Channel: Software Communities : Popular Discussions - All Things Unix

VAS Error Codes???


It’s not verbose but it’ll give you the idea of which codes mean what.

/** vas_err_t error codes
 * Nearly all VAS API functions return a vas_err_t type. More information about
 * the specific VAS error conditions that may result can be found in the
 * documentation for each VAS API function.
 **/
typedef enum vas_err
{
    VAS_ERR_BAD_ERR         = -1,
    VAS_ERR_SUCCESS         =  0,
    VAS_ERR_FAILURE         =  1,
    VAS_ERR_KRB5            =  2,
    VAS_ERR_KPASSWD         =  3,
    VAS_ERR_LDAP            =  4,
    VAS_ERR_INVALID_PARAM   =  5,
    VAS_ERR_NO_MEMORY       =  6,
    VAS_ERR_ACCESS          =  7,
    VAS_ERR_NOT_FOUND       =  8,
    VAS_ERR_THREAD          =  9,
    VAS_ERR_CONFIG          =  10,
    VAS_ERR_INTERNAL        =  11,
    VAS_ERR_EXISTS          =  12,
    VAS_ERR_DNS             =  13,
    VAS_ERR_CRED_EXPIRED    =  14,
    VAS_ERR_CRED_NEEDED     =  15,
    VAS_ERR_MORE_VALS       =  16,
    VAS_ERR_TIMEDOUT        =  17,
    VAS_ERR_INCOMPLETE      =  18,
    VAS_ERR_PKCS11          =  19,
    VAS_ERR_NOT_IMPLEMENTED =  20
} vas_err_t;

From: Michael Thompson
Sent: Monday, October 30, 2006 8:53 AM
Subject: RE: Error codes and messages

The VAS-specific codes and a brief explanation can be found in the vas.h file installed at /opt/quest/include in conjunction with the vasdev package. I believe that’s included on the ISO under SDK.


-----Original Message-----
From: Ewan Millington
Sent: Monday, October 30, 2006 8:45 AM
Subject: Error codes and messages

Hi All,

A customer has asked if there are any documents detailing what the error messages and codes logged by vasd, vgp, vasypserv etc. mean.

Thanks in advance,

Ewan Millington
Tech. Support Engineer
Quest Software (UK) Ltd
Phone: +44 01628518007
http://support.quest.com


IBM DB2 LDAP Plugin and Vintela DB2 Security Plugin


What is the difference between the DB2 LDAP plug-in provided by IBM and the DB2 Security Plug-in for LDAP from Vintela? Are they the same product? We just converted our IBM SP MPP server from NIS to VAS and have been experiencing random ADM13001E errors during heavy usage on AIX 5.3 with UDB 9.5 (see DB2 log below).


2009-06-23-00.04.31.104862-240 I1220A477          LEVEL: Error
PID     : 4776414              TID  : 4884        PROC : db2sysc 3
INSTANCE: udbcdwp              NODE : 003         DB   : CDWPDB
APPHDL  : 3-2246
EDUID   : 4884                 EDUNAME: db2agent (CDWP) 3
FUNCTION: DB2 Common, Security, Users and Groups, secValidatePasswordPlugin, probe:20
DATA #1 : String, 94 bytes
db2ldapGetUserDN:LDAP search failed with ldap rc=81 (Can't contact LDAP server)user='cdwmgr'

and

2009-06-23-00.50.36.538464-240 E155194A727        LEVEL: Severe
PID     : 4309120              TID  : 772         PROC : db2acd 8
INSTANCE: udbcdwp              NODE : 008
EDUID   : 772                  EDUNAME: db2acd 8
FUNCTION: DB2 UDB, bsu security, sqlexGetDefaultLoginContext, probe:150
MESSAGE : ADM13001E  Plug-in "IBMLDAPauthclient" received error code "-1" from
          the DB2 security plug-in API "db2secGetDefaultLoginContext" with the
          error message "LDAP WhoAmI: can't determine LDAP user associated with
          OS user 'udbcdwp': LDAP error while searching for AuthID. Userid
          attribute='cn'  AuthID attribute='cn' user objectClass='user'  user
          base DN='dc=fhlmc,dc=com'".


Create pre-auth computer object with vastool

Hi,

I need to be able to create computer objects with vastool instead of being forced to log in to a Windows server, run a VBS, and then drag'n'drop the object to the correct OU (the OU varies a lot).

It seems like vastool create should be able to help me out, but I can't get it to produce objects that can be joined to without password.

I've created an AD user (unixbuild) that has permissions to create computer objects, and to create the object I run this command:

#> vastool -u unixbuild create -o -c "OU=JavaServerPlatform,OU=SolarisServer,OU=Production,DC=deploylab,DC=bj" computer testzone
Password for unixbuild@DEPLOYLAB.BJ:
Computer testzone created
#>

If I check in AD I can see the new object in the correct OU, but when I then try to join it using:

root@testzone:~# vastool -u host/ -w testzone join -f -n testzone.deploylab.bj deploylab.bj

I get:

Checking whether computer is already joined to a domain ... no
ERROR: Could not authenticate as host/. Invalid username or password.
VAS_ERR_KRB5: Failed to obtain credentials. Client: TESTZONE$@DEPLOYLAB.BJ, Service: krbtgt/DEPLOYLAB.BJ@DEPLOYLAB.BJ, Server: bj-labdc-01.deploylab.bj
   Caused by:
   KRB5KDC_ERR_PREAUTH_FAILED (-1765328360): Preauthentication failed
ERROR: Could not join to the domain

So this seems like the "default" computer object password has not been set correctly, is there an option to the vastool create command I need to use, or do I need to specify my own "default" password (also needed to be put in the join script)?

Please help me in my quest for not needing to "use" a windows server when deploying and using my Solaris servers!

BR // Andreas Bjorshammar



AIX VAS NIS authentication issues

Hello All-

    Here's my issue: we have AIX 5.3 running NIS. We are moving our environment to VAS but we need both authentication methods while we complete the process. When VAS and ypbind are running, AIX always uses NIS as its primary method if you are using SSH and keys. I also set up the /etc/security/user default stanza to use VAS as the SYSTEM default only; it still uses NIS. I also set registry = VAS; NIS still wins. If I remove the ypbind service, VAS works as it should.
   We cannot be the only company that needs to use VAS as a primary login method and NIS as secondary on AIX. We have Solaris and Red Hat boxes and no issues at all. Of course they use nsswitch.conf, which AIX does not. I have an open ticket with IBM and Quest, no solutions yet.

Thanks.



Unlock AD Entry via Vastool & Keytab

I have a number of lightly used systems which periodically get locked out of Active Directory (I'm not certain of the cause; perhaps they're not changing their password quickly enough). Anyway, I was wondering if there's a way to unlock them using vastool and the keytab which created them (since it has access to that object in the OU).

The specific error I'm seeing is:
<<<<<
# vastool flush
Flushing auth cache: OK
Could not load caches- Authentication failed, error = VAS_ERR_NOT_FOUND: Not found
   Caused by:
   VAS_ERR_KRB5: Failed to obtain credentials. Keytab: , Client: IAE2-LZ$@ENT.X.CORP, Service: krbtgt/ENT.X.CORP@ENT.X.CORP
   Caused by:
   KRB5KDC_ERR_CLIENT_REVOKED (-1765328366): Clients credentials have been revoked

It appears that the computer object has not yet replicated to the Global Catalog.
vasd will stay in disconnected mode until this replication takes place.
You do not need to rejoin this computer.
>>>>>

An unjoin/rejoin does resolve the problem, or unlocking them in AD via some Windows admin tools.  However I was hoping for a more graceful solution than unjoin/join which I can run from the command line.


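The join failure in the previous post and the flush failure in this one are both reported the same way: an outer VAS_ERR_* frame, one or more "Caused by:" frames, and an innermost Kerberos library error with its com_err number in parentheses. The script below is an added example, not Quest's or the posters' code. It walks such a chain, keeps the frame names, pulls the Client/Service/Server fields out of the VAS_ERR_KRB5 frame, and converts the com_err number into the KDC error code from RFC 4120 using the krb5 error-table base (-1765328384), so that -1765328360 reads as KDC error 24 and -1765328366 as 18. The two sample chains are copied from the posts; everything else (function names, the verdict format) is the example's own.

```python
"""Added example (not Quest's code): reduce a vastool 'Caused by' chain to its root cause."""
import re
from typing import Dict, List, Optional

# com_err base of the krb5 error table. A reported value such as -1765328360 is
# base + 24, and 24 is KDC_ERR_PREAUTH_FAILED in RFC 4120's error-code list.
KRB5_ERROR_TABLE_BASE = -1765328384

# A frame is a VAS_ERR_* or KRB5* name, an optional "(number)", then ": message".
FRAME_RE = re.compile(r"(?P<name>(?:VAS_ERR|KRB5)[A-Z0-9_]+)(?: \((?P<num>-?\d+)\))?: (?P<msg>.*)$")
FIELD_RE = re.compile(r"(Keytab|Client|Service|Server): ([^,]*)")

# Copied from the two posts above: the join failure, then the flush failure.
JOIN_FAILURE = """\
Checking whether computer is already joined to a domain ... no
ERROR: Could not authenticate as host/. Invalid username or password.
VAS_ERR_KRB5: Failed to obtain credentials. Client: TESTZONE$@DEPLOYLAB.BJ, Service: krbtgt/DEPLOYLAB.BJ@DEPLOYLAB.BJ, Server: bj-labdc-01.deploylab.bj
   Caused by:
   KRB5KDC_ERR_PREAUTH_FAILED (-1765328360): Preauthentication failed
ERROR: Could not join to the domain
"""
FLUSH_FAILURE = """\
Flushing auth cache: OK
Could not load caches- Authentication failed, error = VAS_ERR_NOT_FOUND: Not found
   Caused by:
   VAS_ERR_KRB5: Failed to obtain credentials. Keytab: , Client: IAE2-LZ$@ENT.X.CORP, Service: krbtgt/ENT.X.CORP@ENT.X.CORP
   Caused by:
   KRB5KDC_ERR_CLIENT_REVOKED (-1765328366): Clients credentials have been revoked
"""


def krb5_protocol_code(com_err_value: int) -> Optional[int]:
    """Map a krb5 com_err value to its RFC 4120 error-code number, or None if the
    value does not belong to the krb5 table."""
    code = com_err_value - KRB5_ERROR_TABLE_BASE
    return code if 0 <= code <= 255 else None


def parse_error_chain(text: str) -> List[Dict[str, object]]:
    """Outer-to-inner list of frames; the last frame is the root cause."""
    frames: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = FRAME_RE.search(line)
        if not m:
            continue  # "ERROR:" wrappers, "Caused by:" and progress lines are not frames
        frame: Dict[str, object] = {"name": m.group("name"), "message": m.group("msg").strip(),
                                    "com_err": None, "protocol_code": None}
        if m.group("num") is not None:
            frame["com_err"] = int(m.group("num"))
            frame["protocol_code"] = krb5_protocol_code(int(m.group("num")))
        if frame["name"] == "VAS_ERR_KRB5":  # record who asked whom for what
            for key, val in FIELD_RE.findall(m.group("msg")):
                frame[key.lower()] = val.strip()
        frames.append(frame)
    return frames


def root_cause(text: str) -> str:
    """One-line verdict: root frame, its KDC error code, and the principals involved."""
    frames = parse_error_chain(text)
    if not frames:
        return "no VAS/Kerberos error frame found"
    root = frames[-1]
    who = next((f for f in frames if f["name"] == "VAS_ERR_KRB5"), {})
    verdict = str(root["name"])
    if root["protocol_code"] is not None:
        verdict += " (KDC error %d)" % root["protocol_code"]
    if who.get("client"):
        verdict += " for %s -> %s" % (who["client"], who.get("service", "?"))
    return verdict


if __name__ == "__main__":
    for sample in (JOIN_FAILURE, FLUSH_FAILURE):
        print(root_cause(sample))
```

Feed it the output of a failing vastool command (or the matching vasd syslog lines) and act on the last frame: a KDC error 24 means the KDC rejected the computer account's password, a KDC error 18 means the account is locked or disabled on the AD side, and the Client field tells you which account to look at.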

AIX agent Management Console

Hi,

Looking for the/an agent which lets me connect my AIX servers to the Quest One Management Console for Unix server.

I found a Linux/Solaris/Mac OS/Windows agent but none for AIX ...
but in the supported list there is AIX.

could someone advise?

thanks in advance,

Rohald

Not seeing correct AD group membership using vastool


We have an AD group 'foo'. User Abe is added to it using AD tools.

I cannot see this user in the group using vastool on Solaris. And of course the user cannot log in.

$ vastool list groups | grep foo
foo:VAS:2010:john.doe@na.company.com,harry.who@na.company.com
$

I've executed vastool flush to no effect.

What am I doing wrong?

Putty 0.62 session menu with Windows 7


I've recently upgraded to Windows 7, and am enjoying the menu of open PuTTY sessions displayed when I hover my mouse over the PuTTY icon in my toolbar. HOWEVER, one aspect which bothers me is how the menu displays. Initially it displays a horizontal list of icons for each session, expanding the list up to 10 sessions, after which it transforms that list into a vertical list of lines in a single window, one line for each session. My issue is that once the horizontal list exceeds 6 sessions, the session names contained in the icons get truncated from the right to the point that they are no longer unique, rendering them useless. Consequently, once I open a 7th session, I proceed to open another 4 simply to maintain the usability of my session menu. Does anyone know a way to customize either the point at which the menu transfers to a horizontal list, or the session name truncation so that it truncates from the left instead of the right?


VSJ could not authorize the request


When deploying the code to the test environment, the application fails with the following error. I am not too sure what else needs to be changed in the configuration to make it work.

The code works fine on the development environment.

2014-01-09 09:41:08 DEBUG [CommonsSsoLogger - debug] - Session ID: b6a4c82bc71daace11bd88205a4a86ccc2fed8098f462d51039ba3ac3423d331
    Request: /rootpj/login-action.vsj
    Remote: 101.203.67.93
    Principal: rootpjqsjsvc@DM.FAIRPLAYNET.COM
    Message: Method = GET, doAuthentication = true, isUnsolicited = false
2014-01-09 09:41:08 DEBUG [CommonsSsoLogger - debug] - Session ID: b6a4c82bc71daace11bd88205a4a86ccc2fed8098f462d51039ba3ac3423d331
    Request: /rootpj/login-action.vsj
    Remote: 101.203.67.93
    Principal: rootpjqsjsvc@DM.FAIRPLAYNET.COM
    Message: Attempting to negotiate using SPNEGO
2014-01-09 09:41:08 DEBUG [CommonsLogWrapper - debug] - GSS: Acceptor supports: KRB5
2014-01-09 09:41:08 DEBUG [CommonsLogWrapper - debug] - Ticket service name is: HTTP/ms03012.mss.fairplaynet.com@DMTEST.FAIRPLAYNET.COM
2014-01-09 09:41:08 DEBUG [CommonsLogWrapper - debug] - GSS name is: rootpjqsjsvc@DM.FAIRPLAYNET.COM
2014-01-09 09:41:08 DEBUG [CommonsLogWrapper - debug] - Using keytab entry for: rootpjqsjsvc@DM.FAIRPLAYNET.COM
2014-01-09 09:41:08 DEBUG [CommonsLogWrapper - debug] - ** decrypting ticket .. **
  with key
  Principal: rootpjqsjsvc@DM.FAIRPLAYNET.COM
  Type: 1
  TimeStamp: Thu Jan 09 09:40:55 EST 2014
  KVNO: -1
  Key: [23,  af 97 1a 61 10 f9 44 f8 10 7e eb cc 92 6f fd 99 ]
2014-01-09 09:41:08 DEBUG [CommonsLogWrapper - debug] - Could not decrypt service ticket with Key type 23, KVNO 5, Principal "HTTP/ms03012.mss.fairplaynet.com@DMTEST.FAIRPLAYNET.COM" using key:
Principal: [1] rootpjqsjsvc@DM.FAIRPLAYNET.COM
  TimeStamp: Thu Jan 09 09:40:55 EST 2014
  KVNO: -1
  EncType: 23
  Key: 16 bytes, fingerprint = [c2 e6 1 d 13 13 1a ec 3e 83 3c 41 63 c7 9f f8]
Exception for this key was:  com.dstc.security.kerberos.CryptoException: Integrity check failure[Note:  principal names are different;  this may or may not be a problem]
[Note:  KVNO used wildcard match, not exact match;  perhaps the password used to generate this key is not the most recent password?]
com.dstc.security.kerberos.CryptoException: Integrity check failure
    at com.dstc.security.kerberos.RC4KerberosCipher.decrypt(RC4KerberosCipher.java:107)
    at com.dstc.security.kerberos.TicketImpl.decrypt(TicketImpl.java:113)
    at com.dstc.security.kerberos.Kerberos.decryptTicket(Kerberos.java:1566)
    at com.dstc.security.kerberos.gssapi.ServerHandShaker.decryptU2STicket(ServerHandShaker.java:462)
    at com.dstc.security.kerberos.gssapi.ServerHandShaker.authenticateClient(ServerHandShaker.java:241)
    at com.dstc.security.kerberos.gssapi.ServerHandShaker.handle(ServerHandShaker.java:186)
    at com.dstc.security.kerberos.gssapi.GSSContext.acceptSecContext(GSSContext.java:349)
    at com.dstc.security.kerberos.gssapi.GSSContext.acceptSecContext(GSSContext.java:323)
    at com.wedgetail.idm.spnego.server.SpnegoServer.handle(SpnegoServer.java:158)
    at com.wedgetail.idm.sso.AbstractAuthenticator.processSpnego(AbstractAuthenticator.java:1794)
    at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:231)
    at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1444)
    at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthenticationOnly(AbstractAuthenticator.java:1330)
    at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:1139)
    at com.fairplaynet.rootpj.questAuth.SsoAndFormsAuthFilter.processLoginAction(SsoAndFormsAuthFilter.java:102)
    at com.fairplaynet.rootpj.questAuth.FormsAuthFilter.filter(FormsAuthFilter.java:337)
    at com.fairplaynet.rootpj.questAuth.FormsAuthFilter.doFilter(FormsAuthFilter.java:309)
    at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:644)
    at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:391)
    at com.evermind.server.http.HttpRequestHandler.handleNotFound(HttpRequestHandler.java:1087)
    at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:948)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:458)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:313)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:199)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
2014-01-09 09:41:08 ERROR [CommonsSsoLogger - error] - Provider protocol error: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 5, Principal "HTTP/ms03012.mss.fairplaynet.com@DMTEST.FAIRPLAYNET.COM" using key:
Principal: [1] rootpjqsjsvc@DM.FAIRPLAYNET.COM
  TimeStamp: Thu Jan 09 09:40:55 EST 2014
  KVNO: -1
  EncType: 23
  Key: 16 bytes, fingerprint = [c2 e6 1 d 13 13 1a ec 3e 83 3c 41 63 c7 9f f8]
Exception for this key was:  com.dstc.security.kerberos.CryptoException: Integrity check failure[Note:  principal names are different;  this may or may not be a problem]
[Note:  KVNO used wildcard match, not exact match;  perhaps the password used to generate this key is not the most recent password?]
)
2014-01-09 09:41:08 ERROR [CommonsSsoLogger - error] - Session ID: b6a4c82bc71daace11bd88205a4a86ccc2fed8098f462d51039ba3ac3423d331
    Request: /rootpj/login-action.vsj
    Remote: 101.203.67.93
    Principal: rootpjqsjsvc@DM.FAIRPLAYNET.COM
    Message: Could not authorize request: com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 5, Principal "HTTP/ms03012.mss.fairplaynet.com@DMTEST.FAIRPLAYNET.COM" using key:
Principal: [1] rootpjqsjsvc@DM.FAIRPLAYNET.COM
  TimeStamp: Thu Jan 09 09:40:55 EST 2014
  KVNO: -1
  EncType: 23
  Key: 16 bytes, fingerprint = [c2 e6 1 d 13 13 1a ec 3e 83 3c 41 63 c7 9f f8]
Exception for this key was:  com.dstc.security.kerberos.CryptoException: Integrity check failure[Note:  principal names are different;  this may or may not be a problem]
[Note:  KVNO used wildcard match, not exact match;  perhaps the password used to generate this key is not the most recent password?]
)

Wrong ticket encryption for W2K clients only causes VSJ to fail


Hi,

I am facing the following problem.

The Windows service account used for Vintela SSO is set up using "Use DES encryption for this account". The keytab is created with ktpass ... -crypto DES-CBC-MD5 encryption.

Everything is working when I login to the web application from a Windows 2003 server machine. On the Windows 2003 server machine part of the klist tickets command is as follows (Kerberos ticket encryption of type DES-CBC-MD5 as expected):

   Server: HTTP/server.eu.xxx.com@EU.XXX.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 8/3/2007 21:38:37
      Renew Time: 8/10/2007 11:38:37

But on the Windows 2000 clients the ticket is encrypted with RC4-HMAC-NT:

   Server: HTTP/server@EU.XXX.COM
      KerbTicket Encryption Type: Kerberos RSADSI RC4-HMAC(NT)
      End Time: 8/3/2007 21:42:55
      Renew Time: 8/10/2007 11:42:55

The wrongly obtained ticket causes SSO to fail.

Tomcat output is:

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Successfully matched service principal "HTTP/SERVER.EU.XXX.COM@EU.XXX.COM but not key type (23) + KVNO (2) in this entry: Principal: HTTP/SERVER.EU.XXX.COM@EU.XXX.COM Type: 1 TimeStamp: Wed Dec 31 19:00:00 EST 1969 KVNO: -1 Key: [3, 67 ec a8 a8 75 e0 ab 3e ] )

So the encryption type of the client ticket (which is of type 23=RC4-HMAC-NT) does not match the entry in the keytab (type 3=DES-CBC-MD5).

Why does the Windows 2000 machine get a different encrypted ticket? Also, there is a difference in the SPN returned in the output of the klist tickets above.

Any help would be greatly appreciated.

Thanks,

Ron
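Both VSJ failures above come from the same lookup: the acceptor selects a keytab entry by service principal, then by the enctype the KDC used for the ticket, then by key version number. In this post the principal matched but the keytab held only a des-cbc-md5 (type 3) key for an rc4-hmac (type 23) ticket; in the previous post the keytab held a key for rootpjqsjsvc@DM.FAIRPLAYNET.COM while the ticket was for HTTP/ms03012.mss.fairplaynet.com@DMTEST.FAIRPLAYNET.COM, so VSJ fell back to a wildcard-KVNO key that could not pass the integrity check. The script below is an added example, not VSJ's or Quest's code: it parses a keytab in the MIT file layout (format version 2, magic bytes 0x05 0x02), replays that three-step lookup for the (principal, enctype, kvno) a log line reports, and names the first step that fails. The keytabs it builds for the two posts use placeholder key bytes, kvno 0 stands in for the "KVNO: -1" wildcard the logs print, and the case-insensitive principal match follows what the log above shows (lower-case ticket SPN matched to the upper-case keytab entry).

```python
"""Added example (not VSJ's or Quest's code): why a keytab cannot decrypt a ticket."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}  # RFC 3961 / RFC 4757 numbers
KEYTAB_MAGIC = b"\x05\x02"  # keytab file format version 2


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # "name[/instance]@REALM"
    kvno: int        # 0 stands in for the wildcard the posts print as "KVNO: -1"
    enctype: int
    key: bytes       # placeholder bytes in this example, never a real key


def _counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries as a version-2 keytab (used here to construct test input)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type NT-PRINCIPAL (1), timestamp, 8-bit vno, keyblock {enctype, key}
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)           # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body  # record length prefix
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 keytab; a negative record length marks a deleted slot."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_counted(data, pos + 11)
        if end - pos >= 4:                          # 32-bit vno present; non-zero wins
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
    return entries


def find_key(entries: List[KeytabEntry], service_principal: str,
             enctype: int, kvno: int) -> Tuple[Optional[KeytabEntry], str]:
    """Replay the acceptor's lookup order and say where the keytab falls short.
    Principal comparison is case-insensitive, as it is for AD SPNs."""
    same_name = [e for e in entries if e.principal.lower() == service_principal.lower()]
    if not same_name:
        return None, ("no keytab entry for %s: the keytab was generated for a different "
                      "principal than the SPN in the ticket" % service_principal)
    same_etype = [e for e in same_name if e.enctype == enctype]
    if not same_etype:
        have = ", ".join(sorted(ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in same_name))
        return None, ("principal matched but the ticket uses %s and the keytab only holds %s"
                      % (ENCTYPE_NAMES.get(enctype, str(enctype)), have))
    for e in same_etype:
        if e.kvno == kvno:
            return e, "exact match"
    wild = [e for e in same_etype if e.kvno == 0]
    if wild:
        return wild[0], ("kvno wildcard match only: if decryption still fails, the account "
                         "password changed after the keytab was generated")
    return None, ("principal and enctype matched but kvno %d is not in the keytab (have %s)"
                  % (kvno, sorted(e.kvno for e in same_etype)))


def demo() -> dict:
    """Replay the two posts against constructed keytabs with placeholder keys."""
    w2k = parse_keytab(build_keytab(
        [KeytabEntry("HTTP/SERVER.EU.XXX.COM@EU.XXX.COM", 0, 3, b"\x01" * 8)]))
    vsj = parse_keytab(build_keytab(
        [KeytabEntry("rootpjqsjsvc@DM.FAIRPLAYNET.COM", 0, 23, b"\x02" * 16)]))
    return {"w2k": find_key(w2k, "HTTP/server.eu.xxx.com@EU.XXX.COM", 23, 2)[1],
            "vsj": find_key(vsj, "HTTP/ms03012.mss.fairplaynet.com@DMTEST.FAIRPLAYNET.COM", 23, 5)[1]}
```

Against a real deployment, read the keytab with `parse_keytab(open(path, "rb").read())` and pass the principal, "Key type" and "KVNO" values from the failing log line to `find_key`. The order of the checks matters: an enctype mismatch (as with the Windows 2000 clients) needs a keytab regenerated with the enctype the KDC is actually issuing, whereas a kvno mismatch needs a keytab regenerated after the latest password change, and neither is fixed by the other.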

vasd won't stop


On a couple of AIX 5.3 servers (running DB2), the vasd daemons cannot be stopped by using "/etc/rc.d/init.d/vasd stop". Instead, I have to "kill" the processes in order for them to stop.

vasd reports "disconnected".  Users are unable to login when vasd is in this state.  The logs show login attempts such as:

May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <succeeded disconnected> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <N/A> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <succeeded disconnected> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <N/A> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <failed passwordless> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <Password is expired.> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <failed passwordless> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <Password is expired.> Access Control Identifier(UPN):<user1@mydomain.com>

However, I know user1's password is not expired since the user can successfully log in to server04 (also AIX and configured identically). Here is some more info from an affected server:

1) Prompt:
$ ssh server05

DISCONNECTED MODE: enter password:
Current password for
user1@mydomain.com:
New password:

2) vastool status
# vastool status

VAS is currently joined to:                      mydomain.com
Join command found in:                           /etc/opt/quest/vas/lastjoin
Verifying timesync with domain controller:       YES
  Time delta: 0 seconds
Are valid VAS licenses installed?                YES
Checking to see if VAS daemon is running:        YES
Checking for valid computer account (SAMNAME)
 SERVER05$@MYDOMAIN.COM                    YES
Checking for valid computer account (SPN)
 host/server05.mydomain.com@MYDOMAIN.COM   YES
Checking to see if VAS is in connected state:    NO
Verifying VAS is configured for name service:    NO
Verifying VAS is configured for auth service:    YES
Verifying VAS configuration file is correct:     YES
Verifying sanity of users allow file:            YES
Verifying sanity of users deny file:             YES
Verifying sanity of group-override file:         YES
Verifying sanity of user-override file:          YES

3) ipc file exists
# ls /var/opt/quest/vas/vasd/.vasd_ipc_sock
/var/opt/quest/vas/vasd/.vasd_ipc_sock


4) host auth works
# /opt/quest/bin/vastool -u host/ auth -S host/
SERVER05$@MYDOMAIN.COM was successfully authenticated to SERVER05$@MYDOMAIN.COM.

Anyone seen this before or have any ideas what might be triggering this condition?

Thanks.
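The pam_vas records in the post carry everything needed to spot this condition from the logs alone: the result field says whether the login was served from cache ("succeeded disconnected") and the reason field carries the "Password is expired." rejection. The script below is an added example, not Quest's or the poster's code. It parses pam_vas syslog records in the layout the post shows, rejoins records that a terminal or mail client wrapped onto a second line (the post's lines break right after "account: <"; the script assumes the wrap inserted only a newline), and lists the hosts that are both authenticating from cache and rejecting users as expired, which is exactly the combination the poster cross-checked against server04. The sample log is constructed: its server05 records copy the post's shape, while the server04 record and its plain "succeeded" result are assumed for contrast.

```python
"""Added example (not Quest's code): triage pam_vas syslog records like those in the post."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# A record starts with the syslog timestamp AIX writes ("May 18 16:49:31").
LINE_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

# Field layout as printed by pam_vas in the post: every value sits between < and >.
PAM_VAS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<facility>\S+) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: pam_vas: Authentication <(?P<result>[^>]*)> "
    r"for <(?P<kind>[^>]*)> user: <(?P<user>[^>]*)> account: <(?P<account>[^>]*)> "
    r"service: <(?P<service>[^>]*)> reason: <(?P<reason>[^>]*)> "
    r"Access Control Identifier\(UPN\):<(?P<upn>[^>]*)>$"
)

# Constructed sample. The server05 records follow the post (the second one is
# wrapped after "account: <" exactly as the post shows); the unrelated sshd line
# and the server04 record with a plain "succeeded" result are assumptions.
SAMPLE_LOG = """\
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <succeeded disconnected> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <N/A> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <failed passwordless> for <Mapped> user: <user1> account: <
user1@mydomain.com> service: <ssh> reason: <Password is expired.> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:32 server05 auth|security:info sshd2[254108]: Connection from 10.0.0.5 port 51512
May 18 16:50:02 server04 auth|security:info sshd2[118806]: pam_vas: Authentication <succeeded> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <N/A> Access Control Identifier(UPN):<user1@mydomain.com>
"""


def unwrap(lines: Iterable[str]) -> List[str]:
    """Rejoin records that were wrapped onto a following physical line.
    A line without a leading syslog timestamp continues the previous record and is
    appended with no separator (assumption: the wrap inserted only a newline)."""
    out: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if LINE_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line
    return out


def parse(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One dict per pam_vas record; other syslog lines are ignored."""
    records = []
    for line in unwrap(lines):
        m = PAM_VAS_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """Per host: logins served from cache (disconnected mode) and
    'Password is expired.' rejections issued on that host."""
    hosts: Dict[str, dict] = defaultdict(
        lambda: {"disconnected_success": 0, "expired_password": 0, "users": set()})
    for r in records:
        h = hosts[r["host"]]
        h["users"].add(r["upn"])
        if r["result"] == "succeeded disconnected":
            h["disconnected_success"] += 1
        if r["result"].startswith("failed") and r["reason"] == "Password is expired.":
            h["expired_password"] += 1
    return dict(hosts)


def suspicious_hosts(summary: Dict[str, dict]) -> List[str]:
    """Hosts that both authenticate from cache and reject users as expired. Those
    rejections were issued while vasd was disconnected from AD, so confirm them on
    a connected host (as the poster did with server04) before resetting passwords."""
    return sorted(h for h, s in summary.items()
                  if s["disconnected_success"] and s["expired_password"])


def triage(text: str) -> Tuple[Dict[str, dict], List[str]]:
    summary = summarize(parse(text.splitlines()))
    return summary, suspicious_hosts(summary)


if __name__ == "__main__":
    summary, flagged = triage(SAMPLE_LOG)
    for host, s in sorted(summary.items()):
        print(host, s["disconnected_success"], s["expired_password"], sorted(s["users"]))
    print("verify on a connected host:", flagged)
```

Run it over the auth facility log of each AIX host (for example the file syslog.conf routes auth.info to) and compare the flagged list with `vastool status`: a host that appears here should also report "Checking to see if VAS is in connected state: NO".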

NTLM SMB issue - Could not get valid NTLM challenge from ........

I'm trying to debug an issue with NTLM fallback; I have the filter configured correctly as per any other deployments.

I'm able to authenticate users correctly using Kerberos, but I have noticed in the logs an issue with NTLM.

This was discovered because of a Java Applet which is posting back to the server, the applet is not using kerberos but NTLM to authenticate the user.

The application server is Tomcat 5, using Quest VSJ "VSJ Standard Edition 3_3 Patch 3548"

From what can be seen within the server logs is that QuestSSO performs a DNS lookup and attempts to connect to all of the GCs which are returned.

Example:
- Starting Coyote HTTP/1.1 on http-80
- JK: ajp13 listening on /0.0.0.0:8009
- Jk running ID=0 time=0/47  config=null
- Host server1.domain.ltd/1.1.1.1:389 appears to be down
- Could not get valid NTLM challenge from server1.domain.ltd/1.1.1.1
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server2.domain.ltd/1.1.1.2:389 appears to be down
- Could not get valid NTLM challenge from server2.domain.ltd/1.1.1.2
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server3.domain.ltd/1.1.1.3:389 appears to be down
...
... etc


I have enabled the debug level and log4j configuration, but this is not showing any errors.

I have used PortQry.exe to scan the AD servers and they are accessible.


What can I do to move forward? Any ideas ?

Invalid AD Groups


All, we have experienced cases where bad or no-longer-valid AD groups are in users.allow; this negates authentication across the board. Version 4.1 QAS. Is this by design? Is there a stanza in vas.conf that can bypass any bad entries?

Thanks,

Scott

QAS and NTLMV2


We're getting ready to switch over to NTLMv2 exclusively in the AD world ... are there any negative implications for a mixed deployment of mostly QAS 4.x with a few 3.x stragglers in the mix?

VAS User Group Membership Issues


Hello everybody,

I have been working on this issue for a while now, and I am having no luck.

I am having an issue with Quest (VAS) authentication and user groups.

I am having an issue where a user can log into a RedHat server with no issues, but they cannot access a specific directory owned by a group (Permission Denied).

As root, I do a vastool flush on the server, and then I "su -" to the user. At that point I can access the directory with no issues.

I do an "id" command, and I see the user is a member of about 11 groups.

Now for the fun part.......

I tell the user it is fixed, and then they LOGIN.

Of course, they can't access the directory. I log into the server and "su -" to the user and sure enough, the user can't access the directory.

I run the "id" command again, and this time the user is showing as a member of a much larger number of groups.

I assume the directory access could be due to the user being a member of too many groups (even though one of the groups is the group they need).

I have tried to flush several times. I have even unjoined/rejoined the server. Still the same behavior ----- I do a flush as root and access is okay until the user logs in.

Then the number of groups the user is a member of increases and access is denied.

I assume that VAS calls the AD information differently during the login process versus root doing a "su -" to the user.

Has anyone seen this issue before?

I've tried about everything, so any help would be appreciated.

Thanks,

Chuck


vasd Refresh Times


What is the default time for vasd to refresh cache locally? V4.1

v4.1 or 4.0.3


I have a quick question. I would like to upgrade our UNIX components to QAS v4.1 from 3.5.2.12. While the company is considering upgrading to 4.1, we are currently at 4.0.3 in AD. If I go ahead and do this upgrade, will there be any issues with AD?

VASD Errors


When running vas_status.sh, I am getting this a lot with version 4.1.20185:

FAILURE: 721 In-consistent access control ALLOW cache

What does this mean and is it fatal?

Would it also be possible to get a doc on the error numbers and their meaning? I understand if this may not be a GA doc...

Thanks, Scott

vastool flush - Loading user cache error


Does anyone have a list of the "Loading users cache" errors?

I did a vastool flush and received the following error:

     Loading users cache: ..... Error while loading user cache: 16

I found some of the other error numbers on Google (12, 14, 22), but I couldn't find 16.

Building mod_auth_vas-3,5,3.308 on AIX v5.3 fails


I am working to build the mod_auth_vas module with IBM's IHS 2.0.47.0 version of Apache.  I am using IBM's C compiler as this is the default of the IHS version.  The configure succeeds, but the link fails with the following.

Making all in .
make[1]: Entering directory `/home/wpz1599/mod_auth_vas-3.5.3.308'
for f in mod_auth_vas.c compat.h; do \
  cmp ./$f ./$f 2>/dev/null || \
    cp ./$f . ; \
done
/apps/IHS/bin/apxs -c -S CC='/usr/vac/bin/xlc_r' \
        -DHAVE_UNIX_SUEXEC -DMODAUTHVAS_DIAGNOSTIC -DMODAUTHVAS_VERBOSE \
        -DMODAUTHVAS_VERSION='\"3.5.3.308\"' \
        -Wc,-g -Wc,+DAportable \
        -Wc,-I/opt/quest/include \
        -Wl,-bexpall \
        -Wl,-bnolibpath -Wl,-blibpath:/opt/quest/lib:/usr/lib:/lib -Wl,-L/opt/quest/lib -Wl,-lvas -Wl,-L/opt/quest/lib/support -Wl,-lgcc_s \
        -o mod_auth_vas.so \
        -n auth_vas \
        mod_auth_vas.c
/apps/IHS/build/libtool --silent --mode=compile /usr/vac/bin/xlc_r -prefer-pic -O2 -qmaxmem=8192  -U__STR__ -D_THREAD_SAFE -D_USE_IRS -qHALT=E -I/apps/IHS/include  -I/apps/IHS/include   -I/apps/IHS/include  -g +DAportable -I/opt/quest/include -DHAVE_UNIX_SUEXEC -DMODAUTHVAS_DIAGNOSTIC -DMODAUTHVAS_VERBOSE -DMODAUTHVAS_VERSION=\"3.5.3.308\"  -c -o mod_auth_vas.lo mod_auth_vas.c && touch mod_auth_vas.slo
/usr/vac/bin/xlc_r: 1501-228 input file +DAportable not found
"mod_auth_vas.c", line 280.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 284.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 288.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 292.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 296.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 300.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 304.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 308.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 312.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 316.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
/apps/IHS/build/libtool --silent --mode=link /usr/vac/bin/xlc_r -o mod_auth_vas.so -g +DAportable -I/opt/quest/include -DHAVE_UNIX_SUEXEC -DMODAUTHVAS_DIAGNOSTIC -DMODAUTHVAS_VERBOSE -DMODAUTHVAS_VERSION=\"3.5.3.308\"  -bexpall -bnolibpath -blibpath:/opt/quest/lib:/usr/lib:/lib -L/opt/quest/lib -lvas -L/opt/quest/lib/support -lgcc_s -rpath /apps/IHS/modules -module -avoid-version  -Wl,-brtl  mod_auth_vas.lo
/usr/vac/bin/xlc_r: 1501-228 input file +DAportable not found
ld: 0711-317 ERROR: Undefined symbol: .main
ld: 0711-317 ERROR: Undefined symbol: .ap_log_perror
ld: 0711-317 ERROR: Undefined symbol: .ap_log_assert
ld: 0711-317 ERROR: Undefined symbol: .apr_sockaddr_info_get
ld: 0711-317 ERROR: Undefined symbol: .ap_log_rerror
ld: 0711-317 ERROR: Undefined symbol: .apr_table_do
ld: 0711-317 ERROR: Undefined symbol: .apr_ipsubnet_create
ld: 0711-317 ERROR: Undefined symbol: .apr_ipsubnet_test
ld: 0711-317 ERROR: Undefined symbol: .apr_thread_mutex_unlock
ld: 0711-317 ERROR: Undefined symbol: .apr_thread_mutex_lock
ld: 0711-317 ERROR: Undefined symbol: .apr_uid_get
ld: 0711-317 ERROR: Undefined symbol: .apr_uid_name_get
ld: 0711-317 ERROR: Undefined symbol: ap_set_flag_slot
ld: 0711-317 ERROR: Undefined symbol: ap_set_string_slot
ld: 0711-317 ERROR: Undefined symbol: .apr_pstrdup
ld: 0711-317 ERROR: Undefined symbol: .apr_psprintf
ld: 0711-317 ERROR: Undefined symbol: .ap_hook_post_config
ld: 0711-317 ERROR: Undefined symbol: .ap_hook_child_init
ld: 0711-317 ERROR: Undefined symbol: .ap_hook_auth_checker
ld: 0711-317 ERROR: Undefined symbol: .ap_hook_check_user_id
ld: 0711-317 ERROR: Undefined symbol: .ap_hook_get_suexec_identity
ld: 0711-317 ERROR: Undefined symbol: .ap_hook_fixups
ld: 0711-317 ERROR: Undefined symbol: .apr_thread_mutex_create
ld: 0711-317 ERROR: Undefined symbol: .ap_log_error
ld: 0711-317 ERROR: Undefined symbol: .ap_add_version_component
ld: 0711-317 ERROR: Undefined symbol: .apr_palloc
ld: 0711-317 ERROR: Undefined symbol: apr_pool_cleanup_null
ld: 0711-317 ERROR: Undefined symbol: .apr_pool_cleanup_register
ld: 0711-317 ERROR: Undefined symbol: .apr_table_setn
ld: 0711-317 ERROR: Undefined symbol: .ap_auth_type
ld: 0711-317 ERROR: Undefined symbol: .ap_requires
ld: 0711-317 ERROR: Undefined symbol: .apr_table_get
ld: 0711-317 ERROR: Undefined symbol: .ap_getword_white
ld: 0711-317 ERROR: Undefined symbol: .apr_base64_decode_len
ld: 0711-317 ERROR: Undefined symbol: .apr_base64_decode
ld: 0711-317 ERROR: Undefined symbol: .apr_table_add
ld: 0711-317 ERROR: Undefined symbol: .apr_pstrmemdup
ld: 0711-317 ERROR: Undefined symbol: .ap_custom_response
ld: 0711-317 ERROR: Undefined symbol: .ap_psignature
ld: 0711-317 ERROR: Undefined symbol: .apr_pstrcat
ld: 0711-317 ERROR: Undefined symbol: .apr_table_set
ld: 0711-317 ERROR: Undefined symbol: .ap_getword_conf
ld: 0711-317 ERROR: Undefined symbol: .apr_table_make
ld: 0711-317 ERROR: Undefined symbol: .ap_set_string_slot
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
apxs:Error: Command failed with rc=524288
.
make[1]: *** [mod_auth_vas.so] Error 1
make[1]: Leaving directory `/home/wpz1599/mod_auth_vas-3.5.3.308'
make: *** [all-recursive] Error 1


I can fix the .apr_ prefixed symbols, but cannot locate the .ap_ prefixed symbols.

Has anyone else encountered this issue?
