[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference help::decnet-osi_for_vms

Title:	DECnet/OSI for OpenVMS

Moderator:	TUXEDO::FONSECA

Created:	Thu Feb 21 1991
Last Modified:	Fri Jun 06 1997
Last Successful Update:	Fri Jun 06 1997
Number of topics:	3990
Total number of notes:	19027

3979.0. "login failure with mail session application." by GADWAL::W_MCGAW () Thu May 29 1997 14:19

Hi,

I am running OpenVMS AXP V7.1 and DECnet/OSI V7.1.  If I try sending mail
to myself on the same node using the nodename::user format, it fails with a
login information invalid.  Below is a log with reply/ena=sec and
additional information about the node, session control application and the
mail$server account.

Any ideas on this would be appreciated.

Thank you,
Walt McGaw
Digital Network Services Unit
USCSC/CS


$ reply/ena=sec
$
%%%%%%%%%%%  OPCOM  29-MAY-1997 12:03:38.94  %%%%%%%%%%%
    Operator _PENNYM$RTA1: has been enabled, username SYSTEM
%%%%%%%%%%%  OPCOM  29-MAY-1997 12:03:38.95  %%%%%%%%%%%
    Operator status for operator _PENNYM$RTA1:
    SECURITY
$ mail

MAIL> send
To:	pennym::w_mcgaw
%%%%%%%%%%%  OPCOM  29-MAY-1997 12:03:46.87  %%%%%%%%%%%
Message from user AUDIT$SERVER on PENNYM
Security alarm (SECURITY) on PENNYM, system id: 63512
Auditable event:          DECnet logical link created
Event time:               29-MAY-1997 12:03:46.86
PID:                      000001B9
Process name:             MAIL_14010059
Process owner:            [1,3]
Image name:               SYS$COMMON:[SYSEXE]MAIL_SERVER.EXE
Remote node id:           204489232
Remote node fullname:     PENNYM
Remote username:          SYSTEM
DECnet logical link ID:   335609945
DECnet object name:       MAIL
Status:                   %SYSTEM-S-NORMAL, normal successful completion

%%%%%%%%%%%  OPCOM  29-MAY-1997 12:03:47.16  %%%%%%%%%%%
Message from user AUDIT$SERVER on PENNYM
Security alarm (SECURITY) and security audit (SECURITY) on PENNYM, system
id: 63
512
Auditable event:          Network login failure
Event time:               29-MAY-1997 12:03:47.15
PID:                      000001B9
Process name:             MAIL_14010059
Username:                 MAIL$SERVER
Remote node fullname:     LOCAL:.PENNYM
Remote username:          SYSTEM
Status:                   %LOGIN-F-INVPWD, invalid password

%MAIL-E-LOGLINK, error creating network link to node PENNYM
%%%%%%%%%%%  OPCOM  29-MAY-1997 12:03:47.42  %%%%%%%%%%%
Message from user AUDIT$SERVER on PENNYM
Security alarm (SECURITY) on PENNYM, system id: 63512
Auditable event:          DECnet logical link created
Event time:               29-MAY-1997 12:03:47.41
PID:                      000001B8
Process owner:            [1,3]
DECnet logical link ID:   335609944
Status:                   %NET-F-BADUSER, the access control information is
inva
lid

MAIL> exit
$ reply/disable


NCL>show session control application mail all

Node 0 Session Control Application MAIL
at 1997-05-29-12:03:16.477-06:00Iinf

Identifiers

    Name                              = MAIL

Status

    Process Identifiers               = 
       {
       }
    UID                               = 5DCABC11-D814-11D0-A4AD-08002B9613DD

Characteristics

    Client                            = <Default value>
    Addresses                         = 
       {
          name = MAIL ,
          number = 27
       }
    Outgoing Proxy                    = False
    Incoming Proxy                    = False
    Outgoing Alias                    = False
    Incoming Alias                    = True
    Node Synonym                      = True
    Image Name                        = SYS$SYSTEM:MAIL_SERVER.EXE
    User Name                         = "MAIL$SERVER"
    Incoming OSI TSEL                 = <Default value>
    Network Priority                  = 0

Counters

    Creation Time                     = 1997-05-29-11:11:57.826-06:00Iinf

NCL>exit
$ set def sys$system:
$ run authorize
UAF> show mail$server

Username: MAIL$SERVER                      Owner:  MAIL$SERVER Default
Account:  DECNETV                          UIC:    [376,374] ([DECNET,MAIL$SERVER])
CLI:      DCL                              Tables: DCLTABLES
Default:  SYS$SPECIFIC:[MAIL$SERVER]
LGICMD:   NLA0:
Flags:  Restricted
Primary days:   Mon Tue Wed Thu Fri        
Secondary days:                     Sat Sun
Primary   000000000011111111112222  Secondary 000000000011111111112222
Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
Network:  ##### Full access ######            ##### Full access ######
Batch:    -----  No access  ------            -----  No access  ------
Local:    -----  No access  ------            -----  No access  ------
Dialup:   -----  No access  ------            -----  No access  ------
Remote:   -----  No access  ------            -----  No access  ------
Expiration:            (none)    Pwdminimum:  6   Login Fails:     3
Pwdlifetime:         90 00:00    Pwdchange:      (pre-expired) 
Last Login:            (none) (interactive),            (none) (non-interactive)
Maxjobs:         0  Fillm:       100  Bytlm:        64000
Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
Maxdetach:       0  BIOlm:       150  JTquota:       4096
Prclm:           8  DIOlm:       150  WSdef:         2000
Prio:            4  ASTlm:       250  WSquo:         4000
Queprio:         0  TQElm:        10  WSextent:     16384
CPU:        (none)  Enqlm:      2000  Pgflquo:      50000
Authorized Privileges: 
  NETMBX       TMPMBX
Default Privileges: 
  NETMBX       TMPMBX
UAF> exit
%UAF-I-NOMODS, no modifications made to system authorization file
%UAF-I-NAFNOMODS, no modifications made to network proxy database
%UAF-I-RDBNOMODS, no modifications made to rights database
$
$
$ mc ncl
NCL>show address

Node 0 
at 1997-05-29-12:04:06.077-06:00Iinf

Identifiers

    Address                           = 
       {
          (
          [ DNA_CMIP-MICE ] ,
          [ DNA_SessionControlV3 , number = 19 ] ,
          [ DNA_OSItransportV1 , 'DEC0'H ] ,
          [ DNA_OSInetwork , 49::00-3E:AA-00-04-00-18-F8:21 (LOCAL:.PENNYM) ]
          ) ,
          (
          [ DNA_CMIP-MICE ] ,
          [ DNA_SessionControlV2 , number = 19 ] ,
          [ DNA_OSItransportV1 , 'DEC0'H ] ,
          [ DNA_IP , 16.66.48.12 ]
          ) ,
          (
          [ DNA_CMIP-MICE ] ,
          [ DNA_SessionControlV3 , number = 19 ] ,
          [ DNA_NSP ] ,
          [ DNA_OSInetwork , 49::00-3E:AA-00-04-00-18-F8:20 (LOCAL:.PENNYM) ]
          )
       }

NCL>show routing phaseiv address

Node 0 Routing
at 1997-05-29-12:04:15.010-06:00Iinf

Characteristics

    PhaseIV Address                   = 62.24

NCL>exit

T.R	Title	User	Personal Name	Date	Lines
3979.1		RMULAC::S_WATTUM	Scott Wattum - FTAM/VT/OSAK Engineering	`Thu May 29 1997 14:25`	5
	Do other applications (like FAL) have a problem, or just MAIL? DECnet is considered a "trusted user" and so doesn't present a password to loginout (which is why passwords don't show up in NCL - they simply aren't there); if loginout is reporting an invalid password, I would suspect maybe some OpenVMS component is confused (as opposed to DECnet).
3979.2	$ show intrusion	VELI::KORKKO	Veli K�rkk� @FNO, 879-5512	`Thu May 29 1997 14:45`	23
	The most likely explanation is that intrusion subsystem has started evading your "login" attempts. Very simple way to reproduce this is VELI$ show intrusion VELI$ dir 0"nosuchuser nevermindpwd":: VELI$ dir 0"nosuchuser nevermindpwd":: VELI$ dir 0"nosuchuser nevermindpwd":: VELI$ dir 0"nosuchuser nevermindpwd":: VELI$ dir 0"nosuchuser nevermindpwd":: VELI$ dir 0"nosuchuser nevermindpwd":: VELI$ show intrusion VELI$ mail/subj=test/noself nla0: veli::_korkko and by golly, it fails! Now VELI$ delete/intrusion * VELI$ mail/subj=test/noself nla0: veli::_korkko and it should work right now. I am running OpenVMS V7.1, DECnet/OSI V7.1 btw. _veli
3979.3	Fal fails too. Intrusions are not the problem.	GADWAL::W_MCGAW		`Thu May 29 1997 15:05`	20
	RE: .1 Hi Scott! Fal also fails the same way. If I set a password in UAF, I can use explicit access to get in with a dir command through either the fal$server or mail$server account. I had Alan Anderson looking at it too and we both came up with a blank... :) Re:.2 I am very aware of the intrusion records. This will fail even when no intrusion records are present. It creates one as a result of the failure and the account in UAF actually incremaents the login failure count. Any other ideas? Thank you, Walt
3979.4		ALPHAZ::HARNEY	John A Harney	`Thu May 29 1997 19:29`	15
	re: .3 You said $ SHOW INTRUSION doesn't show anything. What about $ SHOW INTRUSION/OLD ? The $ DELETE/INTRUSION * might help; it clears the "old" database that some applications believe they understand as well as the new database of intrusion records. Also, the actual audit (as opposed to the alarms) should eventually start showing the password being attempted, if intrusion detection and breakin evasion are being tickled. \john
3979.5		VELI::KORKKO	Veli K�rkk� @FNO, 879-5512	`Fri May 30 1997 08:03`	8
	How about $ show logical sys$single_signon i.e. do you have external authentication active by any chance? Btw., what is the value LGI_CALLOUTS? _veli
3979.6	Still not working...	GADWAL::W_MCGAW		`Fri May 30 1997 09:55`	59
	re: .4 Hi John, >You said $ SHOW INTRUSION doesn't show anything. >What about $ SHOW INTRUSION/OLD ? >The $ DELETE/INTRUSION * might help; it clears the "old" database that >some applications believe they understand as well as the new database >of intrusion records. There were indeed old intrusion records too but only suspect. At any rate, I deleted the intrusions with a * and tried again but I still fail the login. >Also, the actual audit (as opposed to the alarms) should eventually >start showing the password being attempted, if intrusion detection and >breakin evasion are being tickled. I'm not sure I understand what you mean by the actual audit. Since this is PhaseV, the login is not suppose to even use a password. Phase IV needed it on the object but under PhaseV, you don't even have a place to enter a password for the session control object. re: .5 Hi Veli, >How about >$ show logical sys$single_signon This returned: %SHOW-S-NOTRAN, no translation for logical name SYS$SINGLE_SIGNON >i.e. do you have external authentication active by any chance? Btw., what is >the value LGI_CALLOUTS? SYSGEN> SHOW LGI Parameter Name Current Default Min. Max. Unit Dynamic -------------- ------- ------- ------- ------- ---- ------- LGI_BRK_TERM 1 1 0 1 Boolean D LGI_BRK_DISUSER 0 0 0 1 Boolean D LGI_PWD_TMO 30 30 0 255 Seconds D LGI_RETRY_LIM 3 3 0 255 Tries D LGI_RETRY_TMO 20 20 2 255 Seconds D LGI_BRK_LIM 5 5 1 255 Failures D LGI_BRK_TMO 300 300 0 5184000 Seconds D LGI_HID_TIM 300 300 0 1261440000 Seconds D LGI_CALLOUTS 0 0 0 255 Count D Thanks for any other ideas here :) btw, I rebooted the node late yesterday and the problem has not gone away... Walt
3979.7	Check accouting and auditing...	TWICK::PETTENGILL	mulp	`Fri May 30 1997 20:50`	8
	Accounting will often provide a hint. $acc/sinc=<time>/full And auditing. $ana/audit/sinc=<time> This seems familar; what is the protection on sys$sylogin, ie., $directory/sec sys$sylogin ; this needs to be world readable. It seems to me that I created a copy that could be read by my "group" but not by "world" and that created a problem with mail. I think it was mail. Anyway, it was similarly confusing.
3979.8	Outputs from anal/audit and accounting.	GADWAL::W_MCGAW		`Mon Jun 02 1997 10:54`	56
	Hi, Thanks for the suggestions but I'm not quite sure what I am looking for from this. Here are the outputs from the commands you gave me. Does this give you any ideas? Thanks, Walt LOGIN FAILURE ------------- Username: MAIL$SERVER UIC: [0,403] Account: <net> Finish time: 2-JUN-1997 08:42:26.13 Process ID: 000000AD Start time: 2-JUN-1997 08:42:25.87 Owner ID: Elapsed time: 0 00:00:00.26 Terminal name: Processor time: 0 00:00:00.07 Remote node addr: Priority: 4 Remote node name: PENNYM Privilege <31-00>: FFFFFFFF Remote ID: W_MCGAW Privilege <63-32>: FFFFFFFF Remote full name: LOCAL:.PENNYM Queue entry: Final status code: 00D380FC Queue name: Job name: Final status text: %LOGIN-F-INVPWD, invalid password Page faults: 60 Direct IO: 7 Page fault reads: 9 Buffered IO: 9 Peak working set: 1184 Volumes mounted: 0 Peak page file: 164336 Images executed: 1 Security Audit Analysis Utility -------------------------------------------------------------------------------- Security alarm (SECURITY) and security audit (SECURITY) on PENNYM, system id: 63 Auditable event: Network login failure Event time: 2-JUN-1997 08:42:26.04 PID: 000000AD Process name: MAIL_14010005 Username: MAIL$SERVER Remote node fullname: LOCAL:.PENNYM Remote username: W_MCGAW Status: %LOGIN-F-INVPWD, invalid password Last match: 3701 Current record: 3702 Command >
3979.9		RMULAC::S_WATTUM	Scott Wattum - FTAM/VT/OSAK Engineering (303) 840-2986	`Mon Jun 02 1997 13:12`	5
	It still sounds to me like OpenVMS security services are hosed, and no longer consider DNA Session Control to be a "trusted user" - you might want to try an OpenVMS conference with this to see what response you get. --Scott
3979.10	Making progress but...	GADWAL::W_MCGAW		`Mon Jun 02 1997 17:20`	16
	Hi, I've been getting local help on this and we've discovered that NET$ACP is checking the default accounts for passwords of 0 length. If we modify the account passwords to be "", the login works. AS soon as we put any password back on the account, it goes back to failing the login. Just for a test, I went to Phase IV DECnet and the objects work fine... I will reinstall OSI again and see what happens. btw, I forgot to mention that proxies on this system did not work either (atleast I think I forgot to mention that). Thanks, Walt
3979.11	interesting UIC	CAADC::LENNIG	Dave (N8JCX), MIG, @CYO	`Mon Jun 02 1997 18:46`	9
	re: >LOGIN FAILURE >------------- >Username: MAIL$SERVER UIC: [0,403] ^^^^^^^^^ This brings back memories of note 2340. Dave
3979.12	You might want to try recreating the default MAIL$SERVER account...	DAVIDF::FOX	David B. Fox -- DTN 285-2091	`Tue Jun 03 1997 11:11`	6
	You can do that by running NET$CONFIGURE ADVANCED and re-configuring the application database. That will insure that the account is set up properly with the correct UIC and a new random password. I'd then reboot and give it another shot. David
3979.13	Net$configure didn't fix it.	GADWAL::W_MCGAW		`Wed Jun 04 1997 16:42`	61
	re:.11 Maybe I should escalate this to engineering but other systems running V7.1 AlphaVMS and OSI are not seeing this problem. re:.12 I went back to Phase IV to test and the problem went away. Reinstalled OSI V7.1 and ran net$configure advanced but still have the same problem. I am getting the following opcom messages on the failed login for sending mail. %%%%%%%%%%% OPCOM 4-JUN-1997 16:34:43.14 %%%%%%%%%%% Message from user AUDIT$SERVER on PENNYM Security alarm (SECURITY) on PENNYM, system id: 63512 Auditable event: DECnet logical link created Event time: 4-JUN-1997 16:34:43.13 PID: 000000BE Process name: MAIL_14010017 Process owner: [1,3] Image name: SYS$COMMON:[SYSEXE]MAIL_SERVER.EXE Remote node id: 49003EAA00040018F821 Remote node fullname: LOCAL:.PENNYM Remote username: W_MCGAW DECnet logical link ID: 335609879 DECnet object name: MAIL Status: %SYSTEM-S-NORMAL, normal successful completion PENNYM +> %%%%%%%%%%% OPCOM 4-JUN-1997 16:34:43.21 %%%%%%%%%%% Message from user AUDIT$SERVER on PENNYM Security alarm (SECURITY) and security audit (SECURITY) on PENNYM, system id: 63 512 Auditable event: Network login failure Event time: 4-JUN-1997 16:34:43.20 PID: 000000BE Process name: MAIL_14010017 Username: MAIL$SERVER Remote node fullname: LOCAL:.PENNYM Remote username: W_MCGAW Status: %LOGIN-F-INVPWD, invalid password PENNYM +> %%%%%%%%%%% OPCOM 4-JUN-1997 16:34:43.33 %%%%%%%%%%% Message from user AUDIT$SERVER on PENNYM Security alarm (SECURITY) on PENNYM, system id: 63512 Auditable event: DECnet logical link created Event time: 4-JUN-1997 16:34:43.32 PID: 000000AD Process owner: [1,3] DECnet logical link ID: 335609878 Status: %NET-F-BADUSER, the access control information is invalid I modified the MAIL$SERVER account password to "" again and sending mail works fine. Still stumped... Walt