IBM DB2 LDAP Plugin and Vintela DB2 Security Plugin

June 29, 2009, 11:38 am

≪ Previous: quest-vasidmap.1.1.0.181 and AIX 6.1

What is the difference between the DB2 LDAP Plug in provided by IBM and DB2 Security Plug in for LDAP from Vintela? Are they the same product? We just converted our IBM SP MPP server from NIS to VAS and have been experiencing randomADM13001E errors during heavy usage on AIX 5.3 with UDB 9.5 (see DB2 log below).

2009-06-23-00.04.31.104862-240 I1220A477 LEVEL: ErrorPID : 4776414 TID : 4884 PROC : db2sysc 3INSTANCE: udbcdwp NODE : 003 DB : CDWPDBAPPHDL : 3-2246EDUID : 4884 EDUNAME: db2agent (CDWP) 3FUNCTION: DB2 Common, Security, Users and Groups, secValidatePasswordPlugin, probe:20DATA #1 : String, 94 bytesdb2ldapGetUserDN:LDAP search failed with ldap rc=81 (Can't contact LDAP server)user='cdwmgr' and 2009-06-23-00.50.36.538464-240 E155194A727 LEVEL: SeverePID : 4309120 TID : 772 PROC : db2acd 8INSTANCE: udbcdwp NODE : 008EDUID : 772 EDUNAME: db2acd 8FUNCTION: DB2 UDB, bsu security, sqlexGetDefaultLoginContext, probe:150MESSAGE : ADM13001E Plug-in "IBMLDAPauthclient" received error code "-1" from the DB2 security plug-in API "db2secGetDefaultLoginContext" with the error message "LDAP WhoAmI: can't determine LDAP user associated with OS user 'udbcdwp': LDAP error while searching for AuthID. Userid attribute='cn' AuthID attribute='cn' user objectClass='user' user base DN='dc=fhlmc,dc=com'".

Message was edited by: kgathmann

↧

vastool unjoin failed

July 1, 2009, 7:59 am

≫ Next: Unjoin from Domain

≪ Previous: IBM DB2 LDAP Plugin and Vintela DB2 Security Plugin

I'm getting a strange error when trying to unjoin a host from the domain:

[root@linux ~]# vastool -u host/ unjoin
Removing Computer from the Domain ... Failed
vastool unjoin failed - the host is still configured to use VAS.
ERROR: Could not unjoin from the domain.

I thought "vastool unjoin" was supposed to automatically unconfigure VAS as part of that process? Also, when I manually unconfigure pam and nss I still get the message so I'm not sure what this is all about.

Is it just that you can't unjoin a host using its keytab?

↧

Unjoin from Domain

March 11, 2012, 10:49 pm

≫ Next: wyse T50 problem with key "." layout pt-BR keyboard ABNT2

≪ Previous: vastool unjoin failed

Hi,

I have installed VAS 4.0+ on fedora and joined it to domain, can some one help with instructions to unjoin the linux desktop from the domain.

thanks

↧

wyse T50 problem with key "." layout pt-BR keyboard ABNT2

February 18, 2013, 7:29 am

≫ Next: QAS and FileVault on OS X

≪ Previous: Unjoin from Domain

I'm using Wyse T50 with brazilian ABNT2 keyboard(pt-BR) and the key "."(point) in numeric keyboard does work inside rdpclient. It works fine with console and other apps outside rdpclient but not inside. Using rdpclient with parameter --lx-debug helped to get the keycode 0x79 but I do not how to fix it. I installed Remmina/Rdesktop and all the keys works fine, so I guess the problem is with Wyse-rdpclient/RDP.

Any idea?

Thanks in advance

↧

QAS and FileVault on OS X

January 8, 2013, 9:14 am

≫ Next: using vastool to perform LDAP queries

≪ Previous: wyse T50 problem with key "." layout pt-BR keyboard ABNT2

Is there a way to use FileVault on OS X Mountain Lion with QAS? I mean so that the AD user can be selected during boot for the FileVault authentication.

Thanks,

Nils

↧

using vastool to perform LDAP queries

March 31, 2010, 3:00 pm

≫ Next: Using Cached Kerberos Ticket to Authenticate SMB Share

≪ Previous: QAS and FileVault on OS X

Pardon me if there is another subject related to this question already./

I am a recent QAS/VAS customer, and am performing discovery and preperation to convert all AIX/Linux boxes in our environment to leverage AD with QAS.

We have about 1200 users across several hundred servers, and i have created a de-duplicated list of all users across all UNIX boxes.

I want to know if theres a way with vastool or some other tool to query the Domain Controller and find out which users are "disabled" in AD. And also find out which users are do not have a match in AD.

Some users will have the same unix username as they do SAM account name in AD, some will not, this will help me to find out which ones i need to have special cases for, and which are valid users that i need to Unix enable in AD. Identifying the Disabled users would allow me remove potentially hundreds of users from my master user list and also clean them off locally on all the UNIX boxes.

I'm not very experienced but it seems like some form of "vastool search" might be able to provide such information?

↧

Using Cached Kerberos Ticket to Authenticate SMB Share

June 19, 2013, 7:57 am

≫ Next: VAS_ERR_DNS: Unable to look up any DNS SRV records for domain

≪ Previous: using vastool to perform LDAP queries

I am using Quest Authentication Services to integrate my Linux systems with our lab domain. I want to use the cached kerberos tickets to authenticate without providing a password when mounting an exported SMB share using the command 'mount -t cifs <device> <dir> -o sec=krb5'. My understanding is that when request-key is called by the kernel cifs.upcall is used to locate the cached kerberos ticket. The problem I am having is that when I directly call cifs.upcall with the uid of the user it does not return anything and it has an exit code of 1. If I look at /var/log/messages I see the following log message related to the call.

Jun 19 09:55:03 merlin cifs.upcall: keyctl_describe_alloc failed: Required key not available

Per the cifs.upcall man page I added the following two lines to request-key.conf

create cifs.spnego * * /usr/local/sbin/cifs.upcall %k

create dns_resolver * * /usr/local/sbin/cifs.upcall %k

↧

VAS_ERR_DNS: Unable to look up any DNS SRV records for domain

September 22, 2008, 4:10 pm

≫ Next: Kerberos Error: Message Stream modified

≪ Previous: Using Cached Kerberos Ticket to Authenticate SMB Share

Hi, I am running AIX5.3 with VAS agent 3.3.1.83. I get an error when running the join command to join the server to AD domain...

It takes a long time to check if the computer is already joined to a domain....and then gives the VAS_ERR_DNS error.

Any one run into this?

"
Checking whether computer is already joined to a domain ... no
ERROR: Could not join to the domain
VAS_ERR_DNS: Unable to look up any DNS SRV records for domain <domain-name>
"

Thanks,
Konti

↧

Kerberos Error: Message Stream modified

June 22, 2010, 9:43 pm

≫ Next: Sudo issue with NIS (QAS) groups in Ubuntu 12.04

≪ Previous: VAS_ERR_DNS: Unable to look up any DNS SRV records for domain

Hi,
I'm using SSO with BOXIR2 that use VSJ,
the SSO is working fine until someday SSO is stop with below error messages:
So how to fix this kinda error?

5609 http-8080-Processor25 ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
5609 http-8080-Processor25 ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication - GSSException Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
5609 http-8080-Processor25 WARN com.crystaldecisions.sdk.occa.security.internal.LogonService - doUserLogon(): failed to logon, logoninfo=user:xxx%xxx,method:GSSCredential,auth=secWinAD,aps=xxx.xx.com
com.crystaldecisions.sdk.exception.SDKException$SecurityError: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department.
cause:GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
detail:The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department.
The exception originally thrown was GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.b.a(Unknown Source)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.d.a(Unknown Source)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.d.continueLogin(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.a(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.a(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.userLogon(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.l.userLogon(Unknown Source)
at com.crystaldecisions.sdk.framework.internal.d.logon(Unknown Source)
at com.crystaldecisions.ePortfolio.framework.logon.LogonAction.singleSignOn(LogonAction.java:406)
at com.crystaldecisions.ePortfolio.framework.logon.LogonAction.autoWrapExceptionPerform(LogonAction.java:525)
at com.crystaldecisions.ePortfolio.framework.common.AutoWrapExceptionAction.process(AutoWrapExceptionAction.java:62)
at com.crystaldecisions.webapp.struts.framework.AbstractEnterpriseAction.perform(AbstractEnterpriseAction.java:38)
at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)

↧

Sudo issue with NIS (QAS) groups in Ubuntu 12.04

April 17, 2012, 12:20 am

≫ Next: Stuck with kerberos authentication to Sharepoint

≪ Previous: Kerberos Error: Message Stream modified

Hi,

We're running QAS 3.5.2.80 on the Ubuntu 12.04 beta and we're running into an issue with sudo. Our setup is a full NIS proxy setup where each host is its own proxy. Everything else works just fine, logging in, name resolution, group resolution, etc, etc.
But, in sudo we get an issue with accesses tied to normal groups. If we use netgroups or regular usernames it works fine, but normal gruops... just don't work.
id -a shows all the right memberships, "groups" shows all the right stuff, "ypcat" on the NIS maps works perfect. sudo works fine too, as long as you are using rules based on netgroups or usernames.

Has anyone seen this before? Or even have any clue as to how to debug this issue?

↧

Stuck with kerberos authentication to Sharepoint

October 10, 2012, 3:03 pm

≫ Next: VSJ and JBoss 7.1

≪ Previous: Sudo issue with NIS (QAS) groups in Ubuntu 12.04

I have to connect to MS IIS server using SPNEGO token with Kerberos ticket inside, exactly as Internet Explorer does it.

If I use java GSSManager.initiateContext() it does request tickets with incorrect KDCOptions, dates and some other params I cannot control.

I tried com.dstc.security lib, and was able to get tickets axactly as Internet Explorer with couple of lines:

prepare required KDCOptions;
Credential tgt = kerberos.requestTicketGrantingTicket(new KerberosPassword(password.getBytes()), kdo, new Date(), d, new InetAddress[] {InetAddress.getByName("somename")}, null);
Credential srvt = kerberos.requestServiceTicket(TGT, new PrincipalName(2, "HTTP/server.domain.net"), REALM, kdo);

But how can I use these credentials or tickets inside to create SPNEGO token same as I can get with GSSManager.initiateContext()?

↧

VSJ and JBoss 7.1

March 27, 2013, 8:51 am

≫ Next: Single Sign-On for Java 7 Not working

≪ Previous: Stuck with kerberos authentication to Sharepoint

Our company has recently purchased the Standard edition of vsj and we have this running fine on WAS 8. I am trying to get this to run on JBoss 7.1 so we can run our application easily on our local development servers. Has anyone gotten this working with JBoss 7.1? I think I am very close, but an example standalone.xml file would be immensely helpful to know that I have set up my SSL correctly to be used with vsj.

Thanks,

Rob

↧

Single Sign-On for Java 7 Not working

August 26, 2013, 5:36 am

≫ Next: Segmentation fault when mod_auth_vas finds no matches

≪ Previous: VSJ and JBoss 7.1

Hi,

We have been using winSSPI.dll on client side from 3.2 package. This dll is not working anymore in JDK 7.

The exception trace as follows :

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: OS name = 'Windows 7', version = '6.1'

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: isKerberosOS = true, isSessionKeySupported = true

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: calling native method ...

[winSSPI.dll] initialize

[winSSPI.dll] initialize: done

[INFO] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: Successfully initialized Windows SSPI

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: acquireCredentialsHandle: calling native method ...

[winSSPI.dll] acquireCredentialsHandle

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: loadCredential: result = 0

Attempting initContext with principal: HTTP/appsec001.gaia.net.intra

initContext failed with principal: HTTP/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created

Attempting initContext with principal: HOST/appsec001.gaia.net.intra

initContext failed with principal: HOST/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created

initContext failed with all attempted principals

java.security.PrivilegedActionException: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created

at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:373)

at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)

at weblogic.security.Security.runAs(Security.java:61)

at security.role.TestKerberosEJBCall.main(TestKerberosEJBCall.java:32)

Caused by: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created

at com.quest.vsj.weblogic.login.EjbClientKerberosLoginModule.login(EjbClientKerberosLoginModule.java:107)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:606)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)

at javax.security.auth.login.LoginContext.login(LoginContext.java:594)

at security.role.TestKerberosEJBCall$1.run(TestKerberosEJBCall.java:35)

at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)

... 3 more

Any ideas if any newer version or patch is supporting both JDK 7 64 & 32 bit ?

Thanks in advance.

↧

Segmentation fault when mod_auth_vas finds no matches

June 1, 2012, 6:51 am

≫ Next: QAS and FileVault on OS X

≪ Previous: Single Sign-On for Java 7 Not working

Hello,

We are using mod_auth_vas.so 3.6.7 with Oracle HTTP Server which is effectively Apache 2.0. Recently, we have noticed that an Apache process is terminated with a segmentation fault in case of mod_auth_vas trying to match the requestor's name to the list of allowed user names and but not finding it there. The client's browser receives 401 in this case. Could you please help with it?

Please find an excerpt from the error log

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1581: [mod_auth_vas] authenticated user: 'Dmitry_Donetskov@EMEA.DELL.COM'

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1037: [mod_auth_vas] auth_vas_auth_checker: user=Dmitry_Donetskov@EMEA.DELL.COM authtype=VAS

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1055: [mod_auth_vas] requires->nelts = 3

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:541: [mod_auth_vas] match_user: name=ServiceSFDCWPSIT@emea.dell.com RUSER=Dmitry_Donetskov@EMEA.DELL.COM

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1422: [mod_auth_vas] rnote_get: reusing existing rnote

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:490: [mod_auth_vas] set_user_obj

[2012-06-01T14:14:38.8708+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:574: [mod_auth_vas] match_user: user does not match

[2012-06-01T14:14:38.8708+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:584: [mod_auth_vas] match_user: <CN=ServiceSFDCWPSIT,OU=Service Accounts,DC=emea,DC=dell,DC=com> <CN=dmitry_donetskov,OU=Users,OU=Moscow,DC=emea,DC=dell,DC=com> no-match

[2012-06-01T14:14:38.8709+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1100: [mod_auth_vas] require user "ServiceSFDCWPSIT@emea.dell.com" -> FAIL

...........

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:584: [mod_auth_vas] match_user: <CN=Alexey_Lysak,OU=Users,OU=Non Dell,DC=emea,DC=dell,DC=com> <CN=dmitry_donetskov,OU=Users,OU=Moscow,DC=emea,DC=dell,DC=com> no-match

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1100: [mod_auth_vas] require user "Alexey_Lysak@emea.dell.com" -> FAIL

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1422: [mod_auth_vas] rnote_get: reusing existing rnote

[2012-06-01T14:14:39.4014+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_ssl.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_ssl.c:633: Connection to child 0 established (server ausvmqtcdevap19.us.dell.com:8044)

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:720: inside shmcb_retrieve_session

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:732: id[0]=4, masked index=4

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1197: entering shmcb_lookup_session_id

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:983: entering shmcb_expire_division

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1207: loop=0, count=1, curr_pos=0

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1211: idx->s_id2=47, id[1]=47, offset=0

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1228: at index 0, found possible session match

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1247: a match!

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:748: leaving shmcb_retrieve_session

[2012-06-01T14:14:39.4017+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:435: shmcb_retrieve had a hit

[2012-06-01T14:14:39.4017+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_engine_kernel.c:2304: Inter-Process Session Cache: request=GET status=FOUND id=042F8428065947E3DA8D7A7B77690889 (session reuse)

[2012-06-01T14:14:39.6975+01:00] [OHS] [NOTIFICATION:16] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 14727] [tid: 47292192636960] [user: oracle] [VirtualHost: main] mpm_common.c:475: child pid 27200 exit signal Segmentation fault (11), possible coredump in /u01/app/oracle/fusion/mw_1/Oracle_WT1/instances/instance1/config/OHS/ohs1

Message was edited by: dmitry_donetskov_265

↧

QAS and FileVault on OS X

January 8, 2013, 9:14 am

≫ Next: vastool flush - Loading user cache error

≪ Previous: Segmentation fault when mod_auth_vas finds no matches

Is there a way to use FileVault on OS X Mountain Lion with QAS? I mean so that the AD user can be selected during boot for the FileVault authentication.

Thanks,

Nils

↧

vastool flush - Loading user cache error

November 1, 2013, 9:10 am

≫ Next: problem of vastool user checklogin

≪ Previous: QAS and FileVault on OS X

Does anyone have a list of the Loading User cache errors?

I did a vastool flush and received the following error:

Loading users cache: ..... Error while loading user cache: 16

I found some of the other error numbers on goole (12,14,22), but I couldn't find 16

↧

problem of vastool user checklogin

March 16, 2009, 3:24 am

≫ Next: VAS_ERR_INVALID_PARAM: Invalid unix name

≪ Previous: vastool flush - Loading user cache error

Hi experts!

I am newbie for VAS.

After installation of VAS 3.5 on both server(windows server 2003) and client(redhat5.2) according to the manual,

I failed to login the linux client using a Unix enabled domain user :test

I try to run some troubleshooting commands, and get some information as below:

[root@redhat-head ~]# /opt/quest/bin/vastool user checklogin test
WARNING: NSS lookup (getpwnam) for user test failed, this will almost
certainly mean that you will be unable to log in with a username of test.
This should be fixed before worrying about any other failures.
##I checked /etc/nsswith.conf, and found everything is ok.

[root@redhat-head ~]# /opt/quest/bin/vastool nss getpwnam test
ERROR: Could not look up user for name: test, error = 2.

[root@redhat-head ~]# /opt/quest/bin/vastool info domain
test.com

[root@redhat-head ~]#/opt/quest/bin/vastool -u host/ attrs test uidnumber gidnumber unixhomedirectory loginshell userprincipalname DistinguishedName
ginshell userprincipalname DistinguishedName
distinguishedName: CN=test,OU=Unix,DC=pera-test,DC=com
userPrincipalName: test@test.com
uidNumber: 1000
gidNumber: 1000
unixHomeDirectory: /home/test
loginShell: /bin/bash

I can't find where the problem is.

Any advise?

Thank in advance!

↧

VAS_ERR_INVALID_PARAM: Invalid unix name

December 17, 2013, 3:39 pm

≫ Next: Crash when authenticating

≪ Previous: problem of vastool user checklogin

Hi all,

I'm having trouble when users from other domains out of the web server's domain.

I'm using VAS 3.6.8.1

Here's the error we're getting:

[Tue Dec 17 14:39:07 2013] [debug] mod_auth_vas.c(1339): [client 10.10.10.10] [mod_auth_vas] auth_vas_cleanup_request

[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(2312): [client 10.10.10.10] [mod_auth_vas] auth_vas_check_user_id: auth_type=VAS

[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(2359): [client 10.10.10.10] [mod_auth_vas] Got: 'Authorization: Basic [...]'

[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(2422): [client 10.10.10.10] [mod_auth_vas] apr_base64_decode returned 25 btyes

[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(1154): [client 10.10.10.10] [mod_auth_vas] do_basic_accept

[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(1194): [client 10.10.10.10] [mod_auth_vas] check_password: user='DOMAIN2\\USER1'

[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(1416): [client 10.10.10.10] [mod_auth_vas] rnote_get: creating rnote

[Tue Dec 17 14:39:33 2013] [debug] mod_auth_vas.c(1367): [client 10.10.10.10] [mod_auth_vas] initialize_user

[Tue Dec 17 14:39:33 2013] [error] [client 10.10.10.10] [mod_auth_vas] initialize_user: Failed to initialize user for DOMAIN2\\USER1: VAS_ERR_INVALID_PARAM: Invalid unix name DOMAIN2\\USER1

The server is located at DOMAIN1

And the user which is trying to access the website is on DOMAIN1

Here's my VAS Conf:

Options FollowSymLinks

AllowOverride None

# Enable VAS authentication for entire site:

AuthType VAS

AuthVasRemoteUserMap ldap-attr sAMAccountName

AuthVasAuthoritative On

AuthVasUseNegotiate On

# If client cannot negotiate, fall back on basic authentication

AuthVasUseBasic On

AuthName "your Windows account"

# The criteria for accessing these web page

Require user USER1

Order deny,allow

Deny from all

</Directory>

I need to be able to authenticate users from DOMAIN1 and DOMAIN2

Regards,

Obed N Munoz

↧

Crash when authenticating

November 15, 2012, 1:37 pm

≫ Next: Quest Equivalent Product

≪ Previous: VAS_ERR_INVALID_PARAM: Invalid unix name

I'm seeing the following crash during authentication:

glibc detected *** /usr/java/jdk1.6.0_25/bin/java: free(): invalid pointer: 0x0000000041e33450 ***
======= Backtrace: =========
/lib64/libc.so.60x3b66275916
/opt/quest/lib64/libvas.so.4(vas_string_zerofree+0x4b)0x7ffd9cc615f0
/lib64/security/pam_vas3.so(pam_vas_do_conversation+0x210)0x7ffd9ce01c7d
/lib64/security/pam_vas3.so(pam_vas_am_prompt_for_cred+0x2ff)0x7ffd9cdfc85b
/lib64/security/pam_vas3.so(pam_sm_authenticate+0xb30)0x7ffd9cdf772a
/lib64/libpam.so.00x3b69202cee
/lib64/libpam.so.0(pam_authenticate+0x40)0x3b69202600

Any ideas as to what may be causing it? The pam config looks like:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_vas3.so create_homedir get_nonvas_pass store_creds
auth requisite pam_vas3.so echo_return
auth sufficient pam_unix.so nullok try_first_pass use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account sufficient pam_vas3.so
account requisite pam_vas3.so echo_return
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password sufficient pam_vas3.so
password requisite pam_vas3.so echo_return
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session required pam_vas3.so create_homedir
session requisite pam_vas3.so echo_return
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

↧

Quest Equivalent Product

April 18, 2013, 9:01 am

≫ Next: VAS Error Codes???

≪ Previous: Crash when authenticating

Is there a Quest product that is equivalent to CF engine?

Thanks

Steve

↧