Channel: Software Communities : Popular Discussions - All Things Unix
Viewing all 1046 articles

Configuring VSJ for multiple domains for a web/stand-alone Java client.


Background:

We have an existing Kerberos utility (developed using the Sun GSS API) which can be used by either a web application or a standalone Java-based application to accept a service ticket for a specific service, or to delegate GSS credentials to fetch a service ticket for another service.

 

Requirement:

Since our utility was developed using the Sun GSS API, it only works if all the services exist in a single domain, as the Sun GSS API cannot understand the reference tickets generated for cross-domain authentication.

We now plan to develop this utility so that it can communicate with services that exist in multiple domains; for this purpose we are planning to use VSJ. We still want the client (either a web application or a standalone application) to remain the same for this utility.

1. Is there a way to integrate VSJ with the existing Kerberos utility (just by providing the VSJ security provider), so that cross-domain authentication succeeds without changing the existing utility code?

2. If step 1 is not possible, what configuration steps/additional VSJ APIs need to be used to achieve cross-domain functionality? If any specific guide/documentation/pointers are available, please point me to them.

Thanks,
Naga



Use of VSJ behind load balancer

Hi everyone.

What is the correct use of SPN, keytab, idm.princ etc. when using VSJ on a server, where the server is accessed through a load balancer under a different URL?

Example:
URL to app server:
http://machine1.domain.loc/app
URL to application through load balancer:
http://web.appz.loc/app

Is it even possible to achieve SSO for both methods of accessing the application at the same time? Or do I have to change the configuration between use of the load balancer and direct access?

regards
Andreas

Overwritten pam.conf and Sudo users


I had two customer questions:

 

1. The customer reported that in the past, when they apply Sun Solaris O/S patches, sometimes the pam.conf file gets overwritten.

In the case where VAS is installed and an O/S patch overwrites the pam.conf, would it be best to unjoin the Unix server from the domain and then rejoin? Or is there a better workaround if this occurs?

 

2. The question came up during the discussion around VAS and Sudo.

What happens when a user (who has a Sudo command granted to it via VAS) is removed (i.e. deprovisioned)? What happens to the Sudo file?

I checked on my VM image: the RSOP still has my dropped user and the /etc/sudoers file still has the user in the entry. Is it best to remove the user from VAS Sudo and let group policy propagation do the rest? I removed the user from the VAS Sudo and ran ./vgptool apply, and the /etc/sudoers file was updated. Is this the best approach to manage the Sudo privilege for VAS users?

-------------------------------------------------------

1) I think that a simple 'vastool configure pam -g' should do it just fine (the -g adds the get_nonvas_pass option which is needed on Solaris/HP-UX); the join will also do this automatically for you. Also don't forget to add in any extra PAM options which were previously configured.

 

2) If a user who is configured in the sudoers file is removed, sudo should continue to work just fine for everyone else. Another user with the same name could be created, but you'd need admin/root privileges to do that anyway. Personally, I'd use VGP to handle the sudo configuration/removal of the user from sudo, especially if it was on multiple machines. VGP assumes the information that is being configured into the sudo file is correct, since it doesn't know what aliases, etc. may have been set up. VGP does verify that it's a valid entry that won't break sudo.


Expired accounts still show in 'vastool list users-allowed'

Does anyone know how to make it so that VAS doesn't show expired accounts in 'vastool list users-allowed'? I know that the user can't log on even though it shows up there, but it causes a problem for audits.

Thanks!

FATAL ERROR: Server unexpectedly closed network connection in using Plink

Hi,

Could anyone please let me know why this error is occurring randomly while using Plink? Some days it works fine and then suddenly it stops working with this error message.

FATAL ERROR: Server unexpectedly closed network connection

I am using the command below:

"C:\Program Files\PuTTY\plink.exe" -load MyProfile -ssh -x -a -t -l userID HostName Command

Thanks,
Megha





FAILURE: 608 Pam not configured for VAS

Hi,

We managed to integrate RHEL5's Samba with Q|VAS on a server, and "all" was good; however, last Thursday (Dec 3, 2009) errors were logged in /var/log/messages, please see the errors below. Has anyone seen this problem?

Thanks for your help/comments.

Linux podcast.dom.tld 2.6.18-92.1.13.el5 #1 SMP Thu Sep 4 03:51:21 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

# ./vas_status.sh
Host:   <Linux x86_64>
Date:   <Tue Dec  8 10:53:10 EST 2009>
VAS:    <3.3.2.101>
Domain: <ad.dom.tld>
FAILURE: 608 Pam <system-auth-ac><auth> not configured for VAS.
FAILURE: 608 Pam <system-auth-ac><password> not configured for VAS.
FAILURE: 608 Pam <system-auth-ac><session> not configured for VAS.
FAILURE: 608 Pam <vmware-guestd><account> not configured for VAS.
FAILURE: 608 Pam <vmware-guestd><auth> not configured for VAS.
Result: <Test(s) failed> (45 seconds)

SAMBA version: 3.0.33-3.7.el5

/var/log/messages:
--------------------
Dec  3 10:16:09 podcast vasd[31522]: Failed to change the host password, err = VAS_ERR_FAILURE: Unspecified failure    Caused by:    SYSERR-11: Resource temporarily unavailable
Dec  3 10:16:46 podcast vasd[31522]: Failed to change the host password, err = VAS_ERR_FAILURE: Unspecified failure    Caused by:    SYSERR-11: Resource temporarily unavailable
[...]
Dec  3 10:23:29 podcast vasd[31522]: Failed to change the host password, err = VAS_ERR_FAILURE: Unspecified failure    Caused by:    SYSERR-11: Resource temporarily unavailable
Dec  3 10:24:06 podcast vasd[31522]: Failed to change the host password, err = VAS_ERR_FAILURE: Unspecified failure    Caused by:    SYSERR-11: Resource temporarily unavailable
Dec  3 10:25:19 podcast last message repeated 2 times
[...]
Dec  4 00:42:13 podcast vasd[31522]: Failed to change the host password, err = VAS_ERR_FAILURE: Unspecified failure    Caused by:    SYSERR-11: Resource temporarily unavailable
Dec  4 00:42:50 podcast vasd[31522]: Failed to change the host password, err = VAS_ERR_FAILURE: Unspecified failure    Caused by:    SYSERR-11: Resource temporarily unavailable
[...]
Dec  8 10:45:41 podcast vasd[31522]: Failed to change the host password, err = VAS_ERR_FAILURE: Unspecified failure    Caused by:    SYSERR-11: Resource temporarily unavailable
Dec  8 10:46:18 podcast vasd[31522]: Failed to change the host password, err = VAS_ERR_FAILURE: Unspecified failure    Caused by:    SYSERR-11: Resource temporarily unavailable
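The pam.conf answer earlier on this page ('vastool configure pam -g' re-adds the VAS entries after a patch) and the FAILURE: 608 lines in this post come down to one check: does every PAM service/type stack still reach a pam_vas module? The script below is an added example, not Quest's vas_status.sh or vastool code. It parses Linux /etc/pam.d-style files (following include/substack lines) and Solaris-style pam.conf lines, and lists the service/type pairs with no pam_vas*.so entry in the same FAILURE: 608 format. The configurations are constructed; the pam_vas3.so module name is assumed for a VAS 3.x install, and get_nonvas_pass is the option the answer above mentions.

```python
"""Report PAM service/type pairs that do not go through a pam_vas module.

Added example (not Quest's vas_status.sh or vastool code). Understands
Linux /etc/pam.d/<service> files, including `include`/`substack`
delegation, and Solaris/HP-UX single-file pam.conf lines.
"""
import re
from collections import defaultdict

PAM_TYPES = ("auth", "account", "password", "session")
# pam_vas3.so, pam_vas4.so, ... (module name assumed from a VAS 3.x install)
VAS_MODULE_RE = re.compile(r"pam_vas\w*\.so")


def parse_pam_d(files):
    """files: {service: file text} -> {service: {type: [(kind, target), ...]}}
    kind is "module" (target = module file) or "include" (target = service)."""
    rules = defaultdict(lambda: defaultdict(list))
    for service, text in files.items():
        for raw in text.splitlines():
            parts = raw.split("#", 1)[0].split()
            if len(parts) < 3:
                continue
            ptype = parts[0].lstrip("-").lower()          # "-session" = optional
            if ptype not in PAM_TYPES:
                continue
            control, target = parts[1].lower(), parts[2]
            kind = "include" if control in ("include", "substack") else "module"
            rules[service][ptype].append((kind, target))
    return rules


def parse_pam_conf(text):
    """Solaris-style pam.conf: `service type control module [options]`."""
    per_service = defaultdict(list)
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            per_service[parts[0]].append(parts[1])
    return parse_pam_d({s: "\n".join(lines) for s, lines in per_service.items()})


def uses_vas(rules, service, ptype, seen=None):
    """True when the (service, type) stack reaches a pam_vas module, following
    include/substack lines and guarding against include loops."""
    seen = set() if seen is None else seen
    if (service, ptype) in seen:
        return False
    seen.add((service, ptype))
    for kind, target in rules.get(service, {}).get(ptype, []):
        if kind == "module" and VAS_MODULE_RE.search(target):
            return True
        if kind == "include" and uses_vas(rules, target, ptype, seen):
            return True
    return False


def missing_vas(rules):
    """One FAILURE line per configured service/type pair without pam_vas."""
    findings = []
    for service in sorted(rules):
        for ptype in PAM_TYPES:
            if rules[service].get(ptype) and not uses_vas(rules, service, ptype):
                findings.append(f"FAILURE: 608 Pam <{service}><{ptype}> not configured for VAS.")
    return findings


# Constructed RHEL5-style sample: only the account type of system-auth-ac still
# carries pam_vas3.so (as if a patch rewrote the file), sshd delegates to it,
# and vmware-guestd was never configured for VAS.
SAMPLE_PAM_D = {
    "system-auth-ac": """
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     sufficient    pam_vas3.so
account     required      pam_unix.so
password    sufficient    pam_unix.so md5 shadow nullok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
""",
    "sshd": """
auth       include      system-auth-ac
account    include      system-auth-ac
password   include      system-auth-ac
session    include      system-auth-ac
session    required     pam_loginuid.so
""",
    "vmware-guestd": """
auth       required     pam_unix.so
account    required     pam_unix.so
""",
}

# Constructed Solaris-style sample: login auth carries pam_vas3.so with the
# get_nonvas_pass option mentioned in the answer above; other auth does not.
SAMPLE_PAM_CONF = """
login   auth    requisite   pam_authtok_get.so.1
login   auth    required    pam_vas3.so get_nonvas_pass
login   auth    sufficient  pam_unix_auth.so.1
other   auth    requisite   pam_authtok_get.so.1
other   auth    required    pam_unix_auth.so.1
other   account required    pam_vas3.so
other   account required    pam_unix_account.so.1
"""

if __name__ == "__main__":
    for line in missing_vas(parse_pam_d(SAMPLE_PAM_D)) + missing_vas(parse_pam_conf(SAMPLE_PAM_CONF)):
        print(line)
```

Because sshd includes system-auth-ac, the checker reports the sshd stacks as broken too, which is what a login failure after a patch looks like in practice; comparing this output before and after a patch run (or after 'vastool configure pam') shows exactly which stacks were rewritten.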

QAS uidnumber generation


We use ActiveRoles and Authentication Services to administer UNIX user attributes, and our UNIX admins are having trouble with uidnumber re-use. For example, a uidnumber assigned to a previous user who is no longer in AD is being reassigned to a new user. Apparently this reuse is occurring fairly soon after the previous user has left.

 

Our original uidnumber space was imported from a separately managed UNIX environment, where the uidnumbers had previously been assigned. QAS was not used to generate these original uidnumbers. Within QAS we have the minimum uidnumber set to 1000 and the max to 64000.

 

How do the different methods of generating a unique ID work? Are they always starting at the minimum value and working up to find an available uidnumber to assign to a new user? Can it be configured to start at the last assigned uidnumber and work up, until it gets to the max possible uidnumber before starting again at the minimum value?
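The two allocation behaviours the question contrasts, lowest-free-from-the-minimum versus continue-from-the-last-assigned-and-wrap, are easy to see side by side. The code below is an added illustration, not QAS's allocation logic; it uses the 1000..64000 range from the post and a constructed set of in-use numbers. It also adds a "retired" set as the mitigation side: whoever receives a departed user's uidNumber inherits ownership of every file that uid left on disk, so holding the number out of circulation (or re-owning the files first) is what removes the risk regardless of strategy.

```python
"""Two uidNumber allocation strategies and why one re-uses IDs quickly.

Added illustration of the question above, not QAS's allocation code. The
1000..64000 range is the one the post gives; directory contents are
constructed.
"""
UID_MIN, UID_MAX = 1000, 64000


def first_free(in_use, retired=frozenset(), uid_min=UID_MIN, uid_max=UID_MAX):
    """Lowest unused uidNumber in the range. A departed user's number is free
    again the moment the account is gone, so it goes to the very next new user
    unless it is held back in `retired`."""
    blocked = set(in_use) | set(retired)
    for uid in range(uid_min, uid_max + 1):
        if uid not in blocked:
            return uid
    raise RuntimeError("uidNumber range exhausted")


def next_after_last(in_use, last_assigned, retired=frozenset(),
                    uid_min=UID_MIN, uid_max=UID_MAX):
    """Continue upward from the last assigned number and wrap to uid_min only
    once uid_max is reached, so a freed number is not re-issued until the
    whole range has been cycled through."""
    blocked = set(in_use) | set(retired)
    span = uid_max - uid_min + 1
    start = last_assigned + 1 if uid_min <= last_assigned < uid_max else uid_min
    for offset in range(span):
        uid = uid_min + (start - uid_min + offset) % span
        if uid not in blocked:
            return uid
    raise RuntimeError("uidNumber range exhausted")


class Directory:
    """Stand-in for the uidNumber attributes held in AD."""

    def __init__(self, uids, strategy):
        self.uids = set(uids)
        self.strategy = strategy
        self.retired = set()        # numbers of deprovisioned users, kept out of circulation
        self.last_assigned = max(self.uids) if self.uids else UID_MIN - 1

    def add_user(self):
        if self.strategy == "first_free":
            uid = first_free(self.uids, self.retired)
        else:
            uid = next_after_last(self.uids, self.last_assigned, self.retired)
        self.uids.add(uid)
        self.last_assigned = uid
        return uid

    def remove_user(self, uid, keep_retired=False):
        """Deprovision a user. With keep_retired the number stays blocked, so no
        newcomer can inherit ownership of files the old uid left on disk."""
        self.uids.discard(uid)
        if keep_retired:
            self.retired.add(uid)


def reuse_demo(strategy, keep_retired=False):
    """User with uidNumber 1500 leaves; which number does the next hire get?"""
    directory = Directory(range(1000, 2000), strategy)   # constructed: 1000..1999 in use
    directory.remove_user(1500, keep_retired)
    return directory.add_user()


if __name__ == "__main__":
    print("first_free:           ", reuse_demo("first_free"))          # 1500
    print("first_free + retired: ", reuse_demo("first_free", True))    # 2000
    print("next_after_last:      ", reuse_demo("next_after_last"))     # 2000
```

Note that next_after_last only delays reuse: once the range has wrapped, a retired number comes back unless it is in the retired set, so the set (or a file-ownership sweep at deprovisioning time) is the durable control.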

VSJ could not authorize the request


When deploying the code to the test environment, the application fails with the following error. I am not too sure what else needs to be changed in the configuration to make it work.

The code works fine on the development environment.

 

2014-01-09 09:41:08 DEBUG [CommonsSsoLogger - debug] - Session ID: b6a4c82bc71daace11bd88205a4a86ccc2fed8098f462d51039ba3ac3423d331
    Request: /rootpj/login-action.vsj
    Remote: 101.203.67.93
    Principal: rootpjqsjsvc@DM.FAIRPLAYNET.COM
    Message: Method = GET, doAuthentication = true, isUnsolicited = false
2014-01-09 09:41:08 DEBUG [CommonsSsoLogger - debug] - Session ID: b6a4c82bc71daace11bd88205a4a86ccc2fed8098f462d51039ba3ac3423d331
    Request: /rootpj/login-action.vsj
    Remote: 101.203.67.93
    Principal: rootpjqsjsvc@DM.FAIRPLAYNET.COM
    Message: Attempting to negotiate using SPNEGO
2014-01-09 09:41:08 DEBUG [CommonsLogWrapper - debug] - GSS: Acceptor supports: KRB5
2014-01-09 09:41:08 DEBUG [CommonsLogWrapper - debug] - Ticket service name is: HTTP/ms03012.mss.fairplaynet.com@DMTEST.FAIRPLAYNET.COM
2014-01-09 09:41:08 DEBUG [CommonsLogWrapper - debug] - GSS name is: rootpjqsjsvc@DM.FAIRPLAYNET.COM
2014-01-09 09:41:08 DEBUG [CommonsLogWrapper - debug] - Using keytab entry for: rootpjqsjsvc@DM.FAIRPLAYNET.COM
2014-01-09 09:41:08 DEBUG [CommonsLogWrapper - debug] - ** decrypting ticket .. **
  with key
  Principal: rootpjqsjsvc@DM.FAIRPLAYNET.COM
  Type: 1
  TimeStamp: Thu Jan 09 09:40:55 EST 2014
  KVNO: -1
  Key: [23,  af 97 1a 61 10 f9 44 f8 10 7e eb cc 92 6f fd 99 ]
2014-01-09 09:41:08 DEBUG [CommonsLogWrapper - debug] - Could not decrypt service ticket with Key type 23, KVNO 5, Principal "HTTP/ms03012.mss.fairplaynet.com@DMTEST.FAIRPLAYNET.COM" using key:
Principal: [1] rootpjqsjsvc@DM.FAIRPLAYNET.COM
  TimeStamp: Thu Jan 09 09:40:55 EST 2014
  KVNO: -1
  EncType: 23
  Key: 16 bytes, fingerprint = [c2 e6 1 d 13 13 1a ec 3e 83 3c 41 63 c7 9f f8]
Exception for this key was:  com.dstc.security.kerberos.CryptoException: Integrity check failure[Note:  principal names are different;  this may or may not be a problem]
[Note:  KVNO used wildcard match, not exact match;  perhaps the password used to generate this key is not the most recent password?]
com.dstc.security.kerberos.CryptoException: Integrity check failure
    at com.dstc.security.kerberos.RC4KerberosCipher.decrypt(RC4KerberosCipher.java:107)
    at com.dstc.security.kerberos.TicketImpl.decrypt(TicketImpl.java:113)
    at com.dstc.security.kerberos.Kerberos.decryptTicket(Kerberos.java:1566)
    at com.dstc.security.kerberos.gssapi.ServerHandShaker.decryptU2STicket(ServerHandShaker.java:462)
    at com.dstc.security.kerberos.gssapi.ServerHandShaker.authenticateClient(ServerHandShaker.java:241)
    at com.dstc.security.kerberos.gssapi.ServerHandShaker.handle(ServerHandShaker.java:186)
    at com.dstc.security.kerberos.gssapi.GSSContext.acceptSecContext(GSSContext.java:349)
    at com.dstc.security.kerberos.gssapi.GSSContext.acceptSecContext(GSSContext.java:323)
    at com.wedgetail.idm.spnego.server.SpnegoServer.handle(SpnegoServer.java:158)
    at com.wedgetail.idm.sso.AbstractAuthenticator.processSpnego(AbstractAuthenticator.java:1794)
    at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:231)
    at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1444)
    at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthenticationOnly(AbstractAuthenticator.java:1330)
    at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:1139)
    at com.fairplaynet.rootpj.questAuth.SsoAndFormsAuthFilter.processLoginAction(SsoAndFormsAuthFilter.java:102)
    at com.fairplaynet.rootpj.questAuth.FormsAuthFilter.filter(FormsAuthFilter.java:337)
    at com.fairplaynet.rootpj.questAuth.FormsAuthFilter.doFilter(FormsAuthFilter.java:309)
    at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:644)
    at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:391)
    at com.evermind.server.http.HttpRequestHandler.handleNotFound(HttpRequestHandler.java:1087)
    at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:948)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:458)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:313)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:199)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
2014-01-09 09:41:08 ERROR [CommonsSsoLogger - error] - Provider protocol error: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 5, Principal "HTTP/ms03012.mss.fairplaynet.com@DMTEST.FAIRPLAYNET.COM" using key:
Principal: [1] rootpjqsjsvc@DM.FAIRPLAYNET.COM
  TimeStamp: Thu Jan 09 09:40:55 EST 2014
  KVNO: -1
  EncType: 23
  Key: 16 bytes, fingerprint = [c2 e6 1 d 13 13 1a ec 3e 83 3c 41 63 c7 9f f8]
Exception for this key was:  com.dstc.security.kerberos.CryptoException: Integrity check failure[Note:  principal names are different;  this may or may not be a problem]
[Note:  KVNO used wildcard match, not exact match;  perhaps the password used to generate this key is not the most recent password?]
)
2014-01-09 09:41:08 ERROR [CommonsSsoLogger - error] - Session ID: b6a4c82bc71daace11bd88205a4a86ccc2fed8098f462d51039ba3ac3423d331
    Request: /rootpj/login-action.vsj
    Remote: 101.203.67.93
    Principal: rootpjqsjsvc@DM.FAIRPLAYNET.COM
    Message: Could not authorize request: com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 5, Principal "HTTP/ms03012.mss.fairplaynet.com@DMTEST.FAIRPLAYNET.COM" using key:
Principal: [1] rootpjqsjsvc@DM.FAIRPLAYNET.COM
  TimeStamp: Thu Jan 09 09:40:55 EST 2014
  KVNO: -1
  EncType: 23
  Key: 16 bytes, fingerprint = [c2 e6 1 d 13 13 1a ec 3e 83 3c 41 63 c7 9f f8]
Exception for this key was:  com.dstc.security.kerberos.CryptoException: Integrity check failure[Note:  principal names are different;  this may or may not be a problem]
[Note:  KVNO used wildcard match, not exact match;  perhaps the password used to generate this key is not the most recent password?]
)


VAS GSSAPI Error 851968 (gss_init_sec_context)

We are getting the major error code 851968 (and minor code 0) while using the GSS API flavor of the VAS APIs on Linux x64.

Our Linux machine has VAS installed (including vasdev) and is joined to our AD domain. We are able to compile and execute the two samples provided with the SDK successfully and are now trying to get the GSS API style token from the VAS APIs. The sequence of calls leading to init security context is as follows:

vas_ctx_alloc
vas_id_alloc
vas_id_establish_cred_password
vas_gss_initialize
vas_gss_acquire_cred
gss_import_name
gss_init_sec_context

Is there something we're missing?
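A GSS-API major status is a packed value rather than a single error number, so a raw 851968 is more readable once it is split into its fields. The decoder below is an added example, not part of the VAS SDK; the field offsets, masks and code names are the ones RFC 2744 defines, and 851968 is simply 13 << 16, which is GSS_S_FAILURE with no calling error and no supplementary bits. A minor status of 0 alongside it means the mechanism attached no detail of its own, so the useful place to look is the return codes of the calls made before gss_init_sec_context (the vas_gss_acquire_cred and gss_import_name calls in the sequence above).

```python
"""Decode a GSS-API major status value into its RFC 2744 fields.

Added example, not part of the VAS SDK. Offsets, masks and code numbers
are those of RFC 2744 section 3.9.1; the 851968 quoted above is 13 << 16,
i.e. GSS_S_FAILURE with no calling error and no supplementary bits.
"""
CALLING_ERROR_OFFSET = 24
ROUTINE_ERROR_OFFSET = 16
ERROR_FIELD_MASK = 0xFF
SUPPLEMENTARY_MASK = 0xFFFF

CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_MIC",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
SUPPLEMENTARY_BITS = {
    1 << 0: "GSS_S_CONTINUE_NEEDED", 1 << 1: "GSS_S_DUPLICATE_TOKEN",
    1 << 2: "GSS_S_OLD_TOKEN", 1 << 3: "GSS_S_UNSEQ_TOKEN", 1 << 4: "GSS_S_GAP_TOKEN",
}


def decode_major_status(major):
    """Split a major status into its calling error, routine error and
    supplementary bits (the GSS_CALLING_ERROR / GSS_ROUTINE_ERROR /
    GSS_SUPPLEMENTARY_INFO macros)."""
    calling = (major >> CALLING_ERROR_OFFSET) & ERROR_FIELD_MASK
    routine = (major >> ROUTINE_ERROR_OFFSET) & ERROR_FIELD_MASK
    supplementary = major & SUPPLEMENTARY_MASK
    return {
        "calling_error": CALLING_ERRORS.get(calling, f"unknown({calling})") if calling else None,
        "routine_error": ROUTINE_ERRORS.get(routine, f"unknown({routine})") if routine else None,
        "supplementary": [name for bit, name in SUPPLEMENTARY_BITS.items() if supplementary & bit],
    }


def is_error(major):
    """Same test as the GSS_ERROR() macro: any calling or routine error set.
    GSS_S_CONTINUE_NEEDED alone is not an error; the caller must keep looping."""
    return bool(major & ((ERROR_FIELD_MASK << CALLING_ERROR_OFFSET)
                         | (ERROR_FIELD_MASK << ROUTINE_ERROR_OFFSET)))


def describe(major, minor=0):
    """One-line summary to log next to the raw numbers."""
    fields = decode_major_status(major)
    names = [n for n in (fields["calling_error"], fields["routine_error"]) if n]
    text = ", ".join(names + fields["supplementary"]) or "GSS_S_COMPLETE"
    if fields["routine_error"] == "GSS_S_FAILURE" and minor == 0:
        text += (" (minor 0: the mechanism supplied no detail; check the return codes of "
                 "the preceding vas_gss_acquire_cred and gss_import_name calls)")
    return f"major 0x{major:08x} = {text}"


if __name__ == "__main__":
    print(describe(851968, 0))
```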

override file not overriding

I am trying to place an override file on one system for the group admin but when I log in I am still given the default home & shell.

vas.conf:

[vasd]
timesync-interval = 0
workstation-mode = false
# Override mode options
user-override-file = /etc/opt/quest/uimw/user-override
override-check-interval = 20
#user-override-dir = /etc/opt/quest/uimw

From the override file:

admin:::::/home/SSH.home:/bin/bash
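The override line above has the seven-field passwd layout, name:password:uid:gid:gecos:home:shell, with only the home and shell fields filled in. The following is an added example, not Quest's override parser, and it rests on one assumption stated in the code: a line is keyed by the user name in its first field, and an empty field leaves the directory value untouched. Under that format a line starting "admin" is applied to the user named admin; whatever syntax VAS uses for group-based overrides is not modelled here. The directory entries are constructed; the override line is the one from the post.

```python
"""Apply VAS user-override lines to passwd-style entries.

Added example, not Quest's parser. Assumed format (the post shows one
line of it): seven colon-separated passwd fields
name:password:uid:gid:gecos:home:shell, keyed by the name in the first
field, where an empty field leaves the directory value unchanged.
"""
FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_override_file(text):
    """Return {name: {field: value}} for every non-comment line; a line with
    the wrong number of fields is rejected rather than silently skipped."""
    overrides = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        overrides[parts[0]] = dict(zip(FIELDS, parts))
    return overrides


def apply_override(entry, overrides):
    """Merge the override for entry["name"], if any, into a copy of the entry."""
    override = overrides.get(entry["name"])
    merged = dict(entry)
    if override:
        for field in FIELDS[1:]:
            if override[field]:            # empty field = keep directory value
                merged[field] = override[field]
    return merged


OVERRIDE_FILE = "admin:::::/home/SSH.home:/bin/bash\n"   # the line from the post

# Constructed directory entries as an NSS lookup would return them.
AD_ENTRIES = [
    {"name": "admin", "password": "x", "uid": "1001", "gid": "1001",
     "gecos": "Admin User", "home": "/home/admin", "shell": "/bin/sh"},
    {"name": "alice", "password": "x", "uid": "1002", "gid": "1001",
     "gecos": "Alice", "home": "/home/alice", "shell": "/bin/sh"},
]


def resolved_entries(override_text=OVERRIDE_FILE, entries=AD_ENTRIES):
    overrides = parse_override_file(override_text)
    return [apply_override(e, overrides) for e in entries]


if __name__ == "__main__":
    for e in resolved_entries():
        print(":".join(e[f] for f in FIELDS))
```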

Samba errors with Win2008 R2

Hi,

Using RHEL 5.2 64-bit, VAS 3.3.2-142+Samba 3.0.33-3.7.el5; Win 2008 R2. Can you help me?

# vastool status

VAS is currently joined to:                      localdom.com
Join command found in:                           /etc/opt/quest/vas/lastjoin
Verifying timesync with domain controller:       YES
  Time delta: 0 seconds
Are valid VAS licenses installed?                YES
Checking to see if VAS daemon is running:        YES
Checking for valid computer account (SAMNAME)
  PODCAST1$@LOCALDOM.COM                     YES
Checking for valid computer account (SPN)
  host/podcast1.localdom.com@LOCALDOM.COM       YES
Checking to see if VAS is in connected state:    YES
Verifying VAS is configured for name service:    YES
Verifying VAS is configured for auth service:    YES
Verifying VAS configuration file is correct:     YES
Verifying sanity of users allow file:            YES
Verifying sanity of users deny file:             YES
Verifying sanity of group-override file:         YES
Verifying sanity of user-override file:          YES

Samba log:

[2009/12/08 11:33:53, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from remote machine DC03.localdom.com pipe \NETLOGON fnum 0x4001!
[2009/12/08 11:37:57, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0x4001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/08 11:42:57, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0x4001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/08 11:52:57, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0x4001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[...]
[2009/12/11 14:09:54, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 14:19:54, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 14:29:54, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 14:40:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 14:50:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:00:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:10:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:20:23, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:25:26, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC01.localdom.com pipe \NETLOGON fnum 0xc00freturned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:28:41, 0] rpc_client/cli_pipe.c:cli_pipe_verify_schannel(354)
  cli_pipe_verify_schannel: auth_len 56.
[2009/12/11 15:38:42, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001!
[2009/12/11 15:48:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 15:58:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 16:08:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 16:18:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
[2009/12/11 16:28:42, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790)
  rpc_api_pipe: Remote machine DC03.localdom.com pipe \NETLOGON fnum 0xc001returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED


Thank you.

QAS - Using Environment variable in GPO users.allow configuration

Hi,
We have QAS 3.5. I'm planning on using macros to control access to Unix systems using Windows groups. This method is described in http://vintela.inside.quest.com/servlet/KbServlet/download/1354-102-1792/Group_Policy_with_VAS.pdf and in the screencast at http://screencast.com/t/d2PUs2R2

I'm seeing that the Unix host does not pick up the setting after the group policy is set (even after days). The Hostname-access group does not show up in the local users.allow file. Even after restarting vasd, the users.allow file isn't updated.

The file is updated only after the GPO update command (vgptool apply) is run. Is this normal behavior or am I missing something?

Thanks
Mano Mathan

quest-openssh.5.2.1.13


Hello Quest support,

I've downloaded the latest version (5.2.1.13) of Quest OpenSSH for AIX 5.3, available at:

http://rc.quest.com/topics/openssh/

After installing it on AIX 6.1 I cannot start the ssh daemon. It keeps failing and generating the following message in the AIX error log:

---------------------------------------------------------------------------
LABEL:          SRC_SVKO
IDENTIFIER:     BC3BE5A3

Date/Time:       Tue Feb  1 09:27:41 CUT 2011
Sequence Number: 12988
Machine Id:      00C8CFA44C00
Node Id:         ddasy040
Class:           S
Type:            PERM
WPAR:            Global
Resource Name:   SRC

Description
SOFTWARE PROGRAM ERROR

Probable Causes
APPLICATION PROGRAM

Failure Causes
SOFTWARE PROGRAM

        Recommended Actions
        MANUALLY RESTART SUBSYSTEM IF NEEDED

Detail Data
SYMPTOM CODE
       65280
SOFTWARE ERROR CODE
       -9017
ERROR CODE
           0
DETECTING MODULE
'srchevn.c'@line:'376'
FAILING MODULE
sshd-quest
---------------------------------------------------------------------------

 

The version of AIX that I'm using is:

$ oslevel -s
6100-05-03-1036

 

Any advice?

NTLM SMB issue - Could not get valid NTLM challenge from ........

I'm trying to debug an issue with NTLM fallback. I have the filter configured correctly, as per any other deployment.

I'm able to authenticate users correctly using Kerberos, but I have noticed an issue with NTLM in the logs.

This was discovered because of a Java applet which is posting back to the server; the applet is not using Kerberos but NTLM to authenticate the user.

The application server is Tomcat 5, using Quest VSJ "VSJ Standard Edition 3_3 Patch 3548".

From what can be seen in the server logs, QuestSSO performs a DNS lookup and attempts to connect to all of the GCs which are returned.

Example:
- Starting Coyote HTTP/1.1 on http-80
- JK: ajp13 listening on /0.0.0.0:8009
- Jk running ID=0 time=0/47  config=null
- Host server1.domain.ltd/1.1.1.1:389 appears to be down
- Could not get valid NTLM challenge from server1.domain.ltd/1.1.1.1
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server2.domain.ltd/1.1.1.2:389 appears to be down
- Could not get valid NTLM challenge from server2.domain.ltd/1.1.1.2
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server3.domain.ltd/1.1.1.3:389 appears to be down
...
... etc


I have enabled the debug level and log4j configuration, but this is not showing any errors.

I have used PortQry.exe to scan the AD servers and they are accessible.

What can I do to move forward? Any ideas?

problem of vastool user checklogin


Hi experts!

I am a newbie to VAS.

After installing VAS 3.5 on both the server (Windows Server 2003) and the client (Red Hat 5.2) according to the manual, I failed to log in to the Linux client using a Unix-enabled domain user: test

I tried running some troubleshooting commands and got the information below:

[root@redhat-head ~]# /opt/quest/bin/vastool user checklogin test
WARNING: NSS lookup (getpwnam) for user test failed, this will almost
certainly mean that you will be unable to log in with a username of test.
This should be fixed before worrying about any other failures.
## I checked /etc/nsswitch.conf and found everything is OK.

[root@redhat-head ~]# /opt/quest/bin/vastool nss getpwnam test
ERROR: Could not look up user for name: test, error = 2.

[root@redhat-head ~]# /opt/quest/bin/vastool info domain
test.com

[root@redhat-head ~]#/opt/quest/bin/vastool -u host/ attrs test uidnumber gidnumber unixhomedirectory loginshell userprincipalname DistinguishedName
distinguishedName: CN=test,OU=Unix,DC=pera-test,DC=com
userPrincipalName: test@test.com
uidNumber: 1000
gidNumber: 1000
unixHomeDirectory: /home/test
loginShell: /bin/bash

I can't find where the problem is.

Any advice?

Thanks in advance!



Problems with Samba after changing Root Password - Please Help

I have an installation of VAS that is running on Red Hat EL 4.0. The VAS portion is working OK, without any problems so far.

I also have the Vintela version of Samba running on the system (version 3.0.23c-Quest-154). The root password on the server was changed in February, and since the change I have been receiving the following error from Winbind:

[2007/03/21 09:31:30, 0] /data/rc/u/davidl/samba/samba/source/libads/kerberos.c:ads_kinit_password(208)
kerberos_kinit_password STORM$@CAMPUS.MCGILL.CA failed: Preauthentication failed
[2007/03/21 09:31:30, 0] /data/rc/u/davidl/samba/samba/source/libads/kerberos.c:ads_kinit_password(208)
kerberos_kinit_password STORM$@CAMPUS.MCGILL.CA failed: Preauthentication failed
[2007/03/21 09:31:30, 0] /data/rc/u/davidl/samba/samba/source/utils/net_ads.c:ads_startup(281)
ads_connect: Preauthentication failed

I have run the following commands to troubleshoot this, trying to figure out why it stopped working after I changed the password:

/opt/quest/bin/net ads testjoin --> produces the above results

/opt/quest/bin/net rpc testjoin --> Unable to find a suitable server
Join to domain 'CAMPUS' is not valid

I ran this command to make sure that the passwords were in sync: vastool -u host/ passwd -r | net -f -i changesecretpw

I am not seeing any errors in my smb.conf file, so I am at a loss as to what to do.

Intermittent NTLM 403 Error

Typically, we see
HTTP Status 403 - This server does not allow NTLM, but the client attempted NTLM anyway.
as a client configuration issue. However, the client can successfully connect most of the time and sees this only intermittently.

Ideas?

Stuck with kerberos authentication to Sharepoint

I have to connect to an MS IIS server using a SPNEGO token with a Kerberos ticket inside, exactly as Internet Explorer does it.

If I use Java GSSManager.initiateContext(), it requests tickets with incorrect KDCOptions, dates and some other params I cannot control.

I tried the com.dstc.security lib, and was able to get tickets exactly like Internet Explorer with a couple of lines:

prepare required KDCOptions;
Credential tgt = kerberos.requestTicketGrantingTicket(new KerberosPassword(password.getBytes()), kdo, new Date(), d, new InetAddress[] {InetAddress.getByName("somename")}, null);
Credential srvt = kerberos.requestServiceTicket(TGT, new PrincipalName(2, "HTTP/server.domain.net"), REALM, kdo);

But how can I use these credentials or tickets to create a SPNEGO token, the same as I can get with GSSManager.initiateContext()?
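What sits between a service ticket and the "Authorization: Negotiate" header is two layers of DER framing: the Kerberos GSS mech token (RFC 4121: a GSS initial-context-token carrying TOK_ID 01 00 and the AP-REQ) and the SPNEGO NegTokenInit (RFC 4178) that names the mechanism list and carries that token. The code below is an added example, not the com.dstc.security or GSSManager code from the post; it builds and re-parses exactly that framing. The AP-REQ itself, which needs an Authenticator encrypted under the ticket's session key, must come from the Kerberos library, so here it is passed in as an opaque byte string and the value used is a constructed placeholder. Internet Explorer lists the Microsoft Kerberos OID 1.2.840.48018.1.2.2 ahead of the standard one; the example defaults to the standard OID alone.

```python
"""SPNEGO NegTokenInit framing around a Kerberos AP-REQ (added example, not
the post's Java code). Only the DER framing of RFC 2743, RFC 4121 and
RFC 4178 is done here; the AP-REQ bytes are a constructed placeholder."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                       # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def gss_initial_token(mech_oid, inner):
    """RFC 2743 3.1: [APPLICATION 0] { thisMech OID, innerContextToken }."""
    return tlv(0x60, der_oid(mech_oid) + inner)

def krb5_mech_token(ap_req_der):
    """RFC 4121 4.1: TOK_ID 01 00 followed by the AP-REQ."""
    return gss_initial_token(KRB5_OID, b"\x01\x00" + ap_req_der)

def spnego_neg_token_init(mech_token, mech_oids=(KRB5_OID,)):
    """RFC 4178 NegTokenInit { mechTypes [0], mechToken [2] }; the mechToken
    must belong to the first OID listed in mech_oids."""
    mech_types = tlv(0x30, b"".join(der_oid(o) for o in mech_oids))
    neg_init = tlv(0x30, tlv(0xA0, mech_types) + tlv(0xA2, tlv(0x04, mech_token)))
    return gss_initial_token(SPNEGO_OID, tlv(0xA0, neg_init))

def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")

def read_tlv(buf, pos=0):
    """Minimal DER reader: (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def oid_to_str(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_spnego_init(token):
    """Inverse of spnego_neg_token_init: (mech OIDs as strings, mech token)."""
    tag, body, _ = read_tlv(token)
    assert tag == 0x60, "not a GSS initial context token"
    tag, oid, pos = read_tlv(body)
    assert tag == 0x06 and oid_to_str(oid) == SPNEGO_OID, "not SPNEGO"
    tag, neg, _ = read_tlv(body, pos)
    assert tag == 0xA0, "not a NegTokenInit"
    _, seq, _ = read_tlv(neg)
    mech_oids, mech_token, pos = [], None, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:
            _, oid_list, _ = read_tlv(field)
            p = 0
            while p < len(oid_list):
                _, raw, p = read_tlv(oid_list, p)
                mech_oids.append(oid_to_str(raw))
        elif tag == 0xA2:
            _, mech_token, _ = read_tlv(field)
    return mech_oids, mech_token

if __name__ == "__main__":
    token = spnego_neg_token_init(krb5_mech_token(b"AP-REQ placeholder"))
    print(negotiate_header(token))
```

The same read_tlv/oid_to_str pair is enough to inspect a real header captured from a browser: strip "Negotiate ", base64-decode, and parse_spnego_init returns the mechanism list the client offered and the Kerberos token it sent, which is the quickest way to confirm whether a client fell back to NTLM (mechanism 1.3.6.1.4.1.311.2.2.10) instead of Kerberos.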

VASD Errors


When running vas_status.sh, I am getting this a lot with version 4.1.20185:

FAILURE: 721 In-consistent access control ALLOW cache

 

What does this mean and is it fatal?

Would it also be possible to get a doc on the error numbers and their meaning?  I understand if this may not be a GA doc...

 

Thanks, Scott

Wrong ticket encryption for W2K clients only causes VSJ to fail


Hi,

I am facing the following problem.

The Windows service account used for Vintela SSO is set up using "Use DES encryption for this account". The keytab is created with ktpass ... -crypto DES-CBC-MD5 encryption.

Everything is working when I login to the web application from a Windows 2003 server machine. On the Windows 2003 server machine part of the klist tickets command is as follows (Kerberos ticket encryption of type DES-CBC-MD5 as expected):

   Server: HTTP/server.eu.xxx.com@EU.XXX.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 8/3/2007 21:38:37
      Renew Time: 8/10/2007 11:38:37

But on the Windows 2000 clients the ticket is encrypted with RC4-HMAC-NT:

   Server: HTTP/server@EU.XXX.COM
      KerbTicket Encryption Type: Kerberos RSADSI RC4-HMAC(NT)
      End Time: 8/3/2007 21:42:55
      Renew Time: 8/10/2007 11:42:55

The wrongly obtained ticket causes SSO to fail.

Tomcat output is:

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Successfully matched service principal "HTTP/SERVER.EU.XXX.COM@EU.XXX.COM but not key type (23) + KVNO (2) in this entry: Principal: HTTP/SERVER.EU.XXX.COM@EU.XXX.COM Type: 1 TimeStamp: Wed Dec 31 19:00:00 EST 1969 KVNO: -1 Key: [3, 67 ec a8 a8 75 e0 ab 3e ] )

So the encryption type of the client ticket (which is of type 23=RC4-HMAC-NT) does not match the entry in the keytab (type 3=DES-CBC-MD5).

Why does the Windows 2000 machine get a differently encrypted ticket? Also, there is a difference in the SPN shown in the klist tickets output above.

Any help would be greatly appreciated.

Thanks,

Ron
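This post and the earlier "VSJ could not authorize the request" post fail at the same step, VSJ looking for a keytab key that can open the client's service ticket, and the log lines in both name the things compared: encryption type, KVNO and principal name. The checker below is an added example, not VSJ's matching code. It applies those three comparisons plus a realm comparison and explains each verdict, using the values the two posts print; the "repaired" keytab at the end is constructed. For the earlier post it reports a realm mismatch (the ticket was issued for an SPN in DMTEST.FAIRPLAYNET.COM while the only key belongs to an account in DM.FAIRPLAYNET.COM, so no key of that account can have sealed the ticket); for this post it reports that the only key is DES (type 3) while the Windows 2000 ticket is RC4-HMAC (type 23), so the keytab has no key of the type needed.

```python
"""Explain why a keytab key can or cannot decrypt a service ticket.

Added example, not VSJ's matching code. It applies the checks the VSJ log
lines in the two posts name (enctype, KVNO, principal name) plus a realm
comparison, using the values those posts print; the "repaired" keytab at
the end is constructed.
"""
from dataclasses import dataclass

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KVNO_WILDCARD = -1      # VSJ prints KVNO -1 for a key that may match any version


@dataclass(frozen=True)
class KeyInfo:
    principal: str      # "name@REALM"
    enctype: int
    kvno: int


def split_principal(principal):
    name, _, realm = principal.rpartition("@")
    return name.lower(), realm.upper()


def enc_name(enctype):
    return f"{enctype} ({ENCTYPES.get(enctype, 'unknown')})"


def check_entry(ticket, key):
    """Return (usable, messages); hard problems are listed before warnings."""
    problems, warnings = [], []
    t_name, t_realm = split_principal(ticket.principal)
    k_name, k_realm = split_principal(key.principal)
    if key.enctype != ticket.enctype:
        # A key of a different type can never verify the ticket's checksum.
        problems.append(f"enctype mismatch: ticket {enc_name(ticket.enctype)}, "
                        f"key {enc_name(key.enctype)}")
    if key.kvno == KVNO_WILDCARD:
        warnings.append(f"kvno wildcard: key version unknown, ticket needs kvno {ticket.kvno}; "
                        "the key may derive from an older account password")
    elif key.kvno != ticket.kvno:
        problems.append(f"kvno mismatch: ticket kvno {ticket.kvno}, key kvno {key.kvno}")
    if t_realm != k_realm:
        # The ticket was sealed by t_realm's KDC with the key of the account
        # holding the SPN there; an account in another realm has its own key.
        problems.append(f"realm mismatch: ticket issued in {t_realm}, "
                        f"key belongs to an account in {k_realm}")
    elif t_name != k_name:
        warnings.append("principal names differ (ticket SPN vs keytab account name): "
                        "acceptable only if the SPN is registered on that account")
    return not problems, problems + warnings


def usable_keys(ticket, keytab):
    return [key for key in keytab if check_entry(ticket, key)[0]]


# Values printed in the "VSJ could not authorize the request" post
TICKET_DMTEST = KeyInfo("HTTP/ms03012.mss.fairplaynet.com@DMTEST.FAIRPLAYNET.COM", 23, 5)
KEYTAB_DMTEST = [KeyInfo("rootpjqsjsvc@DM.FAIRPLAYNET.COM", 23, -1)]

# Values printed in the Windows 2000 / DES post above
TICKET_W2K = KeyInfo("HTTP/SERVER.EU.XXX.COM@EU.XXX.COM", 23, 2)
KEYTAB_W2K = [KeyInfo("HTTP/SERVER.EU.XXX.COM@EU.XXX.COM", 3, -1)]

# Constructed: a keytab that also carries an rc4-hmac key of the current kvno
KEYTAB_REPAIRED = [KeyInfo("HTTP/SERVER.EU.XXX.COM@EU.XXX.COM", 23, 2),
                   KeyInfo("HTTP/SERVER.EU.XXX.COM@EU.XXX.COM", 3, 2)]


if __name__ == "__main__":
    for label, ticket, keytab in (("DMTEST", TICKET_DMTEST, KEYTAB_DMTEST),
                                  ("W2K", TICKET_W2K, KEYTAB_W2K),
                                  ("repaired", TICKET_W2K, KEYTAB_REPAIRED)):
        for key in keytab:
            usable, messages = check_entry(ticket, key)
            print(label, key.principal, enc_name(key.enctype),
                  "OK" if usable else "FAIL", messages)
```

The KVNO wildcard is reported as a warning rather than a failure because it is exactly the ambiguity the VSJ log itself notes: a key without a version number may have been generated from a password older than the one the KDC currently uses, and the only way to resolve that is to compare the ticket's kvno with the account's current key version when the keytab is regenerated.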
