Channel: Software Communities : Popular Discussions - All Things Unix
Viewing all 1046 articles
Browse latest View live

Alternate way to supply vsj properties

We are trying to use the vsj servlet filter in one of the vendor-supplied web applications, where we cannot include the vsj-federation.properties file as part of the deployment.
Is there an alternate way of providing the "fsProxy", "applicationUrl" and "fsCertificate" properties to the filter?

 



Problems Compiling MAV on AIX 6.1/XLC/IBMIHS 7.0.0.23

Greetings all.

I am trying to compile MAV 3.6.7 on AIX 6.1/XLC/IBMIHS 7.0.0.23.  I tried using the precompiled 3.6.4 module, but Apache doesn't like that.  Here is the output from the configure script:

checking vas_gss.h usability... no
checking vas_gss.h presence... yes
configure: WARNING: vas_gss.h: present but cannot be compiled
configure: WARNING: vas_gss.h:     check for missing prerequisite headers?
configure: WARNING: vas_gss.h: see the Autoconf documentation
configure: WARNING: vas_gss.h:     section "Present But Cannot Be Compiled"
configure: WARNING: vas_gss.h: proceeding with the compiler's result
configure: WARNING:     ## -------------------------------------- ##
configure: WARNING:     ## Report this to David.Leonard@xxxyy.abc ##
configure: WARNING:     ## -------------------------------------- ##
checking for vas_gss.h... no
checking gssapi.h usability... no
checking gssapi.h presence... yes
configure: WARNING: gssapi.h: present but cannot be compiled
configure: WARNING: gssapi.h:     check for missing prerequisite headers?
configure: WARNING: gssapi.h: see the Autoconf documentation
configure: WARNING: gssapi.h:     section "Present But Cannot Be Compiled"
configure: WARNING: gssapi.h: proceeding with the compiler's result
configure: WARNING:     ## -------------------------------------- ##
configure: WARNING:     ## Report this to David.Leonard@xxxyy.abc ##
configure: WARNING:     ## -------------------------------------- ##
checking for gssapi.h... no
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... yes
configure: WARNING: gssapi_krb5.h: present but cannot be compiled
configure: WARNING: gssapi_krb5.h:     check for missing prerequisite headers?
configure: WARNING: gssapi_krb5.h: see the Autoconf documentation
configure: WARNING: gssapi_krb5.h:     section "Present But Cannot Be Compiled"
configure: WARNING: gssapi_krb5.h: proceeding with the compiler's result
configure: WARNING:     ## -------------------------------------- ##
configure: WARNING:     ## Report this to David.Leonard@xxxyy.abc ##
configure: WARNING:     ## -------------------------------------- ##
checking for gssapi_krb5.h... no

The configure script finishes, without error, but the compile fails with this:

/usr/include/unistd.h:924: error: expected ')' before '[' token
/usr/include/unistd.h:925: error: expected declaration specifiers or '...' before 'rid_t'
get.c: In function 'err_gss':
get.c:626: error: expected declaration specifiers before 'OM_uint32'
get.c:629: error: 'OM_uint32' undeclared (first use in this function)
get.c:629: error: (Each undeclared identifier is reported only once
get.c:629: error: for each function it appears in.)
get.c:629: error: expected ';' before 'ctx'
get.c:630: error: 'gss_buffer_desc' undeclared (first use in this function)
get.c:630: error: expected ';' before 'buf'
get.c:631: error: expected ';' before 'emajor'
get.c:635: error: 'emajor' undeclared (first use in this function)
get.c:635: error: 'eminor' undeclared (first use in this function)
get.c:635: error: 'GSS_C_GSS_CODE' undeclared (first use in this function)
get.c:636: error: 'GSS_C_NO_OID' undeclared (first use in this function)
get.c:636: error: 'ctx' undeclared (first use in this function)
get.c:636: error: 'buf' undeclared (first use in this function)
get.c:643: error: 'GSS_C_MECH_CODE' undeclared (first use in this function)
get.c: In function 'get_nego':
get.c:670: error: 'gss_name_t' undeclared (first use in this function)
get.c:670: error: expected ';' before 'target_name'
get.c:671: error: 'OM_uint32' undeclared (first use in this function)
get.c:671: error: expected ';' before 'major'
get.c:672: error: 'gss_ctx_id_t' undeclared (first use in this function)
get.c:672: error: expected ';' before 'gssctx'
get.c:716: error: 'gssctx' undeclared (first use in this function)
get.c:716: error: 'GSS_C_NO_CONTEXT' undeclared (first use in this function)
get.c:745: error: expected ';' before 'ret'
get.c:764: error: 'gss_buffer_desc' undeclared (first use in this function)
get.c:764: error: expected ';' before 'inbuf'
get.c:767: error: 'namebuf' undeclared (first use in this function)
get.c:769: error: 'major' undeclared (first use in this function)
get.c:769: error: 'minor' undeclared (first use in this function)
get.c:770: error: 'GSS_KRB5_NT_PRINCIPAL_NAME' undeclared (first use in this function)
get.c:770: error: 'target_name' undeclared (first use in this function)
get.c:779: error: 'inbuf' undeclared (first use in this function)
get.c:783: error: 'outbuf' undeclared (first use in this function)
get.c:786: error: 'GSS_C_NO_CREDENTIAL' undeclared (first use in this function)
get.c:789: error: 'GSS_C_NO_OID' undeclared (first use in this function)
get.c:791: error: 'GSS_C_INDEFINITE' undeclared (first use in this function)
get.c:792: error: 'GSS_C_NO_CHANNEL_BINDINGS' undeclared (first use in this function)
get.c:813: error: expected ';' before 'inbuf'
get.c:819: error: 'ret' undeclared (first use in this function)
get.c:823: error: 'VAS_GSS_SPNEGO_ENCODING_BASE64' undeclared (first use in this function)
get.c:824: error: 'GSS_C_NO_BUFFER' undeclared (first use in this function)
make[4]: *** [get.o] Error 1
make[4]: Leaving directory `/mnt/mod_auth_vas-3.6.7/test/http-get'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/mnt/mod_auth_vas-3.6.7/test/http-get'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/mnt/mod_auth_vas-3.6.7/test'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/mnt/mod_auth_vas-3.6.7'
make: *** [all] Error 2

I am using QAS 3.5.2.89.

My last round of compiling MAV was on AIX 5.3/XLC/IBMIHS 6.x, when I had to put a patch in for timeout problems.

Message was edited by: phscott

Using VAS Apache Module on Multiple Apache instances

Hi all,

 

- I have a web server configured with 2 Apache instances, each instance running as a different user and port.

- I configured the VAS module for Active Directory authentication on both instances.

- So now the problem is that in one instance the VAS authentication is working really well, and in the other one we're having problems. It's always requesting credentials when you try to access any websites hosted on this second instance.

The strange thing is that in the first instance, every website is working correctly and it's taking credentials automatically from the browser.

Has anyone seen this kind of behavior?

 

 

Thanks in advance,

Obed N Munoz

Using Cached Kerberos Ticket to Authenticate SMB Share

I am using Quest Authentication Services to integrate my Linux systems with our lab domain. I want to use the cached Kerberos tickets to authenticate without providing a password when mounting an exported SMB share using the command 'mount -t cifs <device> <dir> -o sec=krb5'. My understanding is that when request-key is called by the kernel, cifs.upcall is used to locate the cached Kerberos ticket. The problem I am having is that when I directly call cifs.upcall with the uid of the user, it does not return anything and it has an exit code of 1. If I look at /var/log/messages I see the following log message related to the call.

 

Jun 19 09:55:03 merlin cifs.upcall: keyctl_describe_alloc failed: Required key not available

 

Per the cifs.upcall man page I added the following two lines to request-key.conf

 

create cifs.spnego * * /usr/local/sbin/cifs.upcall %k

create dns_resolver * * /usr/local/sbin/cifs.upcall %k

 

BK

Unable to copy GPT.INI

Server unable to get updated group policy:

# vgptool apply
 
VGP Apply Policy - CallType: REFRESH
 
ERROR: Unable to open GPT.INI created from network file
   Unable to copy file from CIFS:\\FQDN\TO\DC
    Could not connect to any server: NT_STATUS_CONNECTION_REFUSED
Caused By:
Unsupported negotiate response capabilities: NT_STATUS_NOT_SUPPORTED


Tried updating the host password:
# vastool -u host/ passwd -rk /etc/opt/quest/vas/host.keytab host/           
<server> setting password for <server>...
Saving new key in keytab file: /etc/opt/quest/vas/host.keytab
ERROR: VAS_ERR_ACCESS: <server> does not have permission to set the password for
<server>. The account may be locked.
   Caused by:
   KPASSWD_ACCESSDENIED: Access denied
ERROR: Could not modify password


Ran vas_status.sh:

# /usr/local/sec/vas_status.sh
Host:   <HP-UX B.11.23 9000/800>
Date:   <Tue Jul  7 16:01:05 EDT 2009>
VAS:    <3.3.2.88>
Domain: <my.domain.com>
FAILURE: /etc/nsswitch.conf does not appear to be configured to use VAS.
FAILURE: Missing NSS path </usr/lib/hpux32/libnss_vas3.so.1>
WARNING: Process <9119><vasgpd> is too large <12380>
Result: <Test(s) failed> (08 seconds)


We intentionally keep VAS out of nsswitch until we've removed the local users.  Has anyone seen this behavior before, and if so, how to resolve?

Thanks in advance.

Getting a Kerberos exception: Could not locate KDC for Kerberos Realm.

Hi
I'm new to Quest SSO (VSJ). I'm facing the below exception when I try to run a standalone Java program which uses the Quest SSO API. Also, can someone please help me out on how to pass the vsj.properties file to a standalone Java program? This issue is not seen when I use the Sun implementation for Kerberos.

Caused by: com.dstc.security.kerberos.KerberosConfigException: Could not locate KDC for Kerberos Realm "QA2008.COM"
    at com.dstc.security.kerberos.DefaultConfig.getKdcs(DefaultConfig.java:323)
    at com.dstc.security.kerberos.DefaultConfig.getKdcs(DefaultConfig.java:224)
    at com.dstc.security.kerberos.impl.DefaultKdcResolver.getKdc(DefaultKdcResolver.java:58)
    at com.dstc.security.kerberos.DefaultKerberosMessageHandler.send(DefaultKerberosMessageHandler.java:84)
    at com.dstc.security.kerberos.Kerberos.sendRequestToKDC(Kerberos.java:1832)
    at com.dstc.security.kerberos.Kerberos.getKrbTGSRepFromKDC(Kerberos.java:1357)
    at com.dstc.security.kerberos.Kerberos.requestServiceTicket(Kerberos.java:1314)
    at com.dstc.security.kerberos.Kerberos.requestServiceTicket(Kerberos.java:1338)
    at com.dstc.security.kerberos.gssapi.DefaultCredentialManager.requestServiceTicket(DefaultCredentialManager.java:194)
    at com.dstc.security.kerberos.gssapi.ClientHandShaker.getServiceTicket(ClientHandShaker.java:715)
    at com.dstc.security.kerberos.gssapi.ClientHandShaker.huntServiceTicket(ClientHandShaker.java:295)
    at com.dstc.security.kerberos.gssapi.ClientHandShaker.handle(ClientHandShaker.java:193)
    at com.dstc.security.kerberos.gssapi.GSSContext.initSecContext(GSSContext.java:301)


AD group converted to SID hitting on VAS fatal error

Hi,

Here is my AD group converted to ObjectSid in .htaccess:

AuthType VAS
Require group S-1-4-65-1004XXX348-13XXXX898-XXXX001333-XXXX89

I am in this group but getting denied access with following error:

[Fri Apr 20 11:15:53 2012] [error] [client 172.30.XXX.X] match_group: fatal vas error: No error message available, referer: http://mantis.example.com/auth/

I have to resolve this issue, ASAP .. please help

Quest openssh 4.6p1 problem with Sol 10 kernel patch 120011-14

Hi

I've been trying to get sshd to work with SecurID on my Solaris 10 server but no luck. It works on an older patch level server without a problem, but sshd will core dump on that particular box.

Solaris 10 08/07 was used for the install
Solaris recommended patch cluster downloaded on Sept 1


On the older system libmd5_psr.so.1 was present. Now the library is only libmd_psr.so.1.

Copying the older library file and changing the LD_LIBRARY_PATH got RSA authentication to work.

I tried installing 4.7p1 but the pkgadd doesn't generate the keys and I get "cannot execute" when I try to generate the key or to start sshd.

HELP PLEASE:-)

Alain

Stuck with kerberos authentication to Sharepoint

I have to connect to MS IIS server using SPNEGO token with Kerberos ticket inside, exactly as Internet Explorer does it.

If I use Java GSSManager.initiateContext() it does request tickets with incorrect KDCOptions, dates and some other params I cannot control.

I tried the com.dstc.security lib, and was able to get tickets exactly as Internet Explorer does with a couple of lines:

// prepare required KDCOptions
Credential tgt = kerberos.requestTicketGrantingTicket(new KerberosPassword(password.getBytes()), kdo, new Date(), d, new InetAddress[] {InetAddress.getByName("somename")}, null);
Credential srvt = kerberos.requestServiceTicket(tgt, new PrincipalName(2, "HTTP/server.domain.net"), REALM, kdo);

But how can I use these credentials or tickets inside to create SPNEGO token same as I can get with GSSManager.initiateContext()?

HTTP Status 500 - com.wedgetail.idm.sso.ntlm.NtlmException: NTLM token is T

removed


Message was edited by: MarkBarc

Unprotect the URI using VAS

Can anyone help me? I am new to the VAS product. I have to protect only specific URIs, which have multiple directories and dynamic content.

I know we can protect the directory & users with VAS. I couldn't find any document or FAQ on protecting particular URIs, similar to SiteMinder.

quest-openssh.5.2.1.13

Hello Quest support,

I've downloaded the latest version (5.2.1.13) of Quest openssh for AIX 5.3, available on:

http://rc.quest.com/topics/openssh/

 

After installing it on AIX 6.1 I cannot start the ssh daemon. It keeps failing and generating the following message on the AIX error log:

---------------------------------------------------------------------------
LABEL:          SRC_SVKO
IDENTIFIER:     BC3BE5A3

Date/Time:       Tue Feb  1 09:27:41 CUT 2011
Sequence Number: 12988
Machine Id:      00C8CFA44C00
Node Id:         ddasy040
Class:           S
Type:            PERM
WPAR:            Global
Resource Name:   SRC

Description
SOFTWARE PROGRAM ERROR

Probable Causes
APPLICATION PROGRAM

Failure Causes
SOFTWARE PROGRAM

        Recommended Actions
        MANUALLY RESTART SUBSYSTEM IF NEEDED

Detail Data
SYMPTOM CODE
       65280
SOFTWARE ERROR CODE
       -9017
ERROR CODE
           0
DETECTING MODULE
'srchevn.c'@line:'376'
FAILING MODULE
sshd-quest
---------------------------------------------------------------------------

 

The version of the AIX that I'm using is:

$ oslevel -s

6100-05-03-1036

 

Any advice?

Segmentation fault when mod_auth_vas finds no matches

Hello,

We are using mod_auth_vas.so 3.6.7 with Oracle HTTP Server, which is effectively Apache 2.0. Recently, we have noticed that an Apache process is terminated with a segmentation fault when mod_auth_vas tries to match the requestor's name to the list of allowed user names but does not find it there. The client's browser receives 401 in this case. Could you please help with it?

Please find an excerpt from the error log

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1581:  [mod_auth_vas] authenticated user: 'Dmitry_Donetskov@EMEA.DELL.COM'

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1037:  [mod_auth_vas] auth_vas_auth_checker: user=Dmitry_Donetskov@EMEA.DELL.COM authtype=VAS

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1055:  [mod_auth_vas] requires->nelts = 3

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:541:  [mod_auth_vas] match_user: name=ServiceSFDCWPSIT@emea.dell.com RUSER=Dmitry_Donetskov@EMEA.DELL.COM

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1422:  [mod_auth_vas] rnote_get: reusing existing rnote

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:490:  [mod_auth_vas] set_user_obj

[2012-06-01T14:14:38.8708+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:574:  [mod_auth_vas] match_user: user does not match

[2012-06-01T14:14:38.8708+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:584:  [mod_auth_vas] match_user: <CN=ServiceSFDCWPSIT,OU=Service Accounts,DC=emea,DC=dell,DC=com> <CN=dmitry_donetskov,OU=Users,OU=Moscow,DC=emea,DC=dell,DC=com> no-match

[2012-06-01T14:14:38.8709+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1100:  [mod_auth_vas] require user "ServiceSFDCWPSIT@emea.dell.com" -> FAIL

...........

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:584:  [mod_auth_vas] match_user: <CN=Alexey_Lysak,OU=Users,OU=Non Dell,DC=emea,DC=dell,DC=com> <CN=dmitry_donetskov,OU=Users,OU=Moscow,DC=emea,DC=dell,DC=com> no-match

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1100:  [mod_auth_vas] require user "Alexey_Lysak@emea.dell.com" -> FAIL

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1422:  [mod_auth_vas] rnote_get: reusing existing rnote

[2012-06-01T14:14:39.4014+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_ssl.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_ssl.c:633:  Connection to child 0 established (server ausvmqtcdevap19.us.dell.com:8044)

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:720:  inside shmcb_retrieve_session

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:732:  id[0]=4, masked index=4

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1197:  entering shmcb_lookup_session_id

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:983:  entering shmcb_expire_division

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1207:  loop=0, count=1, curr_pos=0

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1211:  idx->s_id2=47, id[1]=47, offset=0

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1228:  at index 0, found possible session match

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1247:  a match!

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:748:  leaving shmcb_retrieve_session

[2012-06-01T14:14:39.4017+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:435:  shmcb_retrieve had a hit

[2012-06-01T14:14:39.4017+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_engine_kernel.c:2304:  Inter-Process Session Cache: request=GET status=FOUND id=042F8428065947E3DA8D7A7B77690889 (session reuse)

[2012-06-01T14:14:39.6975+01:00] [OHS] [NOTIFICATION:16] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 14727] [tid: 47292192636960] [user: oracle] [VirtualHost: main] mpm_common.c:475:  child pid 27200 exit signal Segmentation fault (11), possible coredump in /u01/app/oracle/fusion/mw_1/Oracle_WT1/instances/instance1/config/OHS/ohs1


Message was edited by: dmitry_donetskov_265

Not seeing correct AD group membership using vastool

We have an AD group 'foo'.  User Abe is added to it using AD tools.

 

I cannot see this user in the group using vastool on Solaris.  And of course the user cannot login.

 

$ vastool list groups | grep foo

foo:VAS:2010:john.doe@na.company.com,harry.who@na.company.com

$

 

I've executed vastool flush to no effect.

 

What am I doing wrong?

AIX versions

I was trying to find info on OpenSSH for AIX 6.1 and 7.1.
Not sure if current version supports/available.
please give info
thx


VAS_ERR_DNS: Unable to look up any DNS SRV records for domain

Hi, I am running AIX 5.3 with VAS agent 3.3.1.83. I get an error when running the join command to join the server to the AD domain...

It takes a long time to check if the computer is already joined to a domain... and then gives the VAS_ERR_DNS error.

Anyone run into this?

"
Checking whether computer is already joined to a domain ... no
ERROR: Could not join to the domain
VAS_ERR_DNS: Unable to look up any DNS SRV records for domain <domain-name>
"

Thanks,
Konti

GSSException when launching ejb fatclient example from VSJ-WebLogic-Edition

Hi,

I downloaded the vsj-weblogic-3.2 (VSJ-WebLogic-Edition-3.2_Patch-3550). I get the exception below. I saw on a forum that the 3.3 version fixes this problem. Is it so? Is the 3.3 version available?

http://allthingsunix.inside.quest.com/thread.jspa?threadID=10055&tstart=0&messageID=30443

Best regards,
Omer

Caused by: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.provider.Krb5U2S configured by JCSIKrb5 for GSS-API Mechanism Factory cannot be created
at com.quest.vsj.weblogic.login.EjbClientKerberosLoginModule.login(EjbClientKerberosLoginModule.java:107)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
at com.decsso.client.VSJWebLogicEditionSSOTester$1.run(VSJWebLogicEditionSSOTester.java:50)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
... 3 more

Dual Authentication using Linux

Dual Authentication working with VAS or else an explanation as to why it is not possible.

Our understanding of dual authentication derives from the remarks on p. 56 of the Vintella Authentication Services 3.3.2 Solutions Guide, in the section Mapped User Mode. These remarks refer to PAM and state


"Though not the default configuration, you can configure a system to allow
mapped local accounts to be able to authenticate with either their old system
account password or the password of the Active Directory account to which they
are mapped. To do this, modify your system's PAM configuration. You will see
the pam_vas3 module configured near the top of the PAM stack. The module
configuration should consist of two lines:

auth sufficient pam_vas3.so create_homedir get_nonvas_pass
auth requisite pam_vas3.so echo_return

To allow authentication with both passwords, remove the second line."

On customer systems (Red Hat Enterprise Linux AS 4) this does not work. PAM logging shows no evidence that the local user password is looked up. We log in only via ssh (Quest OpenSSH version 4.7p1_q1.217). At present all logins are from a Linux jump host to the desired host. Does this require any special configuration? PAM configs suggest that authentication is passed to system-auth. While dual authentication is not part of our long-term solution, it has been requested by users as a prerequisite for migration, and our failure to get it working is holding us up. Thanks

Sudo issue with NIS (QAS) groups in Ubuntu 12.04

Hi,

We're running QAS 3.5.2.80 on the Ubuntu 12.04 beta and we're running into an issue with sudo. Our setup is a full NIS proxy setup where each host is its own proxy. Everything else works just fine, logging in, name resolution, group resolution, etc, etc.
But in sudo we get an issue with accesses tied to normal groups. If we use netgroups or regular usernames it works fine, but normal groups... just don't work.
id -a shows all the right memberships, "groups" shows all the right stuff, "ypcat" on the NIS maps works perfect. sudo works fine too, as long as you are using rules based on netgroups or usernames.

Has anyone seen this before? Or even have any clue as to how to debug this issue?
