T.R | Title | User | Personal Name | Date | Lines |
---|
2931.1 | Check Privs | AIMTEC::BUTLER_T | | Mon Jun 28 1993 17:01 | 15 |
| Manuela,
Till someone who can answer the wave 2 question:
did you double check the account and identifier?
the account also needs the following privs:
CMKRNL, DETACH, PRMMBX, WORLD.
Also SYSPRV if it is a non-system uic.
HTH,
Tim
|
2931.2 | All needed privs are available also OAFC$SYSMAN | ZUR01::TOLBA | | Mon Jun 28 1993 17:23 | 7 |
| Hello Tim,
The ALLIN1 Account from where I tried to start the FCS has all
these privileges as well as the Identifier OAFC$SYSMAN.
Regards,
Manuela
|
2931.3 | Try starting the FCS manually ! | KAOFS::R_OBAS | | Mon Jun 28 1993 17:57 | 27 |
| Hello Manuela,
I used the procedure from STARS below to trouble-shoot FCS problems and I
solved most of them with this procedure.
Good Luck....
**********************************************************************
How To Interactively Start The File Cabinet Server?
You may wish to interactively start up the server to diagnose a FCS problem.
In order to do this, from DCL define a command as follows:
$ FCS:=="$OAFC$SERVER"
And then use that command followed by the server configuration filename (which
is system specific in the form OA$DATA:nodename$SERVER73.DAT) eg.
$ FCS OA$DATA:NODE$SERVER73.DAT
where NODE will be your node name.
If you see the message "Startup for File Cabinet Server V1.x complete" then you
will need to stop the server by pressing CNTRL-Y. If there is a problem when
this command is invoked a more informative message is likely to be displayed
indicating the source of the problem. If this works, but you still cannot start
up the server in batch (using the menu option), the problem may be in running
the batch startup command procedure or in creating the detached process.
|
2931.4 | sounds like FCS is running just fine | CHRLIE::HUSTON | | Mon Jun 28 1993 18:18 | 25 |
|
From what you say, it looks as if the FCS is starting just fine.
You are getting an OAFC error back, this means that the FCS is running.
The status of stopped is what IOS displays if you make a system
management call to the FCS and you are not a system manager (don't
hold the OAFC$SYSMAN rights ID).
The log files will not say anything since nothing is wrong, at
least according to the FCS.
When you start the FCS from IOS, it is a two step process:
1) Submit the startup to the batch queue (STA command)
2) Whenever the user hits CR, call OafcShowServer to see if it is
up and get the process stats.
2 is where you are failing. You are getting a valid OAFC error back
which means the FCS is talking and running. It simply does not
believe that you have the OAFC$SYSMAN rights ID.
Please double check via AUTHORIZE that you have the id.
--Bob
|
2931.5 | One more thing... | CHRLIE::HUSTON | | Mon Jun 28 1993 18:20 | 16 |
|
Oh ya, the only thing the FCS uses DECnet for, directly at least,
is to read things like the SYS$CLUSTER_NODE and SYS$NODE logicals,
if these are messed up then on a system management connect (which
is what you are doing), the FCS will think you are a remote user and
will look for a proxy for you. The account you proxy into must then
hold the OAFC$SYSMAN rights ID.
The reason I mention this is that with DECnet phase V, node names
may look somewhat different than phase IV, and no, the FCS has not
been tested on phase V (at least to my knowledge).
The rest of the network communication in the FCS is done via DASL.
--Bob
|
2931.6 | | KERNEL::SMITHERSJ | Living on the culinary edge.... | Tue Jun 29 1993 10:11 | 11 |
| We had this problem on our field test Phase V machine. Try
going into NCL and check what the outgoing alias is set to. It
should be set to false.
NCL> set sess control application 73 outgoing alias false
However, as a previous reply says, it isn't supported on a Phase V
environment yet.
julia
uk csc
|
2931.7 | OUTGOING ALIAS SET TO FALSE - Problem solved! | ZUR01::TOLBA | | Tue Jun 29 1993 13:16 | 27 |
| Hi Julia,
Thanks a lot for your advice - the problem is SOLVED -
the outgoing alias was set to true.
After changing it to false the server got automatically status
running/enabled.
Do you know if our customers did get an official letter that ALL-IN-1 is
not supported under wave 2? In case you have such a statement for
customers could you please let me have a copy?
The note 1842.0 "ALL-IN-1 and DECnet/OSI (Wave 2) support"
says Company confidential - for internal distribution only.
Thanks all for your kind help and suggestions.
Regards,
Manuela
|
2931.8 | | KERNEL::SMITHERSJ | Living on the culinary edge.... | Tue Jun 29 1993 13:46 | 8 |
| Hi Manuela
Glad that solved your problem.
I don't know if/how customers were told of support for Phase V.
Perhaps someone else can help out?
julia
|
2931.9 | No official communication | AIMTEC::WICKS_A | U.S.A 2 England 0 - I was there! | Tue Jun 29 1993 16:52 | 12 |
| ALL-IN-1 Customers haven't been sent a letter explaining non support on
Wave 2 (aka Phase V) because as I remember it was considered at the time
to be a MAIL problem and not an ALL-IN-1 problem.
When customers ring in we at the U.S CSC tell them the truth but for
a letter to be sent to customers it has to come from Engineering or
Marketing - you might like to ask the ALL-IN-1 product manager for
such a statement.
Regards,
Andrew.D.Wicks
|
2931.10 | same error for users | KAOFS::M_BARNEY | Formerly Ms.Fett | Fri Jul 02 1993 16:26 | 26 |
|
My customer is getting the same authentication error with
users:
customer has created a number of identical test accounts. Some of these
seem to have a problem with drawer access while others don't. Those
that have; exhibit as follows:
- create an extra drawer that belong to them (not shared).
- when they try to copy a file between drawers, or do any cross drawer
activity they get the following message:
"invalid authentication information recieved by the file cabinet server"
Customer also noticed that the administrator account (which has VMS privs)
when looking at the server in the server menu sees it as up and running,
the manager account sees it as stopped.
What should we be checking here?
Monica
|
2931.11 | Need more, somethings missing... | CHRLIE::HUSTON | | Tue Jul 06 1993 15:31 | 40 |
|
Something is missing here.
Are you saying that a user is getting this error by doing the
following:
Enter ALL-IN-1
Create a drawer
copy something to that drawer
If so then this is looking more and more like a system setup problem
that we have seen in the past.
Have a system manager turn on FCS tracing (if you can do this, at this
point the invalid authentication error may stop you).
Then have the person create a drawer then copy to it, then format
the trace file and put it in here.
Also, get the following:
image id of OAFC$SERVER.EXE (anal/image sys$system:oafc$server.exe)
image id of oafc$client_shr.exe (anal/image sys$share:oafc$client_shr.exe)
Get me the EXACT translation of:
SYS$NODE
SYS$CLUSTER_NODE
From SYSGEN: SCSNODE
The username (VMS and A1) of a user who is having this problem
Does anyone have a logical for OA$DATA_SHARE defined (besides the
system version).
this really sounds like the FCS does not think it serves all the
drawers on the local system.
--Bob
|
2931.12 | information! | KAOFS::M_BARNEY | Formerly Ms.Fett | Wed Jul 07 1993 20:54 | 175 |
| Thank-you kindly for the note - I shall attempt to answer everything:
>> Are you saying that a user is getting this error by doing the
>> following:
>> Enter ALL-IN-1
>> Create a drawer
>> copy something to that drawer
Yes.
>> Have a system manager turn on FCS tracing (if you can do this, at this
>> point the invalid authentication error may stop you).
>> Then have the person create a drawer then copy to it, then format
>> the trace file and put it in here.
See the bottom of the note.
>> image id of OAFC$SERVER.EXE (anal/image sys$system:oafc$server.exe)
image name: "OAFC$SERVER"
image file identification: "OAFC V1.0"
link date/time: 12-JUN-1993 10:29:13.59
linker identification: "05-05"
>> image id of oafc$client_shr.exe (anal/image sys$share:oafc$client_shr.exe)
image name: "ALL-IN-1 FCS"
image file identification: "OAFC V1.0"
link date/time: 4-MAR-1992 00:38:46.12
linker identification: "05-05"
>> Get me the EXACT translation of:
>> SYS$NODE
>> SYS$CLUSTER_NODE
"SYS$NODE" [exec,crelog] = "PORTIA::" [terminal] [LNM$SYSTEM_TABLE]
%SHOW-S-NOTRAN, no translation for logical name SYS$CLUSTER_NODE
>> From SYSGEN: SCSNODE
SCSNODE "PORTIA " " " " " "ZZZZ" Ascii
>> The username (VMS and A1) of a user who is having this problem
VMS username = SAMPLE
ALLIN1 user = SAMPLE
(one of the dummy accounts set up.)
>> Does anyone have a logical for OA$DATA_SHARE defined (besides the
>> system version).
nobody has a definition for the logical OA$DATA_SHARE (other than
the system logical)
=========================
TRACE:
** The FC Tracing had to be turned on by the customer's account (LINLEY,
which has ALLIN1 administration privileges). The ALLIN1 account signed
into ALL-IN-1 as MANAGER could not turn on the tracing. It got the
"Invalid Authentication error".
SESSION ID: 7043024
OAFC FUNCTION: OafcSetServer
TRACE EVENT: Task Complete
EVENT TIME: 6-Jul-1993 11:32:50.67
STATUS: 55803913
STRING1 IS: LINLEy
SESSION ID: 7043024
OAFC FUNCTION: OafcShowServer
TRACE EVENT: Task Start
EVENT TIME: 6-Jul-1993 11:32:51.18
STRING1 IS: LINLEY
SESSION ID: 7043024
OAFC FUNCTION: OafcShowServer
TRACE EVENT: Task Complete
EVENT TIME: 6-Jul-1993 11:32:51.44
STATUS: 55803913
STRING1 IS: LINLEY
SESSION ID: 7052256
OAFC FUNCTION: OafcOpenCabinetW
TRACE EVENT: Task Start
EVENT TIME: 6-Jul-1993 11:35:29.92
SESSION ID: 7052256
OAFC FUNCTION: OafcOpenCabinetW
TRACE EVENT: Connection Rcv'd
EVENT TIME: 6-Jul-1993 11:35:30.25
FILE CABINET NAME: PORTIA.SAMPLE
STRING1 IS: PORTIA
STRING2 IS: SAMPLE
SESSION ID: 7052256
OAFC FUNCTION: OafcOpenCabinetW
TRACE EVENT: Connection Rejected
EVENT TIME: 6-Jul-1993 11:35:31.61
FILE CABINET NAME: PORTIA.SAMPLE
STRING1 IS: SAMPLE
SESSION ID: 7052256
OAFC FUNCTION: OafcOpenCabinetW
TRACE EVENT: Task Complete
EVENT TIME: 6-Jul-1993 11:35:31.78
FILE CABINET NAME: PORTIA.SAMPLE
STATUS: 55804130
STRING1 IS: SAMPLE
SESSION ID: 7052256
TRACE EVENT: Disconnect Done
EVENT TIME: 6-Jul-1993 11:35:31.82
FILE CABINET NAME: PORTIA.SAMPLE
SESSION ID: 7052256
OAFC FUNCTION: OafcOpenCabinetW
TRACE EVENT: Task Start
EVENT TIME: 6-Jul-1993 11:35:56.97
SESSION ID: 7052256
OAFC FUNCTION: OafcOpenCabinetW
TRACE EVENT: Connection Rcv'd
EVENT TIME: 6-Jul-1993 11:35:57.29
FILE CABINET NAME: PORTIA.SAMPLE
STRING1 IS: PORTIA
STRING2 IS: SAMPLE
SESSION ID: 7052256
OAFC FUNCTION: OafcOpenCabinetW
TRACE EVENT: Connection Rejected
EVENT TIME: 6-Jul-1993 11:35:57.39
FILE CABINET NAME: PORTIA.SAMPLE
STRING1 IS: SAMPLE
SESSION ID: 7052256
OAFC FUNCTION: OafcOpenCabinetW
TRACE EVENT: Task Complete
EVENT TIME: 6-Jul-1993 11:35:57.48
FILE CABINET NAME: PORTIA.SAMPLE
STATUS: 55804130
STRING1 IS: SAMPLE
SESSION ID: 7052256
TRACE EVENT: Disconnect Done
EVENT TIME: 6-Jul-1993 11:35:57.75
FILE CABINET NAME: PORTIA.SAMPLE
SESSION ID: 7043024
OAFC FUNCTION: OafcShowServer
TRACE EVENT: Task Start
EVENT TIME: 6-Jul-1993 11:37:35.06
STRING1 IS: LINLEY
SESSION ID: 7043024
OAFC FUNCTION: OafcShowServer
TRACE EVENT: Task Complete
EVENT TIME: 6-Jul-1993 11:37:35.14
STATUS: 5580913
STRING1 IS: LINLEY
SESSION ID: 7043024
OAFC FUNCTION: OafcShowServer
TRACE EVENT: Task Start
EVENT TIME: 6-Jul-1993 11:37:36.25
==================================
|
2931.13 | Still confused, but we'll get there | CHRLIE::HUSTON | | Thu Jul 08 1993 15:26 | 86 |
|
re .12
This is strange, but one thought, see later...
>> Are you saying that a user is getting this error by doing the
>> following:
>> Enter ALL-IN-1
>> Create a drawer
>> copy something to that drawer
>Yes.
Now I am confused, makes no sense from an FCS point of view, something
is still missing.
>** The FC Tracing had to be turned on by the customer's account (LINLEY,
>which has ALLIN1 administration privileges). The ALLIN1 account signed
>into ALL-IN-1 as MANAGER could not turn on the tracing. It got the
>"Invalid Authentication error".
Check for an intrusion record ($SHOW/INTRUSION need SECURITY privs)
from any of the users that are having problems.
The trace log that you show does not have anything other than failed
connection attempts, what about the copy you mentioned?
>SESSION ID: 7052256
>OAFC FUNCTION: OafcOpenCabinetW
>TRACE EVENT: Task Start
>EVENT TIME: 6-Jul-1993 11:35:29.92
>
>SESSION ID: 7052256
>OAFC FUNCTION: OafcOpenCabinetW
>TRACE EVENT: Connection Rcv'd
>EVENT TIME: 6-Jul-1993 11:35:30.25
>FILE CABINET NAME: PORTIA.SAMPLE
>STRING1 IS: PORTIA
>STRING2 IS: SAMPLE
>
Says that VMS user SAMPLE is connecting from node PORTIA, user SAMPLE
and is trying to connect to his/her own account. All looks fine.
>SESSION ID: 7052256
>OAFC FUNCTION: OafcOpenCabinetW
>TRACE EVENT: Connection Rejected
>EVENT TIME: 6-Jul-1993 11:35:31.61
>FILE CABINET NAME: PORTIA.SAMPLE
>STRING1 IS: SAMPLE
>
>SESSION ID: 7052256
>OAFC FUNCTION: OafcOpenCabinetW
>TRACE EVENT: Task Complete
>EVENT TIME: 6-Jul-1993 11:35:31.78
>FILE CABINET NAME: PORTIA.SAMPLE
>STATUS: 55804130
>STRING1 IS: SAMPLE
>
Barf, something went wrong, this is what makes no sense. More later.
>SESSION ID: 7052256
>TRACE EVENT: Disconnect Done
>EVENT TIME: 6-Jul-1993 11:35:31.82
>FILE CABINET NAME: PORTIA.SAMPLE
>
The reason I say this makes no sense is that when you connect to
your own IOS cab, from your own VMS account, the FCS should not
even be attempting to authenticate you. This looks like the FCS does
not believe that PORTIA is its node name. If this is the case it
explains why users cannot get in. But if this is the case then NOBODY
could get in. Do you have the DSO installed? If so, setup some
remote access into PORTIA and try to come in from someplace else, see
what happens.
Also, can you check the intrusion database for any entries from the
users in question. Just SAMPLE should be good.
Can you also put in the UAF record for SAMPLE.
Also the VMS Rights ID's that SAMPLE holds, including SAMPLE itself.
--Bob
|
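Added example (not part of any reply in this thread, and not FCS code): a small triage script for the formatted FCS trace layout posted in .12, which pairs each "Connection Rejected" event with its originating node/user and the status of the matching "Task Complete". It assumes the STATUS values are decimal OpenVMS condition values (severity in the low three bits) and that STRING1/STRING2 on "Connection Rcv'd" are node and user, as read in .13; the function names are hypothetical.

```python
# Records below are copied from the trace in reply .12, flattened the same
# way (no blank lines between records).
SAMPLE_TRACE = """\
SESSION ID: 7043024
OAFC FUNCTION: OafcShowServer
TRACE EVENT: Task Complete
EVENT TIME: 6-Jul-1993 11:32:51.44
STATUS: 55803913
STRING1 IS: LINLEY
SESSION ID: 7052256
OAFC FUNCTION: OafcOpenCabinetW
TRACE EVENT: Connection Rcv'd
EVENT TIME: 6-Jul-1993 11:35:30.25
FILE CABINET NAME: PORTIA.SAMPLE
STRING1 IS: PORTIA
STRING2 IS: SAMPLE
SESSION ID: 7052256
OAFC FUNCTION: OafcOpenCabinetW
TRACE EVENT: Connection Rejected
EVENT TIME: 6-Jul-1993 11:35:31.61
FILE CABINET NAME: PORTIA.SAMPLE
STRING1 IS: SAMPLE
SESSION ID: 7052256
OAFC FUNCTION: OafcOpenCabinetW
TRACE EVENT: Task Complete
EVENT TIME: 6-Jul-1993 11:35:31.78
FILE CABINET NAME: PORTIA.SAMPLE
STATUS: 55804130
STRING1 IS: SAMPLE
SESSION ID: 7052256
TRACE EVENT: Disconnect Done
EVENT TIME: 6-Jul-1993 11:35:31.82
FILE CABINET NAME: PORTIA.SAMPLE
"""

# OpenVMS condition value severity codes (low three bits of the status).
SEVERITY = {0: "warning", 1: "success", 2: "error", 3: "informational", 4: "severe"}


def severity(status):
    """Decode the severity of a condition value (assumed printed in decimal)."""
    return SEVERITY.get(int(status) & 7, "reserved")


def parse_records(text):
    """Split the flattened trace into records; each starts at 'SESSION ID'."""
    records = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()      # tolerate '>'-quoted copies
        key, sep, value = line.partition(":")  # first colon ends the field name
        if not sep:
            continue
        key = key.strip()
        if key.endswith(" IS"):                # 'STRING1 IS' -> 'STRING1'
            key = key[:-3]
        if key == "SESSION ID":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records


def rejected_connections(records):
    """Return one finding per 'Connection Rejected', with origin and status."""
    findings, pending, origin = [], {}, {}
    for rec in records:
        sid, event = rec.get("SESSION ID"), rec.get("TRACE EVENT")
        if event == "Connection Rcv'd":
            origin[sid] = (rec.get("STRING1"), rec.get("STRING2"))
        elif event == "Connection Rejected":
            node, user = origin.get(sid, (None, None))
            pending[sid] = {"session": sid, "function": rec.get("OAFC FUNCTION"),
                            "cabinet": rec.get("FILE CABINET NAME"), "node": node,
                            "user": user, "time": rec.get("EVENT TIME"),
                            "status": None, "severity": None}
            findings.append(pending[sid])
        elif event == "Task Complete" and sid in pending:
            finding = pending.pop(sid)         # status arrives on Task Complete
            if "STATUS" in rec:
                finding["status"] = int(rec["STATUS"])
                finding["severity"] = severity(rec["STATUS"])
    return findings


if __name__ == "__main__":
    for f in rejected_connections(parse_records(SAMPLE_TRACE)):
        print(f["time"], f["node"], f["user"], f["cabinet"], f["status"], f["severity"])
```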
2931.14 | more info | KAOFS::M_BARNEY | Formerly Ms.Fett | Fri Jul 09 1993 17:33 | 64 |
| The customer has sent me the latest things you requested:
--------------------------------------------
UAF entry for SAMPLE account:
Username: SAMPLE Owner: Bob Test
Account: RECCENTR UIC: [52,347] ([RECCENTR_GRP,SAMPLE])
CLI: DCL Tables: DCLTABLES
Default: DEP$RECREATION_CENTRE_1:[SAMPLE]
LGICMD: LOGIN
Flags: Restricted
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
Primary 000000000011111111112222 Secondary 000000000011111111112222
Day Hours 012345678901234567890123 Day Hours 012345678901234567890123
Network: ##### Full access ###### ##### Full access ######
Batch: ##### Full access ###### ##### Full access ######
Local: ##### Full access ###### ##### Full access ######
Dialup: ----- No access ------ ----- No access ------
Remote: ##### Full access ###### ##### Full access ######
Expiration: (none) Pwdminimum: 6 Login Fails 0
Pwdlifetime: 180 00:00 Pwdchange: 28-JUN-1993 14:08
Last Login: 6-JUL-1993 11:56 (interactive), (none)(non-interactive)
Maxjobs: 0 Fillm: 60 Bytlm: 13408
Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0
Maxdetach: 0 BIOlm: 50 JTquota: 2048
Prclm: 6 DIOlm: 18 WSdef: 1024
Prio: 4 ASTlm: 24 WSquo 1474
Queprio 0 TQElm: 10 WSextent 4096
CPU: (none) Enqlm: 400 Pgflquo 20000
Authorized Privileges:
TMPMBX NETMBX
Default Privileges:
TMPMBX NETMBX
Identifier Value Attributes
GAS_INQUIRY %X80010028
PTS_USER %X80010023 RESOURCE
------------------------------------------------------------------
I had the SAMPLE account try to make a copy of a document from one drawer to
another (once) and try refiling a document from one drawer to another (twice)
for a total of three attempts. All attempts received Invalid Authentication
error.
I did a SHOW INTRUSION and got...
Intrusion Type Count Expiration Source
TERMINAL SUSPECT 3 15:29:51.13 XSV04/PORT_14:
TERMINAL SUSPECT 2 15:28:09.11 TSV45/PORT_85:
NETWORK SUSPECT 3 15:40:54.58 PORTIA::SAMPLE
TERM_USER SUSPECT 1 15:30:55.72 XSV03/PORT_12:BONSRS_CLK
TERMINAL SUSPECT 1 15:31:06.40 XSV03/PORT_12:
Note the three SAMPLE records.
------------------------------------------------------------------
Thanks for the help, Bob!
Monica
|
2931.15 | I haven't a clue | CHRLIE::HUSTON | | Mon Jul 12 1993 16:19 | 34 |
|
From the intrusion database, I would say that the FCS is definitely
checking the password for SAMPLE.
In order for this to happen one or more of the following has to be
true, you tell me which:
1) The drawer SAMPLE is accessing is on a different cluster
2) SAMPLE is doing something like ALLIN1/USER=SAMPLE, from another
VMS account
3) Something is still missing in terms of information
4) There is a previously unseen bug in the FCS authentication code
Can you have them do the following:
Check the login fails count in the uaf record BEFORE trying to
access the drawer. Then do what ever to get the invalid authentication
back. Then check the login fails count again. Tell us if it has been
incremented.
Also according to the uaf record you showed, this user has NEVER been
able to connect via the FCS. The FCS will update the last login
non-interactive field and you have that as never.
What I am trying to get at is if the FCS thinks this is a direct
connect or proxy connect (brokered connect).
Could you also get any proxies for the user SAMPLE.
If this sounds like I am reaching for straws, you are right, as of now
I have no idea what is happening to cause this.
--bob
|
2931.16 | | KAOT01::M_MORIN | Lead, follow, or get out of the way! | Tue Jul 13 1993 21:29 | 45 |
| I've taken over for Monica and dialed-in to the customer site today:
>> 1) The drawer SAMPLE is accessing is on a different cluster
No.
>> 2) SAMPLE is doing something like ALLIN1/USER=SAMPLE, from another
VMS account
No.
>> 3) Something is still missing in terms of information
Probably but what.
>> 4) There is a previously unseen bug in the FCS authentication code
??
>> Can you have them do the following:
>> Check the login fails count in the uaf record BEFORE trying to
>> access the drawer. Then do what ever to get the invalid authentication
>> back. Then check the login fails count again. Tell us if it has been
>> incremented.
It hasn't been incremented.
>> Also according to the uaf record you showed, this user has NEVER been
>> able to connect via the FCS. The FCS will update the last login
>> non-interactive field and you have that as never.
Last login non-interactive is still none.
>> What I am trying to get at is if the FCS thinks this is a direct
>> connect or proxy connect (brokered connect).
>> Could you also get any proxies for the user SAMPLE.
There are none.
I've tried to create a new local server but it came back with the same results.
/Mario
|
2931.17 | My wild guesses... | IOSG::CHINNICK | gone walkabout | Wed Jul 14 1993 12:15 | 34 |
| Hi Mario,
since Bob is still thinking about this one, I'd like to ask for a
little more info to tackle this problem.
Can you get the UAF details for an account which works and check if it
has any proxies etc. [An earlier note said that some sample accounts
worked and some didn't - I'd like to see what differences there are.]
Also, can you confirm whether this node (PORTIA) is in a cluster or not
- it isn't clear from our current discussions? Are the trials which
fail taking place on the same node that the FCS is running?
My suspicion is that we have a problem with the authentication code for
some environments and I'd like to establish the exact conditions we
have here.
Also Bob:
Wouldn't FCS return a different error in the event that remote/proxy
validation was being performed. It would return OafcSecNoProxyFound or
something similar?
I think that you might be on the right track with a brokered connect
because I deduce (from the code) that if it isn't a cluster you'll get
one. [I find this a little difficult to follow in the code though!] A
one node cluster is different to a standalone node of course.
SYS$CLUSTER_NODE doesn't exist which means that either this is not a
cluster or that there is not an alias for it.
Paul.
|
2931.18 | Write access to sysuaf.dat | CHRLIE::HUSTON | | Wed Jul 14 1993 18:21 | 64 |
|
There is definitely something wrong in some part of the authentication
but where, I cannot yet figure out. The authentication in the server
is actually pretty simple and localized to one place. Problem is that
the answers we are getting are not helping narrow anything down.
For instance: There are intrusion records, so the FCS is definitely
rejecting some type of connection, but the log fails count is never
bumped which should always be bumped on failed direct connect.
The only surprising thing I saw in the uaf record, was the flags
field, but the FCS could care less about this flag.
> My suspicion is that we have a problem with the authentication code for
> some environments and I'd like to establish the exact conditions we
> have here.
I totally agree with this, problem is we haven't yet come up with the
right questions to figure out that environment. Hard to do since we
don't really know what we are looking for.
> Wouldn't FCS return a different error in the event that remote/proxy
> validation was being performed. It would return OafcSecNoProxyFound or
> something similar?
There are a couple of things it can return, what you say is the most
common.
I don't really think it is a broker, mostly because if no proxy exists
then the broker is authenticating as OAFC$DEFAULT.
This almost seems like the FCS does not have write access to the
sysuaf file.
Can someone get the output from $dir/security sys$system:sysuaf.dat
from the system in question?
>
> I think that you might be on the right track with a brokered connect
> because I deduce (from the code) that if it isn't a cluster you'll get
> one. [I find this a little difficult to follow in the code though!] A
> one node cluster is different to a standalone node of course.
I don't follow your question, can you explain more (reference the code
if you want, I still have access to it). Though via mail may be
better for that than this conference.
> SYS$CLUSTER_NODE doesn't exist which means that either this is not a
> cluster or that there is not an alias for it.
If push comes to shove, I may be willing to log into the customer site
and put a debug server up and see what is going on. I have done this
once before and it is a royal pain in the butt, because I have to get
source files there and re-link the FCS and if I can't convince them
to tell everyone to stay out of the FCS, another FCS with a different
object number needs to be setup, etc, etc etc, plus the problems of
giving me a priv'd account on a customer system, lots of reasons not
to do it, but if we can't figure it out and everyone is willing, I
would be willing to do it. Where is the customer?
--Bob
|
2931.19 | | KAOT01::M_MORIN | Lead, follow, or get out of the way! | Thu Jul 15 1993 00:58 | 65 |
| Here's the UAF record for an account which works, and the SYSUAF security:
Username: NOPRIV Owner: Technical Nopriv
Account: CONSLTNT UIC: [146,71] ([CONSLTNT_GRP,NOPRIV])
CLI: DCL Tables: DCLTABLES
Default: DEP$CONSULTANT_1:[NOPRIV]
LGICMD: LOGIN
Flags: DisCtlY DefCLI Restricted DisWelcome DisNewMail DisMail DisReport
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
Primary 000000000011111111112222 Secondary 000000000011111111112222
Day Hours 012345678901234567890123 Day Hours 012345678901234567890123
Network: ##### Full access ###### ##### Full access ######
Batch: ##### Full access ###### ##### Full access ######
Local: ##### Full access ###### ##### Full access ######
Dialup: ----- No access ------ ----- No access ------
Remote: ##### Full access ###### ##### Full access ######
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: 90 00:00 Pwdchange: 2-JUL-1993 09:15
Last Login: 14-JUL-1993 08:49 (interactive), 8-JUL-1993 11:40 (non-interactive)
Maxjobs: 0 Fillm: 50 Bytlm: 13408
Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0
Maxdetach: 0 BIOlm: 50 JTquota: 4000
Prclm: 6 DIOlm: 18 WSdef: 1024
Prio: 4 ASTlm: 10 WSquo: 1474
Queprio: 0 TQElm: 10 WSextent: 4096
CPU: (none) Enqlm: 600 Pgflquo: 15000
Authorized Privileges:
TMPMBX NETMBX
Default Privileges:
TMPMBX NETMBX
Identifier Value Attributes
IS_ACCESS %X800100DC RESOURCE
PCFS$USER %X80010145
GAS_INQUIRY %X80010028
$ dir/sec sysuaf/dat
Directory DSK$DATA_11:[SYSEXE]
SYSUAF.DAT;2 29-MAR-1992 00:01:52.79 [SYSTEM] (RWE,RWE,RWE,)
SYSUAF.DAT;1 19-JAN-1992 08:48:54.90 [SYSTEM] (RWE,RWE,RWE,)
Total of 2 files.
This is a cluster with ALL-IN-1 running on only 1 node (PORTIA). Node BRUTUS
is also part of the cluster and is the backup system for ALL-IN-1 if PORTIA is
down. ALL-IN-1 doesn't normally come up on it. We did notice that there was
a FCS server on BRUTUS which we stopped and deleted but the problem was still
around.
There are no proxies for accounts SAMPLE or NOPRIV.
Dialing-in is possible. I do it from here in Hull. Customer is in British
Columbia, Canada, 3-hour time-zone difference from here, 8 hours behind you
if you're in the U.K. Let me know off-line if you wish to do that, customer is
game.
/Mario
|
2931.20 | Check SYSUAF logical | CHRLIE::HUSTON | | Thu Jul 15 1993 15:40 | 39 |
|
One more question, thought of it last night (gotta do something
when you can't sleep during this heat wave)
Does PORTIA have a SYSUAF logical?
Reason I ask, is the more I think about this, the more I think the FCS
is having some sort of problem with the sysuaf.dat file.
It would explain the invalid authentication. The password is not
checked in your case, but the UAF record for the user is read. If
the FCS cannot read it, then it will return
OafcSecInvalidAuthentication
which is what you are seeing.
I know there is a bug in the FCS that is along the lines of: If the
SYSUAF logical does not include the .DAT extension then the FCS will
not understand it.
You say that the dir spec for SYSUAF.DAT is: DSK$DATA_11:[SYSEXE],
I believe the default location for it is SYS$COMMON:[SYSEXE].
from the look of your directory command, you are using the logical.
Please make sure that:
1) The SYSUAF logical is an exec mode system logical
2) It includes the .dat.
The FCS will try to open via logical, if this fails, it tries
sys$system:sysuaf.dat. If you are using the logical, but the FCS is
not respecting it, and you have another one in sys$system, this would
explain everything.
Can you check on this?
British Columbia huh? Always did want to go there :-)
--bob
|
2931.21 | SYSUAF access could be failing | IOSG::CHINNICK | gone walkabout | Thu Jul 15 1993 17:04 | 44 |
|
Hi Mario (& Bob),
This was the conclusion I drew from looking at the code...
The authentication code would update the CIA database when the UAF
record is not available.
The only problem with the hypothesis is that I don't think the server
will start if SYSUAF is not accessible.
However, there are other problems which could arise with SYSUAF which
could give I/O failures. The most likely at present might be record
locks.
I'd be interested to know if this server is being run up under the
default object number? Also, is the problem with these accounts 100%
repeatable? And is there much of a delay during the connect sequence
before the authentication error is being returned?
If this is reproducible, it should be possible to link a debug copy of
OAFC$SERVER and check it on the customer system while running FCS
interactively:
$ SET DEFAULT OA$BUILD_SHARE:
$ LINK == "LINK/DEBUG"
$ @OAFC$SERVER_LINK
$ OAFC == "OA$BUILD_SHARE:OAFC$SERVER OA$DATA:OAFC$SERVER_CONFIG.DAT"
$ OAFC
. . .
DBG> SET MODULE/ALL
DBG> SET TRACE/RETURN OafcSecGetUAFRecord DO (EXAM %R0)
DBG> GO;GO
When connecting, this will return successful status normally. If it
returns failure (55804130) then it means that the SYSUAF access has
failed.
If this is the case, then we just need to determine the reason why it's
failing. This is harder to do without a proper debug image.
Paul.
|
2931.22 | Bingo. | KAOT01::M_MORIN | Lead, follow, or get out of the way! | Thu Jul 15 1993 18:20 | 9 |
| Bob and Paul,
SYSUAF pointed to a file without the .dat and there was an old SYSUAF in
SYS$SYSTEM.
Your help and dedication to this was greatly appreciated.
/Mario
|
2931.23 | It's about time... | CHRLIE::HUSTON | | Thu Jul 15 1993 19:54 | 7 |
|
yeah!!!!!!!!
About time we got to the bottom of this one... :-)
--Bob
|
2931.24 | Yeah - uses SYS$SYSTEM as an alternative | IOSG::CHINNICK | gone walkabout | Fri Jul 16 1993 10:35 | 15 |
|
Yep...
This is real nasty behaviour...
FCS tries to open SYSUAF and if the logical doesn't work then it just
substitutes an alternate filename SYS$SYSTEM:SYSUAF.DAT.
The V3.0 version (no patches) fails if SYSUAF isn't defined properly
but the V3.0-1 version has this alternate filename behaviour.
I think we should just change this to apply the alternate name as
defaults.
Paul.
|
2931.25 | THere is an existing bug about it... | CHRLIE::HUSTON | | Fri Jul 16 1993 15:33 | 13 |
|
There is a bug in the THR system someplace that pretty much covers
this.
The bug is that if the SYSUAF logical does not contain the .DAT, the
FCS does not provide a default extension, supposedly easy to do
with RMS, but it was never done.
The rest is as Paul says, if the logical fails, we give a default
name to try.
--Bob
|
2931.26 | | IOSG::STANDAGE | | Fri Jul 16 1993 16:11 | 5 |
|
Yup...it's bugged.
Kevin.
|
2931.27 | He's alive | CHRLIE::HUSTON | | Fri Jul 16 1993 18:21 | 5 |
|
Kevin, you're alive! You were mysteriously quiet during this discussion!
--bob
|
2931.28 | | KAOT01::M_MORIN | Lead, follow, or get out of the way! | Fri Jul 16 1993 19:35 | 8 |
|
Wait, wait, don't tell me.
I have to fill out an SPR to get it fixed?
:-)
/Mario
|
2931.29 | We'll let you off just this once! :-) | IOSG::CHINNICK | gone walkabout | Mon Jul 19 1993 10:32 | 10 |
|
Well, Mario...
Normally we'd expect an SPR, but since you're such a great guy...
Take the 5 minutes off that you would have spent filing that SPR! ;-)
Enjoy,
Paul.
|