| T.R | Title | User | Personal
Name | Date | Lines |
|---|
| 2544.1 | | VELI::KORKKO | Veli K�rkk� @FNO, 879-5512 | Thu Feb 27 1997 19:46 | 9 |
| Will not allow to act as a system manager or admin. What does
this really mean?
Is it like not being able to login into VMS account?
Maybe $SHOW INTRUSION and the $DELETE/INTRUSION *
_veli
|
| 2544.2 | probably a VMS rights problem | IOSG::TYLDESLEY | | Fri Feb 28 1997 09:16 | 28 |
| Veli -1 asked exactly the right question. What do you mean by:
"...will not allow them to act as a system manager or an
administrator."?
I understand it to mean that they cannot enter the MGT or ADM subsystems
from within ALL-IN-1.
This could be lots of things, but it is strange that it is appearing on
one node in the cluster only. One thing you could do quite easily, is
go into ALL-IN-1 on the rogue system, in the rogue account, and turn
>DEBUG_ON. Then enter the option 'SM' and watch what happens as you go
through the script SM_INIT_MGT. This does all the rights checking and
you may see, by examining the symbols, where it is failing.
On the other hand, you may mean that these users cannot run
housekeeping jobs etc. which is a different set of problems.
Also, please remember that standard ALL-IN-1 was designed with the
intention of having only one 'real' manager, and many 'administrators'.
It is not wholly correct to make many people managers, though we run
several systems like that here. What I do to make other users managers
is grant them oa$manager identifier, Nominate them as administrators
from MUA, and give them quite extensive VMS privs (;-). Also, you will
have to consider which of them you want to receive housekeeping reports
as set by fields in the system policies.
regards,
davet
|
| 2544.3 | | VMSNET::C_ESTES | | Fri Feb 28 1997 12:11 | 27 |
| Good Morning,
I'm sorry for the confusion. What I mean is they cannot access the SM
and ADM menus. ALL-IN-1 tells them they are not allowed to act as a
manager or something like that.
I turned on trace and it revealed that for some reason,
sm_init_mgt.scp cannot find the identifiers on the users sysuaf record.
When it does the RIGHTS FIND_ID OA$MANAGER, OA$ADMIN, it does not find
anything and therefore the symbol is set to spaces. It fails at this
point. I had an account where this did work and turned trace on and
watched what happened with that account. It was able to find the rights
id just fine.
Looking the account, these users have alot going on on this system.
Their sysuaf records have 23 identifiers on them. I am not sure if on
this node they are not stepping on their own toes. I noticed in the
sylogin.com file they had some node specific information but nothing
that would cause this to happen.
At this point I am grasping at straws and searching for any
suggestions.
anything, please let me
know.
Cheryl Estes
|
| 2544.4 | | VMSNET::C_ESTES | | Fri Feb 28 1997 12:13 | 6 |
| Hi,
For some reason the bottom part of my message was cut off. I was
saying if you can think of anything, please let me know.
Cheryl
|
| 2544.5 | rights | IOSG::TYLDESLEY | | Fri Feb 28 1997 14:03 | 10 |
| Could you try the RIGHTS FIND_ID OA$MANAGER interactively on the 'bad'
node for these accounts?
<rights find_id "oa$manager"\get oa$status
If status is not 1, check in authorize that the identifier has been
granted to the correct OpenVMS account. If it has, then the RIGHTS code
may be being fooled by some strange definition of rightslist.dat on
that node?
(I'm off to a meeting now, but will look at OARIGHTS code again later)
cheers,
DaveT
|
| 2544.6 | | VMSNET::C_ESTES | | Fri Feb 28 1997 14:55 | 12 |
| Hi Dave,
The <rights find_id "oa$manager"\get oa$status command returns a value
of 0. Looked at the profile record and it is pointing to the correct
OpenVMS account and that account does have the proper identifier.
Customer does not have any logicals pointing to the rightslist.dat
files.
Hope this helps,
Cheryl
|
| 2544.7 | | IOSG::PYE | Graham - ALL-IN-1 Sorcerer's Apprentice | Fri Feb 28 1997 16:29 | 5 |
| I have 22 identifiers, and it works for me.
You could try using the DCL lexical as another check:
Rights_held = f$getjpi( "","PROCESS_RIGHTS" )
|
| 2544.8 | | VMSNET::C_ESTES | | Fri Feb 28 1997 17:01 | 7 |
| Hello,
I tried this and it gives all the information regrading her account
including the rights identifiers that ALL-IN-1 cannot find. We saw
oa$manager and oa$admin.
Cheryl
|
| 2544.9 | oh for a debug image! | IOSG::TYLDESLEY | | Fri Feb 28 1997 17:16 | 14 |
| ok - next try!
Has oa$manager by any chance been granted with an unusual attribute?
(e.g. DYNAMIC).
From authorize:
UAF> LIST/RIGHTS {VMSusername}
...then look at the RIGHTSLIST.LIS produced.
Failing this, what sort of machine is this one, compared to the others
in the cluster. Anything strange in its startup compared to the others?
sorry not to be much help.
DaveT
|
| 2544.10 | | VMSNET::C_ESTES | | Fri Feb 28 1997 19:09 | 28 |
| Hi Dave,
We tried the UAF> LIST/RIGHTS ELIINV and did not find anything unusual.
It only gave the name of the identifier and the number. Nothing else.
All the systems in this cluster are 6610's. They startup applications
based on node names. On the node in particular, they are running an
application called SASS????
I had her to create another generic account without all the other
software they run and without all the identifiers on it. We granted
this user the privileges to act as managers and nominated this account
as an administrator.
We logged into the account. SM and ADM options worked just fine.
Customer also had CM on her form library field so we decided to
nominate this account with CM privileges. We tried to account again and
it still worked.
I suggested that she look through her startup procedures for node
NEPTUN and see if they are doing something strange. Also suggested she
remove the sysuaf record for one of the users and add it back to see if
that clears this up. I know I'm grasping again.
Thanks for your time. I will call her again on Monday.
Cheryl Estes
|
| 2544.11 | Known problem (or was it fixed?) | SHRMSG::HOWARD | Whoever it takes | Fri Feb 28 1997 21:45 | 4 |
| Wasn't there a restriction in ALL-IN-1 on the number of identifiers a
user could have? I don't remember what it applied to.
Ben
|
| 2544.12 | | VMSNET::C_ESTES | | Mon Mar 10 1997 11:31 | 22 |
| Good Morning,
The number of identifiers are not the problem. I added all the
identifiers she had to my test account and it worked just fine.
Customer worked for awhile with the bootup team from Digital and they
could not find anything wrong. They did find another rightslist.dat
file in another directory and renamed it. They rebooted the system
twice and her account still does not work. She removed her account from
sysuaf and readded it but it still does not work. She created another
test account and gave it management privs and it worked fine. The
problem seems to only exist on existing accounts. I will have her to
add an account that is an exact duplicate of her account and see if
that account will work. They are running alot of other applications.
Customer wants us to continue to work on this. She wants me to elevate
this call to engineering because I am out of ideas. Before I do this,
does anyone have anymore ideas??
Thanks,
Cheryl Estes
|
| 2544.13 | Fixed | VMSNET::C_ESTES | | Mon Mar 10 1997 15:39 | 8 |
| Hello,
The customer called and said that the problem was fixed. There was an
issue with the bootup process.
Thanks for all your help.
Cheryl
|
| 2544.14 | I presume their error was too embarassing to admit? | IOSG::PYE | Graham - ALL-IN-1 Sorcerer's Apprentice | Mon Mar 10 1997 17:59 | 0
|