Channel: Software Communities : Popular Discussions - All Things Unix

2 Apache instances running with different Service Account


Hi all,

 

I'm having trouble with one of 2 Apache instances. The VHOST seems to take the HTTP.keytab and Server Principal configuration well at the startup of the Apache Service.

But on the first web request, it seems like it's not accepting the HTTP.keytab location defined at the beginning and it's trying to look in the default location.

 

I'm using the AuthVasKeytabFile directive for defining the location of the file.

 

[Thu Sep 19 11:05:17 2013] [debug] mod_auth_vas.c(2312): [client 1.1.1.1] [mod_auth_vas] auth_vas_check_user_id: auth_type=VAS

[Thu Sep 19 11:05:17 2013] [debug] mod_auth_vas.c(2342): [client 1.1.1.1] [mod_auth_vas] sending initial negotiate headers

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(2312): [client 1.1.1.1] [mod_auth_vas] auth_vas_check_user_id: auth_type=VAS

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(2359): [client 1.1.1.1] [mod_auth_vas] Got: 'Authorization: Negotiate [...]'

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1457): [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: line='YIIIUQYGKwYBBQUCoIIIRTCCCEGgMDAu...'

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1469): [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: server keytab: /nfs/path/HTTP.keytab

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1470): [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: server principal: HTTP/myhost.com

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1416): [client 1.1.1.1] [mod_auth_vas] rnote_get: creating rnote

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1498): [client 1.1.1.1] [mod_auth_vas] calling vas_gss_spnego_accept, base64 token_size=2844

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1513): [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: server keytab /nfs/path/HTTP.keytab

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1367): [client 1.1.1.1] [mod_auth_vas] initialize_user

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1395): [client 1.1.1.1] [mod_auth_vas] initialize_user: Remote user principal name is user@mydomain.com

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(2922): [client 1.1.1.1] [mod_auth_vas] set_remote_user: setting REMOTE_USER for user@mydomain.com

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(2936): [client 1.1.1.1] [mod_auth_vas] set_remote_user: setting REMOTE_USER variable using ldap-attr sAMAccountName name mapping

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(492): [client 1.1.1.1] [mod_auth_vas] set_user_obj

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(2655): [client 1.1.1.1] [mod_auth_vas] set_remote_user_attr: Using VAS cache for lookup of sAMAccountName attribute

[Thu Sep 19 11:05:18 2013] [info] [client 1.1.1.1] [mod_auth_vas] Remote user set from user@mydomain.com to user (attribute sAMAccountName)

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(2944): [client 1.1.1.1] [mod_auth_vas] set_remote_user: Mapped user to juancgox using ldap-attr sAMAccountName name mapping

[Thu Sep 19 11:05:18 2013] [error] [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: auth_vas_user_use_gss_result failed: VAS_ERR_CRED_NEEDED: Unable to find a keytab entry in /etc/opt/quest/vas/HTTP.keytabfor HTTP/myhost.com

[Thu Sep 19 11:05:18 2013] [error] [client 1.1.1.1] [mod_auth_vas] auth_vas_user_use_gss_result: unknown routine error

[Thu Sep 19 11:05:18 2013] [error] [client 1.1.1.1] [mod_auth_vas] auth_vas_user_use_gss_result: Success

[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1339): [client 1.1.1.1] [mod_auth_vas] auth_vas_cleanup_request

 

Thanks in advance for your help,

 

Regards,

Obed N Munoz
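As an added example (not code from the post or from the mod_auth_vas project), a small Python check that reads mod_auth_vas debug output like the lines above and flags when the keytab path named in the VAS_ERR_CRED_NEEDED error differs from the one the module reported as configured for the request. The sample lines are copied from the post; nothing else is assumed about the module.

```python
import re

# Sample input: the relevant lines from the post above (constructed fixture,
# copied from the log the poster shared).
SAMPLE_LOG = """\
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1469): [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: server keytab: /nfs/path/HTTP.keytab
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1470): [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: server principal: HTTP/myhost.com
[Thu Sep 19 11:05:18 2013] [debug] mod_auth_vas.c(1513): [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: server keytab /nfs/path/HTTP.keytab
[Thu Sep 19 11:05:18 2013] [error] [client 1.1.1.1] [mod_auth_vas] do_gss_spnego_accept: auth_vas_user_use_gss_result failed: VAS_ERR_CRED_NEEDED: Unable to find a keytab entry in /etc/opt/quest/vas/HTTP.keytabfor HTTP/myhost.com
"""

# Lines 1469 and 1513 differ only in whether a colon follows "keytab".
CONFIGURED_RE = re.compile(r"server keytab:?\s+(\S+)")
PRINCIPAL_RE = re.compile(r"server principal:\s+(\S+)")
# The error text in the post runs the path and "for" together
# ("HTTP.keytabfor HTTP/..."), so allow zero whitespace before "for".
CRED_NEEDED_RE = re.compile(
    r"VAS_ERR_CRED_NEEDED: Unable to find a keytab entry in (.+?)\s*for (\S+)"
)


def analyse(log_text):
    """Return the configured keytab paths, the (path, principal) pairs from
    VAS_ERR_CRED_NEEDED errors, and a list of human-readable findings."""
    configured = set()
    principals = set()
    failures = []
    for line in log_text.splitlines():
        m = CONFIGURED_RE.search(line)
        if m:
            configured.add(m.group(1))
        m = PRINCIPAL_RE.search(line)
        if m:
            principals.add(m.group(1))
        m = CRED_NEEDED_RE.search(line)
        if m:
            failures.append((m.group(1), m.group(2)))

    findings = []
    for path, principal in failures:
        if path not in configured:
            # The keytab actually consulted is not the one the module said it
            # would use: a configuration is not being honoured at request time.
            findings.append(
                f"keytab mismatch: lookup used {path} but the request-time "
                f"configuration named {sorted(configured)}"
            )
        if principal not in principals:
            findings.append(f"principal {principal} never reported as the server principal")
    return {
        "configured": configured,
        "failures": failures,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG)["findings"]:
        print(finding)
```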


QAS and NTLMV2


We're getting ready to switch over to NTLMv2 exclusively in the AD world ... are there any negative implications for a mixed deployment of mostly QAS 4X - with a few 3X stragglers in the mix?

VAS User Group Membership Issues


Hello everybody,

 

I have been working on this issue for a while now, and I am having no luck.

I am having an issue with Quest (VAS) authentication as user groups.

 

I am having an issue where a user can log into a RedHat server with no issues, but they cannot access a specific directory owned by a group (Permission Denied).

As root, I do a vastool flush on the server, and then I "su -" to the user. At that point I can access the directory with no issues.

I do an "ID" command, and I see the user is a member of about 11 groups.

 

Now for the fun part.......

 

I tell the user it is fixed, and then they LOGIN.

Of course, they can't access the directory. I log into the server and "su -" to the user and sure enough, the user can't access the directory.

I run the "ID" command again, and this time the user is showing as a member of a much larger number of groups.

I assume the directory access could be due to the user being a member of too many groups (even though one of the groups is the group they need).

 

I have tried to flush several times. I have even unjoined/rejoined the server. Still the same behavior ----- I do a flush as root and access is okay until the user logs in.

Then the number of groups the user is a member of increases and access is denied.

I assume that VAS calls the AD information differently during the login process versus root doing a "su -" to the user.

 

Has anyone seen this issue before?

I've tried about everything, so any help would be appreciated.

 

Thanks,

Chuck

vasd Refresh Times


What is the default time for vasd to refresh cache locally? V4.1

vastool flush - Loading user cache error


Does anyone have a list of the Loading User cache errors?

 

I did a vastool flush and received the following error:

 

     Loading users cache: ..... Error while loading user cache: 16

 

I found some of the other error numbers on Google (12, 14, 22), but I couldn't find 16.

v4.1 or 4.0.3


I have a quick question. I would like to upgrade our UNIX components to QAS v4.1 from 3.5.2.12. While the company is considering upgrading to 4.1, we are currently at 4.0.3 in AD. If I go ahead to do this upgrade, will there be any issues with AD?

Unlock AD Entry via Vastool & Keytab

I have a number of lightly used systems which periodically get locked out of Active Directory (I'm not certain of the cause, perhaps they're not changing their password quickly enough). Anyway, I was wondering if there's a way to unlock them using vastool and the keytab which created them (since it has access to that object in the OU).

The specific error I'm seeing is:
<<<<<
# vastool flush
Flushing auth cache: OK
Could not load caches- Authentication failed, error = VAS_ERR_NOT_FOUND: Not found
   Caused by:
   VAS_ERR_KRB5: Failed to obtain credentials. Keytab: , Client: IAE2-LZ$@ENT.X.CORP, Service: krbtgt/ENT.X.CORP@ENT.X.CORP
   Caused by:
   KRB5KDC_ERR_CLIENT_REVOKED (-1765328366): Clients credentials have been revoked

It appears that the computer object has not yet replicated to the Global Catalog.
vasd will stay in disconnected mode until this replication takes place.
You do not need to rejoin this computer.
>>>>>

An unjoin/rejoin does resolve the problem, or unlocking them in AD via some Windows admin tools.  However I was hoping for a more graceful solution than unjoin/join which I can run from the command line.


Using VAS Apache Module on Multiple Apache instances


Hi all,

 

- I have a Web Server configured with 2 Apache Instances, each instance running as a different user and port.

- I configured the VAS module for Active Directory Authentication on both instances

 

- So, now, the problem is that in one instance the VAS authentication is working really well, and in the other one,

we're having problems. It's always requesting Credentials when you try to access any websites hosted on this second instance.

 

The strange thing is that in the first instance, every website is working correctly and it's taking credentials automatically from browser.

 

Has anyone seen this kind of behavior?

 

 

Thanks in advance,

Obed N Munoz


VASD Errors


When running vas_status.sh, I am getting this a lot with version 4.1.20185:

FAILURE: 721 In-consistent access control ALLOW cache

 

What does this mean and is it fatal?

Would it also be possible to get a doc on the error numbers and their meaning?  I understand if this may not be a GA doc...

 

Thanks, Scott

Not seeing correct AD group membership using vastool


We have an AD group 'foo'.  User Abe is added to it using AD tools.

 

I cannot see this user in the group using vastool on Solaris. And of course the user cannot log in.

 

$ vastool list groups | grep foo

foo:VAS:2010:john.doe@na.company.com,harry.who@na.company.com

$

 

I've executed vastool flush to no effect.

 

What am I doing wrong?

Single Sign-On for Java 7 Not working


Hi,

 

We have been using winSSPI.dll on client side from 3.2 package. This dll is not working anymore in JDK 7.

 

The exception trace as follows :

 

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: OS name = 'Windows 7', version = '6.1'

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: isKerberosOS = true, isSessionKeySupported = true

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: calling native method ...

[winSSPI.dll] initialize

[winSSPI.dll] initialize: done

[INFO] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: Successfully initialized Windows SSPI

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: acquireCredentialsHandle: calling native method ...

[winSSPI.dll] acquireCredentialsHandle

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: loadCredential: result = 0

Attempting initContext with principal: HTTP/appsec001.gaia.net.intra

initContext failed with principal: HTTP/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created

Attempting initContext with principal: HOST/appsec001.gaia.net.intra

initContext failed with principal: HOST/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created

initContext failed with all attempted principals

java.security.PrivilegedActionException: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created

          at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:373)

          at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)

          at weblogic.security.Security.runAs(Security.java:61)

          at security.role.TestKerberosEJBCall.main(TestKerberosEJBCall.java:32)

Caused by: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created

          at com.quest.vsj.weblogic.login.EjbClientKerberosLoginModule.login(EjbClientKerberosLoginModule.java:107)

          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

          at java.lang.reflect.Method.invoke(Method.java:606)

          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)

          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)

          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)

          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)

          at java.security.AccessController.doPrivileged(Native Method)

          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)

          at javax.security.auth.login.LoginContext.login(LoginContext.java:594)

          at security.role.TestKerberosEJBCall$1.run(TestKerberosEJBCall.java:35)

          at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)

          ... 3 more

 

Any ideas if any newer version or patch is supporting both JDK 7 64 & 32 bit ?

 

Thanks in advance.

Kerberos SSO with 1 way Trust

I had configured a Kerberos SSO with a 1-way trust between two domains... But on logging in I am getting the following exception...

[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: resetting state...
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: principal = 'HTTP/mdk1waytrustd3.wtmdk1waydom3.com'
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: realm = 'WTMDK1WAYDOM3.COM'
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Found name servers using JNDI
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd2.wtmdk1waydom2.com (10.31.70.183)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd1.wtmdk1waydom1.com (10.31.69.52)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: MDK1WAYTRUSTD3.WTMDK1WAYDOM3.COM (10.31.70.184)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd4.wtmdk1waydom4.com (10.31.71.34)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: corpinba8.corp.emc.com (10.30.48.37)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: corpgefr3.corp.emc.com (152.62.196.10)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: The old JCSI Kerberos code for the Windows LSA is now disabled by default;
if you really want it (rather than the new WinSSPI code) you must set
-Djcsi.kerberos.lsa.enable=true
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Creating LSA credential cache
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Could not locate default cache: com.dstc.security.kerberos.KerberosException: Could not create credential store com.dstc.security.kerberos.KerberosException: Native in-memory credential cache not supported on this platform (Windows Server 2008 R2)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: login succeeded
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: loaded InputStream based keytab at time 1351158964992 m/secs, 5 entries
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: binding principal to subject
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: binding credentials to subject


Can someone help me in resolving this???

Regards,
Sumith

using vastool to perform LDAP queries

Pardon me if there is another subject related to this question already.

I am a recent QAS/VAS customer, and am performing discovery and preparation to convert all AIX/Linux boxes in our environment to leverage AD with QAS.

We have about 1200 users across several hundred servers, and I have created a de-duplicated list of all users across all UNIX boxes.

I want to know if there's a way with vastool or some other tool to query the Domain Controller and find out which users are "disabled" in AD. And also find out which users do not have a match in AD.

Some users will have the same unix username as they do SAM account name in AD, some will not; this will help me to find out which ones I need to have special cases for, and which are valid users that I need to Unix enable in AD. Identifying the Disabled users would allow me to remove potentially hundreds of users from my master user list and also clean them off locally on all the UNIX boxes.

I'm not very experienced but it seems like some form of "vastool search" might be able to provide such information?
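As an added example (not from the post, and not a vastool feature), the reconciliation step the poster describes in Python: the de-duplicated UNIX user list is matched against AD user objects by sAMAccountName, and each user is sorted into enabled, disabled, or no match. The AD entries are a constructed stand-in for whatever an LDAP search returns; only the meaning of the ACCOUNTDISABLE bit in userAccountControl (0x2) is taken from AD itself.

```python
# ACCOUNTDISABLE bit of the AD userAccountControl attribute. An LDAP search
# for only disabled accounts would use the bitwise-AND matching rule:
#   (userAccountControl:1.2.840.113556.1.4.803:=2)
ACCOUNTDISABLE = 0x0002

# Constructed sample: the de-duplicated UNIX user list (not real accounts).
UNIX_USERS = ["alice", "bob", "carol", "dave", "svc_backup"]

# Constructed sample: what a search returning sAMAccountName and
# userAccountControl for every user object might yield.
AD_RESULTS = [
    {"sAMAccountName": "alice",  "userAccountControl": 512},    # normal, enabled
    {"sAMAccountName": "bob",    "userAccountControl": 514},    # 512 | ACCOUNTDISABLE
    {"sAMAccountName": "cjones", "userAccountControl": 66048},  # enabled, no pwd expiry
    {"sAMAccountName": "Dave",   "userAccountControl": 66050},  # disabled, case differs
]


def is_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(int(uac) & ACCOUNTDISABLE)


def classify(unix_users, ad_results):
    """Sort UNIX usernames into enabled / disabled / no_match by sAMAccountName.

    sAMAccountName comparisons in AD are case-insensitive, so both sides are
    case-folded; a name match is still only a candidate, since a UNIX name can
    coincide with an unrelated AD account (the "special cases" the poster
    mentions)."""
    by_sam = {e["sAMAccountName"].casefold(): e for e in ad_results}
    report = {"enabled": [], "disabled": [], "no_match": []}
    for user in unix_users:
        entry = by_sam.get(user.casefold())
        if entry is None:
            report["no_match"].append(user)
        elif is_disabled(entry["userAccountControl"]):
            report["disabled"].append(user)
        else:
            report["enabled"].append(user)
    return report


if __name__ == "__main__":
    for bucket, names in classify(UNIX_USERS, AD_RESULTS).items():
        print(f"{bucket:9s} {', '.join(names) or '-'}")
```

The "disabled" bucket is the removal candidate list the poster is after; the "no_match" bucket is the list that still needs a manual mapping (carol may be cjones) or a new Unix-enabled AD account.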

QAS uidnumber generation


We use ActiveRoles and Authentication Services to administer UNIX user attributes and our UNIX admins are having troubles with uidnumber re-use. For example a uidnumber assigned to a previous user that is no longer in AD, is being reassigned to a new user. Apparently this reuse is occurring fairly soon after the previous user has left.

 

Our original uidnumber space was imported from a separately managed UNIX environment, where the uidnumbers were previously assigned. QAS was not used to generate these original uidnumbers. Within QAS we have the minimum uidnumber set to 1000 and the max to 64000.

 

How do the different methods of generating a unique ID work? Are they always starting at the minimum value and working up to find an available uidnumber to assign to a new user? Can it be configured to start at the last assigned uidnumber and work up, until it gets to the max possible uidnumber before starting again at the minimum value?
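As an added illustration of the two allocation policies the question contrasts (this is not QAS's or ActiveRoles' implementation, whose behaviour the thread does not state), the following Python models both over the poster's 1000-64000 range and shows why "lowest free number" hands a departed user's uidnumber straight to the next new account, while "continue after the last assigned number, wrapping at the maximum" defers reuse until the whole range has been cycled. The set of used uids is constructed.

```python
MIN_UID, MAX_UID = 1000, 64000  # the range configured in the post


def lowest_free(used, lo=MIN_UID, hi=MAX_UID):
    """Policy A: scan up from the minimum and return the first unused value.
    A uid freed by a departed user is the first gap, so it is reused at once,
    and any files still owned by that uid become the new user's."""
    for uid in range(lo, hi + 1):
        if uid not in used:
            return uid
    raise RuntimeError("uidnumber range exhausted")


def next_after_last(used, last, lo=MIN_UID, hi=MAX_UID):
    """Policy B: continue from the last assigned value, wrap at the maximum.
    Freed values are only reached again after a full cycle of the range,
    which leaves time to find and re-own orphaned files."""
    span = hi - lo + 1
    for step in range(1, span + 1):
        uid = lo + ((last - lo + step) % span)
        if uid not in used:
            return uid
    raise RuntimeError("uidnumber range exhausted")


def simulate():
    """Constructed scenario: seven imported uids, then user 1003 leaves."""
    used = {1000, 1001, 1002, 1003, 1004, 1005, 1006}
    last_assigned = 1006
    used.discard(1003)  # account deleted from AD; its uid is now free
    return {
        "lowest_free": lowest_free(used),
        "next_after_last": next_after_last(used, last_assigned),
    }


if __name__ == "__main__":
    for policy, uid in simulate().items():
        print(f"{policy:16s} -> next uidnumber {uid}")
```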


vas library upgrade caused sshd to dump core


We build our ssh package using the Vintela-supplied source package. (We do apply a small patch on top of the vas patch to openssh, but I don't think this is related here.) Our sshd package was built against the 3.0.3.17 library (statically linked against libvas.a), and it was working fine with 3.0.3.17.

Now we upgraded vas to 3.1.2 from 3.0.3.17, and sshd started core dumping
when a user tries to authenticate. I recompiled ssh against the 3.1.2 version of libvas and it's working fine again.

It seems if we continue to build our own ssh package, then we would have to recompile whenever we upgrade vas. Does anyone else build their own ssh as well?
I would also like to hear what the vas developers think about this.
thanks.

HTTP Status 500 - com.wedgetail.idm.sso.ntlm.NtlmException: NTLM token is T


removed


Kerberos Error: Message Stream modified

Hi,
I'm using SSO with BOXIR2 that uses VSJ;
the SSO was working fine until one day SSO stopped with the below error messages.
So how do I fix this kind of error?



5609 http-8080-Processor25 ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
5609 http-8080-Processor25 ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication - GSSException Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
5609 http-8080-Processor25 WARN com.crystaldecisions.sdk.occa.security.internal.LogonService - doUserLogon(): failed to logon, logoninfo=user:xxx%xxx,method:GSSCredential,auth=secWinAD,aps=xxx.xx.com
com.crystaldecisions.sdk.exception.SDKException$SecurityError: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department.
cause:GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
detail:The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department.
The exception originally thrown was GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.b.a(Unknown Source)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.d.a(Unknown Source)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.d.continueLogin(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.a(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.a(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.t.userLogon(Unknown Source)
at com.crystaldecisions.sdk.occa.security.internal.l.userLogon(Unknown Source)
at com.crystaldecisions.sdk.framework.internal.d.logon(Unknown Source)
at com.crystaldecisions.ePortfolio.framework.logon.LogonAction.singleSignOn(LogonAction.java:406)
at com.crystaldecisions.ePortfolio.framework.logon.LogonAction.autoWrapExceptionPerform(LogonAction.java:525)
at com.crystaldecisions.ePortfolio.framework.common.AutoWrapExceptionAction.process(AutoWrapExceptionAction.java:62)
at com.crystaldecisions.webapp.struts.framework.AbstractEnterpriseAction.perform(AbstractEnterpriseAction.java:38)
at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)

Local/Remote user issue with db2_sys-auth


If I connect to DB2 without specifying "user <username>", I can connect to DB2 successfully.  If I connect with "user <username>", I am getting "PASSWORD EXPIRED".  See below:


/home/sg54377>db2 connect to hcdev9 user sg54377
Enter current password for sg54377:
SQL30082N  Security processing failed with reason "1" ("PASSWORD EXPIRED").
SQLSTATE=08001


/home/sg54377>db2 connect to hcdev9

   Database Connection Information

 Database server        = DB2/AIX64 9.1.4
 SQL authorization ID   = SG54377
 Local database alias   = HCDEV9

/home/sg54377>db2level
DB21085I  Instance "db2inst1" uses "64" bits and DB2 code release "SQL09014"
with level identifier "01050107".
Informational tokens are "DB2 v9.1.0.4", "s071028", "U811792", and Fix Pack
"4".
Product is installed at "/opt/IBM/db2/V9.1".
I am running this on AIX 5.3  - 5300-06-01-0000

Here is the snippet of the above connection from my syslog:

Jul  2 15:31:13 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[868578]: vas_db2_plugin_check_password: password expired for user <sg54377>
Jul  2 15:31:13 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[868578]: vas_db2_plugin_check_password: password expired for user <sg54377>
Jul  2 15:33:26 cor089yd135 auth|security:info sshd[884890]: Accepted publickey for root from 172.29.100.100 port 55358 ssh2
Jul  2 15:33:26 cor089yd135 auth|security:info sshd[884890]: Accepted publickey for root from 172.29.100.100 port 55358 ssh2
Jul  2 15:36:02 cor089yd135 auth|security:info sys-auth_2.0.0.5 - db2inst1[491756]: vasaix: Authentication <succeeded> for <Active Directory> user: <sg54377> account: SG54377@us.company.corp service: <AIX LAM> reason: <N/A>
Jul  2 15:36:02 cor089yd135 auth|security:info sys-auth_2.0.0.5 - db2inst1[491756]: vasaix: Authentication <succeeded> for <Active Directory> user: <sg54377> account: <SG54377@us.company.corp> service: <AIX LAM> reason: <N/A>
Jul  2 15:36:02 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[868578]: vas_db2_plugin_check_password: password expired for user <sg54377>
Jul  2 15:36:02 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[868578]: vas_db2_plugin_check_password: password expired for user <sg54377>
Jul  2 15:38:11 cor089yd135 auth|security:info tsm: vasaix: Authentication <succeeded> for <Active Directory> user: <sg54377> account: <SG54377@us.company.corp> service: <AIX LAM> reason: <N/A>
Jul  2 15:38:11 cor089yd135 auth|security:info tsm: vasaix: Authentication <succeeded> for <Active Directory> user: <sg54377> account: <SG54377@us.company.corp> service: <AIX LAM> reason: <N/A>
Jul  2 15:38:41 cor089yd135 auth|security:notice su: from root to sg54377 at /dev/pts/3
Jul  2 15:38:41 cor089yd135 auth|security:notice su: from root to sg54377 at /dev/pts/3
Jul  2 15:38:49 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[868578]: vas_db2_plugin_check_password: successful authentication for user <sg54377>
Jul  2 15:38:49 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[868578]: vas_db2_plugin_check_password: successful authentication for user <sg54377>
Jul  2 15:38:49 cor089yd135 auth|security:debug sys-auth_2.0.0.5 - db2inst1[868578]: ldap_request failure
Jul  2 15:38:49 cor089yd135 auth|security:debug sys-auth_2.0.0.5 - db2inst1[868578]: ldap_request failure
Jul  2 15:38:49 cor089yd135 auth|security:debug last message repeated 2 times
Jul  2 15:38:49 cor089yd135 auth|security:debug last message repeated 2 times
Jul  2 15:38:49 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[786628]: vas_db2_plugin_check_password: successful authentication for user <sg54377>
Jul  2 15:38:49 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[786628]: vas_db2_plugin_check_password: successful authentication for user <sg54377>
Jul  2 15:45:06 cor089yd135 auth|security:info sys-auth_2.0.0.5 - db2inst1[463056]: vasaix: Authentication <succeeded> for <Active Directory> user: <sg54377> account: <SG54377@us.company.corp> service: <AIX LAM> reason: <N/A>
Jul  2 15:45:06 cor089yd135 auth|security:info sys-auth_2.0.0.5 - db2inst1[463056]: vasaix: Authentication <succeeded> for <Active Directory> user: <sg54377> account: <SG54377@us.company.corp> service: <AIX LAM> reason: <N/A>
Jul  2 15:45:06 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[868578]: vas_db2_plugin_check_password: password expired for user <sg54377>
Jul  2 15:45:06 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[868578]: vas_db2_plugin_check_password: password expired for user <sg54377>
Jul  2 15:45:36 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[868578]: vas_db2_plugin_check_password: successful authentication for user <sg54377>
Jul  2 15:45:36 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[868578]: vas_db2_plugin_check_password: successful authentication for user <sg54377>
Jul  2 15:45:36 cor089yd135 auth|security:debug sys-auth_2.0.0.5 - db2inst1[868578]: ldap_request failure
Jul  2 15:45:36 cor089yd135 auth|security:debug sys-auth_2.0.0.5 - db2inst1[868578]: ldap_request failure
Jul  2 15:45:36 cor089yd135 auth|security:debug last message repeated 2 times
Jul  2 15:45:36 cor089yd135 auth|security:debug last message repeated 2 times
Jul  2 15:45:36 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[786628]: vas_db2_plugin_check_password: successful authentication for user <sg54377>
Jul  2 15:45:36 cor089yd135 auth|security:notice sys-auth_2.0.0.5 - db2inst1[786628]: vas_db2_plugin_check_password: successful authentication for user <sg54377>

Where do I go with this?

Thank you in advance.
