Channel: Software Communities : Popular Discussions - All Things Unix
Viewing all 1046 articles

GSSException when launching ejb fatclient example from VSJ-WebLogic-Edition

Hi,

I downloaded the vsj-weblogic-3.2 (VSJ-WebLogic-Edition-3.2_Patch-3550). I get the exception below. I saw on a forum that the 3.3 version fixes this problem. Is that so? Is the 3.3 version available?

http://allthingsunix.inside.quest.com/thread.jspa?threadID=10055&tstart=0&messageID=30443

Best regards,
Omer

Caused by: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.provider.Krb5U2S configured by JCSIKrb5 for GSS-API Mechanism Factory cannot be created
at com.quest.vsj.weblogic.login.EjbClientKerberosLoginModule.login(EjbClientKerberosLoginModule.java:107)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
at com.decsso.client.VSJWebLogicEditionSSOTester$1.run(VSJWebLogicEditionSSOTester.java:50)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
... 3 more

Configuring VSJ for multiple domains for a web/standalone Java client.


Background:

We have an existing Kerberos utility (developed using the Sun GSS API), which can be used by either a web application or a standalone Java application to accept a service ticket for a specific service, or to delegate GSS credentials to fetch a service ticket for another service.

Requirement:

Since our utility was developed using the Sun GSS API, it only works if all the services exist in a single domain, as the Sun GSS API cannot understand reference tickets generated for cross-domain authentication.

We now plan to extend this utility so that it can communicate with services that exist in multiple domains; for this purpose we are planning to use VSJ. We still want the client (either a web application or a standalone application) to remain the same for this utility.

1. Is there a way to integrate VSJ with the existing Kerberos utility (just by providing the VSJ security provider), so that cross-domain authentication succeeds without changing the existing utility code?

2. If step 1 is not possible, what configuration steps/additional VSJ APIs need to be used to achieve cross-domain functionality? If any specific guide/documentation/pointers are available, please point me to them.

Thanks,
Naga


Problems Compiling MAV on AIX 6.1/XLC/IBMIHS 7.0.0.23

Greetings all.

I am trying to compile MAV 3.6.7 on AIX 6.1/XLC/IBMIHS 7.0.0.23.  I tried using the precompiled 3.6.4 module, but Apache doesn't like that.  Here is the output from the configure script:

checking vas_gss.h usability... no
checking vas_gss.h presence... yes
configure: WARNING: vas_gss.h: present but cannot be compiled
configure: WARNING: vas_gss.h:     check for missing prerequisite headers?
configure: WARNING: vas_gss.h: see the Autoconf documentation
configure: WARNING: vas_gss.h:     section "Present But Cannot Be Compiled"
configure: WARNING: vas_gss.h: proceeding with the compiler's result
configure: WARNING:     ## -------------------------------------- ##
configure: WARNING:     ## Report this to David.Leonard@xxxyy.abc ##
configure: WARNING:     ## -------------------------------------- ##
checking for vas_gss.h... no
checking gssapi.h usability... no
checking gssapi.h presence... yes
configure: WARNING: gssapi.h: present but cannot be compiled
configure: WARNING: gssapi.h:     check for missing prerequisite headers?
configure: WARNING: gssapi.h: see the Autoconf documentation
configure: WARNING: gssapi.h:     section "Present But Cannot Be Compiled"
configure: WARNING: gssapi.h: proceeding with the compiler's result
configure: WARNING:     ## -------------------------------------- ##
configure: WARNING:     ## Report this to David.Leonard@xxxyy.abc ##
configure: WARNING:     ## -------------------------------------- ##
checking for gssapi.h... no
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... yes
configure: WARNING: gssapi_krb5.h: present but cannot be compiled
configure: WARNING: gssapi_krb5.h:     check for missing prerequisite headers?
configure: WARNING: gssapi_krb5.h: see the Autoconf documentation
configure: WARNING: gssapi_krb5.h:     section "Present But Cannot Be Compiled"
configure: WARNING: gssapi_krb5.h: proceeding with the compiler's result
configure: WARNING:     ## -------------------------------------- ##
configure: WARNING:     ## Report this to David.Leonard@xxxyy.abc ##
configure: WARNING:     ## -------------------------------------- ##
checking for gssapi_krb5.h... no

The configure script finishes, without error, but the compile fails with this:

/usr/include/unistd.h:924: error: expected ')' before '[' token
/usr/include/unistd.h:925: error: expected declaration specifiers or '...' before 'rid_t'
get.c: In function 'err_gss':
get.c:626: error: expected declaration specifiers before 'OM_uint32'
get.c:629: error: 'OM_uint32' undeclared (first use in this function)
get.c:629: error: (Each undeclared identifier is reported only once
get.c:629: error: for each function it appears in.)
get.c:629: error: expected ';' before 'ctx'
get.c:630: error: 'gss_buffer_desc' undeclared (first use in this function)
get.c:630: error: expected ';' before 'buf'
get.c:631: error: expected ';' before 'emajor'
get.c:635: error: 'emajor' undeclared (first use in this function)
get.c:635: error: 'eminor' undeclared (first use in this function)
get.c:635: error: 'GSS_C_GSS_CODE' undeclared (first use in this function)
get.c:636: error: 'GSS_C_NO_OID' undeclared (first use in this function)
get.c:636: error: 'ctx' undeclared (first use in this function)
get.c:636: error: 'buf' undeclared (first use in this function)
get.c:643: error: 'GSS_C_MECH_CODE' undeclared (first use in this function)
get.c: In function 'get_nego':
get.c:670: error: 'gss_name_t' undeclared (first use in this function)
get.c:670: error: expected ';' before 'target_name'
get.c:671: error: 'OM_uint32' undeclared (first use in this function)
get.c:671: error: expected ';' before 'major'
get.c:672: error: 'gss_ctx_id_t' undeclared (first use in this function)
get.c:672: error: expected ';' before 'gssctx'
get.c:716: error: 'gssctx' undeclared (first use in this function)
get.c:716: error: 'GSS_C_NO_CONTEXT' undeclared (first use in this function)
get.c:745: error: expected ';' before 'ret'
get.c:764: error: 'gss_buffer_desc' undeclared (first use in this function)
get.c:764: error: expected ';' before 'inbuf'
get.c:767: error: 'namebuf' undeclared (first use in this function)
get.c:769: error: 'major' undeclared (first use in this function)
get.c:769: error: 'minor' undeclared (first use in this function)
get.c:770: error: 'GSS_KRB5_NT_PRINCIPAL_NAME' undeclared (first use in this function)
get.c:770: error: 'target_name' undeclared (first use in this function)
get.c:779: error: 'inbuf' undeclared (first use in this function)
get.c:783: error: 'outbuf' undeclared (first use in this function)
get.c:786: error: 'GSS_C_NO_CREDENTIAL' undeclared (first use in this function)
get.c:789: error: 'GSS_C_NO_OID' undeclared (first use in this function)
get.c:791: error: 'GSS_C_INDEFINITE' undeclared (first use in this function)
get.c:792: error: 'GSS_C_NO_CHANNEL_BINDINGS' undeclared (first use in this function)
get.c:813: error: expected ';' before 'inbuf'
get.c:819: error: 'ret' undeclared (first use in this function)
get.c:823: error: 'VAS_GSS_SPNEGO_ENCODING_BASE64' undeclared (first use in this function)
get.c:824: error: 'GSS_C_NO_BUFFER' undeclared (first use in this function)
make[4]: *** [get.o] Error 1
make[4]: Leaving directory `/mnt/mod_auth_vas-3.6.7/test/http-get'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/mnt/mod_auth_vas-3.6.7/test/http-get'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/mnt/mod_auth_vas-3.6.7/test'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/mnt/mod_auth_vas-3.6.7'
make: *** [all] Error 2

I am using QAS 3.5.2.89.

My last round of compiling MAV was on AIX 5.3/XLC/IBMIHS 6.x, when I had to put a patch in for timeout problems.


Kerberos SSO with 1 way Trust

I have configured Kerberos SSO with a 1-way trust between two domains. But on logging in I am getting the following exception...

[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: resetting state...
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: principal = 'HTTP/mdk1waytrustd3.wtmdk1waydom3.com'
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: realm = 'WTMDK1WAYDOM3.COM'
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Found name servers using JNDI
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd2.wtmdk1waydom2.com (10.31.70.183)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd1.wtmdk1waydom1.com (10.31.69.52)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: MDK1WAYTRUSTD3.WTMDK1WAYDOM3.COM (10.31.70.184)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: mdk1waytrustd4.wtmdk1waydom4.com (10.31.71.34)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: corpinba8.corp.emc.com (10.30.48.37)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: corpgefr3.corp.emc.com (152.62.196.10)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: The old JCSI Kerberos code for the Windows LSA is now disabled by default;
if you really want it (rather than the new WinSSPI code) you must set
-Djcsi.kerberos.lsa.enable=true
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Creating LSA credential cache
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: Could not locate default cache: com.dstc.security.kerberos.KerberosException: Could not create credential store com.dstc.security.kerberos.KerberosException: Native in-memory credential cache not supported on this platform (Windows Server 2008 R2)
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: login succeeded
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: loaded InputStream based keytab at time 1351158964992 m/secs, 5 entries
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: binding principal to subject
[DEBUG] Thu Oct 25 02:56:04 PDT 2012 jcsi.kerberos: binding credentials to subject


Can someone help me in resolving this?

Regards,
Sumith

Account Validation Failed - Rejecting User

I have installed the quest-samba-3.0.25a_q213 RPMs under Fedora Core 7, followed the installation instructions and ran /opt/quest/bin/vas-samba-config; all worked fine.

# /opt/quest/bin/vas-samba-config
Checking for VAS...
Stopping Samba services...
Checking /etc/opt/quest/samba/smb.conf...
/etc/opt/quest/samba/smb.conf: No changes required
Checking /etc/opt/quest/vas/vas.conf...
/etc/opt/quest/vas/vas.conf: No changes required

  Samba can support NTLM (non-Kerberos) authentication for users,
  but this requires that the local host password be renewed (set to
  a new random string) during installation. Renewing the host
  password is a normal operation that is performed periodically
  by vasd.

Reset the local host key now for NTLM support? [yes]:

Detecting domain SID...
Renewing the computer account password...
Modified trust account password in secrets database
Join is OK
Starting Samba services...
Starting vasidmapd service:                                [  OK  ]
Starting nmbd-quest service:                               [  OK  ]
Starting smbd-quest service:                               [  OK  ]
Starting winbindd-quest service:                           [  OK  ]


Then I tried a few things from 'Testing the Samba server is properly configured':

/opt/quest/bin/net rpc testjoin
Join to '###' is OK

/opt/quest/bin/net/ads testjoin
Join is OK

Now, all going fine you might say, however...

When I try smbclient, all I get is smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User mikec!

I have tried the following:

su - mikec
kinit mikec@MY.REALM
/opt/quest/bin/smbclient //leaf.mydomain/mikec -UMYDOMAIN/mikec

cli_session_setup_blob: recieve failed (NT_STATUS_LOGON_FAILURE)
session setup failed: NT_STATUS_LOGON_FAILURE

The error that keeps cropping up in /var/log/messages is

smbd[5910]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User mikec!

Can anyone shed any light?

Regards,
Mike

Error in Service Module


RHEL 6.1

The machine is joined to the domain, and the AD account is able to log in to other QAS machines.

Whenever I attempt to log in from the main screen I just get the error "Error in Service Module".

Any thoughts?

Crash when authenticating

I'm seeing the following crash during authentication:

*** glibc detected *** /usr/java/jdk1.6.0_25/bin/java: free(): invalid pointer: 0x0000000041e33450 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3b66275916]
/opt/quest/lib64/libvas.so.4(vas_string_zerofree+0x4b)[0x7ffd9cc615f0]
/lib64/security/pam_vas3.so(pam_vas_do_conversation+0x210)[0x7ffd9ce01c7d]
/lib64/security/pam_vas3.so(pam_vas_am_prompt_for_cred+0x2ff)[0x7ffd9cdfc85b]
/lib64/security/pam_vas3.so(pam_sm_authenticate+0xb30)[0x7ffd9cdf772a]
/lib64/libpam.so.0[0x3b69202cee]
/lib64/libpam.so.0(pam_authenticate+0x40)[0x3b69202600]

Any ideas as to what may be causing it? The pam config looks like:


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_vas3.so create_homedir get_nonvas_pass store_creds
auth requisite pam_vas3.so echo_return
auth sufficient pam_unix.so nullok try_first_pass use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account sufficient pam_vas3.so
account requisite pam_vas3.so echo_return
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password sufficient pam_vas3.so
password requisite pam_vas3.so echo_return
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session required pam_vas3.so create_homedir
session requisite pam_vas3.so echo_return
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

Clock skew error


[on behalf of Rodney]

Hi Team,

  We're using VSJ 3.3 in a web application (on Tomcat). During SSO with AD, users sometimes are not able to log in, and the error found in Tomcat STDOUT is:

  {ERROR} av.AuthenticatorValidatorBase Thread [http-8080-Processor24];  Rejected AP-REQ because timestamp (1314873940000) is 324056 ms old (max skew = 300000)

  ++++ KRB-AP-REQ Message ++++

  encryption type: 23 (DECRYPTED OK)

  ap options: mutual-required

  Ticket:

    encryption type: 23

    service principal:HTTP/service-account@domain.com

  client:username@domain.com

  subkey: [23,  4 be cc e0 b9 ef b0 a8 68 9f 2e 93 c8 31 3a 9 ]

  client time: Thu Sep 01 03:45:40 PDT 2011

  cusec: 394

  sequence number: 1253074037

  ++++++++++++++++++++++++++++

  We have confirmed that the DC and the app server times are in sync when the issue occurs.

  Any ideas?

  Thanks in advance!

  Rodney
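As an added example (mine, not from Rodney's post and not VSJ code), the following Python reproduces the acceptor-side check that produces the rejection line above: it parses the logged message, reconstructs the two clocks being compared, and re-runs the RFC 4120 skew rule (KRB_AP_ERR_SKEW when the authenticator time and the server's time differ by more than the permitted skew). The log line is copied from the post; the Authenticator class and the function names are my own.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed copy of the rejection line shown in the post (VSJ log format).
LOG_LINE = ("{ERROR} av.AuthenticatorValidatorBase Thread [http-8080-Processor24];  "
            "Rejected AP-REQ because timestamp (1314873940000) is 324056 ms old (max skew = 300000)")

SKEW_RE = re.compile(r"timestamp \((\d+)\) is (\d+) ms (old|in the future) \(max skew = (\d+)\)")


@dataclass
class Authenticator:
    """The two time fields the client writes into the AP-REQ authenticator (RFC 4120 5.5.1)."""
    ctime_ms: int  # client's wall clock, ms since the epoch (the log prints it this way)
    cusec: int     # microseconds within that second, e.g. "cusec: 394" in the dump


def check_ap_req_time(auth: Authenticator, server_now_ms: int, max_skew_ms: int = 300_000):
    """Acceptor-side freshness check: reject when |server time - client time| exceeds the
    permitted skew (RFC 4120 3.2.3). Returns (accepted, message)."""
    delta = server_now_ms - auth.ctime_ms
    if abs(delta) > max_skew_ms:
        how = "old" if delta > 0 else "in the future"
        return False, (f"Rejected AP-REQ because timestamp ({auth.ctime_ms}) is "
                       f"{abs(delta)} ms {how} (max skew = {max_skew_ms})")
    return True, f"accepted, {delta} ms within skew"


def parse_skew_error(line: str):
    """Pull (client_ms, signed_delta_ms, max_skew_ms) out of a rejection line, or None."""
    m = SKEW_RE.search(line)
    if not m:
        return None
    client_ms, delta_ms, how, max_skew_ms = m.groups()
    signed = int(delta_ms) if how == "old" else -int(delta_ms)
    return int(client_ms), signed, int(max_skew_ms)


def clocks_at_rejection(line: str):
    """Reconstruct both clocks (UTC) from the logged line: the time the workstation wrote
    into the authenticator, and the app server's time when it validated the token."""
    client_ms, delta_ms, _ = parse_skew_error(line)
    client = datetime.fromtimestamp(client_ms / 1000, tz=timezone.utc)
    server = datetime.fromtimestamp((client_ms + delta_ms) / 1000, tz=timezone.utc)
    return client, server


if __name__ == "__main__":
    client, server = clocks_at_rejection(LOG_LINE)
    print("client authenticator time:", client.isoformat())   # 2011-09-01T10:45:40+00:00, i.e. 03:45:40 PDT as in the dump
    print("app server time at check: ", server.isoformat())
    print(check_ap_req_time(Authenticator(1314873940000, 394), int(server.timestamp() * 1000)))
```

The timestamp in the message is the one the user's workstation wrote into the authenticator (the "client time" in the dump), so the comparison is workstation clock against app server clock; confirming that the DC and the app server agree says nothing about that third clock. With the numbers above, the workstation was about 324 s behind the server at the moment of the check, just past the 300 s limit.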


Problem QAS 4.0.3 and Ubuntu 12.04

Hi,

I'm testing Ubuntu's beta version 12.04. Installing QAS 4.0.3 works correctly, but when the computer restarts, the PC crashes when the vasd service starts.


When testing at another terminal (Ctrl + Alt + F2), I cannot log on with a local user or a domain user.

This problem only happens with version 12.04; with previous versions there is no problem. So I think it is a bug in QAS.

Anyone know how to fix it?


Thanks.

Stuck with kerberos authentication to Sharepoint

I have to connect to MS IIS server using SPNEGO token with Kerberos ticket inside, exactly as Internet Explorer does it.

If I use Java GSSManager.initiateContext(), it requests tickets with incorrect KDCOptions, dates and some other params I cannot control.

I tried the com.dstc.security lib, and was able to get tickets exactly as Internet Explorer does with a couple of lines:

// prepare the required KDCOptions (kdo) first; kerberos, kdo, d, password and REALM are defined elsewhere in the poster's program
Credential tgt = kerberos.requestTicketGrantingTicket(new KerberosPassword(password.getBytes()), kdo, new Date(), d, new InetAddress[] {InetAddress.getByName("somename")}, null);
Credential srvt = kerberos.requestServiceTicket(tgt, new PrincipalName(2, "HTTP/server.domain.net"), REALM, kdo);

But how can I use these credentials or tickets inside to create SPNEGO token same as I can get with GSSManager.initiateContext()?

Wrong ticket encryption for W2K clients only causes VSJ to fail


Hi,

I am facing the following problem.

The Windows service account used for Vintela SSO is set up using "Use DES encryption for this account". The keytab is created with ktpass ... -crypto DES-CBC-MD5 encryption.

Everything is working when I login to the web application from a Windows 2003 server machine. On the Windows 2003 server machine part of the klist tickets command is as follows (Kerberos ticket encryption of type DES-CBC-MD5 as expected):

   Server: HTTP/server.eu.xxx.com@EU.XXX.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 8/3/2007 21:38:37
      Renew Time: 8/10/2007 11:38:37

But on the Windows 2000 clients the ticket is encrypted with RC4-HMAC-NT:

   Server: HTTP/server@EU.XXX.COM
      KerbTicket Encryption Type: Kerberos RSADSI RC4-HMAC(NT)
      End Time: 8/3/2007 21:42:55
      Renew Time: 8/10/2007 11:42:55

The wrongly obtained ticket causes SSO to fail.

Tomcat output is:

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Successfully matched service principal "HTTP/SERVER.EU.XXX.COM@EU.XXX.COM but not key type (23) + KVNO (2) in this entry: Principal: HTTP/SERVER.EU.XXX.COM@EU.XXX.COM Type: 1 TimeStamp: Wed Dec 31 19:00:00 EST 1969 KVNO: -1 Key: [3, 67 ec a8 a8 75 e0 ab 3e ] )

So the encryption type of the client ticket (which is of type 23=RC4-HMAC-NT) does not match the entry in the keytab (type 3=DES-CBC-MD5).

Why does the Windows 2000 machine get a different encrypted ticket? Also, there is a difference in the SPN returned in the output of the klist tickets above.

Any help would be greatly appreciated.

Thanks,

Ron
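Added example (mine, not Ron's code and not Vintela's keytab implementation): a model of the key lookup the error message above describes. A keytab is a list of (principal, KVNO, enctype, key) entries, and before the acceptor can decrypt a service ticket it must find an entry whose principal, enctype and KVNO all match the ticket header. The entry values are taken from the post; the class and function names are assumptions.

```python
from dataclasses import dataclass
from typing import List

# Kerberos encryption type numbers (IANA/RFC 3961, 3962, 4757 assignments) for the types involved.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    etype: int
    key: bytes


@dataclass
class TicketHeader:
    """The unencrypted fields of an incoming service ticket the acceptor reads before decrypting."""
    sname: str
    etype: int
    kvno: int


def find_key(keytab: List[KeytabEntry], ticket: TicketHeader) -> KeytabEntry:
    """Select the keytab key able to decrypt the ticket, or raise with the same distinction the
    VSJ error makes: no entry for the principal vs. principal matched but etype/KVNO did not."""
    by_principal = [e for e in keytab if e.principal == ticket.sname]
    if not by_principal:
        raise LookupError(f"no keytab entry for service principal {ticket.sname!r}")
    for e in by_principal:
        if e.etype == ticket.etype and e.kvno == ticket.kvno:
            return e
    have = ", ".join(f"{ENCTYPE_NAMES.get(e.etype, e.etype)} kvno {e.kvno}" for e in by_principal)
    want = ENCTYPE_NAMES.get(ticket.etype, ticket.etype)
    raise LookupError(f"matched service principal {ticket.sname!r} but not key type "
                      f"({ticket.etype}={want}) + KVNO ({ticket.kvno}); keytab has: {have}")


def missing_etypes(keytab: List[KeytabEntry], principal: str, client_etypes: List[int]) -> List[int]:
    """Which of the enctypes clients may present have no key for this principal in the keytab."""
    present = {e.etype for e in keytab if e.principal == principal}
    return sorted(set(client_etypes) - present)


# Constructed keytab modelled on the post: one DES-CBC-MD5 (type 3) key, as ktpass -crypto DES-CBC-MD5 produces.
SPN = "HTTP/SERVER.EU.XXX.COM@EU.XXX.COM"
KEYTAB = [KeytabEntry(SPN, kvno=2, etype=3, key=bytes.fromhex("67eca8a875e0ab3e"))]

if __name__ == "__main__":
    print(find_key(KEYTAB, TicketHeader(SPN, etype=3, kvno=2)))        # the Windows 2003 case
    try:
        find_key(KEYTAB, TicketHeader(SPN, etype=23, kvno=2))           # the Windows 2000 case
    except LookupError as err:
        print(err)
    print("etypes without a key:", missing_etypes(KEYTAB, SPN, [3, 23]))
```

missing_etypes is the check worth running before a keytab is deployed: list the enctypes the client population can present (here 3 from the Windows 2003 host and 23 from the Windows 2000 clients) and confirm every one has a key for the SPN, since a ktpass run with -crypto DES-CBC-MD5 writes only the type-3 key.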

HTTP Status 500 - com.wedgetail.idm.sso.ntlm.NtlmException: NTLM token is T


removed



vasd won't stop


On a couple of AIX 5.3 servers (running DB2), the vasd daemons cannot be stopped with "/etc/rc.d/init.d/vasd stop". Instead, I have to "kill" the processes in order for them to stop.

vasd reports "disconnected".  Users are unable to login when vasd is in this state.  The logs show login attempts such as:

May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <succeeded disconnected> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <N/A> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <succeeded disconnected> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <N/A> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <failed passwordless> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <Password is expired.> Access Control Identifier(UPN):<user1@mydomain.com>
May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <failed passwordless> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <Password is expired.> Access Control Identifier(UPN):<user1@mydomain.com>

However, I know user1's password is not expired, since the user can successfully log in to server04 (also AIX and configured identically). Here is some more info from an affected server:

1) Prompt:
$ ssh server05

DISCONNECTED MODE: enter password:
Current password for
user1@mydomain.com:
New password:

2) vastool status
# vastool status

VAS is currently joined to:                      mydomain.com
Join command found in:                           /etc/opt/quest/vas/lastjoin
Verifying timesync with domain controller:       YES
  Time delta: 0 seconds
Are valid VAS licenses installed?                YES
Checking to see if VAS daemon is running:        YES
Checking for valid computer account (SAMNAME)
  SERVER05$@MYDOMAIN.COM                         YES
Checking for valid computer account (SPN)
  host/server05.mydomain.com@MYDOMAIN.COM        YES
Checking to see if VAS is in connected state:    NO
Verifying VAS is configured for name service:    NO
Verifying VAS is configured for auth service:    YES
Verifying VAS configuration file is correct:     YES
Verifying sanity of users allow file:            YES
Verifying sanity of users deny file:             YES
Verifying sanity of group-override file:         YES
Verifying sanity of user-override file:          YES

3) ipc file exists
# ls /var/opt/quest/vas/vasd/.vasd_ipc_sock
/var/opt/quest/vas/vasd/.vasd_ipc_sock


4) host auth works
# /opt/quest/bin/vastool -u host/ auth -S host/
SERVER05$@MYDOMAIN.COM was successfully authenticated to SERVER05$@MYDOMAIN.COM.

Anyone seen this before or have any ideas what might be triggering this condition?

Thanks.
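Added example (mine, not from the post and not Quest code): a small detection routine over pam_vas syslog records of the kind shown above. It parses the angle-bracket fields, labels each event, and reports which hosts are answering logins from vasd's offline cache (the <succeeded disconnected> form), which is the state the post describes. The sample lines are the post's four records re-joined onto one line each; the regexes, class and function names are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the four pam_vas lines from the post, re-joined onto one line each.
SAMPLE_LOG = [
    "May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <succeeded disconnected> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <N/A> Access Control Identifier(UPN):<user1@mydomain.com>",
    "May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <succeeded disconnected> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <N/A> Access Control Identifier(UPN):<user1@mydomain.com>",
    "May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <failed passwordless> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <Password is expired.> Access Control Identifier(UPN):<user1@mydomain.com>",
    "May 18 16:49:31 server05 auth|security:info sshd2[254108]: pam_vas: Authentication <failed passwordless> for <Mapped> user: <user1> account: <user1@mydomain.com> service: <ssh> reason: <Password is expired.> Access Control Identifier(UPN):<user1@mydomain.com>",
]

SYSLOG_HOST_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) ")
PAM_VAS_RE = re.compile(
    r"pam_vas: Authentication <(?P<result>\w+)(?: (?P<mode>\w+))?> for <(?P<kind>\w+)> "
    r"user: <(?P<user>[^>]*)> account: <(?P<account>[^>]*)> "
    r"service: <(?P<service>[^>]*)> reason: <(?P<reason>[^>]*)>"
)


@dataclass
class AuthEvent:
    host: str
    result: str           # succeeded / failed
    mode: Optional[str]   # qualifier inside the angle brackets, e.g. disconnected, passwordless
    kind: str             # Mapped, etc.
    user: str
    account: str
    service: str
    reason: str


def parse_pam_vas(line: str) -> Optional[AuthEvent]:
    """Parse one syslog line; None for lines that are not pam_vas authentication records."""
    m = PAM_VAS_RE.search(line)
    if not m:
        return None
    h = SYSLOG_HOST_RE.match(line)
    return AuthEvent(host=h.group("host") if h else "?", **m.groupdict())


def classify(ev: AuthEvent) -> str:
    """Triage label. 'cached-auth' means vasd answered from its offline cache; an expiry
    failure on such a host is worth comparing with a connected peer, as the post does,
    before it is treated as a real expiry."""
    if ev.result == "succeeded" and ev.mode == "disconnected":
        return "cached-auth"
    if ev.result == "failed" and ev.reason == "Password is expired.":
        return "expiry-failure"
    if ev.result == "failed":
        return "failure"
    return "ok"


def summarize(lines: List[str]) -> dict:
    """Count events per triage label."""
    counts = Counter()
    for line in lines:
        ev = parse_pam_vas(line)
        if ev:
            counts[classify(ev)] += 1
    return dict(counts)


def hosts_in_disconnected_mode(lines: List[str]) -> List[str]:
    """Hosts with at least one cached-auth success: candidates for a vasd health check."""
    hosts = {ev.host for ev in map(parse_pam_vas, lines) if ev and classify(ev) == "cached-auth"}
    return sorted(hosts)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("hosts serving logins from cache:", hosts_in_disconnected_mode(SAMPLE_LOG))
```

Pairing this with the "Checking to see if VAS is in connected state" line of vastool status gives two independent signals for the same condition, one from the auth path and one from the daemon.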

Samba configuration with Quest

Hi,

We are in the process of migrating to QAS, and I have a few questions about Samba configuration.

Q1

Firstly, on running vas-samba-config -f:

lrwxrwxrwx 1 root root 27 Jun 13 12:26 /etc/krb5.conf -> /etc/opt/quest/vas/vas.conf

Should I continue to update this file? [no]:

Now we have this linked to allow other Kerberized apps to work, OpenSSH for example. Should we be adding to the central config any options this script would normally want to put into this file in order to allow Samba to work properly? For example, should we add:

"password-change-script = /opt/quest/libexec/vas-set-samba-password"

, to be pushed out to vas.conf from group policy? Or should I copy in a krb5.conf that is a copy of vas.conf and let the script play with it? Will it still work with OpenSSH?

I notice if I do let it play with this file it hard-codes KDCs; what happens if these machines are changed?

What is best practice with krb5.conf?

Q2

I get,

* NOTE: Winbind not found

AD authentication will still be available to Samba, but access
control entries and file ownership will appear to be for local
users instead of domain users. To correct this, please install
and start winbind and then re-run this script.

Is winbindd supposed to be running? Or just installed? How does it fit in? It doesn't seem to make much difference to my present level of functionality.

Q3

When Samba is up and running and I go into the permissions, I see my users listed as "Unix Users\blah" "Unix Group\foo".

Is this correct, or should they now be listed as domain users? If I try to add a domain user, it comes up properly in the list (as a domain account, not Unix\Users) but disappears when applied, and an error gets logged:

Jul 7 17:49:55 testvas smbd[4885]: create_canon_ace_lists: unable to map SID S-1-5-21-790525478-2049760794-839522125-6178 to uid or gid.

, so I presume something is wrong with my Samba setup. I'd assumed that with vasidmapd the list would appear as domain users and I'd be able to edit the ACL (ACLs work with setfacl and getfacl on the command line). My smb.conf looks like:

[global]
workgroup = IONEU
max log size = 1000000
preserve case = yes
short preserve case = yes
security = ads
realm = IONEU.IONGEO.COM
encrypt passwords = yes
load printers = no
local master = no
client use spnego = yes
log level = 1
map to guest = Bad User
guest account = cifsguest
hide dot files = yes
nt acl support = yes


;--- begin options added by vas-samba-config (20110707) ---
domain master = no
domain logons = no
machine password timeout = 0
obey pam restrictions = yes
kerberos method = dedicated keytab
dedicated keytab file = /etc/opt/quest/vas/host.keytab
;--- end options added by vas-samba-config (20110707) ---


;--- begin options added by vas-samba-config (20110707) ---
winbind nested groups = no
ldap admin dn = CN=VasIdmapAdmin
idmap backend = ldap:ldap://localhost
idmap uid = 1-2147483647
idmap gid = 1-2147483647
idmap cache time = 300
;--- end options added by vas-samba-config (20110707) ---

[homes]
writeable = yes
guest ok = no

; Local disk configurations

Thanks

using samba-quest in a cluster (using a virtual IP)

We would like to run Samba in a clustered environment and bind Samba to a virtual IP rather than the IP of the local host. This then means the VIP can move from one host to another for fault tolerance, etc. However, VAS authentication breaks, I assume because Samba is bound to and using the VIP for outbound connections, rather than the host IP address. The error we are seeing in syslog is:

Jul  9 13:00:38 duk1srv0134 smbd[20533]: [2007/07/09 13:00:38, 0] source/rpc_client/cli_pipe.c:get_schannel_session_key(2449)
Jul  9 13:00:38 duk1srv0134 smbd[20533]:   get_schannel_session_key: could not fetch trust account password for domain 'DHDOM1'
Jul  9 13:00:38 duk1srv0134 smbd[20533]: [2007/07/09 13:00:38, 0] source/rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2679)
Jul  9 13:00:38 duk1srv0134 smbd[20533]:   cli_rpc_pipe_open_schannel: failed to get schannel session key from server DUK2SRV0111.DUNNHUMBY.CO.UK for domain DHDOM1.
Jul  9 13:00:38 duk1srv0134 smbd[20533]: [2007/07/09 13:00:38, 0] source/auth/auth_domain.c:connect_to_domain_password_server(119)
Jul  9 13:00:38 duk1srv0134 smbd[20533]:   connect_to_domain_password_server: unable to open the domain client session to machine DUK2SRV0111.DUNNHUMBY.CO.UK. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Jul  9 13:00:38 duk1srv0134 smbd[20533]: [2007/07/09 13:00:38, 0] source/rpc_client/cli_pipe.c:get_schannel_session_key(2449)

I set the following in the smb.conf to force binding to an IP:

   bind interfaces only = yes
   interfaces = eth0 10.87.220.15/16

Maybe I need to raise a support request for this; I will spend some more time on looking for a solution to this before doing so, though.

QAS and FileVault on OS X

Is there a way to use FileVault on OS X Mountain Lion with QAS? I mean so that the AD user can be selected during boot for the FileVault authentication.

Thanks,

Nils

Support for apache httpd 2.4?

Do you know if mod_auth_vas will work with Apache httpd 2.4? Or if there is any intention to support this, and if so, in what time frame this version is likely to be supported?

Thanks,
Paul

"Require unix-group XXX" doesn't work with primary group id

Greetings,

CentOS 4.5 x86_64, Apache 2.0.5.2, mod_auth_vas (uh...the snapshot that fixes the SVN slowness, as well as the latest official releases), VAS 3.1.1.

I am using "Require unix-group testgrp" on a location on one of our web servers. I noticed that if the user's primary group ID is set to "testgrp" but they are NOT in the corresponding AD group, mod_auth_vas denies the user as not being a part of the "testgrp" group. From the viewpoint of the OS itself (id, finger), the user is a part of testgrp and has testgrp in its supplemental list. As soon as I add the user to the correct AD group, the user is allowed in (again, even though that user's primary GID is testgrp). Does mod_auth_vas not check the primary GID?

One more thing to note: our Unix groups were created in AD as "UNIX-Group-XXX" to keep the Unix names separate from the already existing Windows names. We use group mapping to assign the actual short name of the group. Just in case it matters...

Brendon
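Added example (mine, not Brendon's code and not mod_auth_vas): the two ways an authorization check can answer "is this user in Unix group X", run over constructed passwd/group records shaped like the situation in the post. The first consults only the group's explicit member list; the second also counts the user's primary GID, which is what id(1) and getgrouplist(3) do. Record layout and function names are assumptions.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int  # primary group, the pw_gid field of /etc/passwd


@dataclass
class GroupEntry:
    name: str
    gid: int
    members: List[str] = field(default_factory=list)  # explicit members only, as in /etc/group


def groups_of(user: PasswdEntry, groups: List[GroupEntry]) -> List[str]:
    """Every group the OS treats the user as belonging to: the primary GID plus
    every group whose member list names the user. This is what `id` prints."""
    names = {g.name for g in groups if g.gid == user.gid}
    names |= {g.name for g in groups if user.name in g.members}
    return sorted(names)


def require_unix_group_supplementary_only(user: PasswdEntry, groups: List[GroupEntry], wanted: str) -> bool:
    """Check that consults only explicit member lists. It rejects a user whose only tie to
    the group is the primary GID, which is the behaviour described in the post."""
    return any(g.name == wanted and user.name in g.members for g in groups)


def require_unix_group(user: PasswdEntry, groups: List[GroupEntry], wanted: str) -> bool:
    """Check that agrees with the OS: primary GID counts as membership too."""
    return wanted in groups_of(user, groups)


def live_groups(username: str) -> List[int]:
    """The same answer from the running system (not used by the tests): getgrouplist(3)
    includes the primary gid passed to it alongside the supplementary groups."""
    import pwd  # Unix only
    pw = pwd.getpwnam(username)
    return sorted(set(os.getgrouplist(username, pw.pw_gid)))


# Constructed records: brendon's primary group is testgrp, but he is not in its member list;
# alice is a supplementary member of testgrp and her primary group is users.
PASSWD: Dict[str, PasswdEntry] = {
    "brendon": PasswdEntry("brendon", 10001, 5001),
    "alice": PasswdEntry("alice", 10002, 5000),
}
GROUPS = [GroupEntry("users", 5000, ["brendon"]), GroupEntry("testgrp", 5001, ["alice"])]

if __name__ == "__main__":
    for name, user in PASSWD.items():
        print(name, groups_of(user, GROUPS),
              "supplementary-only:", require_unix_group_supplementary_only(user, GROUPS, "testgrp"),
              "with primary gid:", require_unix_group(user, GROUPS, "testgrp"))
```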

VAS login failed


Hello everyone,

One of my Solaris servers quite often can't log in. Even after I ran "vastool flush", users still can't log in via VAS. Sometimes it prompts an error when flushing:

vasd stopped
Flushing auth cache: OK
Could not load caches- Authentication failed, error = VAS_ERR_NOT_FOUND: Not found
   Caused by:
   VAS_ERR_KRB5: Failed to obtain credentials. Keytab: , Client: CRS-CCH-APS-003$@UAS.LOCAL, Service: krbtgt/UAS.LOCAL@UAS.LOCAL,
Server: cs-2k3-vas002.uas.local
   Caused by:
   KRB5KDC_ERR_PREAUTH_FAILED (-1765328360): Preauthentication failed

It appears that the computer object has not yet replicated to the Global Catalog.
vasd will stay in disconnected mode until this replication takes place.
You do not need to rejoin this computer.

fork_ns_ipc_handler_process: Could not load NS caches - Authentication failed,error = VAS_ERR_NOT_FOUND: Not found
   Caused by:
   VAS_ERR_KRB5: Failed to obtain credentials. Keytab: , Client: CRS-CCH-APS-003$@UAS.LOCAL, Service: krbtgt/UAS.LOCAL@UAS.LOCAL, Server: cs-2k3-vas-002.uas.local
   Caused by:
   KRB5KDC_ERR_PREAUTH_FAILED (-1765328360): Preauthentication failed

Waiting for computer object to be replicated throughout the domain.
The NS IPC handler will be in disconnected mode until the replication takes place.


The only thing I can do is rejoin the AD.

I checked the message log; the following error was also found.

vasd[10847]: [ID 608781 daemon.error] password_policy_interval: Failed to locally initialize context and id, will not be able to update password policy. result=2

Is there anything going wrong?

Regd: Constrained delegation not working with standalone Java code.

Hi,

I'm trying to use VSJ and have written a standalone application to implement constrained delegation. Can any one of you please look at the below-mentioned Active Directory configuration and the standalone Java program which performs the Kerberos operations for constrained delegation, and let me know what exactly went wrong.

Active Directory Configuration:
=====================
I have created two user accounts user1 and user2 and mapped these users to services in Active Directory: 1. CS/service1@dev2008.COM, 2. CS/service2@dev2008.COM. The first service (CS/service1@dev2008.COM) is configured such that it is only allowed to delegate to the second service (CS/service2@dev2008.COM), i.e. constrained delegation is enforced on the first service.

Standalone Java Program and Problem Noticed:
=================================
Generated a TGT (e.g. kinit -f user1@dev2008.COM password) for user1 on my dev machine and wrote a standalone Java app which performs the below Kerberos operations.
1. Fetches the user1 TGT from the cache.
2. Using the user1 TGT, the Java app tries to get a service ticket through delegation to the service mapped to user1 (i.e. CS/service1@dev2008.COM).
3. Gets the delegated credentials using the service ticket (by accepting the service ticket on service1 (CS/service1@dev2008.COM) I get the delegated credentials).
4. Uses the delegated credentials to fetch a service ticket for service2 (CS/service2@dev2008.COM). This works fine.

However, when I try to fetch a service ticket for some other service in the AD (a service not among the SPNs listed under the constrained delegation of service1), I am still able to get a service ticket.

Is there a specific API or configuration in VSJ which needs to be called or enabled to make constrained delegation work, i.e. so that the ST can be generated only for service2? Or have I done anything wrong?

I have tried setting idm.allowS4U to true in the vsj.properties file, but I'm not sure whether this file is getting picked up, even though the properties file is on the classpath; I also tried pointing to the file location with -Didm.propertyFileURL="C:\common\vsj.properties" (not sure how helpful it is).

Thanks,
Naga


