VAS & Printing to Windows Printers - How!?

March 1, 2010, 1:42 am

≫ Next: QAS - Using Environment variable in GPO users.allow confilguration

We have an active directory network with a print server sharing printers.

We have linux,mac clients who need to print to these printers, in the past I have used an LPD server on the windows print server, however, I would like to rationalise and have all clients printing through windows/samba type printing.

However, on a client with cups 1.3.9 when I create an entry for a printer smb://windowsprintserver/sharename the client, does not print, instead, pops up an authentication box, which I would like to be the signed on authenticated user, rather than asking.

I attempted to enable kerberos on cups, and this has made things even worse with kern.log filling with entries like

kernel: [11509.141476] type=1502 audit(1267433423.817:6485): operation="file_lock" requested_mask="::k" denied_mask="::k" fsuid=0 name="/var/opt/quest/vas/vasd/vas_misc.vdb" pid=17283 profile="/usr/sbin/cupsd"

Has anbody a guide on using QAS to print to windows printers via smb (or any other method?)

↧

QAS - Using Environment variable in GPO users.allow confilguration

July 7, 2010, 7:49 am

≫ Next: quest-openssh.5.2.1.13

≪ Previous: VAS & Printing to Windows Printers - How!?

Hi,
We have QAS 3.5. I'm planning on using Macros to control access to Unix Systems using windows groups. This method is described in http://vintela.inside.quest.com/servlet/KbServlet/download/1354-102-1792/Group_Policy_with_VAS.pdf and in screencast here at http://screencast.com/t/d2PUs2R2

I'm seeing that the Unix host does not pick up the setting after the group policy is set (even after days). The local users.allow file does not show the Hostname-access group does not show up. Even after restarting vasd, users.allow file isn't updated.

The file is updated only after gpo update command (vgptool apply), is run. Is this normal behavior or am I missing something.

Thanks
Mano Mathan

↧

quest-openssh.5.2.1.13

February 1, 2011, 4:23 am

≫ Next: Error in Service Module

≪ Previous: QAS - Using Environment variable in GPO users.allow confilguration

Hello Quest support,

I've downloaded the latest version (5.2.1.13) of Quest openssh for AIX 5.3, available on:

http://rc.quest.com/topics/openssh/

After installing it on AIX 6.1 I cannot start the ssh daemon. It keeps failing and generating the following message on the AIX error log:

---------------------------------------------------------------------------

LABEL: SRC_SVKO

IDENTIFIER: BC3BE5A3

Date/Time: Tue Feb 1 09:27:41 CUT 2011

Sequence Number: 12988

Machine Id: 00C8CFA44C00

Node Id: ddasy040

Class: S

Type: PERM

WPAR: Global

Resource Name: SRC

Description

SOFTWARE PROGRAM ERROR

Probable Causes

APPLICATION PROGRAM

Failure Causes

SOFTWARE PROGRAM

Recommended Actions

MANUALLY RESTART SUBSYSTEM IF NEEDED

Detail Data

SYMPTOM CODE

65280

SOFTWARE ERROR CODE

-9017

ERROR CODE

DETECTING MODULE

'srchevn.c'@line:'376'

FAILING MODULE

sshd-quest

---------------------------------------------------------------------------

The version of the AIX that I'm using is:

$ oslevel -s

6100-05-03-1036

Any advice?

↧

Error in Service Module

October 3, 2011, 1:16 pm

≫ Next: S4U2Self/S4U2Proxy WebService call with MIT Kerberos

≪ Previous: quest-openssh.5.2.1.13

RHEL 6.1

Machine is joined to domain, AD account is able to login to other QAS machines.

Whenever I attempt to login from main screen I just get the error "Error in Service Module"

Any thoughts?

↧

S4U2Self/S4U2Proxy WebService call with MIT Kerberos

December 13, 2011, 6:13 am

≫ Next: connect Linux laptop to corporate wifi network

≪ Previous: Error in Service Module

↧

connect Linux laptop to corporate wifi network

July 19, 2012, 4:31 am

≫ Next: Configuring VSJ for multiple domains for a web/stand alone JAVA client.

≪ Previous: S4U2Self/S4U2Proxy WebService call with MIT Kerberos

I am trying to connect a RHEL6 Linux laptop to our corporate wifi network. The laptop has been joined to the domain through Quest (VAS). I believe the wifi network uses both Machine authentication and User authentication but I am not certain about this as the wifi network is designed for Windows laptops and details are scatty and difficult to find.

The windows laptops are able to connect to the wifi network and they seem to have the following settings for their wifi adapter to connect to the corporate wifi network:
Security type: WPA2-Enterprise
Encryption Type: AES
Microsoft Protected EAP(PEAP)
Authentication Method: EAP-MSCHAP v2
When connecting automaticly use my Windows Logon name and password (and domain if any).
802.1X settings: specify user or computer authentication
802.11 settings: Enable Pairwise Master Key (PMK)
RADIUS Server: citrix.SomeStringxxx
RootCA: Some Certification Authority xxxx

If the Windows laptops joined to the domain can connect automatically to the wifi then I would like the Linux laptops joined to the domain via Quest(VAS) also to be able to connect (authenticate against the RADIUS server and connect to the wifi) either automatically or manually if needs be. I am uncertain as to what to do on the Linux laptop to be able to connect to the wifi. Is there some Quest program that enables the same type of connection/authentication that the Windows laptops have i.e. Windows laptops seem to be able to connect (as in the Users credentials and the Machine credentials pass to the WAP) to the wifi network auto-magically without the user having to do anything. I think this is being done through Group Policy in some way on the Windows laptops when they are first joined up to the Domain and Group Policies are applied - the auto joining to the wifi is set-up then I believe.

If there is no Quest wifi program then is their some way to replicate all the Windows PEAP settings on the RHEL6 Linux laptop manually? I am not sure how PEAP works but I think it should be possible to connect the Linux laptop to the wifi - I suspect that there is only a limited range of parameters that can be passed to the WAP (then eventually the RADIUS server) such as hostname, a certifcate, some sort of public/private key pair, username, password for authentication to take place.

Any advice much appreciated on a Quest program or even on entering the right settings on NetworkManager on RHEL6 and importing/exporting a key, importing/exporting a certifcate from the windows laptops to the Linux laptops etc

Thank you and kind regards,
Tahir

↧

Configuring VSJ for multiple domains for a web/stand alone JAVA client.

February 7, 2012, 2:28 am

≫ Next: Samba/VAS Offline File Synchronization Problem

≪ Previous: connect Linux laptop to corporate wifi network

Back Ground:

We have an existing Kerberos utility (developed using sun GSS API), which can be used by either web application/a standalone java based application to accept service ticket for a specific service or delegate GSS credentials to fetch a service ticket for another service.

Requirement:

Since our utility was developed using sun GSS API, it only works if all the services exists in single domain as the sun GSS API cannot understand reference tickets generated for cross domain authentication.

We now have a plan to develop this utility that allows to communicate services exist in multiple domains, for this purpose we are planning to use VSJ. We still wanted the client remain the same(either web application or a standalone application) for this utility.

1. Is there a way to integrate VSJ with the existing Kerberos utility(just by providing the VSJ security provider), so that without changing the existing utility code the cross domain authentication is successful?

2. If step1 is not possible, What configuration steps/additional VSJ APIs need to be used to achieve cross functionality. If any specific guide/documentation/any pointers available please point me to the same.

Thanks,
Naga

↧

Samba/VAS Offline File Synchronization Problem

January 7, 2008, 1:54 pm

≫ Next: cross-forest authentication - failed to get ldap/ service ticket

≪ Previous: Configuring VSJ for multiple domains for a web/stand alone JAVA client.

Is the Windows Offline File feature supposed to work with the released Samba/VAS version?

I'm having a problem where even though I make files/dirs available offline, when I'm offline I can see the dirs, but not the actual files.

I'm running VAS 3.2.0.108 w/ Samba 3.0.25a-Quest-213

↧

cross-forest authentication - failed to get ldap/ service ticket

December 7, 2009, 6:26 am

≫ Next: NTLM SMB issue - Could not get valid NTLM challenge from ........

≪ Previous: Samba/VAS Offline File Synchronization Problem

Hi all,

I'm struggling with a weird problem, I hope you can help ...

We have two forests, which are trusted both ways:
A.DOM (4x DC's dc1/dc2/dc3/dc4.a.dom)
B.NET (4x DC's dc1/dc2/dc3/dc4.b.net)
UNIX User: xyz@a.dom
Linux Box: server.c.net (joined B.NET)

The user "xyz@a.dom" tries to login to a linux box "server.c.net", but fails ...

In /var/log/messages I found entries like these (vasd debug-level 3):
------------------------------------------------------------------
Dec 7 10:29:32 server.c.net vasd[22501]: _ldap_init_and_bind: Failed to get ldap/ service ticket. VAS_ERR_KRB5: Failed to obtain credentials. Client: SERVER$@B.NET, Service: ldap/dc2.a.dom@B.NET, Server: dc4.b.net Caused by: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377): Server not found in Kerberos database Reason: Server (ldap/dc2.a.dom@B.NET) unknown
------------------------------------------------------------------
... and repeated for each A.DOM domain controller.

Of course this can't work. Why is vasd looking for ldap/dc2.a.dom@B.NET instead of ldap/dc2.a.dom@A.DOM. Did I miss anything in my vas.conf?

Here my vas.conf:
------------------------------------------------------------------
[libdefaults]
default_realm = B.NET
ticket_lifetime = 36000
default_keytab_name = /etc/opt/quest/vas/host.keytab
default_etypes = arcfour-hmac-md5
default_etypes_des = des-cbc-crc
default_tkt_enctypes = arcfour-hmac-md5
default_tgs_enctypes = arcfour-hmac-md5
forwardable = true
[domain_realm]
server.c.net = B.NET
[vasd]
debug-level = 3
workstation-mode = true
workstation-mode-group-do-member = true
alt-auth-realms = b.net,a.dom
cross-forest-domains = b.net,a.dom
[libvas]
use-server-referrals = true
use-tcp-only = true
enable-gssapi-acceptor-authz = true
[nss_vas]
lowercase-names = true
check-host-access = true
[vas_auth]
checkaccess-use-implicit = true
------------------------------------------------------------------

Any ideas what the problem could be?

Thanks a lot in advance!!!
Miguel

↧

NTLM SMB issue - Could not get valid NTLM challenge from ........

July 27, 2012, 10:36 am

≫ Next: Could not resolve KDC from DNS SRV record

≪ Previous: cross-forest authentication - failed to get ldap/ service ticket

I'm trying to debug an issue with NTLM failback, I have the filter configured correctly as per any other deployments.

I'm able to authenticate users correctly using Kerberos, but I have noticed in the logs an issue with NTLM.

This was discovered because of a Java Applet which is posting back to the server, the applet is not using kerberos but NTLM to authenticate the user.

The application server is Tomcat 5, using Quest VSJ "VSJ Standard Edition 3_3 Patch 3548"

From what can be seen within the server logs is that QuestSSO performs a DNS lookup and attempts to connect to all of the GCs which are returned.

Example:
- Starting Coyote HTTP/1.1 on http-80
- JK: ajp13 listening on /0.0.0.0:8009
- Jk running ID=0 time=0/47 config=null
- Host server1.domain.ltd/1.1.1.1:389 appears to be down
- Could not get valid NTLM challenge from server1.domain.ltd/1.1.1.1
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server2.domain.ltd/1.1.1.2:389 appears to be down
- Could not get valid NTLM challenge from server2.domain.ltd/1.1.1.2
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server3.domain.ltd/1.1.1.3:389 appears to be down
...
... etc

I have enabled the debug level and log4j configuration, but this is not showing any errors.

I have used PortQry.exe to scan the AD servers and they are accessible.

What can I do to move forward? Any ideas ?

↧

Could not resolve KDC from DNS SRV record

September 28, 2010, 1:35 pm

≫ Next: FATAL ERROR: Server unexpectedly closed network connection in using Plink

≪ Previous: NTLM SMB issue - Could not get valid NTLM challenge from ........

Using BusinessObjects with Tomcat 5.5 on Windows. We have it configured for Java AD SSO. The BusinessObjects product is using vsj 3.3. We are using a keytab file and when Tomcat starts we get the following error in Tomcat's stdout.log:

com.wedgetail.idm.sso.ConfigException: Could not validate keytab
[caused by: GSSException: Failure unspecified at GSS-API level
(Mechanism level: com.dstc.security.kerberos.KerberosConfigException:
Could not resolve KDC from DNS SRV record:
java.net.UnknownHostException:
au-elitepdc.domain.com)]

↧

FATAL ERROR: Server unexpectedly closed network connection in using Plink

November 14, 2008, 4:41 am

≫ Next: Configuring VSJ for multiple domains for a web/stand alone JAVA client.

≪ Previous: Could not resolve KDC from DNS SRV record

Hi,

Could any one please let me know why this error is occuring randomly while using Plink? Some days it works fine and suddenly it stops to work with this error message.

FATAL ERROR: Server unexpectedly closed network connection

I am using below command

"C:\Program Files\PuTTY\plink.exe" -load MyProfile -ssh -x -a -t -l userID HostName Command

Thanks,
Megha

↧

Configuring VSJ for multiple domains for a web/stand alone JAVA client.

February 7, 2012, 2:28 am

≫ Next: Segmentation fault when mod_auth_vas finds no matches

≪ Previous: FATAL ERROR: Server unexpectedly closed network connection in using Plink

Back Ground:

Requirement:

↧

Segmentation fault when mod_auth_vas finds no matches

June 1, 2012, 6:51 am

≫ Next: Not seeing correct AD group membership using vastool

≪ Previous: Configuring VSJ for multiple domains for a web/stand alone JAVA client.

Hello,

We are using mod_auth_vas.so 3.6.7 with Oracle HTTP Server which is effectively Apache 2.0. Recently, we have noticed that an Apache process is terminated with a segmentation fault in case of mod_auth_vas trying to match the requestor's name to the list of allowed user names and but not finding it there. The client's browser receives 401 in this case. Could you please help with it?

Please find an excerpt from the error log

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1581: [mod_auth_vas] authenticated user: 'Dmitry_Donetskov@EMEA.DELL.COM'

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1037: [mod_auth_vas] auth_vas_auth_checker: user=Dmitry_Donetskov@EMEA.DELL.COM authtype=VAS

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1055: [mod_auth_vas] requires->nelts = 3

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:541: [mod_auth_vas] match_user: name=ServiceSFDCWPSIT@emea.dell.com RUSER=Dmitry_Donetskov@EMEA.DELL.COM

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1422: [mod_auth_vas] rnote_get: reusing existing rnote

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:490: [mod_auth_vas] set_user_obj

[2012-06-01T14:14:38.8708+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:574: [mod_auth_vas] match_user: user does not match

[2012-06-01T14:14:38.8708+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:584: [mod_auth_vas] match_user: <CN=ServiceSFDCWPSIT,OU=Service Accounts,DC=emea,DC=dell,DC=com> <CN=dmitry_donetskov,OU=Users,OU=Moscow,DC=emea,DC=dell,DC=com> no-match

[2012-06-01T14:14:38.8709+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1100: [mod_auth_vas] require user "ServiceSFDCWPSIT@emea.dell.com" -> FAIL

...........

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:584: [mod_auth_vas] match_user: <CN=Alexey_Lysak,OU=Users,OU=Non Dell,DC=emea,DC=dell,DC=com> <CN=dmitry_donetskov,OU=Users,OU=Moscow,DC=emea,DC=dell,DC=com> no-match

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1100: [mod_auth_vas] require user "Alexey_Lysak@emea.dell.com" -> FAIL

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1422: [mod_auth_vas] rnote_get: reusing existing rnote

[2012-06-01T14:14:39.4014+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_ssl.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_ssl.c:633: Connection to child 0 established (server ausvmqtcdevap19.us.dell.com:8044)

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:720: inside shmcb_retrieve_session

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:732: id[0]=4, masked index=4

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1197: entering shmcb_lookup_session_id

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:983: entering shmcb_expire_division

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1207: loop=0, count=1, curr_pos=0

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1211: idx->s_id2=47, id[1]=47, offset=0

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1228: at index 0, found possible session match

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1247: a match!

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:748: leaving shmcb_retrieve_session

[2012-06-01T14:14:39.4017+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:435: shmcb_retrieve had a hit

[2012-06-01T14:14:39.4017+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_engine_kernel.c:2304: Inter-Process Session Cache: request=GET status=FOUND id=042F8428065947E3DA8D7A7B77690889 (session reuse)

[2012-06-01T14:14:39.6975+01:00] [OHS] [NOTIFICATION:16] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 14727] [tid: 47292192636960] [user: oracle] [VirtualHost: main] mpm_common.c:475: child pid 27200 exit signal Segmentation fault (11), possible coredump in /u01/app/oracle/fusion/mw_1/Oracle_WT1/instances/instance1/config/OHS/ohs1

Message was edited by: dmitry_donetskov_265

↧

Not seeing correct AD group membership using vastool

May 22, 2013, 8:55 am

≫ Next: WinSSPI not supported on this platform

≪ Previous: Segmentation fault when mod_auth_vas finds no matches

We have an AD group 'foo'. User Abe is added to it using AD tools.

I cannot see this user in the group using vastool on Solaris. And of course the user cannot login.

$ vastool list groups | grep foo

foo:VAS:2010:john.doe@na.company.com,harry.who@na.company.com

I've executed vastool flush to no affect.

What am I doing wrong?

↧

WinSSPI not supported on this platform

May 24, 2013, 2:58 pm

≫ Next: Putty 0.62 session menu with Windows 7

≪ Previous: Not seeing correct AD group membership using vastool

I am new to Kerberos. When attempting to build a Kerberos credential, I call:

com.dstc.security.kerberos.winSSPI.WinSSPIGSSManager.getInstance();

For some people this causes:

Caused by: GSSException: Failure unspecified at GSS-API level

at com.dstc.security.kerberos.winSSPI.WinSSPIGSSManager.<init>(WinSSPIGSSManager.java:86)

at com.dstc.security.kerberos.winSSPI.WinSSPIGSSManager.getInstance(WinSSPIGSSManager.java:109)

... 33 more

Caused by: com.dstc.security.kerberos.winSSPI.SSPIException: WinSSPI not supported on this platform (Windows XP)

at com.dstc.security.kerberos.winSSPI.SSPI.initialize(SSPI.java:304)

at com.dstc.security.kerberos.winSSPI.WinSSPIGSSManager.<init>(WinSSPIGSSManager.java:84)

... 34 more

For others, it works fine. I have also seen "WinSSPI not supported on this platform (Windows 7)" on Windows 7 machines.

What does that error indicate? Where can I begin debugging?

↧

Putty 0.62 session menu with Windows 7

June 17, 2013, 8:18 am

≫ Next: Using Cached Kerberos Ticket to Authenticate SMB Share

≪ Previous: WinSSPI not supported on this platform

I've recently upgraded to Windows 7, and am enjoying the menu of open putty sessions displayed when I hover my mouse over the putty icon in my toolbar. HOWEVER, one aspect which bothers me is how the menu displays. Initially it displays a horizontal list of icons for each session, expanding the list up to 10 sessions, after which it tranforms that list to a vertical list of lines in a single window, one line for each session. My issue is that once the horizontal list exceeds 6 sessions, the session names contained in the icons get truncated from the right to the point that they are no longer unique, rendering them useless. Consequently, once I open a 7th session, I proceed to open another 4 simply to maintain the usability of my session menu. Does anyone know a way to customize either the point at which the menu transfers to a horizontal list, or the session name truncation so that it truncates from the left instead of the right?

↧

Using Cached Kerberos Ticket to Authenticate SMB Share

June 19, 2013, 7:57 am

≫ Next: VSJ and JBoss 7.1

≪ Previous: Putty 0.62 session menu with Windows 7

I am using Quest Authentication Services to integrate my Linux systems with our lab domain. I want to use the cached kerberos tickets to authenticate without providing a password when mounting an exported SMB share using the command 'mount -t cifs <device> <dir> -o sec=krb5'. My understanding is that when request-key is called by the kernel cifs.upcall is used to locate the cached kerberos ticket. The problem I am having is that when I directly call cifs.upcall with the uid of the user it does not return anything and it has an exit code of 1. If I look at /var/log/messages I see the following log message related to the call.

Jun 19 09:55:03 merlin cifs.upcall: keyctl_describe_alloc failed: Required key not available

Per the cifs.upcall man page I added the following two lines to request-key.conf

create cifs.spnego * * /usr/local/sbin/cifs.upcall %k

create dns_resolver * * /usr/local/sbin/cifs.upcall %k

↧

VSJ and JBoss 7.1

March 27, 2013, 8:51 am

≫ Next: SSO with native Solaris 10 sshd

≪ Previous: Using Cached Kerberos Ticket to Authenticate SMB Share

Our company has recently purchased the Standard edition of vsj and we have this running fine on WAS 8. I am trying to get this to run on JBoss 7.1 so we can run our application easily on our local development servers. Has anyone gotten this working with JBoss 7.1? I think I am very close, but an example standalone.xml file would be immensely helpful to know that I have set up my SSL correctly to be used with vsj.

Thanks,

Rob

↧

SSO with native Solaris 10 sshd

April 8, 2010, 10:55 am

≫ Next: Could not resolve KDC error

≪ Previous: VSJ and JBoss 7.1

Has anybody managed to propertly set this up?
I got everything working except SSO.

Any pointers to docs etc. would be apreciated.

Regards
erwin

↧