKerberosEJBCall.java:32)
Caused by: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
    at com.quest.vsj.weblogic.login.EjbClientKerberosLoginModule.login(EjbClientKerberosLoginModule.java:107)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
    at security.role.TestKerberosEJBCall$1.run(TestKerberosEJBCall.java:35)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
    ... 3 more

Any ideas whether any newer version or patch supports JDK 7, both 64- and 32-bit?

 

Thanks in advance.

FATAL ERROR: Server unexpectedly closed network connection in using Plink

Hi,

Could anyone please let me know why this error is occurring randomly while using Plink? Some days it works fine, and suddenly it stops working with this error message:

FATAL ERROR: Server unexpectedly closed network connection

I am using the command below:

"C:\Program Files\PuTTY\plink.exe" -load MyProfile -ssh -x -a -t -l userID HostName Command

Thanks,
Megha

Stuck with kerberos authentication to Sharepoint

I have to connect to an MS IIS server using a SPNEGO token with a Kerberos ticket inside, exactly as Internet Explorer does it.

If I use Java's GSSManager.initiateContext(), it does request tickets, but with incorrect KDCOptions, dates and some other params I cannot control.

I tried the com.dstc.security lib, and was able to get tickets exactly as Internet Explorer does with a couple of lines:

// prepare the required KDCOptions (kdo), ticket end time (d) and REALM first
Credential tgt = kerberos.requestTicketGrantingTicket(new KerberosPassword(password.getBytes()), kdo, new Date(), d, new InetAddress[] {InetAddress.getByName("somename")}, null);
Credential srvt = kerberos.requestServiceTicket(tgt, new PrincipalName(2, "HTTP/server.domain.net"), REALM, kdo);

But how can I use these credentials or tickets to create a SPNEGO token the same as I can get with GSSManager.initiateContext()?

VAS User Group Membership Issues

Hello everybody,

I have been working on this issue for a while now, and I am having no luck.

I am having an issue with Quest (VAS) authentication and user groups.

I am having an issue where a user can log into a RedHat server with no issues, but they cannot access a specific directory owned by a group (Permission Denied).

As root, I do a vastool flush on the server, and then I "su -" to the user. At that point I can access the directory with no issues.

I do an "id" command, and I see the user is a member of about 11 groups.

Now for the fun part...

I tell the user it is fixed, and then they LOGIN.

Of course, they can't access the directory. I log into the server and "su -" to the user and, sure enough, the user can't access the directory.

I run the "id" command again, and this time the user is showing as a member of a much larger number of groups.

I assume the directory access could be due to the user being a member of too many groups (even though one of the groups is the group they need).

I have tried to flush several times. I have even unjoined/rejoined the server. Still the same behavior: I do a flush as root and access is okay until the user logs in.

Then the number of groups the user is a member of increases and access is denied.

I assume that VAS calls the AD information differently during the login process versus root doing a "su -" to the user.

Has anyone seen this issue before?

I've tried about everything, so any help would be appreciated.

Thanks,

Chuck

VAS-Authentication without HTTP/ -Service-Account?

Hi everybody!

I am trying to bring up VAS authentication for one of our web servers. The machine has been joined to our AD previously and UNIX user authentication is working fine.

Unfortunately our rights in AD are pretty restricted; I am not able to create anything but machine accounts in AD, so the setup script fails to create the HTTP/ service account.

Is there any way to use the machine account to authenticate users without having to create an HTTP/ service account?

vastool flush - Loading user cache error

Does anyone have a list of the "Loading users cache" errors?

I did a vastool flush and received the following error:

     Loading users cache: ..... Error while loading user cache: 16

I found some of the other error numbers on Google (12, 14, 22), but I couldn't find 16.

Unlock AD Entry via Vastool & Keytab

I have a number of lightly used systems which periodically get locked out of Active Directory (I'm not certain of the cause; perhaps they're not changing their password quickly enough). Anyway, I was wondering if there's a way to unlock them using vastool and the keytab which created them (since it has access to that object in the OU).

The specific error I'm seeing is:
<<<<<
# vastool flush
Flushing auth cache: OK
Could not load caches- Authentication failed, error = VAS_ERR_NOT_FOUND: Not found
   Caused by:
   VAS_ERR_KRB5: Failed to obtain credentials. Keytab: , Client: IAE2-LZ$@ENT.X.CORP, Service: krbtgt/ENT.X.CORP@ENT.X.CORP
   Caused by:
   KRB5KDC_ERR_CLIENT_REVOKED (-1765328366): Clients credentials have been revoked

It appears that the computer object has not yet replicated to the Global Catalog.
vasd will stay in disconnected mode until this replication takes place.
You do not need to rejoin this computer.
>>>>>

An unjoin/rejoin does resolve the problem, as does unlocking them in AD via some Windows admin tools. However, I was hoping for a more graceful solution than unjoin/join which I can run from the command line.



using vastool to perform LDAP queries

Pardon me if there is another subject related to this question already.

I am a recent QAS/VAS customer, and am performing discovery and preparation to convert all AIX/Linux boxes in our environment to leverage AD with QAS.

We have about 1200 users across several hundred servers, and I have created a de-duplicated list of all users across all UNIX boxes.

I want to know if there's a way with vastool or some other tool to query the Domain Controller and find out which users are "disabled" in AD, and also find out which users do not have a match in AD.

Some users will have the same UNIX username as their SAM account name in AD, some will not; this will help me to find out which ones I need to have special cases for, and which are valid users that I need to UNIX-enable in AD. Identifying the disabled users would allow me to remove potentially hundreds of users from my master user list and also clean them off locally on all the UNIX boxes.

I'm not very experienced, but it seems like some form of "vastool search" might be able to provide such information?
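As an added illustration (not part of the post, and not vastool's own tooling), the matching the poster describes, done over constructed sample data: a de-duplicated UNIX user list is sorted against AD records by sAMAccountName, and the ACCOUNTDISABLE bit of userAccountControl decides "disabled"; the record names and values are constructed, and the function names are chosen here.

```python
# Added example (not from the post or from vastool): sort a de-duplicated list
# of UNIX usernames against AD user records. Matching is on sAMAccountName;
# "disabled" means the ACCOUNTDISABLE bit (0x2) of userAccountControl is set.
# The AD records below are constructed sample data standing in for the output
# of a directory search; disabled_users_filter() gives the LDAP filter that
# search would use to return only disabled accounts.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

UAC_ACCOUNTDISABLE = 0x0002                      # userAccountControl bit
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def disabled_users_filter() -> str:
    """LDAP filter selecting user objects whose ACCOUNTDISABLE bit is set."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_ACCOUNTDISABLE}))")


@dataclass(frozen=True)
class ADUser:
    sam_account_name: str
    user_account_control: int
    uid_number: Optional[int] = None     # None: not yet UNIX-enabled

    @property
    def disabled(self) -> bool:
        return bool(self.user_account_control & UAC_ACCOUNTDISABLE)


def classify_unix_users(unix_users: Iterable[str],
                        ad_users: Iterable[ADUser]) -> Tuple[List[str], List[str], List[str]]:
    """Return (enabled, disabled, unmatched) UNIX usernames, each sorted.

    sAMAccountName is case-insensitive in AD while UNIX names are not, so the
    comparison folds case; a match that differs only in case is still a
    candidate for the "special case" list the poster mentions.
    """
    by_sam = {u.sam_account_name.lower(): u for u in ad_users}
    enabled, disabled, unmatched = [], [], []
    for name in sorted(set(unix_users)):
        ad_user = by_sam.get(name.lower())
        if ad_user is None:
            unmatched.append(name)
        elif ad_user.disabled:
            disabled.append(name)
        else:
            enabled.append(name)
    return enabled, disabled, unmatched


# Constructed sample data: 0x200 is NORMAL_ACCOUNT; 0x202 adds ACCOUNTDISABLE.
SAMPLE_AD_USERS = [
    ADUser("jdoe", 0x200, 1001),
    ADUser("hwho", 0x202, 1002),
    ADUser("Svc_Backup", 0x200),
]
SAMPLE_UNIX_USERS = ["jdoe", "hwho", "svc_backup", "oldadmin", "jdoe"]

if __name__ == "__main__":
    enabled, disabled, unmatched = classify_unix_users(SAMPLE_UNIX_USERS, SAMPLE_AD_USERS)
    print("enabled:  ", enabled)      # ['jdoe', 'svc_backup']
    print("disabled: ", disabled)     # ['hwho']
    print("unmatched:", unmatched)    # ['oldadmin']
    print(disabled_users_filter())
```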

Netgroups using AD native groups

I have posed this to VAS product management (Eyes, Wilson) but interested to see other interest in supporting netgroups from native AD groups, i.e. a netgroup triple exposed from NSS but data held in native AD groups rather than rfc2307 netgroup objects.

Any potential gotchas with this solution (apart from the fact that AD becomes one "NIS" domain and a flat namespace for netgroups)? Do any platforms not support netgroups through NSS for anything other than NIS? I am not talking about using the NIS ypdaemon but the equivalent of nss_ldap.

Since netgroups are the UNIX equivalent of AD distribution groups and do not impact gid security group limits this appears to be an interesting option.

NTLM SMB issue - Could not get valid NTLM challenge from ........

I'm trying to debug an issue with NTLM fallback. I have the filter configured correctly, as per our other deployments.

I'm able to authenticate users correctly using Kerberos, but I have noticed in the logs an issue with NTLM.

This was discovered because of a Java applet which is posting back to the server; the applet is not using Kerberos but NTLM to authenticate the user.

The application server is Tomcat 5, using Quest VSJ "VSJ Standard Edition 3_3 Patch 3548".

From what can be seen in the server logs, QuestSSO performs a DNS lookup and attempts to connect to all of the GCs which are returned.

Example:
- Starting Coyote HTTP/1.1 on http-80
- JK: ajp13 listening on /0.0.0.0:8009
- Jk running ID=0 time=0/47  config=null
- Host server1.domain.ltd/1.1.1.1:389 appears to be down
- Could not get valid NTLM challenge from server1.domain.ltd/1.1.1.1
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server2.domain.ltd/1.1.1.2:389 appears to be down
- Could not get valid NTLM challenge from server2.domain.ltd/1.1.1.2
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server3.domain.ltd/1.1.1.3:389 appears to be down
...
... etc


I have enabled the debug level and log4j configuration, but this is not showing any errors.

I have used PortQry.exe to scan the AD servers and they are accessible.

What can I do to move forward? Any ideas?

Not seeing correct AD group membership using vastool

We have an AD group 'foo'. User Abe is added to it using AD tools.

I cannot see this user in the group using vastool on Solaris. And of course the user cannot log in.

$ vastool list groups | grep foo
foo:VAS:2010:john.doe@na.company.com,harry.who@na.company.com
$

I've executed vastool flush to no effect.

What am I doing wrong?

VASD Errors

When running vas_status.sh, I am getting this a lot with version 4.1.20185:

FAILURE: 721 In-consistent access control ALLOW cache

What does this mean, and is it fatal?

Would it also be possible to get a doc on the error numbers and their meaning? I understand if this may not be a GA doc...

Thanks, Scott

4.0.3 bug fixed in 4.1?

Was bug defect 25868 resolved in QAS 4.1? error: vasd: Fixed segfault in LDAP handler on certain group updates.

QAS uidnumber generation

We use ActiveRoles and Authentication Services to administer UNIX user attributes, and our UNIX admins are having trouble with uidnumber reuse. For example, a uidnumber assigned to a previous user who is no longer in AD is being reassigned to a new user. Apparently this reuse is occurring fairly soon after the previous user has left.

Our original uidnumber space was imported from a separately managed UNIX environment, where the uidnumbers were previously assigned. QAS was not used to generate these original uidnumbers. Within QAS we have the minimum uidnumber set to 1000 and the maximum to 64000.

How do the different methods of generating a unique ID work? Do they always start at the minimum value and work up to find an available uidnumber to assign to a new user? Can it be configured to start at the last assigned uidnumber and work up, until it gets to the maximum possible uidnumber before starting again at the minimum value?
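As an added example (a model written for this page, not QAS's implementation), here are the two allocation strategies the question contrasts, with a small scenario showing when a departed user's uidnumber is handed straight to a newcomer; the class names and sample users are assumptions, and only the 1000..64000 range comes from the post.

```python
# Added example (a model, not QAS code): the two uidNumber allocation
# strategies the post asks about, side by side. "lowest-free" rescans from the
# minimum on every allocation and hands a departed user's uidNumber to the very
# next new user; "next-after-last" continues from the last assigned value and
# wraps to the minimum only after reaching the maximum, so a freed number is
# not reused until the whole range has been cycled. QAS's real behaviour is not
# stated here; the 1000..64000 range is the one given in the post.
from typing import Dict, Optional

UID_MIN, UID_MAX = 1000, 64000


class LowestFreeAllocator:
    """Always returns the smallest unused uidNumber in [lo, hi]."""

    def __init__(self, lo: int = UID_MIN, hi: int = UID_MAX):
        self.lo, self.hi = lo, hi
        self.in_use: Dict[int, str] = {}   # uidNumber -> owner

    def allocate(self, user: str) -> Optional[int]:
        for uid in range(self.lo, self.hi + 1):
            if uid not in self.in_use:
                self.in_use[uid] = user
                return uid
        return None  # range exhausted

    def release(self, uid: int) -> None:
        self.in_use.pop(uid, None)      # owning account deleted from AD


class NextAfterLastAllocator(LowestFreeAllocator):
    """Continues from the last assigned uidNumber and wraps to lo after hi."""

    def __init__(self, lo: int = UID_MIN, hi: int = UID_MAX,
                 last_assigned: Optional[int] = None):
        super().__init__(lo, hi)
        # Seed with the highest uidNumber imported from the legacy UNIX
        # environment so allocation does not restart below existing users.
        self.last = last_assigned if last_assigned is not None else lo - 1

    def allocate(self, user: str) -> Optional[int]:
        span = self.hi - self.lo + 1
        for step in range(1, span + 1):
            uid = self.lo + (self.last - self.lo + step) % span
            if uid not in self.in_use:
                self.in_use[uid] = user
                self.last = uid
                return uid
        return None


def reuse_demo(allocator: LowestFreeAllocator) -> dict:
    """Import three users, delete one, add a newcomer; report whether the
    newcomer inherited the freed uidNumber (and with it any files still
    owned by that number on the UNIX hosts)."""
    legacy = {name: allocator.allocate(name) for name in ("alice", "bob", "carol")}
    allocator.release(legacy["bob"])       # bob leaves and is removed from AD
    new_uid = allocator.allocate("dave")   # dave is UNIX-enabled soon after
    return {"freed": legacy["bob"], "new": new_uid, "reused": new_uid == legacy["bob"]}


if __name__ == "__main__":
    print("lowest-free:    ", reuse_demo(LowestFreeAllocator()))
    print("next-after-last:", reuse_demo(NextAfterLastAllocator()))
```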


facing issue while upgrading our code to weblogic 10.3.2

We are migrating from WebLogic 8.1 to 10.3.2. I have deployed the same WAR file from WebLogic 8.1 to WebLogic 10.3.2. The app is coming up fine in WebLogic 10.3.2 and it is doing the initial SSO authentication fine.

We have an applet in our application which downloads some JAR files from the server. Now, while the applet is downloading the file from the server in WebLogic 10.3, it throws an NTLM exception. The same code is working fine in WebLogic 8.1. Do I need to do any additional settings in WebLogic 10.3?

I am new to Vintela; can anyone help me?

Jar file we are using: vsj-standard-3.3.jar

Exception:
=======
    Request: /lib/dnd-applet.jar
    Remote: 10.210.56.140
    Principal: HTTP/Auswlpcnsit01.aus.amer.dell.com@AMER.DELL.COM
    Message: Could not authorize request: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM token is Type 3 but we have no saved challenge:  "NTLM TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAABAAEABIAAAADAAMAFgAAAAWABYAZAAAAAAAAACqAAAABQIAAgUBKAoAAAAPQQBNAEUAUgBJAEMAQQBTAEoAXwBEAHUAawBlAFcAWABQAC0AMgBWAFEASABSAEIAMQCcsZ4eels1AB76mPMMdM3uBWBTZGq2iQfV1QpG10BiZNtSphIQ7ifZ34gHaOxnj2k="
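The token in that message can be inspected to see exactly what the server rejected. The following is an added example (not VSJ code and not from the post): it decodes the NTLMSSP header of the quoted token using the message layout from MS-NLMP and models the precondition the exception names; parse_ntlm_header and server_can_verify are names chosen here.

```python
# Added example (not VSJ code and not from the post): decode the header of the
# NTLM token quoted in the exception above. Every NTLMSSP message (MS-NLMP)
# begins with the 8-byte signature "NTLMSSP\0" and a 4-byte little-endian
# MessageType: 1 = Negotiate, 2 = Challenge, 3 = Authenticate. A Type 3 is
# only meaningful as the reply to a Type 2 challenge the same server issued
# earlier on the same connection; if that challenge is no longer held (new
# connection, different backend, client skipped Type 1) the server cannot
# verify the response, which is the "no saved challenge" condition logged.
import base64
import struct
from typing import Dict, Optional

# Token copied from the log line quoted in the post (the part after "NTLM ").
TOKEN_FROM_LOG = (
    "TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAABAAEABIAAAADAAMAFgAAAAWABYAZAAAAAAAAACqAAAABQIAAgUBKAoAAAAP"
    "QQBNAEUAUgBJAEMAQQBTAEoAXwBEAHUAawBlAFcAWABQAC0AMgBWAFEASABSAEIAMQCcsZ4eels1AB76mPMMdM3uBWBTZGq2iQfV1QpG10BiZNtSphIQ7ifZ34gHaOxnj2k="
)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# The six (Len, MaxLen, BufferOffset) descriptors of a Type 3 message, in order.
TYPE3_FIELDS = ("LmChallengeResponse", "NtChallengeResponse", "DomainName",
                "UserName", "Workstation", "EncryptedRandomSessionKey")


def parse_ntlm_header(token_b64: str) -> Dict[str, object]:
    """Return message type and, for Type 3, field sizes, flags and client OS."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info: Dict[str, object] = {"type": msg_type, "length": len(raw),
                               "type_name": MESSAGE_TYPES.get(msg_type, "UNKNOWN")}
    if msg_type == 3:
        if len(raw) < 64:
            raise ValueError("truncated AUTHENTICATE message")
        fields = {}
        for i, name in enumerate(TYPE3_FIELDS):
            length, _maxlen, offset = struct.unpack_from("<HHI", raw, 12 + 8 * i)
            fields[name] = {"len": length, "offset": offset}
        flags = struct.unpack_from("<I", raw, 60)[0]
        info["fields"], info["flags"] = fields, flags
        if flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 72:
            major, minor, build = struct.unpack_from("<BBH", raw, 64)
            info["client_os_version"] = f"{major}.{minor}.{build}"
        # 24 bytes is the fixed NTLMv1 NtChallengeResponse size; NTLMv2
        # responses carry a variable-length blob and are always longer.
        info["nt_response_is_v1_sized"] = fields["NtChallengeResponse"]["len"] == 24
    return info


def server_can_verify(token_b64: str, saved_challenge: Optional[bytes]) -> bool:
    """The precondition the exception names: a Type 3 needs the stored challenge."""
    return parse_ntlm_header(token_b64)["type"] != 3 or saved_challenge is not None


if __name__ == "__main__":
    details = parse_ntlm_header(TOKEN_FROM_LOG)
    print(details["type_name"], details.get("client_os_version"), details["fields"])
    print("verifiable with no saved challenge:", server_can_verify(TOKEN_FROM_LOG, None))
```

The field offsets the decoder prints chain end to end (domain, user, workstation, then the two 24-byte responses), which is a quick sanity check that the token was not truncated in transit.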


quest-vasidmap.1.1.0.181 and AIX 6.1

Hi,
We should be implementing VAS authentication with Samba support on our AIX 6.1 (ClearCase server). AIX 6.1 is _required_ for other reasons and cannot be downgraded.

Quest Samba installs OK:
  quest-samba.adt           3.0.34.0  COMMITTED  quest-samba 3.0.34 developer
  quest-samba.rte           3.0.34.0  COMMITTED  quest-samba 3.0.34 runtime

But quest-vasidmap.1.1.0.181.bff does not (smitty log):

Validating RPM package selections ...

+-----------------------------------------------------------------------------+
                          RPM  Error Summary:
+-----------------------------------------------------------------------------+
The following packages were requested for installation
but are not valid RPM packages:
quest-vasidmap.1.1.0.181.bff


Any hints/ideas?

Regards,
Kari Pulkkinen
